by everfrustrated 840 days ago
This report is a joke.

No root cause. On other forums it is understood they were running very old and unpatched VMware os. Which is simply embarrassing and everybody within their IT team should be fired immediately for gross negligence.

They can't inform people whose data has been compromised because they refuse to pay the ransom and have no other way to tell what was stolen. Farcical.

Their ability to rebuild in a timely manner was hampered by not having any spare servers and presumably because all their server hardware was compromised and couldn't be used for restore.


> they refuse to pay the ransom and have no other way to tell what was stolen. Farcical.

It's bad that they don't know what was taken, but as for paying the ransom, I wouldn't do it either: first, because it's danegeld; second, because you're just exposing yourself to even further risk by accepting files from criminals; third, because as others said, it would be UK tax money.

I suspect they don't have the forensic evidence to determine the root cause. Chances are there are probably too many ways it could have happened, and the evidence was encrypted or simply wasn't being captured.

At least they seem to have a plan moving forward that seems considered, though I think a lot of what they want to do is easier said than done effectively. I wish them the best of luck.

> I suspect they don't have the forensic evidence to determine the root cause.

It said that. The terminal server entry point was completely scorched in the attack. Offsite rlogd would have helped.

> everybody within their IT team should be fired immediately for gross negligence.

That may be true, but by that standard about 90% of all sysadmins, IT managers and even CISOs would be out of a job next week.

Most companies are just "getting by" and hoping it won't be them next.

We have a multi-national cybersecurity crisis due to decades of kicking the can down the road, excusing poor software engineering to allow unfettered commercial development, and destroying our education and training sectors.

If 90% of them qualify as grossly negligent, then they should be fired. That is kind of what grossly negligent means.

You do not really worry about what would happen if all the grossly negligent doctors get fired. Who will do those procedures with a total disregard for safety, said no one ever.

> You do not really worry about what would happen if all the grossly negligent...

But I do. I care about them as people. People who have families and need a job. I'd rather help them to not be grossly negligent than see them fired (and probably worse idiots take their place since we are in a major skills crisis right now).

The world is getting complex faster than anyone can track. Tomorrow it could be you or me who is getting called on gross negligence because we can't follow it. So I choose to be a teacher even though telling people the truth is getting REALLY F**ING HARD these days - cos no one wants to hear it.

No, they should not continue to be in a position where they can continue committing grossly negligent actions and harm others.

You can train them once they are removed and reinstate them when they can do the job right, but supporting their continued harm of others so they can “support themselves” is detrimental, counterproductive, misguided, and extremely selfish.

You are literally better off paying them to do nothing. Please at least do that instead of paying for harm.

> they should not continue to be in a position

"should" is doing a lot of work there. In so many ways we're in agreement. But I do this in the real world, and experience has shown me we must deal with the world as it is and not merely as we wish it to be.

> Not keeping on top of basic IT security is the equivalent of driving drunk.

Good analogy. It is. People's livelihoods and even people's lives are at risk.

But we've utterly normalised digital ignorance and built what Edward Snowden very rightly calls an "Insecurity Industry".

I'd go further, we've turned a celebration of ignorance around cybersecurity and dismissive attitudes into virtuous slogans.

   "Don't make me think" - Krug

   "Move fast and break things" - Mark Zuckerberg

   "If you've nothing to hide you've nothing to fear" - J Random Idiot

And those who are charged with advising and protecting are deeply conflicted - because they want backdoor access or at least insecure products.

What it boils down to is that presently there's more money and power in insecurity than there is in security. Our industry has multiple principal agent, Shirky Principle and Pournelle's Law problems, see [0].

We allow ransomware and stalkerware companies, and outfits like NSO (which I only mention because they are most well recognised) to operate as legitimate.

We flood markets with defective IoT crap and reduce consumers' expectations to the level of accepting vendor malware and backdoors installed out of the box.

And then we turn around and complain that "stuff ain't secure".

This whole ship is DUI.

[0] https://cybershow.uk/blog/posts/love/

> I'd go further, we've turned a celebration of ignorance around cybersecurity and dismissive attitudes into virtuous slogans.

> "Don't make me think" - Krug

That quote has nothing to do with cybersecurity, it's the title of a book by Steve Krug about web usability.

I am unfortunately old enough to have read that book when it first came out, and it's exclusively around how to design front-end UIs on websites to reduce user complexity. There is no mention of infrastructure or security at all.

You're making a quote around how we should make websites more usable and understandable to users - so they can use them without thinking - into something it isn't.

> That quote has nothing to do with cybersecurity

It has everything to do with it.

I know exactly what the book is and I read it. It's actually an excellent book on UX and I expect Steve Krug picked the title because it sounds cool.

No disrespect to that author intended, but it (maybe unwittingly) expresses a sentiment that has grave implications about the position of technology in human affairs. To understand why, please look deeper into what we used to call Human Computer Interaction (HCI) or "Cognitive Ergonomics".

I think I recently mentioned it in this online chat [0]

Explicit cognition is the "thinking slow" part of our brains that uses so-called left-brain linear reasoning and logic. It sits high in the cognitive stack. But as people use devices today, in what McLuhan [4] or Innes [5] would call an "acoustic" (nothing much to do with actual sound) way, we drop down a cognitive level to a faster, visual-haptic loop that bypasses explicit reasoning.

Designing applications that bypass this has major effects on security. The work of B J Fogg will show you more about this [1].

Tristan Harris also has lots on it [2,3].

One of the disastrous effects of this "distracted" level of HCI is that people use more emotional cues, rote, colour, word association, implicit trust and other models that make them easy prey for phishing and other kinds of magic and trickery.

If you're interested in a much broader understanding of cybersecurity I give you a sincere invitation to check us out here [6].

[0] https://www.youtube.com/watch?v=hYnOf4PWGpA

[1] https://behaviordesign.stanford.edu/people/bj-fogg

[2] https://www.youtube.com/watch?v=LUNErhONqCY

[3] https://www.wired.com/story/our-minds-have-been-hijacked-by-...

[4] https://en.wikipedia.org/wiki/Marshall_McLuhan

[5] https://en.wikipedia.org/wiki/Harold_Innis

[6] https://cybershow.uk/

Coming from these sorts of businesses, I usually read these sorts of comments as "they should be fired because when they recommended MFA, management said no".

> No root cause. On other forums it is understood they were running very old and unpatched VMware os. Which is simply embarrassing and everybody within their IT team should be fired immediately for gross negligence.

The IT team most likely begged for years for funds to upgrade their infrastructure, but did not receive any of it. Public institutions are already short on money, but education has it even worse.

If anyone is to blame, it is the last British governments, who have focused their attention on Brexit and Rwanda crap instead of providing services for the citizens.

It's a government with a huge civil service infrastructure. The people involved with Brexit and Rwanda are miles away from this stuff. Willing to bet that in your counterfactual world lacking Brexit and Rwanda (and let's throw in, say, a Labour government), this would still not have been financed.

> they refuse to pay the ransom

As an organisation forming part of the UK State, they're not allowed to. Rightly, in my opinion.

If I were a user or staff member, I would sure prefer it if they paid the ransom…

Since I don't trust the library to actually assess my impact, and the track record of companies getting hacked is that they often drag their feet making it up to victims (Equifax).

> because they refuse to pay the ransom

They were following explicit government guidance, as promulgated by the National Cyber Security Centre (NCSC), which is the civvie offshoot of GCHQ.

@everfrustrated: There is nothing in your piece that can be refuted. Therefore it must be modded into invisibility.

> This report is a joke.

> No root cause. On other forums it is understood they were running very old and unpatched VMware os. Which is simply embarrassing and everybody within their IT team should be fired immediately for gross negligence.

> They can't inform people whose data has been compromised because they refuse to pay the ransom and have no other way to tell what was stolen. Farcical.

> Their ability to rebuild in a timely manner was hampered by not having any spare servers and presumably because all their server hardware was compromised and couldn't be used for restore.

> They can't inform people whose data has been compromised because they refuse to pay the ransom and have no other way to tell what was stolen.

That doesn't fit their claims on page 7 about reviewing the lost data and contacting affected users.

They reviewed what the criminals later dumped on the dark web. They have no way to determine if the criminals kept more for themselves.