Despite what you have been reading and hearing about this “biggest story” and “most widespread hack” in history, I hate to tell you, it wasn’t a hack. Not even close.
True, the NSA should never have had the ability (vulnerability) to have their deepest secrets swiped out right from under them. Even that wasn’t a hack. It was a leak that could have been detected and fixed, and should never have happened at such an agency had the proper people protocols been in place. And that is my point. It’s about people and not a computer hack. No computer was hacked. Somebody just clicked. More somebodies than ever. There was a massive, coordinated barrage of emails, and if you clicked the links in them you got the ransomware. Sorry, but not only is this technically not a hack; it is an exploit of a vulnerability.
The NSA discovered a vulnerability in Microsoft Windows months ago. They planned to use it for their own nefarious purposes against what they call “foreign actors” or criminals, and most likely anyone from politicians to judges to John and Jane Doe. It’s what they do 24/7/365. The Patriot Act allows it. They get to act on patriots despite the Fourth Amendment. But I digress. The two points to take to heart are these. The NSA did not immediately notify Microsoft of the vulnerability, putting millions of Windows users at risk. They have not learned the lesson taught to them by Edward Snowden and Dennis Montgomery, who walked away with secrets right under the noses of the NSA and CIA long ago. They relied on the FBI not to investigate and somehow it would disappear. Well, the FBI still has not investigated, nor have they.
In any case, the right thing to do was to notify Microsoft immediately to protect the citizens of the world from serious financial trouble, ranging from stolen information to the shutdown of businesses, governments, banks and lifesaving institutions like hospitals and clinics that had to close emergency rooms. Why? Because Microsoft could have fixed that vulnerability and released the fix to their customers a long time ago.
But what happened was: the NSA finally informed Microsoft in April, but Microsoft issued the patch-fix in March. So why was there a “hack” in May? As I said above, this is about people.
People who click on emails, people who don’t update their machines and software, people who run their mission-critical software on unsupported systems like Windows XP. These are the people that got “hacked”.
So there’s no news here.
I’m going to give the same advice I’ve been giving for years:
- Keep your operating system up to date with the latest patches and fixes.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Do not ever click on links in these emails.
- Don’t send sensitive information over the Internet before checking a website’s security. The address should begin with HTTPS and sometimes a lock icon will show in the browser.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. EVEN IF THE EMAIL IS FROM SOMEONE YOU KNOW and you were not expecting it, call or text them or write them a new email to double-check. DO NOT REPLY.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
Technical Steps for Your Business or Tech Support Companies to do NOW
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network, no less than once a year and ideally as often as is practical.
- Test your backups regularly to ensure they restore correctly when you need them.
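The following is an added example, not part of the original post: a read-only PowerShell audit of a single Windows host against the technical steps above (MS17-010 patch present, SMBv1 off, local administrator membership kept small, Office macros disabled by policy). The `$RequiredKB` parameter is an assumption: supply the KB article id for the MS17-010 update that matches your OS build from the Microsoft bulletin, since this page does not list it. It assumes Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example (not from the original post): audit one host against the steps above.
# Assumed parameter: $RequiredKB, the MS17-010 KB id for this OS build (from the bulletin).
function Test-WannaCryReadiness {
    param(
        [Parameter(Mandatory)][string]$RequiredKB,   # e.g. 'KB<id from the MS17-010 bulletin>'
        [int]$MaxLocalAdmins = 2                      # assumed threshold; tune for your estate
    )
    $findings = @()

    # 1. MS17-010: is the SMB patch installed? Get-HotFix lists installed updates by KB id.
    $patch = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
    if (-not $patch) {
        $findings += "MISSING: $RequiredKB (MS17-010) is not installed; apply the March 14, 2017 update"
    }

    # 2. SMBv1 is the protocol MS17-010 affects; keep it off even on patched hosts.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += "RISK: SMBv1 server is enabled (fix: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force)"
    }

    # 3. Least privilege: who holds local administrator rights on this machine?
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins.Count -gt $MaxLocalAdmins) {
        $findings += "REVIEW: $($admins.Count) local Administrators: $($admins -join ', ')"
    }

    # 4. Office macro policy (Office 2016 key): VBAWarnings = 4 disables all macros
    #    without notification; blockcontentexecutionfromInternet = 1 blocks Internet-sourced macros.
    $macroKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    $policy = Get-ItemProperty -Path $macroKey -ErrorAction SilentlyContinue
    $vba = if ($null -eq $policy) { 'not set' } else { $policy.VBAWarnings }
    if ($vba -ne 4) {
        $findings += "RISK: Word macro policy VBAWarnings is '$vba' (expected 4 = disabled)"
    }
    if (-not $policy -or $policy.blockcontentexecutionfromInternet -ne 1) {
        $findings += "RISK: macros from Internet-sourced Office files are not blocked by policy"
    }

    if ($findings.Count -eq 0) { return @('OK: no findings for the checks above') }
    return $findings
}

# Usage: Test-WannaCryReadiness -RequiredKB 'KB<id from the MS17-010 bulletin>'
```

The function only reads configuration and returns one line per finding; the suggested fix commands in the messages are applied by the operator, not by the script.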
This is what it looks like inside your computer: (Kids, DON’T try this at home!)
This is what it looks like on your screen:
Did you know that if you don’t do this your insurance company will NOT cover the loss and will drop you like a hot potato? And if your customers or patients are cut off from their services, you will be sued and there’s nothing you can do about it.
My advice to those businesses (and I personally know of many) that are running the show on Windows XP or any other obsolete, officially unsupported system: UPGRADE. It’s cheaper than losing your business, your reputation and your assets.
It’s all about people. That’s the fix. It’s on you. This exploit was called “Wanna Cry”. Believe me, if you forget what I’ve said, you will.
If you don’t know where to turn for help, are afraid of getting ripped off in the process, or are just plain embarrassed, I’m here to help. Would you rather have a surgeon operate on you who’s been doing it for a couple of years or twenty-five? It’s about the people, not the procedure.
Update: WannaCry Ransomware Event
Since last Friday, the NJCCIC has closely monitored the outbreak of the WannaCry ransomware variant, also reported as Wana Decrypt0r or WCry. Over the weekend, we observed reports from around the world indicating this ransomware variant was impacting dozens of countries and hundreds of thousands of devices. However, the extent of the impact on New Jersey and the United States remains unclear. As of today, the NJCCIC is only aware of one confirmed infection in New Jersey and we have not independently verified any other US victims, or the total number of countries impacted. According to a Forbes article, there were at least two incidents at US healthcare organizations and an unknown number of incidents impacting small utilities and manufacturing sites, though impacts were limited. According to Reuters, fewer than 10 organizations have reported WannaCry infections to the Department of Homeland Security.
Ron Benvenisti
CyVision Technologies, Inc
As per US-CERT, it was spread by SMB and not by email (they do not know of a single infection with a vector of email). Otherwise it is a nice article. Interestingly, it impacted Windows 7, but almost no XP infections were observed.