It’s hard to feel secure in a world where the latest malware attack on computers worldwide was the result of software heisted from the National Security Agency. But it’s evidently true: The hacking tools that allowed the so-called WannaCry ransomware to work included an NSA-found vulnerability in Microsoft Windows that homed in on older versions of Windows. How the hackers behind this got hold of NSA tools is a question we’ll need to answer.
The latest numbers I’ve heard say that around 300,000 computers in 150 countries are among those affected, and most of these seem to have been in businesses and institutions, including Britain’s National Health Service, a scary warning shot indeed of the kind of havoc we might one day see if there ever is what some are calling a “9/11 on the Internet.”
But let’s talk about what we can do right now. Ransomware locks up your computer and demands money, some $300 in this case. The thing that baffles some users is that Microsoft released the necessary updates to combat this intrusion all the way back in March. A clear lesson is that if you’re running Windows (and never mind that this exploit didn’t target Windows 10), you should always run the updates from Microsoft when recommended.
Don’t, in other words, keep putting off updating your machine because the process is cumbersome and annoying. Windows has always been cumbersome and annoying (remember Windows Vista – I rest my case). But this is an annoyance that we have no choice but to tolerate, because the bad guys are out there in ever greater numbers, and they are clearly able to get hold of professional-grade hacking programs.
Thus use this attack to update your Windows computer today, if you haven’t been doing it all along. And keep it updated. If you use other operating systems, keep the same principle in mind. You’re safer with the latest updates whether we’re talking Mac or Linux, and we have no idea which kind of computer will be targeted next. As a Linux user, I sometimes have a false sense of security because of the small installed base and the quality of the software. But I keep learning not to make any easy assumptions about security in any environment.
Do remember one thing about WannaCry. I think there is good reason to believe that many of the affected machines in business and government were vulnerable because the institutions involved use old versions of Windows. They do this because they have tools vital to their operations that will only run on these older operating systems. WannaCry is thus a reminder to all large computer operations that some upgrades can’t be put off.
Take Windows XP. I’ve seen estimates that a high percentage (some say as much as 90 percent) of Britain’s National Health Service computers run at least one device using this version of Windows, which has not been supported since 2014. Yes, Microsoft did rush out an emergency patch after WannaCry surfaced, but by the time it was issued, it was too late for many of the affected businesses. Remember, Microsoft guarantees no security support whatsoever for Windows XP. It was a good operating system in its day, but its day is over.
Getting a computer locked up when it contains critical information is a disaster, which is why ransomware can work – people feel they have no recourse but to pay up. But those with good backups have a way out, including wiping the affected drive and reinstalling the system and data. If you have information you can’t afford to lose on your computer, revisit your backup strategy. But first do those updates I keep harping about. And stop running Windows XP!
Can you imagine what it would be like if so-called Internet of Things devices get attacked this way? There you are in your self-driving car and it announces that it won’t let you out of the vehicle until you pay up. It sounds crazy, but we’re going to need strategies against attacks like these and more. You can bet IT manufacturers are going to be considering how to protect their systems with a whole new urgency thanks to the spread of WannaCry.
Reach Paul Gilster at firstname.lastname@example.org