Friday, May 26, 2017

Paw in the bottle!

12th May 2017 turned out to be a Dark Friday when the world woke up to cyber terror in the form of WannaCry virus. According to media reports it has wreaked havoc by locking up over 300,000 computer systems across over 150 countries around the world. Most affected systems were from UK, USA, Russia, China, Spain and India. 

Five percent of the systems affected worldwide was reportedly from India. However, the government hastily responded with "The impact of WannaCry ransomware attack has been limited to five or six isolated instances so far and there are no reports of any substantial disruption to India’s IT backbone".

It is quite interesting how the enormity of the damage was accidentally stemmed by a young technology expert Marcus Hutchins. While the world was grappling with the cyber terror, Marcus Hutchins accidentally discovered the "Kill Switch" to stop the propagation of the malware. It happened when he was going through the sample of the malware, he discovered an unregistered Domain Name. He quickly bought the domain and registered it. To his surprise the propagation of the malware stopped as soon as he registered the domain (domain was "sink holed").

How exactly did WannaCry wreak havoc on the unsuspecting world? WannaCry is a Trojan virus, a “ransomware” which in effect holds the infected computer hostage and demands that the victim pay a ransom money in order to regain access to the files on his or her computer. WannaCry demanded ransom to be paid within 3 days through Bitcoins, ransom amount would be doubled after 3 days. After 7 days, the affected files would be lost for ever.

So, did any one really fall for the threat? It seems many did fall for it but according to experts, the hackers must have made less than $60,000. One reason, they said, was because many people did not know how to pay the ransom. Bitcoin is a kind of digital currency stored in an online "wallet", transactions not easily traceable to the hackers.

Even if the financial gain may not have been substantial to the hackers, the indirect effect of malware seemed to be much more by way of "Denial of Service" (non availability of the system to the users). Computers that had important data stored online were the most badly affected. Health systems were primary targets. NHS of UK was quite seriously affected. Many critical surgeries and procedures had to be postponed due to non availability of online patient records from the NHS systems.

As for the IT security experts, it was busy times once again. There was a barrage of articles and talks on IT security with list of "Do" and "Don't" from IT security gurus and security evangelists. Common among suggestions were related to Windows Operating System and Anti Virus software: install Anti Virus, patch/upgrade regularly, migrate to latest software version, update Anti Virus everyday, back up data (too late for this, may be for future attacks), train employees on best & safe practices, do not click anything from unknown source (most valuable suggestion in my opinion) and so on.

It has been reported that Cyber Security stocks jumped up after the 'WannaCry' attack and IT sales boomed. Perhaps the spurt in business was because of sudden sales in products and services. Sometimes I wonder, if perhaps a vile conspiracy was going on, driven by financial greed. Whenever such incidents take place, I cannot help wondering, who exactly was to be blamed for such events. Is it the manufacturers of IT products or the "bad guys" (black hat hackers) or we the buyers of the systems! 

We cannot blame the "bad guys" for they do it simply because they are "bad guys". They could be doing it for financial gains or simply because they like the challenge or they get a thrill/kick out of causing damage and mayhem. Some of them claim that they were doing a favor to IT community by exposing software vulnerabilities. Whatever the reason may be, the fact is, very rarely is any of them caught. They will continue to hack systems and continue to thrive in their evil objectives.

WannaCry succeeded in its objective by exploiting a weakness in Windows Operating Systems. Microsoft Corporation has blamed NSA (National Security Agency) for allegedly creating and revealing “EternalBlue”, which is a hacking tool used to exploit the vulnerability in Windows Operating System. The tool was reportedly stolen and leaked to the public by the hacker group Shadow Brokers. The same tool was used by the hackers in WannaCry Trojan. 

I guess, this must be one of those exceptional circumstances when users of legacy systems operating under non-Microsoft platforms must have counted their blessings for staying with legacy systems!

Since the exploitation happened because of vulnerability in Windows Operating System, can Microsoft Corporation be blamed for the disaster of such mammoth proportion? Is it necessary to release software that requires, not dozens or hundreds, but thousands of fixes and patches through out the year? Why cannot more time be spent on the quality of software, on improving testing procedures and quality assurance procedures to reduce the number of fixes and patches? Do they have to go on releasing new versions in quick succession even before the current version stabilizes? 

We may ask any number of such questions without much use because there is nothing called "perfect systems". Software is built by humans and as they say "it is human to err".  Perhaps, when Artificial Intelligence comes of age, we can expect perfect systems but until then we have to live with faulty or not so perfect software.

Manufacturers of IT products cannot keep up with the "bad guys" who are always ten steps ahead. They adopt all sorts of nefarious (some call it intelligent) methods, even brute force to find ways of penetrating into software and plant their viruses. It is an amazing fact of life that humans achieve higher levels of competence and creativity when it comes to carrying out nefarious, illegal, criminal things.

Moreover, the manufacturers of IT products safeguard themselves through disclaimers which redeems them from legal responsibility, doesn't matter about moral responsibility. The bottom line is, technology companies are in business to make money, for profit. So they will primarily focus on growing their businesses.

That leaves us the "buyers of IT products" who are to be blamed for accepting any software by clicking "I Agree" button without even reading the disclaimer notice. Not many of us have the time and patience to read the disclaimers written through extensive legal jargon, written in small almost unreadable fonts. Even if we did take time to read it, what option is left other than to "accept"? Ultimately, we end up blindly clicking anything presented with "I Agree" button. 

This act of clicking "I Agree" button develops into such a habit that most people end up clicking and sharing anything that is posted on their inboxes and social media timeline. Whatever may be the argument, in the end, we the "buyers of IT products" end up paying a heavy price. That, unfortunately, is the sad fact of life.

It seems as if we are all caught up in a strange kind of vicious circle. If there were no threats to our systems, who would buy all that goes into protection of systems (software, hardware, services, frameworks)? 

If 100% fail safe and fault tolerant systems are built (which is highly unlikely), who will pay for upgrades? Then what will happen to technology businesses?  If perfect systems were built, who would want maintenance and other IT services? 

If people are stuck with systems that keep on grinding tirelessly day-in and day-out without any failure, then what excitement was left? What will happen to the thrill and excitement of that new software release, to that release of new model or brand? What motivation would be there for research and development? 

So in essence, we are stuck with the way things are now, the endless game of cat and mouse. And who ultimately pays the price? No prizes for guessing.

We the buyers of IT products are done for, stuck, cornered, doomed. They got us "hook, line, sinker", the day the first version of MS DOS was distributed for free several decades ago. Actually, there is nothing in this world which comes for free. Everything comes with a price tag. If not now, we pay the price some day later, and oh boy how we pay, we pay through our nose. 

I am reminded of a story of how they caught monkeys. According to the story, monkey hunters placed nuts in huge bottles which had very narrow necks. When a curious monkey chances upon the bottle, it grabs the nut but it cannot get its paw out. With the nut in its hand the fist becomes big, so big that it cannot pass through the narrow neck. The "poor gullible monkey" is caught in a hopeless dilemma. It doesn't want to let go of the nut because it wants it so badly. It is stuck with the bottle because it cannot move much because its paw is stuck in the bottle. And that is how the hunters catch the monkey. That just about sums up situation we find ourselves in.

Coming back to WannaCry ransomware, experts have been frantically trying to find the source behind it. Until few days ago, no one seemed to have any idea, though there were few theories. According to Neel Mehta, a security researcher at Google, the virus could have originated from North Korea. He claimed that there was proof of same signature between WannaCry and previous viruses they had used in other attacks. Though there was skepticism initially, experts have started accepting the possibility of such a theory.

While the world was reeling from this cyber terror, some people found the situation to be quite amusing. I was chatting about the ransomware with a work place acquaintance, who sounded as if he was reveling in some kind of euphoria. When I pointed out that obviously the hackers behind the virus didn't make much money out of the cyber attack, all the efforts have gone waste, for nothing. His amused response was "this is only a trial, just wait, the big one is coming soon".

I often wonder what creates such a euphoria in some people! While the whole world was in shock, guys like him are in jubilation which is particularly extreme if the victim happens to be America or Europe.

It takes me back to an incidence that happened many years ago, on 11th September 2001 to be exact. As I was driving home after work, I received a call from another work place acquaintance. As I took the call on the hands-free set, I heard the person having an uncontrollable fit of laughter "ha ha ha ha". I could hear the sound of news on his car radio. After he managed to control his laughter, he asked "have you heard the news?". I had no clue what he was talking about. I said  "what news? what happened?". 

He again went through another ecstatic fit of "ha ha ha ha" and said "Oh man, America is on fire". I couldn't quite grasp what exactly he meant. Was it a figure of speech? Was America really on fire? Then he said, "you listen to the news, you will know better what happened". He ended the call with another ecstatic guffaw "ha ha ha ha". 

By then I had reached home. As I tuned in to international news, I just stood there, totally dumb struck by what I was seeing on the television screen. The twin towers of World Trade Center were on fire, burning out like candles, people were jumping off the roof or through open windows. Thick, dark smoke was billowing from the burning towers, ash was flying all around what was left of the towers. People were running helter-skelter on the streets screaming "oh my God, oh my God". Dozens of firefighters were trying desperately to put out the fire, the firemen covered with ash, looking as if there was snow on their hats and dresses. There were screams of horror, pain and disbelief in the background. The whole thing looked like scenes from one of Bruce Willis movies and yet it was all happening in front of everybody's eyes. 

My mouth went dry and I felt as if someone had punched me in the gut. What I was seeing on the television screen was unbelievable. It was bone numbing horror! How could anyone in their right mind be having a laugh about such a terrible tragedy. It was something unfathomable.

Most funny thing is, these very same guys would run off to USA or UK at the drop of a hat and enjoy the freedom, the excitement and all the good things these countries offered. Even when it came to their children's education, their first preference would be USA or Europe. That is the unbelievable hypocrisy!

No comments:

Post a Comment