The Software Security Model Is Broken

Chris Baraniuk, BBC News:

A massive ransomware campaign appears to have infected a number of organisations around the world.

Computers in thousands of locations have apparently been locked by a program that demands $300 (£230) in Bitcoin.

There have been reports of infections in more than 70 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

Many security researchers are linking the incidents together.

BBC News:

NHS services across England and Scotland have been hit by a large-scale cyber-attack, which is being treated as a major incident.

The prime minister said the incident was part of a wider attack affecting organisations around the world.

Some hospitals and GPs cannot access patient data, after their computers were locked by a malicious program demanding a payment worth £230.

The individual aspects of this story aren’t necessarily new, but the scale of this attack is, as far as I can figure out, unprecedented. And, because of how widespread this attack is, the low ransom demand also appears to be a relatively new tactic. Instead of banking on a single target paying tens of thousands of dollars, the perpetrator can assume that more people will be willing to pay just $300 to get back to work.

Some reports are framing this attack around how it spreads: it uses a method developed by the NSA, patched by Microsoft on March 14, and leaked by the Shadow Brokers a month later.

But, while that’s interesting, I don’t think it’s the main story. This attack reveals something that’s obvious to anyone whose main role during the holidays is updating their family’s computers: the software security model is deeply flawed. There are simply too many points of failure, and all of them are human.

Developers leave bugs in the software they build all the time. Sometimes, these bugs can be exploited in a way that allows someone to gain an elevated level of permissions. These bugs are typically only found when someone is actively trying to find them. Patches can be made available, but it’s up to users to decide to update.

Users have been conditioned to be wary of installing any software updates because it’s risky: software updates regularly break applications that users rely upon. In a home environment, that’s irritating; in an enterprise environment with life-or-death consequences — like in the NHS — an incompatibility can be disastrous.

Update: This specific strain of the malware should no longer spread now that a “sinkhole” domain was registered by a security researcher, completely by accident.