Nearly 1,000 computers at the capital's hospitals run XP: risk of hacker attacks

Just as Version2 reported in the spring, DR now reports that nearly 1,000 computers at the hospitals in the Capital Region run the outdated Windows XP, which is vulnerable to attack.

985 computers used by staff at the hospitals in the capital run the insecure operating system Windows XP.

This is shown by a freedom-of-information request made by P4 København.

Windows XP is a relatively easy target for hackers who want access to the data on the computers, because Microsoft has not updated the operating system for the past two years.

That worries Søren Debois, professor at the IT University and an expert in data security.

»One can fear that they (Region Hovedstaden, ed.) lose data, that the hackers can read patient data, that they lose access to their systems, or that the hackers can use the 1,000 computers as a springboard to get further into Region Hovedstaden's systems,« he tells P4 København.

In the spring, based on a survey of the regions, Version2 reported that more than 22,900 of the regions' computers still ran Windows XP at the time. The regions were trying to get rid of XP, but control computers at the hospitals in particular are causing trouble.

»For example, we have systems for refrigerators and elevator systems, as well as some microscope control, where the software in use cannot run on newer versions,« explained Klaus Larsen, head of office responsible for management, operations and support in the IT department of Region Nordjylland, adding:

»The classic solution we use most is to lock the computer so that no changes can be made, and you cannot go on the internet.«

Read also: Danish hospitals saddled with 23,000 insecure Windows XP installations

In Region Hovedstaden, a large share of the computers are protected by the region's own security system, P4 København reports.

But according to Rasmus Theede, chairman of Rådet for Digital Sikkerhed (the Council for Digital Security), securing Windows XP computers against hackers and viruses is an extremely difficult task. First and foremost, it requires that none of them is connected to or has access to the internet.

»One thing is that you can get viruses in from the internet, but often you also see viruses come in via a USB stick or a CD.«

The IT system Sundhedsplatformen, which has been rolled out at Rigshospitalet and at Herlev and Gentofte Hospital, requires Windows 7 and is therefore not covered by the security threat.

Region Hovedstaden states in an email that certain computers still have to run Windows XP because the programs these computers must be able to run are not yet available for newer versions of Windows. Among other things, this can be due to older medical-technical equipment.

Microsoft ended support for Windows XP on 8 April 2014.

Comments (12)
Povl H. Pedersen

What is the real risk? If the machine is locked down sufficiently, cannot reach the Internet, and has a restrictive Software Restriction Policy, what is the real threat then? It can have all network services disabled/firewalled.

USB is mentioned as a risk, but if there is no Office or anything else on the machines, the likelihood of users inserting a USB stick is probably very small. Of course, a malicious person on location could probably do something to get privileged access to the machine. But there are certainly machines in most hospitals that are not secured at night, so one could borrow it, put the hard drive in another machine, install malware, and put the disk back. Windows 10 doesn't protect against that either. And SATA encryption is apparently also insecure while the machine is awake (even in the new Win10-rebranded version).

So the real threat can be reduced considerably, and can be far smaller than the threat from a fully patched Windows 10 without AppLocker.

Of course, outdated software is not good. But if it cannot be reached, the holes are hard to exploit. The big question is then whether they are locked down sufficiently.
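The question of what the residual risk of an isolated XP machine actually is can be answered per host once the compensating controls are recorded. As an added example (not code from the article, from Version2 or from any commenter), the script below applies the controls named by Rasmus Theede in the article (no internet access, no USB/CD) and in this comment (restrictive Software Restriction Policy, network services firewalled off), plus EMET as discussed later in the thread, to a constructed inventory export and groups each end-of-life host by what it still lacks. The column names, hostnames and values are assumptions made up for the example; they are not Region Hovedstaden's data.

```python
"""Residual-risk triage for an inventory of end-of-life Windows XP hosts.

Added example, not from the Version2 article or its commenters. The export
format, field names and every sample row are constructed for this demo.
"""
import csv
import io

# Constructed sample export; hostnames and values are invented.
SAMPLE_INVENTORY = """\
hostname,os,internet_access,srp_default_level,firewall_enabled,removable_media_blocked,emet_version
lab-micro-01,Windows XP SP3,no,disallowed,yes,yes,4.1
elev-ctrl-02,Windows XP SP3,no,unrestricted,yes,no,
ward-pc-17,Windows XP SP3,yes,unrestricted,no,no,
ward-pc-18,Windows 7 SP1,yes,unrestricted,yes,no,5.5
cool-mon-03,Windows XP SP2,no,disallowed,no,yes,
"""


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def is_eol(os_name):
    """XP (any service pack) has had no vendor patches since 8 April 2014."""
    return os_name.lower().startswith("windows xp")


def missing_controls(row):
    """Return the compensating controls this host lacks, in fixed order."""
    gaps = []
    if _yes(row["internet_access"]):
        gaps.append("internet_reachable")
    if row["srp_default_level"].strip().lower() != "disallowed":
        gaps.append("srp_not_restrictive")      # SRP default must be Disallowed
    if not _yes(row["firewall_enabled"]):
        gaps.append("firewall_off")             # network services still exposed
    if not _yes(row["removable_media_blocked"]):
        gaps.append("removable_media_allowed")  # USB/CD path named in the article
    if not row["emet_version"].strip():
        gaps.append("no_emet")                  # no exploit-mitigation layer
    return gaps


def risk_tier(row):
    """Tier the host by its worst gap; internet reachability dominates."""
    if not is_eol(row["os"]):
        return "supported"
    gaps = missing_controls(row)
    if "internet_reachable" in gaps:
        return "critical"   # unpatched OS reachable from the internet
    if "srp_not_restrictive" in gaps or "removable_media_allowed" in gaps:
        return "high"       # code can still be introduced locally
    if gaps:
        return "medium"     # isolated, but missing a defence-in-depth layer
    return "low"            # isolated and locked down as the comment describes


def triage(csv_text):
    """Map hostname -> (tier, gaps) for every row of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: (risk_tier(row), missing_controls(row)) for row in reader}


def tier_counts(csv_text):
    """Summary the way the article quotes it: how many hosts per tier."""
    counts = {}
    for tier, _ in triage(csv_text).values():
        counts[tier] = counts.get(tier, 0) + 1
    return counts


if __name__ == "__main__":
    for host, (tier, gaps) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {tier:9} {', '.join(gaps) or '-'}")
    print(tier_counts(SAMPLE_INVENTORY))
```

The tiering deliberately ranks "can code get onto the box" (internet, removable media, permissive SRP) above the defence-in-depth layers, which is the distinction the comment draws: an unreachable host with an unpatched OS is a different problem from a reachable one.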

Jesper Ravn

I also think it must have cost a great many man-hours to plan and carry out a proper lock-down of these computers.

If you also have Windows 7 as the primary OS at the same time, it will really be an uphill battle, since within a few years you will be in the same situation again.

Morten Christiansen

Realistically, other Windows versions are potentially neither more nor less secure, since common file formats (.vbs .js .bat .exe .com .reg) can sneak anything through unseen; as long as programming standards exist nothing can be ruled out, and they can be compatible across several Windows generations; DOS and cmd still have many similarities.

Glenn Møller

If you install EMET on Windows XP and 7, they are more secure than Windows 10 (maybe that is why they are "switching off" EMET):
https://microsoft.com/emet/

On EMET and Windows 10:

24 Nov 2016, CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security.
Vuln seeker says EMET has 13 protections Win 10 doesn't:
http://www.theregister.co.uk/2016/11/24/cert_no_microsoft_even_win_7_eme...

Nov 29, 2016, CERT to Microsoft: Keep EMET alive.
Windows systems with Enhanced Mitigation Experience Toolkit properly configured are more secure than a standalone Windows 10 system, says CERT:
http://www.infoworld.com/article/3145565/security/cert-to-microsoft-keep...
"...
Microsoft wants to stop supporting its Enhanced Mitigation Experience Toolkit (EMET) because all of the security features have been baked into Windows 10. A vulnerability analyst says Windows with EMET offers additional protection not available in standalone Windows 10.
"Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system," said Will Dormann, a vulnerability analyst with the Computer Emergency Response Team (CERT) at Carnegie Mellon University’s Software Engineering Institute.
...
EMET...make it harder for malware to trigger unpatched vulnerabilities.
...
Microsoft is planning to end-of-life the free tool in July 2018. CERT’s Dormann said Microsoft should keep supporting the toolkit because Windows 10 does not provide all of the application-specific mitigations available in EMET.
...
Microsoft’s principal lead program for OS security, Jeffrey Sutherland, recently said that users should upgrade to Windows 10 since the latest operating system natively includes the security features provided by EMET. That is true to some extent, as DEP, SEHOP, ASLR, BottomupASLR, and ROP mitigation (as Control Flow Guard) are part of Windows 10, but many of the application-specific mitigations are not.
...
"It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured," Dormann said.
...
"Out of all of the applications you run in your enterprise, do you know which ones are built with Control Flow Guard support? If an application is not built to use Control Flow Guard, it doesn't matter if your underlying operating system supports it or not," Dormann said.
...
The problem isn’t limited to third-party and custom enterprise applications, as there are older -- but still widely used -- Microsoft applications that don’t access the advanced exploit mitigations. For example, Microsoft does not compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR. An attacker could potentially bypass ASLR and exploit a memory corruption vulnerability by loading a malicious library into the vulnerable application’s process space.

Ironically, administrators would protect the application from being targeted in this way by running EMET with application-specific mitigations.

"Because we cannot rely on all software vendors to produce code that uses all the exploit mitigations available, EMET puts this control back in our hands," Dormann said.
..."

Also recommended by the NSA:

https://www.nsa.gov/ia/_files/os/Win_EMET/EMET_FAQ_v3.1.pdf
Quote: "...
This document should be read by technical managers, security officers, administrators, and cyber defenders who are unfamiliar with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). The document is presented as a list of Frequently Asked Questions (FAQs).
...
Although EMET is provided without cost by Microsoft, an organization must commit some level of trained manpower and resources to configure, test, and install EMET. Thereafter, maintenance cost is nominal: an organization should monitor “EMET alerts.” This activity can be integrated into the organization’s existing network defense operations. While EMET alerts can be ignored, the organization will lose a valuable source of threat information.
...
Attackers use the web, email, and other tricks to convince a user to open a Word, Excel, PowerPoint, PDF, and other documents. Once opened, the improperly formatted file causes the computer to run code (the attacker’s program) inside the file. EMET inhibits (malicious) code from running inside a data file.
..."

-

https://www.nsa.gov/ia/_files/os/Win_EMET/I43V_EMET_Rationale_v3.4.pdf
Quote: "...
Although a part of the Windows operating system, the mitigations are not generally enabled. EMET assures that these built-in mitigations are enforced and provides simple management of the mitigations. EMET also introduces additional mitigations not in the operating system for greater security.
...
EMET protects vulnerable software from memory corruption attacks, preventing malware from gaining a foothold within the Windows operating system. The layer of defense provided by EMET inhibits data exfiltration, data theft, and the theft of personally identifiable information (PII) resulting from the installation of malware.
Specifically, EMET provides three (broad) types of mitigations: system wide mitigations, application specific mitigations, and (new in EMET version 4.0) advanced mitigations. These mitigations and the protections they define represent the overall “attack surface” that EMET defends. The protection defined for each type of mitigation is described below.
...
EMET is part of a defense-in-depth strategy. As such, EMET has an important role in both the attack lifecycle and within the patch cycle. Namely, EMET is an important mitigation used in the exploitation stage, and a mitigation that reduces risk when a patch is not available.
..."

Glenn Møller

Anti-virus (e.g. Sophos) does not activate EMET features - anti-virus and EMET are complementary security tools:

Compatibility with Microsoft Enhanced Mitigation Experience Toolkit (EMET):
https://www.sophos.com/en-us/support/knowledgebase/120039.aspx

March 28, 2014, Sophos Antivirus and EMET:
http://lostflood.blogspot.dk/2014/03/sophos-antivirus-and-emet.html

November 11th, 2014, EMET – The Ultimate Installation and Deployment Guide:
https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
Quote: “…
The Enhanced Mitigation Experience Toolkit (EMET) is a free tool from Microsoft that incorporates advanced protection from attackers. The concept allows added protection from methods that hackers use to compromise systems through exploitation. If you are new to this, and aren’t super tech savvy and are looking to install EMET for your home or personal use (don’t worry! it’s easy!!!), skim down to the “Installing EMET Step-by-Step” tutorial located just a little bit down in this article.

For individuals new to EMET, the way it works is you first need to deploy EMET, baseline applications and create a template of what types of applications you want to cover within EMET. The big misconception for large organizations is that by deploying EMET, it will break everything. The truth of the matter is that EMET only protects what is specified, tested, and configured within your configuration profile (xml). You actually have to specify what applications you want to protect under EMET (there are common templates that include basic applications). TrustedSec has done a number of large-scale implementations for Enterprise customers with tens of thousands of assets – as long as the deployment is appropriately tested, EMET is relatively trivial and easy to deploy.

A couple items for explanation, the lower half section of “Running Processes” is the applications that are currently protected by EMET. Notice that in this screenshot we have not configured anything to be protected by EMET. By default, EMET will protect common applications such as Java, Adobe, and Internet Explorer. It does not however protect anything you do not specify other than the common applications. Since we previously specified “Use Recommended Settings” it will select the default applications just mentioned (Java/Adobe/Internet Explorer). We will want to change this shortly. Note that a protected application would have a green check mark under “Running EMET” on the lower right hand side.

The only time when you may want to deploy “Audit only” is when you are doing initial testing and are experiencing application crashes. EMET will notify you upon a time when it would traditionally block something from running vs. actually stopping it from running and you can fine tune EMET’s protections to not block a certain protection for normal application functionality.

For Enterprise users, and tech savvy folks, you will want to incorporate additional applications for added protection. This is highly recommended and a necessity for enterprise deployments.

If creating a template for your organization as a standard configuration for enterprises, TrustedSec recommends creating two separate templates, one for servers and another for workstations/endpoints.

To add a new application, you can simply select “Add Application” and point EMET to an executable you want protected. The way TrustedSec likes to break up protection mechanisms are as follows:

For enterprise users, there are two main deployment methods that work successfully for both small and large organizations. The first is handling configuration changes through your patch management software such as SCCM.

You can also manage EMET through group policy however the group policy settings are limited in nature and do not have the same granularity as utilizing the xml deployment methods.

A good article on group policy deployment can be found here http://windowsitpro.com/security/control-emet-group-policy. One major catch is also creating a scheduled task to perform an EMET_Conf -refresh upon logon to ensure the latest policies are pushed when a new user logs into their machine.

The second method, which is the most preferred, is to automatically refresh EMET policies via a scheduled task and a remote file share. In this case, you would configure EMET completely, test it with a pristine XML, then export it. You can do this either through the GUI or, when inside the EMET directory, you can just run:
…"

Glenn Møller

It sounds like a miracle:

Mar 14, 2014: IE11 w/ EMET Unhacked at Pwn2Own:
https://mspoweruser.com/ie11-w-emet-unhacked-at-pwn2own/
Quote: "...
An item which has been getting very little media attention is a $150,000 prize for exploiting Microsoft Windows Internet Explorer 11 running on 64-bit Windows 8.1, with the Enhanced Mitigation Experience Toolkit (EMET) turned on is still unclaimed.
..."

Jesper Ravn

EMET is certainly a good freeware tool for protection/hardening against e.g. zero-day exploits.

But good security consists of several layers, and therefore one should not regard EMET as a silver bullet today either.

For XP SP3 there is only support for EMET 4.x, which unfortunately has been bypassed by modern exploit kits.

Using EMET to Disable EMET
https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disab...

Angler Exploit Kit Evading EMET
https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite...

Widespread exploits evade protections enforced by Microsoft EMET
http://www.computerworld.com/article/3079826/security/widespread-exploit...

Glenn Møller

One could use Palo Alto Traps (AMP) (supplemented by EMET):
https://www.paloaltonetworks.com/resources/whitepapers/traps-for-windows-xp
(requires some kind of login to download the white paper)

Traps is also available for later Windows versions, including server versions:
https://www.paloaltonetworks.com/documentation/32/endpoint/endpoint-admi...
https://www.paloaltonetworks.com/products/secure-the-endpoint/traps

Claimed to use only 1% of the CPU.

Jørgen Henningsen

»For example, we have systems for refrigerators and elevator systems, as well as some microscope control, where the software in use cannot run on newer versions,«

Often the underlying protocols are also closed and proprietary. Unfortunately, that is the result of a lack of attention to the vendor lock-in problem.

Glenn Møller

Don't know whether this applies to Traps 3.2, which works on XP:

7 October, 2016, Palo Alto Networks Traps is certified as AntiVirus Replacement:
http://tesrex.com/palo-alto-networks/palo-alto-networks-traps-certified-...
Quote: "...
On Tuesday Palo Alto Networks announced that its Advanced Endpoint Security Solution, Traps, has received third-party PCI and HIPAA certification as a replacement for legacy AntiVirus.
..."
