Exactly why people in power continue to advance the use of mediocre software, which leads to increasing insecurity, not to mention the loss of vital data and the endangering of lives, is beyond me. When hospitals are attacked, then lives are indeed in danger.
Before I continue let me say that one can write ransomware for other operating systems too – macOS, Linux, Android, iOS and the BSDs. But they are of no use to an attacker unless one can gain administrator status on a machine.
In the case of Windows, there are numerous components, which are part of the operating system and which cannot be removed, that are vulnerable. It is probably the main reason why nobody in authority at Microsoft ever mentions the word Windows these days.
True to form, the Victorian authorities have said nothing further about the ransomware attack; Australia is a country where the government is loath to disclose any details about anything at all that it fears would be embarrassing.
Few things are more on brand in security than shortening National Cybersecurity Awareness Month to NCSAM. pic.twitter.com/lJ09cyap5F— Kevin Beaumont (@GossiTheDog) October 7, 2019
Of course, there is plenty of money in the public purse to hire expensive consultants who will bill the Victorian Government tens of thousands a day to fix the problem. Victoria is always willing to dole out taxpayers' money – the most recent handouts went to the politicians themselves, with the Premier, Daniel Andrews, increasing his salary by more than $45,000.
At the end of it all, we will be told that things are back to normal. Local media will keep the focus on the Melbourne Cup and any other distraction. It has worked for decades.
This is the first time that a ransomware attack in Australia has been openly disclosed. But there are probably a good number more that are not disclosed. In the US, the first nine months of the year saw 621 ransomware attacks. In September, one private hospital, Wood Ranch Medical in California, had to shutter its doors after it was hit.
We have yet to hear even a word from Microsoft about these attacks. Doubtless, the end-user licence that accompanies Windows would have been bolstered in recent years to prevent any legal problems.
And, true to the adage that a sucker is born every minute, clueless officials will continue to invite Microsoft to participate in more and more programs and entrench its mediocre software even more in the infrastructure of the country.
When the question of insecure Microsoft software is raised, there are plenty of pundits who come out of the woodwork and advise people to update their systems. But nobody says a word about the cost of updating software at even a medium-sized business.
This is what a well-known security expert, Dave Aitel of Immunity, told me many years ago: "Patching is terribly expensive. You have to test and test to ensure that your applications all work after the patch. And then deploying a patch in a medium-sized firm will cost many hundreds of thousands. How many companies are prepared — or even have — this kind of money to spend on deploying a patch?"
Defenders of Microsoft — and the security industry loves products from Redmond for their businesses would be unable to rake in money at the rate they do were it not for the poor-quality products from the company — say that Windows is under attack only because it has such wide usage.
But, pray, what about Android then? It has nearly double the number of users that Windows has. One is yet to hear of any ransomware for Android.
No, the arguments for continuing to use Windows do not hold water. It is high time for businesses to seriously look at alternatives.