The Outdated XP Testimony on WannaCry to Congress

The Oversight Committee had a hearing on WannaCry last week. I won’t have time to watch the hearing for a few days, but I did read the testimony with some alarm. That’s because two of the four witnesses appear to have misstated one detail about the attack.

First, Symantec CTO Hugh Thompson suggested that the spread of the ransomware was due to Microsoft not releasing a patch for XP when it had released EternalBlue patches for other systems in March.

WannaCry spread to unpatched computers. Microsoft released a patch for the SMB vulnerability for Windows 7 and newer operating systems in March, but unpatched systems and systems running XP or older operating systems were unprotected. After the WannaCry outbreak began, Microsoft released a patch for XP and earlier platforms. Four days after the initial outbreak these patches were widely applied and new infections slowed to a trickle.

The implication here is that the ransomware primarily affected XP, and only because there hadn’t been a patch available.

Retired General Touhill suggested this outdated system was actually Windows 95 — and claimed that Microsoft had released that patch in March, along with the supported system patches.

Systems using unpatched versions of the Windows 95 operating system have been highlighted as exemplar victims of the Wannacry attack. Microsoft who, after a long and very public notification process, discontinued support to the Windows 95 operating system in 2014, about 19 years after its initial release. However, in light of the warnings and their own research, in March of this year Microsoft issued a rare emergency patch to Windows 95, nearly three years after they had discontinued support of the software. Despite these extraordinary actions, many organizations still did not heed the warnings and properly patch and configure their systems. As a result, they fell victim to Wannacry.

In fact, XP (to say nothing of Windows 95) was not the problem. Windows 7 was. Kaspersky Lab (which Congress has spent time of late demonizing as potential Russian spies) first pointed this out on May 19.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That’s according to Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there’s little question Windows 7 was overwhelmingly affected by WCry, which is also known as “WannaCry” and “WannaCrypt.” Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

The figures challenge the widely repeated perception that the outbreak was largely the result of end users who continued to deploy Windows XP, a Windows version Microsoft decommissioned three years ago. In fact, researchers now say, XP was largely untouched by last week’s worm because PCs crashed before WCry could take hold. Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn’t installed a critical security patch Microsoft issued in March

Days later Sophos confirmed that analysis.

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.


Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

It’s still a question of whether a victim patched their computer or not, but Microsoft did make a patch available for Windows 7 along with other supported systems. Though, as Sophos notes, unless users were paying extra for support, they might not have noticed the patch was there.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

That suggests one problem with the patching wasn’t the timeliness, but the secrecy. But, Congress might not learn that detail given the testimony they got last week.

Three days after the attack started, Homeland Security Czar Tom Bossert was still claiming WannaCry was spread via phishing. Now Congress is getting other debunked reporting.

We might respond better to these threats if the government was getting information that was at least as accurate as that information available to lowly hippie bloggers.

How Did Two CISA Beneficiaries and Numerous Agnostics Come to Support CISA?

When the Business Software Alliance released this letter a while back, I was perplexed.

In addition to its call for Congress to pass a set of designated bills, including ECPA reform, that would give assurances to international customers that US services weren’t more exposed to US spying, the letter also called for passage of cybersecurity sharing legislation.

Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.

As TechDirt noted, the letter didn’t name any particular cyber sharing bill, but there are three and all expand US government access to data. Even if some or all tech companies that make up BSA wanted such a bill it seemed odd to include in a call for legislation that would reassure international customers. I asked around and the impression was it was just convenience to include a CISA-type legislation (but why include it at all)?

So then Fight for the Future went to work. It got thousands of activists to complain to the companies directly about their stated support for a CISA-type legislation. And also announced their intention to stop using Heroku, which is part of Salesforce, as their host.

That led first Salesforce then BSA more generally to deny they had ever supported CISA. The BSA language pretended their original letter called for balanced legislation. And it also claimed to consistently advocate for strong privacy protections on such legislation — which of course they didn’t do in the letter.

There have been questions about our views of the current CISA legislation. For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity and Communications Integration Center (NCCIC) Act.

Consistent with this view, BSA’s September 14 data agenda letter to Congressional leaders identified five key areas where Congress can pass legislation to strengthen the policy environment around digital commerce, including voluntary information sharing, and highlighted the need for balanced legislation in this area.

BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.

We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.

All of raises more questions about how the endorsement for cyber sharing at a time when all the cyber sharing bills before Congress don’t balance privacy interests got into the letter.

Especially given the signatories. The signatories include companies — like Apple — that have fought hard to protect their customers’ privacy. It included several — notably Adobe and Siemens — that could significantly benefit from any kind of immunity, given that their products are among the most consistent targets of hacks. Most interesting, it includes several companies — including IBM and Symantec — that will benefit when a CISA bill makes it easier for cybersecurity contractors to get more data with which to serve customers.

Indeed, the language from the original bullet support cyber sharing — “enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat” — might well describe how cybersecurity contractors will get a boost from CISA.

Some members of BSA probably do, individually, support CISA for the immunity and data it would give them. Others neither need it nor want the stigma.

So how did it get in this letter?