A hacker who cracked into an NHS website three months ago has said it took him less than an hour to get through the out-of-date security.
Speaking exclusively to Sky News on the condition of anonymity, the teenager described the defences protecting the confidential details of thousands of patients as "vulnerable to basic attacks that have been around for years".
It comes as NHS security is being criticised for being susceptible to the widespread "ransomware" attack that is still causing problems in hospitals.
Barts Health NHS Trust, the largest NHS trust in the country, has said it was continuing to experience IT disruption, leading to delays and cancellations for patients.
It has advised the public to use other NHS services where possible.
A cyber security expert has also told Sky News there is "no reason" why the hackers would not launch another attack and warned: "It's going to be another tough week".
The huge hack also targeted organisations and companies worldwide, with up to 99 countries possibly affected, according to some researchers.
It is believed to be the biggest attack of its kind.
The hacker said he could have asked for a ransom when he gained access to the NHS database but, on this occasion, he got in touch with the administrator to offer his help.
"At the time, the NHS was under a lot of controversy in the media as some areas had been victim to state-sponsored hacking so I thought I would try and help them.
"It took me less than an hour to find the first vulnerability and the second one I found was extremely serious.
"I had access to anything on the server - patient records or virtually anything that was hosted on that server."
Sky News has seen the email chain between the hacker and the NHS administrator whom he helped to fix the issue.
It took around 12 hours for the NHS administrator to respond to the initial whistleblowing email and a further three hours for the hole in the system to be patched with the guidance of the hacker.
Although NHS web systems are overseen by NHS Digital, all trusts are responsible for their own IT systems and security.
The website that was hacked months ago is an affiliate of one of the NHS trusts that was badly affected by the weekend's cyberattack. It's unclear if the website itself was compromised again.
Speaking about the current large-scale attack, the hacker says the timing of the launch could give us clues as to what the culprits are like.
The untraceable crypto-currency Bitcoin was at a near all-time high when the criminals launched their ransomware, which implies an element of planning. However, the hackers did not ask for their payment in Bitcoin, but US dollars.
"I think (it shows) a lack of understanding from them. It doesn't make sense why they would do that because if they were after money then it would have made a lot more sense to demand the payment in actual Bitcoin."
The hacker also said the attack has angered many in his community and could explain why so many have given up their time to fight back and try to stop the virus spreading.
"I think it's extremely dangerous what they've done," he said. "They're putting people's lives at risk. It's just sad really."
Speaking to Sky News, Dr Markus Jakobsson, chief scientist at the cyber security firm Agari, said the malware strike had been shut off "temporarily", but added: "There is no reason why the attacker won't come back and decide to pull another one on us all.
"It's going to be another tough week I think."
He stressed the importance of organisations taking action to safeguard their data.
Dr Jakobsson said: "There's absolutely no excuse for any business not to have up-to-date systems. This is critical."
He added: "The real problem is that there's the human factor.
"People are making mistakes. Whether it's about not patching things like in this situation or clicking on things in emails.
"And the attackers know this very well and they take advantage of it in a very clever way.
"Psychology is against us in a sense."
He went on: "This is a watershed event and we need to fear what this will do to the trust of the infrastructure."