Leaked NSA Hacking Tool On Global Ransomware Rampage

from the who-trusts-the-nsa? dept

Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.

And here we are. With a global ransomware rampage, referred to as "WannaCry", putting tons of people at risk, thanks to leaked NSA malware:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks — which has been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. This was among those that were quietly patched by Microsoft back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims -- including the National Health Service Hospitals in the UK -- are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Thus, there's some debate online about whether the "problem" here is organizations who don't upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days -- especially for large organizations with IT staff who should know better.

At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:

  1. The NSA's dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it's quite clear that the offensive capabilities are valued much more than the defensive ones -- and that's a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
  2. Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a "safe" way, where only government will get the backdoor access to encryption. The fact that some of the NSA's most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the "going dark" debate. But it won't. It's not safe, but many in the law enforcement community, in particular, are in denial about this.

These problems are not new. Hell, we've been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.

Reader Comments

  1. TechDescartes (profile), 12 May 2017 @ 8:07pm

    NSA: The Best Defense is a Good Offense

    Which is why Shadow Brokers stole your toolkit.

  2. Anonymous Coward, 12 May 2017 @ 8:27pm

    What about liability?

    What, if any, liability does the U.S. Government now face?
    We're looking at not just financial loss, but potentially injury and loss of human life, as well.

  3. afn29129 (profile), 12 May 2017 @ 8:40pm

    Re: What about liability?

    Two words: Sovereign immunity.
    "In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. The United States as a sovereign is immune from suit unless it unequivocally consents to being sued." Or in other words: the king is untouchable.

  4. Anonymous Coward, 12 May 2017 @ 8:47pm

    Patched 2 months ago, but too many people and companies don't apply the free updates.

    Don't blame the NSA for bad system management.

  5. Anonymous Coward, 12 May 2017 @ 9:30pm

    Re: Re: What about liability?

    However we quite frequently seize assets of foreign countries in lawsuits.

  6. Anonymous Coward, 12 May 2017 @ 9:43pm

    Re:

    We aren't. We are blaming them for creating tools to mass exploit vulnerabilities and claiming that they need more vulnerabilities to exploit in order to prevent cyber attacks they are now complicit in assisting. ._.

  7. Lionel Messi, 12 May 2017 @ 10:18pm

    The best offense in soccer . . .

    is to keep possession of IT.

  8. mhajicek (profile), 12 May 2017 @ 10:25pm

    Saying you can make backdoors that only good guys can use is like saying you can make bullets that only good guys can fire.

  9. Anonymous Coward, 12 May 2017 @ 10:48pm

    Re:

    Blame Microsoft, and their NSA friends, for bad systems.

  10. Anonymous Coward, 12 May 2017 @ 10:51pm

    Forget about patching. Windows is malware. Upgrade:

    https://www.linuxmint.com/

  11. Anonymous Coward, 12 May 2017 @ 10:54pm

    If _only_ there was a law!

    If only there were a law that required the US Government to coordinate with computer vendors to disclose vulnerabilities so they could get fixed. We should immediately pass such a law and insist that all government agencies obey it and send any that do not to federal "pound you in the ass" prison.

    Oh - wait. Yeah, there is such a law.

    Oh well, because -terrorism- yeah, makes it acceptable to break our own laws.

    Because nothing says "love" quite like mocking your own laws while others seek to expose your own hypocrisy and unethical/illegal actions.

    Honor isn't what others think of you - it's what you know of the justice of your own actions. And America is seriously lacking in Honor these days.

  12. Mononymous Tim (profile), 13 May 2017 @ 12:59am

    Obviously if there were laws mandating back doors in encryption, this would be a non-issue. The government would just decrypt everything for us. Hellooo!!

    *cough*BS!*cough*

  13. NSA, 13 May 2017 @ 1:20am

    Not our fault! It's the terrorists!

  14. GristleMissile (profile), 13 May 2017 @ 1:50am

    Re:

    There are actually people attempting to make "smart" guns to do that. OFC, they don't realise they're just adding extra failure modes to something you want to be as reliable as possible.

    The modern revolver has been around for over 150 years, and most likely will be around for several hundred more just because it is as simple and reliable as possible.

  15. Anonymous Coward, 13 May 2017 @ 2:39am

    Re:

    Which ones, yours or theirs?

  16. Anonymous Coward, 13 May 2017 @ 3:16am

    History

    Those who fail to learn from history get jobs at the NSA.

  17. Jim, 13 May 2017 @ 4:39am

    Re: Re:

    Don't blame MS for an NSA-unreported hole in security. Just blame me for delaying delivery of patches for the consumer. Not everyone gets patches at the same time. That would mean that the MS servers would have to be on 24 x 7; they aren't. And don't blame the consumer for not leaving their system on 24 x 7 to receive patches. They want to use their system eventually to post on Facebook or read the latest news.

  19. Anonymous Coward, 13 May 2017 @ 4:40am

    The NSA link seems to be missing from many mainstream media reports. Wonder why.

  20. Anonymous Coward, 13 May 2017 @ 4:44am

    Re:

    You might want to advertise a distro that doesn't have a history of distributing malware and poor security defaults. Debian or an official Ubuntu derivative are better choices.

    https://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/

  21. Anonymous Coward, 13 May 2017 @ 4:51am

    Re: If _only_ there was a law!

    These days equal the amount of time we have been waging unending, undeclared war against concepts like terrorism.

  22. Anonymous Coward, 13 May 2017 @ 5:03am

    here is what happens when nsa pays bill gates for backdoors. like making all humans having same dna.

    just wait till some schmuck sends nsa own virus to nuke plant.

  23. Anonymous Coward, 13 May 2017 @ 5:13am

    Blame it on the Russians.

  24. 1eyed Jack, 13 May 2017 @ 5:34am

    Re: It's Good to be King

    yeah, but Americans have the sacred right-to-vote ... and can just leash or get rid of the NSA at the ballot box.

    oh wait, the NSA was created by a secret Presidential Executive Order in direct violation of all that constitutional and democracy stuff.
    Citizens have effectively zero control over the NSA.
    US Presidents, Congressmen, and Supreme Court Justices often act as unaccountable sovereigns and usually get away with it.

    ... never mind

  25. Anonymous Coward, 13 May 2017 @ 5:57am

    missing budget

    It's not the IT staff who should know better, it's the missing budget. Medical care uses a lot of special software, often software which has to be certified and may run only on specific PCs (example: DICOM and PACS). Certification processes are expensive and very slow, i.e. you might have to wait a few years to get certified software for your current OS. Each OS upgrade is a quite expensive adventure. Simply blaming hospital IT staff without any further research is a sign of ignorance.

    BTW, I'm not a member of a hospital's IT staff. Just happen to know a few things about that topic.

  26. Anonymous Coward, 13 May 2017 @ 6:10am

    Re: Re:

  27. Anonymous Coward, 13 May 2017 @ 6:18am

    Re: What about liability?

    Third party liability?

  28. Anonymous Coward, 13 May 2017 @ 6:21am

    Re:

    and this is proof their "good guys" rationale is complete bullshit.

  29. Filipescu Mircea Alexandru, 13 May 2017 @ 6:28am

    Encryption backdoors anyone?

    Sooo... how's the fight against encryption going? Like Miss Amber Rudd's plan to introduce government backdoors into every secure piece of software, which as this shows will be magically used only by the good guys to keep us safe!

  30. Anonymous Coward, 13 May 2017 @ 7:55am

    The problem with "Best defence is a good offence"

    It only works if the only thing that matters is if you are ahead in the end. What the heck is so great about winning a "war" when all that is left, is rubble on both sides?

    But by all means, let's forget the real crooks here who made it all possible in the first place, and then wonder in amazement about the bad hackers being bad and possibly use it to make us even more vulnerable. That is the NSA/government style we are used to by now.

  31. Dave Cortright (profile), 13 May 2017 @ 8:59am

    The timeline of events is an important point

    Microsoft ended support for Windows XP on April 8, 2014. My brief search didn't turn up an estimate of when the NSA developed ETERNALBLUE, but given the age of some of the other leaks, I'm betting it would have been before the XP EOL. So basically the NSA *ensured* that XP would always be vulnerable by withholding this information from Microsoft. Assholes.

  32. Quick Brown Fox, 13 May 2017 @ 9:24am

    Re: The timeline of events is an important point

    While it is true that Microsoft ended support for Windows XP in April 2014, some business users entered into contracts with Microsoft for security updates well past that date. For example, the U.S. Navy contracted with Microsoft to extend its XP support until 2017.

    Also, several news sources reported in 2014 that "Windows Embedded Industry" users would have continued security updates for XP until April 2019. Other users could hack the registry to trick Windows into thinking it was part of the "Windows Embedded Industry" and thus receive free updates.

    As Forbes magazine's blog stated on May 27, 2014, "...clearly, there is nothing more difficult to kill than Windows XP."

  33. Anonymous Coward, 13 May 2017 @ 9:45am

    Re: The timeline of events is an important point

    At least Microsoft have released a patch for unsupported OSes.

  34. ItAintJusttheToolItsThePublicity, 13 May 2017 @ 10:35am

    So what about Google or Wikileaks

    For all the hate directed at the NSA, which rightfully should fall on them (or more likely their Booz Allen contractors, which have been the Human Relations security hole).

    What about Google who exposes very publicly any holes they find which helps marketing their brand or Wikileaks that leaked this info to begin with?

    Just saying double standards and all that Google and Wikileaks play a role here for exposing what others pick up and use and that they should be in the cross hairs for any animus as well.

  35. Anonymous Coward, 13 May 2017 @ 11:02am

    Re: Re: It's Good to be King

    " in direct violation of all that constitutional and democracy stuff. "

    Additional information is needed here, how exactly is an EO and or a TLA creation a violation of the constitution?

  36. Anonymous Coward, 13 May 2017 @ 11:07am

    Attack the maker of the tool?

    Isn't this like saying gun manufacturers are responsible for what people do with the guns they purchase?

    No wait, it is the guns that get stolen they are responsible for - right?

    Should the makers of tools be held accountable for any and all potential use/abuse of same?

  37. William Braunfeld (profile), 13 May 2017 @ 11:55am

    Re:

    The police union(s) trying to sue toy makers for making "realistic" guns certainly think so.
    In reality, this is more like someone making a master key for gun storage lockers, and said key being stolen. The concern is, we shouldn't be making such keys in the first place if we want our gun lockers to be secure.

  38. Anonymous Coward, 13 May 2017 @ 12:52pm

    Re: Re:

    It was compromised for one day. Once. And checking the MD5 would have found it. Mint is the best choice for current MS users wanting to dip a toe.

  39. Jeffrey Nonken (profile), 13 May 2017 @ 1:24pm

    https://m.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

    Assuming Wannacrypt is just another name for Wannacry, looks like MS has actually stepped up to the plate on this one. Well done.

  40. Anonymous Coward, 13 May 2017 @ 1:36pm

    Re:

    Isn't this like saying gun manufacturers are responsible for what people do with the guns they purchase?

    Well.... There is this little thing that guns do have some valid uses - protection and hunting.

    A root kit... any valid uses?

  41. AEIO_ (profile), 13 May 2017 @ 2:00pm

    Re: Re:

    "A root kit... any valid uses?"

    Why of COURSE! Just ask Sony!

    (If you don't know: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal )

    It's also great if you're ALWAYS forgetting those pesky authentication codes on systems that you don't own.

  42. stine, 13 May 2017 @ 2:11pm

    Re: The timeline of events is an important point

    According to Dan Goodin at Ars Technica, Microsoft has released patches for XP and Server 2003 for WannaCrypt.

    I've just installed it successfully on a Server 2003 system (that's well overdue for replacement).

  43. stine, 13 May 2017 @ 2:19pm

    Re: So what about Google or Wikileaks

    So... what you're saying is that when Google announces that they notified Microsoft about a vulnerability 90 days ago, and Microsoft hasn't patched it yet, that it's Google's fault that the patch hasn't been released?

    Think again.

  44. Unanimous Cow Herd, 13 May 2017 @ 3:49pm

    Re: Re:

    Let the Distro Wars commence! Go team Linux! Go! Go! Team Linux!

  45. Anonymous Coward, 13 May 2017 @ 5:12pm

    EOL operating systems really should come with nagware that encourages upgrades.

    I really wonder if there shouldn't be an expiry date after which the OS is effectively hobbled until replaced.

  46. Anonymous Coward, 13 May 2017 @ 5:20pm

    Re: Re: Re:

    > compromised for one day

    The problem goes beyond that. Kernel updates are disabled by default. There's no excuse for putting users at risk. Consider Ubuntu MATE; it's the same desktop environment with sane security defaults.

    http://www.techrepublic.com/article/linux-mint-18-improves-security-mostly/

  47. Rekrul, 13 May 2017 @ 5:47pm

    Re: Re: The timeline of events is an important point

    As Forbes magazine's blog stated on May 27, 2014, "...clearly, there is nothing more difficult to kill than Windows XP."

    Maybe people just want a mainstream OS without built in spyware.

  48. Rekrul, 13 May 2017 @ 6:00pm

    Re:

    EOL operating systems really should come with nagware that encourages upgrades.

    I really wonder if there shouldn't be an expiry date after which the OS is effectively hobbled until replaced.

    The problem with that is that newer versions of an OS aren't 100% backwards compatible with older software. If a user has spent money over the years on software that will only work on an older OS, what right does anyone have to tell them that they must effectively throw that software in the trash? Not every program gets updated and even if they do, newer versions aren't always better.

    Then there's the issue of all the spyware that MS crammed into Win10, some of which I've read is virtually impossible to disable. There were even reports that they were pushing updates to Win7/8 that included a lot of the same crap, and making it impossible to refuse individual updates for those systems without refusing the entire pack.

    Is it reasonable to expect a user to surrender all their privacy and control of their system in exchange for some security?

  49. Anonymous Coward, 13 May 2017 @ 6:02pm

    Re: Good to be King

    The Constitution does not authorize a President to create a major new Federal department, bypassing Congress (separation of powers).

    Truman's October 1952 secret 7-page memo (not even a formal Executive Order) created the super secret NSA. Even the NSA name was initially classified... Truman's memo that acted as the agency's charter remained secret for decades.

    The executive branch secretly creating a big new government agency vested with extremely broad and unaccountable powers... is not how representative democracy or the American constitutional system works. Few Congressmen knew of the NSA, its activities, or budget.

    "No statute establishes the NSA or defines the permissible scope of its responsibilities" stated former Senate intelligence committee chairman Frank Church-- " The CIA, on the other hand, was established by Congress under a public law, the National Security Act of 1947, setting out that agency's legal mandate as well as the restrictions on its activities. "

  50. Rekrul, 13 May 2017 @ 6:05pm

    Indeed, as some are reporting, some of the victims -- including the National Health Service Hospitals in the UK -- are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

    Ironically, while the linked Motherboard article mentions that the hospitals still running XP may be in breach of data protection laws, upgrading to Win10 would probably put them in breach of patient confidentiality laws as the OS sends information on everything they do back to MS. Even using Win7/8 may breach the laws as MS has reportedly introduced similar tracking into those versions of Windows as well.

  51. Anonymous Coward, 13 May 2017 @ 6:19pm

    Re: Re: It's Good to be King

    Great, so I will just vote for the *other* party which supports the NSA.

  52. Anonymous Champion, 13 May 2017 @ 6:58pm

    and I bet Windows forced ten is also to blame here

    and I bet Windows forced ten is also to blame here... if you didn't have Microsoft trying to do what they did the last 6 months or so, a lot more people might have upgraded and been fine...

    I decided to try the Windows 7 update and guess what, not only working... no foolishness on MS's part...

    today was a good day to do your upgrading... my bet is they absolutely won't try any crap after this incident, at least today and for a lil while till the news dies off.

  53. Lucas, 13 May 2017 @ 8:52pm

    Re: NSA: The Best Defense is a Good Offense

    And this is the question I am thinking about.

  54. Anonymous Coward, 13 May 2017 @ 11:54pm

    Re: Re: Re: Re:

    The problem goes beyond that. Kernel updates are disabled by default. ....

    What?? I run Mint on one of my machines, and Mint patches and updates its kernel as required for security fixes. What it does not do, in common with many distros that value stability, is update the system to the latest kernel automatically.

  55. Seegras (profile), 14 May 2017 @ 2:03am

    Re: NSA: The Best Defense is a Good Offense

    "The Best Defense is a Good Offense" is completely bogus in this environment.

    Because every zero-day you know is, at the same time, a vulnerability.

    You think it's nice to be able to penetrate systems at will for your surveillance wants? Well, you're putting your hospitals, electrical grid, power plants, all other government agencies, the military, everything at risk at the same time.

    You can only choose to have everyone vulnerable or nobody.

  56. Anonymous Champion, 14 May 2017 @ 6:27am

    new version now ...no kill switch

    enjoy

  57. Anonymous Coward, 14 May 2017 @ 10:46am

    Re: Re: Good to be King

    Which the CIA just ignores and funds itself through cocaine imports and elimination of competing drug cartels.

  58. Anonymous Coward, 14 May 2017 @ 5:16pm

    Re: Re:

    If that's the case, don't cry when your out-of-date OS gets hacked, even if it is by the gubbermint.

  59. JMT (profile), 14 May 2017 @ 11:16pm

    Re:

    So in your simplistic worldview blame can only be attributed to one party? Plenty of blame to go around here, and a big chunk of it goes to the NSA for the reasons clearly explained in the article.

  60. Anonymous Coward, 15 May 2017 @ 12:18am

    Re: Re: Re:

    Don't forget that upgrading Windows means upgrading all DRMed applications, if you can get new versions, and for some, like Adobe, switching to a subscription-based cloud service.

    Unlike Linux, upgrading a Windows OS requires careful planning to ensure that you do not end up losing the use of some application, anywhere it may not be possible to find a replacement. This situation is not helped by the inability to run older versions of languages and libraries in parallel in Windows. The situation can be even worse if Windows is used in some medical or industrial equipment and any associated workstations, where the only way to upgrade can be to replace everything.

    There are mi££ion$ of reasons why some institutions are stuck on XP.

  61. PaulT (profile), 15 May 2017 @ 12:57am

    Re:

    "Patched 2 months ago, but too many people and companies don't apply the free updates."

    There are multiple reasons for that, ranging from underfunded agencies being unable to afford decent system management to the fact that most experienced Windows admins have experienced failures due to routine patching, so need to spend much more time testing & rolling out patches to large organisations. Victim blaming might be fun, but there's a lot of factors involved in the real world.

    "Don't blame the NSA for bad system management."

    Can we blame them for creating tools to easily exploit the known vulnerabilities, (presumably) asking Microsoft to keep the specifics and priority quiet when they patched it, and allowing the tool to be leaked?

    The NSA might not deserve 100% of the blame, but they own their well deserved chunk of it.

  62. Anonymous Coward, 15 May 2017 @ 5:56am

    The big issue here is stockpiling. It's pretty much expected for any Intelligence Agency to have exploits and use them (legal issues such as warrantless wiretapping aside) - within a reasonable timeframe.

    But to gather up years worth (at which point they're likely leaked / also known to third parties) of undisclosed exploits pretty much "just in case"!?

    To make the explosives analogy, that's like insisting we leave old WW2 shells & landmines buried in the ground, you know, just in case ...

    Sure, THIS particular exploit happened to be leaked, but many others are still out there and there's an army of young and hungry (in more ways than one) Russian & Chinese hackers hammering away at the exact same systems. Unfortunately that means many of those unknown exploits won't stay hidden for too long.

  63. Wendy Cockcroft, 15 May 2017 @ 5:58am

    Re: Re: Re: Good to be King

    So, in order to defund the CIA you have merely to stop smoking crack and snorting coke? Why has nobody thought of it before?

  64. Anonymous Coward, 15 May 2017 @ 12:30pm

    Re: Re: NSA: The Best Defense is a Good Offense

    "The Best Defense is a Good Offense" is completely bogus in this environment. Because every zero-day you know is, at the same time, a vulnerability.

    The NSA, knowing about these offensive exploits, can defend their computers against them.

  65. Anonymous Coward, 16 May 2017 @ 7:47am

    Re: Re: The timeline of events is an important point

    How can you know you haven't installed an NSA backdoor?

  66. The Wanderer (profile), 17 May 2017 @ 4:02am

    Re: Re: Re: NSA: The Best Defense is a Good Offense

    The NSA, knowing about these offensive exploits, can defend their computers against them.

    How?

    In this case, the only fix I've seen reported is to install a patch from Microsoft.

    That patch only exists because Microsoft was notified about the vulnerability. No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).

    If the NSA notifies Microsoft about the vulnerability, the patch for it will be released publicly, thereby both notifying the public about the vulnerability and enabling the public to close it - meaning that the NSA won't be able to rely on using the vulnerability to get in.

    If the NSA does not notify Microsoft about the vulnerability, no patch will be created (until such time as someone else finds and reports the same vulnerability), and so the NSA will not be able to secure their own Windows computers.

    Is there a hole in that logic somewhere?

  67. PaulT (profile), 17 May 2017 @ 4:28am

    Re: Re: Re: Re: NSA: The Best Defense is a Good Offense

    "No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera)."

    I'd stop there and just say that it's certainly possible for a 3rd party patch to be created and installed, although it's not as easy if you don't have the source to hand. The NSA will certainly have people available with the necessary skills. It's also likely that the NSA would be able to have some agreement with Microsoft to have access to the signing keys for various reasons. They could hack the OS or just choose to use something more secure for anything that would be non-trivial if compromised.

    Either way, in this particular case it's possible to guard against the vulnerability without doing anything to code:

    "In this case, the only fix I've seen reported is to install a patch from Microsoft."

    The vulnerability exists on SMB v1, which you can disable if not required, and I believe can be removed completely in Windows 10. The patch stops the vulnerability from being present in the service, but as with all optional services the best advice is always to remove anything not required. If simply disabled, the service can be re-enabled by attackers if they gain access in other ways.

    In fact, one of the reasons why Microsoft has such a poor security reputation is that their systems usually had services installed and enabled by default that had no business being on a machine for 95% of use cases. Older versions of Windows became exponentially more secure just by changing the default running services and applying a few additional security measures; it's just that Windows admins of the time neither knew nor cared about security above convenience.

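The mitigation PaulT describes above (turn SMBv1 off where it is not needed, and on Windows 10 remove the feature outright rather than merely disabling it), as an added PowerShell example that is not part of the thread or of any commenter's work. The function names Get-Smb1Status and Disable-Smb1 are mine; the cmdlets and the sc.exe service-dependency commands are Microsoft's own, and the block assumes an elevated prompt on Windows 8/Server 2012 or later (the SMB1Protocol optional feature only exists on Windows 10/Server 2016 and later, so that step is skipped elsewhere).

```powershell
#Requires -RunAsAdministrator
# Added example: audit and remove SMBv1 on a Windows host. Not from the thread.
# Run from an elevated PowerShell prompt.

function Get-Smb1Status {
    # Report the current SMBv1 posture of this host (server side, client driver,
    # optional-feature state on Windows 10/2016+, and whether 445/tcp is listening).
    $server    = Get-SmbServerConfiguration
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $clientDrv = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        FeatureState      = if ($feature)   { $feature.State }     else { 'NotApplicable' }
        ClientDriverStart = if ($clientDrv) { $clientDrv.StartType } else { 'NotPresent' }
        Port445Listening  = [bool]$listening
    }
}

function Disable-Smb1 {
    param(
        # On Windows 10/Server 2016+, also uninstall the SMB1Protocol optional feature.
        [switch]$RemoveFeature
    )

    # Step 1: switch off the SMBv1 server protocol. This is a runtime setting, so an
    # attacker who already has admin on the box can flip it back; it is a stopgap, not removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Step 2: stop the SMBv1 client driver loading, so this host cannot be coaxed into
    # speaking SMBv1 outbound either. These two commands are Microsoft's documented method
    # for the legacy client driver: drop mrxsmb10 from the workstation service's dependencies,
    # then disable the driver service itself.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Step 3 (optional, Windows 10/Server 2016+): remove the feature entirely, which is the
    # "remove, don't just disable" point. Takes full effect after the next reboot.
    if ($RemoveFeature) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -ne 'Disabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # Return the post-change state so the caller can verify rather than trust.
    Get-Smb1Status
}

# Usage: review first, then act.
Get-Smb1Status | Format-List
# Disable-Smb1 -RemoveFeature | Format-List
```

Before running the second step on a fleet, inventory what still depends on SMBv1 (old multifunction printers, NAS boxes and scanners, and any remaining XP or Server 2003 hosts typically do), because after this change those devices can no longer talk to the patched machine. The status function is deliberately separate so the same script can be used read-only across an estate to find hosts where SMBv1 is still enabled or still listening on 445.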

  68.
    The Wanderer (profile), 17 May 2017 @ 7:21am

    Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense

    Hmm. Thanks for the note; I'd heard suggestions of the problem being specific to SMBv1, but even Microsoft's own article on the subject didn't seem to be explicit that this was SMBv1 only and that other versions of SMB are not vulnerable, so I didn't trust that as being a fix. (If you have a source for an explicit statement that this is only a hole in SMBv1, I'd appreciate a link.)

    If it's confirmed that only SMBv1 has the problem, then that does simplify things considerably, and would have let the NSA secure their own systems without needing to touch the question of hacking together a third-party patch (and dodging code signing enforcement, in whatever form it may be in place).


  69.
    PaulT (profile), 17 May 2017 @ 7:48am

    Re: Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense

    "(If you have a source for an explicit statement that this is only a hole in SMBv1, I'd appreciate a link.)"

    The official patch notes only specify that version 1 is affected, so I believe that's good enough for me. I think there was a rumour about v2 also being affected that was later debunked, but I can't seem to see any sources at a quick glance.

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Generally speaking, we got lucky this time. I don't believe the attack was particularly targeted, patches were immediately available when the attack started, someone accidentally managed to trigger the payload's kill switch and it was well enough broadcast that most vulnerable computers were patched before the killswitch-free version was released.

    We won't be so lucky next time, but I think you can pretty much guarantee that the NSA are always working on their own protective measures. I'd say that would include bespoke patches where workarounds aren't available.


  70.
    The Wanderer (profile), 17 May 2017 @ 8:21am

    Re: Re: Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense

    That's the Microsoft article I read, but I didn't spot an explicit statement that only v1 was affected; I saw it as being implied by parts of the phrasing I don't remember (I'm currently on a computer which is configured in a way that doesn't load most Microsoft pages correctly, and I don't feel like undoing and redoing that configuration just at the moment, so I can't double-check right now), but not stated explicitly. That's why I didn't bother pushing to only disable SMBv1 in my organization, rather than an emergency deployment of the patch. (I'm working on getting regular, timely patch deployments going, but that implementation has been stalled by factors out of my control, including bureaucratic obstacles. We may hope that they clear out of the way somewhat after this incident.)

    I agree that we got lucky this time, for all the reasons you cite.


