Leaked NSA Hacking Tool On Global Ransomware Rampage

from the who-trusts-the-nsa? dept

Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.

And here we are, with a global ransomware rampage, referred to as “WannaCry,” putting tons of people at risk, thanks to leaked NSA malware:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks, which has been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast, has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by the Shadow Brokers. The flaw it exploits was among those that Microsoft quietly patched back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims — including the National Health Service hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Thus, there’s some debate online about whether the “problem” here is organizations who don’t upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days — especially for large organizations with IT staff who should know better.

At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:

  1. The NSA’s dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it’s quite clear that the offensive capabilities are valued much more than the defensive ones — and that’s a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
  2. Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a “safe” way, where only government will get the backdoor access to encryption. The fact that some of the NSA’s most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the “going dark” debate. But it won’t. It’s not safe, but many in the law enforcement community, in particular, are in denial about this.

These problems are not new. Hell, we’ve been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.


Comments on “Leaked NSA Hacking Tool On Global Ransomware Rampage”

70 Comments
Seegras (profile) says:

Re: NSA: The Best Defense is a Good Offense

“The Best Defense is a Good Offense” is completely bogus in this environment.

Because every zero-day you know is at the same time a vulnerability.

You think it’s nice to be able to penetrate systems at will for your surveillance wants? Well, you’re putting your hospitals, electrical grid, power plants, all other government agencies, the military, everything at risk at the same time.

You can only choose to have everyone vulnerable or nobody.

The Wanderer (profile) says:

Re: Re: Re: NSA: The Best Defense is a Good Offense

The NSA, knowing about these offensive exploits, can defend their computers against them.

How?

In this case, the only fix I’ve seen reported is to install a patch from Microsoft.

That patch only exists because Microsoft was notified about the vulnerability. No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).

If the NSA notifies Microsoft about the vulnerability, the patch for it will be released publicly, thereby both notifying the public about the vulnerability and enabling the public to close it – meaning that the NSA won’t be able to rely on using the vulnerability to get in.

If the NSA does not notify Microsoft about the vulnerability, no patch will be created (until such time as someone else finds and reports the same vulnerability), and so the NSA will not be able to secure their own Windows computers.

Is there a hole in that logic somewhere?

PaulT (profile) says:

Re: Re: Re:2 NSA: The Best Defense is a Good Offense

“No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).”

I’d stop there and just say that it’s certainly possible for a 3rd party patch to be created and installed, although it’s not as easy if you don’t have the source to hand. The NSA will certainly have people available with the necessary skills. It’s also likely that the NSA would be able to have some agreement with Microsoft to have access to the signing keys for various reasons. They could hack the OS or just choose to use something more secure for anything that would be non-trivial if compromised.

Either way, in this particular case it’s possible to guard against the vulnerability without doing anything to code:

“In this case, the only fix I’ve seen reported is to install a patch from Microsoft.”

The vulnerability exists in SMB v1, which you can disable if not required, and I believe can be removed completely in Windows 10. The patch stops the vulnerability from being present in the service, but as with all optional services the best advice is always to remove anything not required. If simply disabled, the service can be re-enabled by attackers if they gain access in other ways.

In fact, one of the reasons why Microsoft has such a poor security reputation is that their systems usually had services installed and enabled by default that had no business being on a machine for 95% of use cases. Older versions of Windows became exponentially more secure just by changing the default running services and applying a few additional security measures; it’s just that Windows admins of the time neither knew nor cared about security above convenience.
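A way to audit and apply the mitigation PaulT describes above (turn off SMBv1, remove the component where the OS allows it, and check whether the MS17-010 update is present), as an added PowerShell example that is not part of this thread. It assumes Windows 8 / Server 2012 or later for the Smb* and *-WindowsOptionalFeature cmdlets, falls back to the LanmanServer registry value on Windows 7 / 2008 R2, and uses a placeholder KB list that the admin fills in from the MS17-010 bulletin for their build.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Placeholder: replace with the hotfix IDs listed in the MS17-010 bulletin for this OS build.
$Ms17010Kbs = @('KB<from-MS17-010-bulletin>')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Returns one object describing the three things that matter for this exposure.
    $state = [ordered]@{}
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: a missing SMB1 value means the protocol is enabled.
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $state.ServerSmb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        $state.Smb1FeatureInstalled = [bool]($feat -and $feat.State -eq 'Enabled')
    }
    $state.Ms17010Installed = [bool](Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    [pscustomobject]$state
}

function Disable-Smb1 {
    # Step 1: stop the server service from speaking SMBv1 (older builds need a reboot).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Step 2: remove the component where supported, so that an intruder who later
    # gains access cannot simply flip the setting back on (PaulT's point above).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$before = Get-Smb1Status
$before | Format-List
if ($before.ServerSmb1Enabled -or $before.Smb1FeatureInstalled) { Disable-Smb1 }
if (-not $before.Ms17010Installed) {
    Write-Warning 'MS17-010 not found: removing SMBv1 closes the exposed service, but install the update as well.'
}
Get-Smb1Status | Format-List
```

The script only covers the server side of SMBv1; reboot afterwards on builds where the change is not applied live, and re-run it to confirm both flags read False.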

The Wanderer (profile) says:

Re: Re: Re:3 NSA: The Best Defense is a Good Offense

Hmm. Thanks for the note; I’d heard suggestions of the problem being specific to SMBv1, but even Microsoft’s own article on the subject didn’t seem to be explicit that this was SMBv1 only and that other versions of SMB are not vulnerable, so I didn’t trust that as being a fix. (If you have a source for an explicit statement that this is only a hole in SMBv1, I’d appreciate a link.)

If it’s confirmed that only SMBv1 has the problem, then that does simplify things considerably, and would have let the NSA secure their own systems without needing to touch the question of hacking together a third-party patch (and dodging code signing enforcement, in whatever form it may be in place).

PaulT (profile) says:

Re: Re: Re:4 NSA: The Best Defense is a Good Offense

“(If you have a source for an explicit statement that this is only a hole in SMBv1, I’d appreciate a link.)”

The official patch notes only specify that version 1 is affected, so I believe that’s good enough for me. I think there was a rumour about v2 also being affected that was later debunked, but I can’t seem to see any sources at a quick glance.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Generally speaking, we got lucky this time. I don’t believe the attack was particularly targeted, patches were immediately available when the attack started, someone accidentally managed to trigger the payload’s kill switch and it was well enough broadcast that most vulnerable computers were patched before the killswitch-free version was released.

We won’t be so lucky next time, but I think you can pretty much guarantee that the NSA are always working on their own protective measures. I’d say that would include bespoke patches where workarounds aren’t available.

The Wanderer (profile) says:

Re: Re: Re:5 NSA: The Best Defense is a Good Offense

That’s the Microsoft article I read, but I didn’t spot an explicit statement that only v1 was affected; I saw it as being implied by parts of the phrasing I don’t remember (I’m currently on a computer which is configured in a way that doesn’t load most Microsoft pages correctly, and I don’t feel like undoing and redoing that configuration just at the moment, so I can’t double-check right now), but not stated explicitly. That’s why I didn’t bother pushing to only disable SMBv1 in my organization, rather than an emergency deployment of the patch. (I’m working on getting regular, timely patch deployments going, but that implementation has been stalled by factors out of my control, including bureaucratic obstacles. We may hope that they clear out of the way somewhat after this incident.)

I agree that we got lucky this time, for all the reasons you cite.

afn29129 (profile) says:

Re: What about liability?

Two words: Sovereign immunity.
“In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit.[2] The United States as a sovereign is immune from suit unless it unequivocally consents to being sued.” Or in other words; The king is untouchable.

1eyed Jack says:

Re: Re: It's Good to be King

yeah, but Americans have the sacred right-to-vote … and can just leash or get rid of the NSA at the ballot box.

oh wait, the NSA was created by a secret Presidential Executive Order in direct violation of all that constitutional and democracy stuff.
Citizens have effectively zero control over the NSA.
US Presidents, Congressmen, and Supreme Court Justices often act as unaccountable sovereigns and usually get away with it.

… never mind

Anonymous Coward says:

Re: Re: Re:2 Good to be King

Constitution does not authorize a President to create a major new Federal department, bypassing Congress (separation of powers).

Truman’s October 1952 secret 7-page memo (not even a formal Executive Order) created the super secret NSA. Even the NSA name was initially classified… Truman’s memo that acted as the agency’s charter remained secret for decades.

The executive branch secretly creating a big new government agency vested with extremely broad and unaccountable powers… is not how representative democracy or the American constitutional system works. Few Congressmen knew of the NSA, its activities, or budget.

“No statute establishes the NSA or defines the permissible scope of its responsibilities” stated former Senate intelligence committee chairman Frank Church– ” The CIA, on the other hand, was established by Congress under a public law, the National Security Act of 1947, setting out that agency’s legal mandate as well as the restrictions on its activities. “

Jim says:

Re: Re: Re:

Don’t blame MS for an NSA-unreported hole in security. Just blame me for delaying delivery of patches for the consumer. Not everyone gets patches at the same time. That would mean that the MS servers would have to be on 24 x 7, they aren’t. And don’t blame the consumer for not leaving their system on 24 x 7 to receive patches. They want to use their system eventually to post on Facebook or read the latest news.

PaulT (profile) says:

Re: Re:

“Patched 2 months ago, but too many people and companies don’t apply the free updates.”

There are multiple reasons for that, ranging from underfunded agencies being unable to afford decent system management to the fact that most experienced Windows admins have experienced failures due to routine patching, so they need to spend much more time testing & rolling out patches to large organisations. Victim blaming might be fun, but there’s a lot of factors involved in the real world.

“Don’t blame the NSA for bad system management.”

Can we blame them for creating tools to easily exploit the known vulnerabilities, (presumably) asking Microsoft to keep the specifics and priority quiet when they patched it, and allowing the tool to be leaked?

The NSA might not deserve 100% of the blame, but they own their well deserved chunk of it.

GristleMissile says:

Re: Re:

There are actually people attempting to make “smart” guns to do that. OFC, they don’t realise they’re just adding extra failure modes to something you want to be as reliable as possible.

The modern revolver has been around for over 150 years, and most likely will be around for several hundred more just because it is as simple and reliable as possible.

Anonymous Coward says:

Re: Re: Re:2 Re:

The problem goes beyond that. Kernel updates are disabled by default. ….

What?? I run Mint on one of my machines, and Mint patches and updates its kernel as required for security fixes. What it does not do, in common with many distros that value stability, is update the system to the latest kernel automatically.

Anonymous Coward says:

If _only_ there was a law!

If only there were a law that required the US Government to coordinate with computer vendors to disclose vulnerabilities so they could get fixed. We should immediately pass such a law and insist that all government agencies obey it and send any that do not to federal "pound you in the ass" prison.

Oh – wait. Yeah, there is such a law.

Oh well, because -terrorism- yeah, makes it acceptable to break our own laws.

Because nothing says "love" quite like mocking your own laws while others seek to expose your own hypocrisy and unethical/illegal actions.

Honor isn’t what others think of you – it’s what you know of the justice of your own actions. And America is seriously lacking in Honor these days.

Anonymous Coward says:

missing budget

It’s not the IT staff who should know better, it’s the missing budget. Medical care uses a lot of special software, often software which has to be certified and may run only on specific PCs (example: DICOM and PACS). Certification processes are expensive and very slow, i.e. you might have to wait a few years to get certified software for your current OS. Each OS upgrade is a quite expensive adventure. Simply blaming hospital IT staff without any further research is a sign of ignorance.

BTW, I’m not a member of a hospital’s IT staff. Just happen to know a few things about that topic.

Anonymous Coward says:

The problem with "Best defence is a good offence"

It only works if the only thing that matters is if you are ahead in the end. What the heck is so great about winning a “war” when all that is left, is rubble on both sides?

But by all means, lets forget the real crooks here who made it all possible in the first place, and then wonder in amazement about the bad hackers being bad and possibly use it to make us even more vulnerable. That is the NSA/government style we are used to by now.

Dave Cortright (profile) says:

The timeline of events is an important point

Microsoft ended support for Windows XP on April 8, 2014. My brief search didn’t turn up an estimate of when the NSA developed ETERNALBLUE, but given the age of some of the other leaks, I’m betting it would have been before the XP EOL. So basically the NSA *ensured* that XP would always be vulnerable by withholding this information from Microsoft. Assholes.

Quick Brown Fox says:

Re: The timeline of events is an important point

While it is true that Microsoft ended support for Windows XP in April 2014, some business users entered into contracts with Microsoft for security updates well past that date. For example, the U.S. Navy contracted with Microsoft to extend its XP support until 2017.

Also, several news sources reported in 2014 that “Windows Embedded Industry” users would have continued security updates for XP until April 2019. Other users could hack the registry to trick Windows into thinking it was part of the “Windows Embedded Industry” and thus receive free updates.

As Forbes magazine’s blog stated on May 27, 2014, “…clearly, there is nothing more difficult to kill than Windows XP.”

ItAintJusttheToolItsThePublicity says:

So what about Google or Wikileaks

For all the hate directed at the NSA, which rightfully should fall on them (or more likely their Booz Allen contractors, which have been the human-relations security hole).

What about Google who exposes very publicly any holes they find which helps marketing their brand or Wikileaks that leaked this info to begin with?

Just saying double standards and all that Google and Wikileaks play a role here for exposing what others pick up and use and that they should be in the cross hairs for any animus as well.

Anonymous Coward says:

Attack the maker of the tool?

Isn’t this like saying gun manufacturers are responsible for what people do with the guns they purchase?

No wait, it is the guns that get stolen they are responsible for – right?

Should the makers of tools be held accountable for any and all potential use/abuse of same?

Rekrul says:

Re: Re:

EOL operating systems really should come with nagware that encourages upgrades.

I really wonder if there shouldn’t be an expiry date after which the OS is effectively hobbled until replaced.

The problem with that is that newer versions of an OS aren’t 100% backwards compatible with older software. If a user has spent money over the years on software that will only work on an older OS, what right does anyone have to tell them that they must effectively throw that software in the trash? Not every program gets updated and even if they do, newer versions aren’t always better.

Then there’s the issue of all the spyware that MS crammed into Win10, some of which I’ve read is virtually impossible to disable. There were even reports that they were pushing updates to Win7/8 that included a lot of the same crap, and making it impossible to refuse individual updates for those systems without refusing the entire pack.

Is it reasonable to expect a user to surrender all their privacy and control of their system in exchange for some security?

Anonymous Coward says:

Re: Re: Re: Re:

Don’t forget that upgrading Windows means upgrading all DRMed applications, if you can get new versions, and for some, like Adobe, switching to a subscription-based cloud service.

Unlike Linux, upgrading a Windows OS requires careful planning to ensure that you do not end up losing the use of some application, where it may not be possible to find a replacement. This situation is not helped by the inability to run older versions of languages and libraries in parallel in Windows. The situation can be even worse if Windows is used in some medical or industrial equipment and any associated workstations, where the only way to upgrade can be to replace everything.

There are mi££ion$ of reasons why some institutions are stuck on XP.

Rekrul says:

Indeed, as some are reporting, some of the victims — including the National Health Service Hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Ironically, while the linked Motherboard article mentions that the hospitals still running XP may be in breach of data protection laws, upgrading to Win10 would probably put them in breach of patient confidentiality laws as the OS sends information on everything they do back to MS. Even using Win7/8 may breach the laws as MS has reportedly introduced similar tracking into those versions of Windows as well.

Anonymous Champion says:

and i bet windows forced ten is also to blame here

and i bet windows forced ten is also to blame here….if you didn’t have microsoft trying to do what they did the last 6 months or so, a lot more people might have upgraded and been fine…

I decided to try the windows 7 update and guess what, not only working ….no foolishness on ms’s part…

today was a good day to do your upgrading…my bet is they absolutely won’t try any crap after this incident, at least today and for a lil while till the news dies off.

Anonymous Coward says:

The big issue here is stockpiling. It’s pretty much expected for any intelligence agency to have exploits and use them (legal issues such as warrantless wiretapping aside) – within a reasonable timeframe.

But to gather up years worth (at which point they’re likely leaked / also known to third parties) of undisclosed exploits pretty much “just in case”!?

To make the explosives analogy, that’s like insisting we leave old WW2 shells & landmines buried in the ground, you know, just in case …

Sure, THIS particular exploit happened to be leaked, but many others are still out there and there’s an army of young and hungry (in more ways than one) Russian & Chinese hackers hammering away at the exact same systems. Unfortunately that means many of those unknown exploits won’t stay hidden for too long.
