Leaked NSA Hacking Tool On Global Ransomware Rampage
from the who-trusts-the-nsa? dept
Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.
And here we are. With a global ransomware rampage, referred to as "WannaCry," putting tons of people at risk, thanks to leaked NSA malware:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks — which has been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. This was among those that were quietly patched by Microsoft back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims -- including the National Health Service Hospitals in the UK -- are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.
Thus, there's some debate online about whether the "problem" here is organizations who don't upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days -- especially for large organizations with IT staff who should know better.
At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:
- The NSA's dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it's quite clear that the offensive capabilities are valued much more than the defensive ones -- and that's a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
- Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a "safe" way, where only government will get the backdoor access to encryption. The fact that some of the NSA's most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the "going dark" debate. But it won't. It's not safe, but many in the law enforcement community, in particular, are in denial about this.
Filed Under: hacking tools, malware, nhs, nsa, ransomware, shadow brokers, wannacry
Reader Comments
NSA: The Best Defense is a Good Offense
Re: NSA: The Best Defense is a Good Offense
Because every zero-day you know, is at the same time a vulnerability.
You think it's nice to be able to penetrate systems at will for your surveillance wants? Well, you're putting your hospitals, electrical grid, power plants, all other government agencies, the military, everything at risk at the same time.
You can only choose to have everyone vulnerable or nobody.
Re: Re: NSA: The Best Defense is a Good Offense
The NSA, knowing about these offensive exploits, can defend their computers against them.
Re: Re: Re: NSA: The Best Defense is a Good Offense
How?
In this case, the only fix I've seen reported is to install a patch from Microsoft.
That patch only exists because Microsoft was notified about the vulnerability. No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).
If the NSA notifies Microsoft about the vulnerability, the patch for it will be released publicly, thereby both notifying the public about the vulnerability and enabling the public to close it - meaning that the NSA won't be able to rely on using the vulnerability to get in.
If the NSA does not notify Microsoft about the vulnerability, no patch will be created (until such time as someone else finds and reports the same vulnerability), and so the NSA will not be able to secure their own Windows computers.
Is there a hole in that logic somewhere?
Re: Re: Re: Re: NSA: The Best Defense is a Good Offense
I'd stop there and just say that it's certainly possible for a 3rd party patch to be created and installed, although it's not as easy if you don't have the source to hand. The NSA will certainly have people available with the necessary skills. It's also likely that the NSA would be able to have some agreement with Microsoft to have access to the signing keys for various reasons. They could hack the OS or just choose to use something more secure for anything that would be non-trivial if compromised.
Either way, in this particular case it's possible to guard against the vulnerability without doing anything to code:
"In this case, the only fix I've seen reported is to install a patch from Microsoft."
The vulnerability exists on SMB v1, which you can disable if not required, and I believe can be removed completely in Windows 10. The patch stops the vulnerability from being present in the service, but as with all optional services the best advice is always to remove anything not required. If simply disabled, the service can be re-enabled by attackers if they gain access in other ways.
In fact, one of the reasons why Microsoft has such a poor security reputation is that their systems usually had services installed and enabled by default that had no business being on a machine for 95% of use cases. Older versions of Windows became exponentially more secure just by changing the default running services and applying a few additional security measures; it's just that Windows admins of the time neither knew nor cared about security above convenience.
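For the disable-or-remove advice in the comment above, here is an added PowerShell example (mine, not the commenter's and not Microsoft sample code): it reports whether the host still offers SMBv1 and, when asked, switches the protocol off and then removes the component, which is the distinction the comment draws between disabling and removing. It assumes Windows 8.1/10 or Server 2012 R2 and later, where the SmbShare module and the SMB1Protocol optional feature exist; the function names are my own.

```powershell
# Added example: audit SMBv1 exposure on a Windows host and, on request, turn it off.
# Run in an elevated PowerShell session. Cmdlets are standard Windows ones; the
# function names (Get-Smb1Status, Disable-Smb1) are hypothetical helpers of my own.

function Get-Smb1Status {
    # Server side: is the host still offering the SMBv1 dialect on TCP 445?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Component side (Windows 8.1/10, Server 2012 R2 and later): is the SMBv1
    # optional feature installed at all? On builds without the feature this is $null.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }

    [pscustomobject]@{
        ServerProtocolEnabled = [bool]$server   # $true means SMBv1 is still served
        FeatureState          = $featureState   # Enabled / Disabled / NotPresent
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 1: stop offering SMBv1 now. Takes effect immediately, but is only a
    # configuration flag and can be flipped back by anyone with admin rights.
    if ($PSCmdlet.ShouldProcess('SMB server configuration', 'disable SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Step 2: remove the component so it is not there to be re-enabled later.
    # Removal completes on reboot; -NoRestart defers that to a maintenance window.
    # (On Windows Server the equivalent is Uninstall-WindowsFeature FS-SMB1.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess('SMB1Protocol optional feature', 'remove')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Audit first, remediate only if something is still exposed.
$before = Get-Smb1Status
Write-Output "Before: server=$($before.ServerProtocolEnabled) feature=$($before.FeatureState)"

if ($before.ServerProtocolEnabled -or $before.FeatureState -eq 'Enabled') {
    # -WhatIf previews the change; drop it to apply.
    Disable-Smb1 -WhatIf
    $after = Get-Smb1Status
    Write-Output "After:  server=$($after.ServerProtocolEnabled) feature=$($after.FeatureState)"
} else {
    Write-Output 'SMBv1 is neither served nor installed on this host.'
}
```

Hosts that cannot remove the feature because a legacy device still needs SMBv1 still need the MS17-010 patch; this script only removes the optional service, it does not verify patch state.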
Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense
Hmm. Thanks for the note; I'd heard suggestions of the problem being specific to SMBv1, but even Microsoft's own article on the subject didn't seem to be explicit that this was SMBv1 only and that other versions of SMB are not vulnerable, so I didn't trust that as being a fix. (If you have a source for an explicit statement that this is only a hole in SMBv1, I'd appreciate a link.)
If it's confirmed that only SMBv1 has the problem, then that does simplify things considerably, and would have let the NSA secure their own systems without needing to touch the question of hacking together a third-party patch (and dodging code signing enforcement, in whatever form it may be in place).
Re: Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense
The official patch notes only specify that version 1 is affected, so I believe that's good enough for me. I think there was a rumour about v2 also being affected that was later debunked, but I can't seem to see any sources at a quick glance.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Generally speaking, we got lucky this time. I don't believe the attack was particularly targeted, patches were immediately available when the attack started, someone accidentally managed to trigger the payload's kill switch and it was well enough broadcast that most vulnerable computers were patched before the killswitch-free version was released.
We won't be so lucky next time, but I think you can pretty much guarantee that the NSA are always working on their own protective measures. I'd say that would include bespoke patches where workarounds aren't available.
Re: Re: Re: Re: Re: Re: Re: NSA: The Best Defense is a Good Offense
That's the Microsoft article I read, but I didn't spot an explicit statement that only v1 was affected; I saw it as being implied by parts of the phrasing I don't remember (I'm currently on a computer which is configured in a way that doesn't load most Microsoft pages correctly, and I don't feel like undoing and redoing that configuration just at the moment, so I can't double-check right now), but not stated explicitly. That's why I didn't bother pushing to only disable SMBv1 in my organization, rather than an emergency deployment of the patch. (I'm working on getting regular, timely patch deployments going, but that implementation has been stalled by factors out of my control, including bureaucratic obstacles. We may hope that they clear out of the way somewhat after this incident.)
I agree that we got lucky this time, for all the reasons you cite.
What about liability?
We're looking at not just financial loss, but potentially injury and loss of human life, as well.
Re: What about liability?
"In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. The United States as a sovereign is immune from suit unless it unequivocally consents to being sued." Or in other words: the king is untouchable.
Re: It's Good to be King
oh wait, the NSA was created by a secret Presidential Executive Order in direct violation of all that constitutional and democracy stuff.
Citizens have effectively zero control over the NSA.
US Presidents, Congressmen, and Supreme Court Justices often act as unaccountable sovereigns and usually get away with it.
... never mind
Re: Re: It's Good to be King
Additional information is needed here: how exactly is an EO and/or a TLA creation a violation of the constitution?
Re: Good to be King
Truman's October 1952 secret 7-page memo (not even a formal Executive Order) created the super secret NSA. Even the NSA name was initially classified... Truman's memo that acted as the agency's charter remained secret for decades.
The executive branch secretly creating a big new government agency vested with extremely broad and unaccountable powers... is not how representative democracy or the American constitutional system works. Few Congressmen knew of the NSA, its activities, or budget.
"No statute establishes the NSA or defines the permissible scope of its responsibilities," stated former Senate intelligence committee chairman Frank Church. "The CIA, on the other hand, was established by Congress under a public law, the National Security Act of 1947, setting out that agency's legal mandate as well as the restrictions on its activities."
Don't blame the NSA for bad system management.
Re:
There are multiple reasons for that, ranging from underfunded agencies being unable to afford decent system management to the fact that most experienced Windows admins have experienced failures due to routine patching, so need to spend much more time testing & rolling out patches to large organisations. Victim blaming might be fun, but there's a lot of factors involved in the real world.
"Don't blame the NSA for bad system management."
Can we blame them for creating tools to easily exploit the known vulnerabilities, (presumably) asking Microsoft to keep the specifics and priority quiet when they patched it, and allowing the tool to be leaked?
The NSA might not deserve 100% of the blame, but they own their well deserved chunk of it.
The best offense in soccer . . .
Re:
The modern revolver has been around for over 150 years, and most likely will be around for several hundred more just because it is as simple and reliable as possible.
Forget about patching. Windows is malware. Upgrade:
https://www.linuxmint.com/
Re:
https://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/
Re: Re: Re:
The problem goes beyond that. Kernel updates are disabled by default. There's no excuse for putting users at risk. Consider Ubuntu Mate, it's the same desktop environment with sane security defaults.
http://www.techrepublic.com/article/linux-mint-18-improves-security-mostly/
Re: Re: Re: Re:
What?? I run Mint on one of my machines, and Mint patches and updates its kernel as required for security fixes. What it does not do, in common with many distros that value stability, is update the system to the latest kernel automatically.
If _only_ there was a law!
If only there were a law that required the US Government to coordinate with computer vendors to disclose vulnerabilities so they could get fixed. We should immediately pass such a law and insist that all government agencies obey it and send any that do not to federal "pound you in the ass" prison.
Oh - wait. Yeah, there is such a law.
Oh well, because -terrorism- yeah, makes it acceptable to break our own laws.
Because nothing says "love" quite like mocking your own laws while others seek to expose your own hypocrisy and unethical/illegal actions.
Honor isn't what others think of you - it's what you know of the justice of your own actions. And America is seriously lacking in Honor these days.
*cough*BS!*cough*
Just wait till some schmuck sends the NSA's own virus to a nuke plant.
missing budget
BTW, I'm not a member of a hospital's IT staff. Just happen to know a few things about that topic.
Encryption backdoors anyone?
The problem with "Best defence is a good offence"
But by all means, let's forget the real crooks here who made it all possible in the first place, and then wonder in amazement about the bad hackers being bad and possibly use it to make us even more vulnerable. That is the NSA/government style we are used to by now.
The time line of events is an important point
Re: The time line of events is an important point
Also, several news sources reported in 2014 that "Windows Embedded Industry" users would have continued security updates for XP until April 2019. Other users could hack the registry to trick Windows into thinking it was part of the "Windows Embedded Industry" and thus receive free updates.
As Forbes magazine's blog stated on May 27, 2014, "...clearly, there is nothing more difficult to kill than Windows XP."
Re: Re: The time line of events is an important point
Maybe people just want a mainstream OS without built in spyware.
Re: The time line of events is an important point
At least Microsoft have released a patch for unsupported OS's.
Re: The time line of events is an important point
I've just installed it successfully on a Server 2003 system (that's well overdue for replacement).
So what about Google or Wikileaks
What about Google who exposes very publicly any holes they find which helps marketing their brand or Wikileaks that leaked this info to begin with?
Just saying double standards and all that Google and Wikileaks play a role here for exposing what others pick up and use and that they should be in the cross hairs for any animus as well.
Re: So what about Google or Wikileaks
Think again.
Isn't this like saying gun manufacturers are responsible for what people do with the guns they purchase?
No wait, it is the guns that get stolen they are responsible for - right?
Should the makers of tools be held accountable for any and all potential use/abuse of same?
Re:
In reality, this is more like someone making a master key for gun storage lockers, and said key being stolen. The concern is, we shouldn't be making such keys in the first place if we want our gun lockers to be secure.
Re:
Well.... There is this little thing that guns do have some valid uses - protection and hunting.
A root kit... any valid uses?
Re: Re:
Why of COURSE! Just ask Sony!
(If you don't know: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal )
It's also great if you're ALWAYS forgetting those pesky authentication codes on systems that you don't own.
Assuming Wannacrypt is just another name for Wannacry, looks like MS has actually stepped up to the plate on this one. Well done.
I really wonder if there shouldn't be an expiry date after which the OS is effectively hobbled until replaced
Re:
The problem with that is that newer versions of an OS aren't 100% backwards compatible with older software. If a user has spent money over the years on software that will only work on an older OS, what right does anyone have to tell them that they must effectively throw that software in the trash? Not every program gets updated and even if they do, newer versions aren't always better.
Then there's the issue of all the spyware that MS crammed into Win10, some of which I've read is virtually impossible to disable. There were even reports that they were pushing updates to Win7/8 that included a lot of the same crap, and making it impossible to refuse individual updates for those systems without refusing the entire pack.
Is it reasonable to expect a user to surrender all their privacy and control of their system in exchange for some security?
Re: Re: Re:
Unlike Linux, upgrading a Windows OS requires careful planning to ensure that you do not end up losing the use of some application, where it may not be possible to find a replacement. This situation is not helped by the inability to run older versions of languages and libraries in parallel in Windows. The situation can be even worse if Windows is used in some medical or industrial equipment and any associated workstations, where the only way to upgrade can be to replace everything.
There are mi££ion$ of reasons why some institutions are stuck on XP.
Ironically, while the linked Motherboard article mentions that the hospitals still running XP may be in breach of data protection laws, upgrading to Win10 would probably put them in breach of patient confidentiality laws as the OS sends information on everything they do back to MS. Even using Win7/8 may breach the laws as MS has reportedly introduced similar tracking into those versions of Windows as well.
And I bet Windows forced ten is also to blame here
I decided to try the Windows 7 update and guess what, not only working... no foolishness on MS's part...
Today was a good day to do your upgrading... my bet is they absolutely won't try any crap after this incident, at least today and for a little while till the news dies off.
new version now ...no kill switch
But to gather up years worth (at which point they're likely leaked / also known to third parties) of undisclosed exploits pretty much "just in case"!?
To make the explosives analogy, that's like insisting we leave old WW2 shells & landmines buried in the ground, you know, just in case ...
Sure, THIS particular exploit happened to be leaked, but many others are still out there, and there's an army of young and hungry (in more ways than one) Russian & Chinese hackers hammering away at the exact same systems. Unfortunately that means many of those unknown exploits won't stay hidden for too long.