FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars

from the is-this-one-of-those-'greater-good'-things-I-don't-understand-becaus dept

The vulnerability equities process meets the FBI's natural tendency to find and hoard illegal things until it's done using them. And no one walks away from it unscathed. Welcome to the cyberwar, collateral damage!

If an agency like the NSA comes across an exploit or unpatched security flaw, it's supposed to notify affected tech companies so they can fix the problem to protect their customers and users. That's the vulnerability equities process in theory. In practice, the NSA (and others) weigh the potential usefulness of the exploit versus the damage it might cause if it's not fixed and make a disclosure decision. The NSA claims in public statements it's very proactive about disclosing discovered exploits. The facts say something different.

Then there's the FBI, which has engaged in criminal acts to further investigations. Perhaps most famously, the FBI took control of a dark web child porn server and ran it for a few weeks so it could deploy its malware (Network Investigative Technique, according to the FBI) to users of the site. Not only did it continue to distribute child porn during this time, but it reportedly optimized the system to maximize its malware distribution.

The trend continues. As Ellen Nakashima and Rachel Lerman report for the Washington Post (alternative link here), the FBI could have stopped a massive ransomware attack but decided it would be better if it just sat on what it knew and watched things develop.

The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

The worse news is it wasn't just the FBI, which is already known for running criminal enterprises while engaging in investigations. The report says this refusal to release the key was a joint agreement with "other agencies," all of which apparently felt the nation (and the rest of the world) would be better served by the FBI keeping the key to itself while it tried to hunt down the criminals behind the ransomware attack.

And it turned out to be totally worth it!

The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

FBI Director Chris Wray, testifying before Congress, said the tradeoff was necessary because it could help prevent future attacks (unproven) and time was needed to develop a tool that would help those hit by the ransomware.

"These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

He also suggested that “testing and validating” the decryption key contributed to the delay.

I, too, would testify before Congress that things were complex and time-consuming, especially when the end result was the bad guys getting away while victims remained victims. I would, however, perhaps consider not belaboring the "it will be long and hard" point when the private sector has demonstrated that it actually won't be that long, and possibly not even all that hard.

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”

The FBI took three weeks to turn over the key to the first of many victims. During that time, it apparently failed to accomplish what Emisisoft developed in 10 minutes, as well as failing to catch any of the perpetrators. Faced with this not-so-subtle undercutting of its "we really were just trying to save the world" narrative, the FBI -- via its parent organization -- has decided to shut the fuck up.

The Justice Department and White House declined to comment.

Sure, the FBI could still be pursuing some leads, but the timing of REvil's disappearance and the FBI's release of the key to one of ransomware victims suggests the FBI only decided to release because it was no longer of any use to the investigation. It may still possess some limited use to those whose data is still locked up, but pretty much every victim has moved on and attempted to recover from the incident. The cost -- as is detailed in the Washington Post report -- is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.

Who pays for this? Well, the victims do. And taxpayers will too, if the government decides to compensate some of the companies victimized by ransomware and victimized again by the FBI. The FBI, however, will hardly feel a thing, since the going rate for temporary chagrin is a rounding error in the agency's reputational damage column.

Filed Under: decryption, doj, fbi, ransomware, revil, vep, vulnerabilities, vulnerabilities equities process

NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns

from the lol-ok-then dept

News surfaced late last week indicating everything about computing is fucked. Two critical flaws with zero perfect fixes -- affecting millions of processors -- were exposed by security researchers. Patches have been deployed and more are on their way, but even the best fixes seem to guarantee a noticeable slowdown in processing speed.

The government has stepped up to say that, for once, it's not involved in making computing less safe.

Current and former U.S. officials... said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.

Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”

The veracity of this statement is largely dependent on the credibility attributed to the person making it. While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it's laughable to assert the NSA wouldn't "put a major company in a position of risk" by withholding details on an exploit. We only have the entire history of the NSA's use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.

The NSA has left major companies in vulnerable positions, often for years -- something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.

These recently-discovered exploits may be the ones that got away -- ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn't. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That's just how this works. As long as exploits are returning intel otherwise inaccessible, the NSA will use the exploits for as long as possible before disclosing this info to US companies. The agency has historically shown little concern about collateral damage and I don't believe putting someone new in charge of the VEP is going to make that much of a difference in the future.

Filed Under: meltdown, nsa, rob joyce, spectre, vep, vulnerabilities, vulnerabilities equities process
Companies: intel

Vulnerability Equities Process Gets A Facelift From The New Administration

from the more-things-change-the-more-they-improve-incrementally dept

The Trump Administration has released a new version of the Vulnerabilities Equities Process -- one nominally slanted towards greater transparency and outside participation. The previous process was broken in multiple ways, not the least of which was intelligence oversight's general belief everything was fine even though the NSA didn't follow the previous rules, despite statements to the contrary.

It's unclear why this new VEP is appearing now. The new administration doesn't seem particularly concerned about surveillance overreach or the legality of tactics deployed by the Intelligence Community. On the other hand, the up-cycling of undisclosed NSA exploits by malicious hackers has probably forced the government's hand. It's impossible to get ahead of criticism, especially when so many of the exploited exploits dated back several years. But perhaps it's possible to head off future criticism with a diplomatic gesture, which is what this appears to be.

The new process does add more transparency, at least theoretically. White House Cybersecurity Coordinator Rob Joyce had this to say in his post announcing the remodeled VEP:

Improved transparency is critical. The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Since I took my post as Cybersecurity Coordinator, improving the VEP and ensuring its transparency have been key priorities, and we have spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public. Through these efforts, we have validated much of the existing process and ensured a rigorous standard that considers many potential equities.

But there's not much in the underlying documents that indicates how the new process will lend itself to more transparency. The mere existence of these documents is certainly more transparency than we've seen previously, which give outsiders a better view of the process. But beyond saying the vulnerabilities review process "may" result in additional reporting to Congress, nothing states definitively that more transparency will result from the new VEP's implementation.

There are other concerns as well. As Bruce Schneier sees it, the VEP has been improved, but still allows the government to act as it pleases with minimal outside interference.

The devil is in the details, and we don't know the details -- and it has giant loopholes that pretty much anything can fall through…

[...]

This is me from last June:

There's a lot we don't know about the VEP. The Washington Post says that the NSA used EternalBlue "for more than five years," which implies that it was discovered after the 2010 process was put in place. It's not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue -- or the Ciscovulnerabilities that the Shadow Brokers leaked last August -- to remain unpatched for years isn't serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was "unreal." But so was the potential damage. The NSA must avoid hoarding vulnerabilities.

I stand by that, and am not sure the new policy changes anything.

That the NSA and others must make use of software/hardware exploits to gather intelligence is inarguable. The problem isn't the use of exploits, but rather that the government, almost without exception, sided with itself when balancing intelligence gathering against potential harm to innocent computer users. While the NSA insisted it turned over 90% of everything it found, personnel involved with the NSA's Tailored Access Operations claimed they'd gone years without seeing a disclosure.

Joyce's post also takes a swing at those opposed to the current implementation of the VEP. But his blow only hits strawmen.

There are advocates on both sides of the vulnerability equity issue who make impassioned arguments. Some argue that every vulnerability should be immediately disclosed to the vendor and patched. In my view, this is tantamount to unilateral disarmament. Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities.

While it's true our nation's enemies don't participate in vulnerability disclosure, to claim we should act as irresponsibly is basically like saying it should be acceptable for US military forces to use children's hospitals as operations headquarters just because our opponents have resorted to these tactics.

Vulnerability disclosure isn't zero sum, no matter what Rob Joyce may imagine. The problems are nuanced. Discussions about solutions should be similarly refined.

Katie Moussouris, CEO of Luta Security Inc., said Joyce's statement "is a false dichotomy between 100% disclosure versus the current process that puts zero-day vulnerabilities at the heart of the matter."

"My assertion has always been to err on the side of disclosure to the vendor and seek a mission-focused alternative to using zero-day vulnerabilities in broadly deployed software," Moussouris told SearchSecurity. "In some cases, not all, the objective of the mission could be completed via other means, such as exploiting misconfigurations or well-crafted phishing attacks, or even via zero-day exploits in localized, country-specific software instead. Exploitation of vulnerabilities for which a patch exists, but hasn't been applied on the target system yet, is one such alternative."

Is the new VEP better than the old one? Tough to say. We won't know until it's implemented, unfortunately. But the simple fact that there's more information about the process brings it a step or two ahead of its predecessor.

Filed Under: disclosure, nsa, vep, vulnerabilities, vulnerabilities equities process

Latest Exploit Dump By Shadow Brokers Contains Easy-To-Use Windows Exploits, Most Already Patched By Microsoft

from the menu-driven-God-Mode dept

The Shadow Brokers -- having failed to live up to half their name -- released more NSA exploits last week when it became apparent no one was willing to purchase the exploits from them. This dump was far more interesting than previous releases, as it contained a large number of Windows exploits and -- for some -- a very handy, easy-to-use front end for malware deployment.

This dump probably ruined a few Easter weekends at Microsoft, but not nearly as many as was first presumed. While the exploits targeted older versions of Windows, they would have caused trouble for government and corporate networks still relying those versions. Those targeting unsupported versions are the most dangerous, as those holes will never be patched. They're also the ones with the smallest user bases, so that mitigates the damage somewhat.

As Marcy Wheeler points out, the NSA had plenty of time to warn Microsoft about unpatched holes prior to the Shadow Brokers' latest dump.

That’s a critical detail for the debate going on on Twitter and in chats about how shitty it was for SB to release these files on Good Friday, just before (or for those with generous vacation schedules, at the beginning of) a holiday weekend. While those trying to defend against the files and those trying to exploit them are racing against the clock and each other, it is not the case that the folks at NSA got no warning. NSA has had, at a minimum, 96 days of warning, knowing that SB could drop the files at any time.

The big question, of course, is whether NSA told Microsoft what the files targeted. Certainly, Microsoft had not fully responded to that warning, as hackers have already gotten a number of these files to work.

Unlike the CIA dump happening at Wikileaks, the NSA had a pretty good idea what was contained in the Shadow Brokers stash. Microsoft, however, says it was never contacted by the NSA or "any agency" about the exploits ahead of their release.

Despite this statement, the exploits appear to have already been patched by Microsoft.

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.

The most interesting patch on the list is MS17-010, released March 14th. It patched several remote code execution holes in older Windows versions. These patches weren't applied to test machines, resulting in the mistaken conclusion these vulnerabilities hadn't been fixed.

But the patch notes say nothing about who disclosed the vulnerabilities, which makes it an anomaly. Microsoft's denial, combined with its blank "acknowledgements" page, suggests the NSA itself warned the company about the vulnerabilities. It seems unlikely Shadow Brokers would have given Microsoft a heads up, as it hadn't warned any other affected vendor up to this point.

If so, the Vulnerabilities Equity Process sort of works. I mean, the NSA held onto these as long as it could, but finally informed the affected party when it became apparent it might have to share its "exclusive" exploits with the rest of the world. Better late than never, and certainly better when delivered ahead of a very public disclosure.

What's in the latest dump is now mostly useless. But not completely useless. There are still plenty of machines running older Microsoft software that are still vulnerable, many of them possessed by corporations and government agencies. If the software is old enough, the security holes are permanent.

Not that those with the latest and greatest should rest easy. The NSA hasn't stopped producing and purchasing exploits. The SB stash was a few years old. Current Microsoft software remains under attack from state intelligence agencies and criminals. But this dump of tools shows just how powerful the NSA's toolkit is -- one made even more dangerous by its apparent ease of use. It makes exploit delivery possible for anyone, not just those with a very specific skillset.

Filed Under: 0days, exploits, hacks, nsa, shadow brokers, vep, vulnerabilities, vulnerabilities equities process, windows
Companies: microsoft

Why The NSA's Vulnerability Equities Process Is A Joke (And Why It's Unlikely To Ever Get Better)

from the 'national'-security-still-the-best-kind-of-security,-apparently dept

Two contributors to Lawfare -- offensive security expert Dave Aitel and former GCHQ information security expert Matt Tait -- take on the government's Vulnerability Equities Process (VEP), which is back in the news thanks to a group of hackers absconding with some NSA zero-days.

The question is whether or not the VEP is being used properly. If the NSA discovered its exploits had been accessed by someone other than its own TAO (Tailored Access Operations) team, why did it choose to keep its exploits secret, rather than inform the developers affected? The vulnerabilities exposed so far seem to date as far back as 2013, but only now, after details have been exposed by the Shadow Brokers are companies like Cisco actually aware of these issues.

According to Lawfare's contributors, there are several reasons why the NSA would have kept quiet, even when confronted with evidence that these tools might be in the hands of criminals or antagonistic foreign powers. They claim the entire process -- which is supposed to push the NSA, FBI, et al towards disclosure -- is broken. But not for the reasons you might think.

The Office of the Director of National Intelligence claimed last year that the NSA divulges 90% of the exploits it discovers. Nowhere in this statement were any details as to what the NSA considered to be an acceptable timeframe for disclosure. It's always been assumed the NSA turns these exploits over to developers after they're no longer useful. The Obama administration may have reiterated the presumption of openness when reacting to yet another Snowden leak, but also made it clear that national security concerns will always trump personal security concerns -- even if the latter has the potential to affect more people.

The main thrust of the Lawfare article is that the "broken" part of the equities process is that there should be a presumption of disclosure at all. The authors point out that it might take years to discover or develop a useful exploit and -- given the nature of the NSA's business -- it should be under no pressure to make timely disclosures to developers whose software/hardware the agency is exploiting.

[F]rom an operational standpoint, it takes about two years to fully utilize and integrate a discovered vulnerability. For the intelligence officer charged with managing the offensive security process, the VEP injects uncertainty by requiring inexpert intergovernmental oversight of the actions of your offensive teams, effectively subjects certain classes of bugs to time limits and eventual public exposure—all without any strategic or tactical thought governing the overall process.

[...]

Individual exploitable software vulnerabilities are difficult to find in the first place. But to engineer the discovered vulnerability into an operationally deployable exploit that can bypass modern anti-exploit defenses is far harder. It is a challenge to get policymakers to appreciate how rare the skills are for building operationally reliable exploits. The skillset exists almost exclusively within the IC and in a small set of commercial vendors (many of whom were originally trained in intelligence). This is not an area where capacity can be easily increased by throwing money at it—meaningful development here requires monumental investment of time and resources in training and cultivating a workforce, as well as crafting mechanisms to identify traits of innate talent.

The authors do point out that disclosure can also be useful to intelligence services. If these disclosures result in safer computing for everyone else, then that's apparently an acceptable side effect.

[T]here are three major, non-technical reasons for vulnerability disclosure.

First, disclosure can provide cover in the event that an OPSEC failure leads you to believe a zero-day has been compromised—if there is a heightened risk of malicious use, it allows the vendor time to patch. Second, disclosing to vendors allows the government to out an enemy’s zero-day vulnerability without disclosing how it was found. And third, government disclosure can form the basis of building a better relationship with Silicon Valley.

Saddling intelligence agencies with a presumption of disclosure is possibly a dangerous idea. Less-than-useful exploits that could be divulged to developers might be tied to other exploits still being deployed by intelligence services. Any suggested timeframe for mandatory disclosure would likely cause further harm by forcing the NSA, FBI, etc. to turn over exploits just as they're generating optimal results. On top of that, the authors point out that a push towards disclosure hamstrings US intelligence services as agencies in unfriendly nations will never be constrained by requirements to put the public ahead of their own interests.

But the process is definitely broken, no matter whose side of the argument you take. The NSA says it discloses 90% of the vulnerabilities it discovers, but former personnel involved in these operations note they've never seen a vulnerability disclosed during their years in the agency.

It's unlikely that the process will ever be fixed to everyone's satisfaction. The most likely scenario is that the VEP will continue to trundle along doing absolutely nothing while being ineffectually attacked by those opposing intelligence community secrecy. As it stands now, the presumption of disclosure is completely subject to any national security concerns raised by intelligence and law enforcement agencies. Occasional political climate shifts may provoke transparency pledges from various administrations, but those should be viewed as sympathetic noises -- presidential pats on the head meant to fend off troubling questions and legislative pushes to put weight behind the administration's words.

Filed Under: 0days, exploits, nsa, sharing, surveillance, vep, vulnerabilities, vulnerabilities equities process, zero days