Archive for the ‘NSA’ Category

NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked – Techdirt

The NSA's exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that's needed.

It appears the NSA finally engaged in the Vulnerabilities Equities Process -- not when it discovered the vulnerability, but rather when it became apparent the agency wouldn't be able to prevent it from being released to the public. What's happened recently has been devastating, and Microsoft -- whose software was targeted -- has expressed its displeasure at the agency's inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it "fishing with dynamite." The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn't bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as "disarmament." Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upside is that the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won't happen again, the question now is how much of other people's security the agency is willing to sacrifice in the name of national security.

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have been so much worse. The chain of events leading to the NSA's eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn't take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There's your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny than it already does.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as "No Such Agency." It's only been the last four years that it's been forced to engage in more transparency and accountability, so it's tough to believe it's spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA's second-guesswork will have to do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it's likely that by the time a bill heads for the Oval Office desk, it will be riddled with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA's inability to keep its hacking tools secure, rather than by any internal examination of its hoarder mentality.

Follow this link:
NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked - Techdirt

EternalRocks network worm uses 7 NSA hacking tools – Network World

By Ms. Smith, Network World | May 21, 2017 8:58 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.


While you won't be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor, as it seems a wide range of bad guys have them in their toy boxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign but by a scanning operation that searched for vulnerable public-facing SMB ports, then used EternalBlue to get on the network and used DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers April 14 dump of NSA hacking tools. Almost immediately, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the U.S.

According to Secdo, the attack leaves no trace on disk: by spawning threads inside legitimate applications and impersonating those applications, it can evade advanced next-gen antivirus solutions. These attacks, Secdo says, might pose a much bigger risk than WannaCry, because many endpoints may still be compromised despite having installed the latest security patch.

The security firm suggested one threat actor was stealing credentials using a Russian-based IP, and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability. Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the EternalRocks network worm doesn't just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, DoublePulsar, ArchiTouch and SMBTouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesn't drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesn't begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be a full-scale cyber weapon.

After that is unpacked, the EternalRocks worm begins scanning the internet for hosts with port 445 open and pushes the first stage of the malware to them through the exploit payloads.
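The behaviour that Malwarebytes describes for WannaCry and that Stampar describes for EternalRocks (a single host opening connections to many distinct addresses on TCP 445 in a short time) is something a defender can spot in flow or firewall logs before the second stage ever arrives. The Python below is an added example written for this page, not code from Network World, Malwarebytes or Stampar: it runs a simple fan-out check over a constructed, clearly labelled sample of log lines. The log format, the 60-second window and the five-distinct-targets threshold are all assumptions; a real deployment would read its own log source and tune the threshold against normal file-server traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-log lines (not real data):
# ISO timestamp, source IP, destination IP, destination port, action.
# 10.0.0.5 hits six different internet hosts on 445 in three seconds
# (scanner-like), 10.0.0.7 talks to one internal file server repeatedly
# (normal SMB use), 10.0.0.9 only uses 443 (irrelevant to this check).
SAMPLE_LOG = """\
2017-05-21T10:00:01 10.0.0.5 203.0.113.10 445 SYN
2017-05-21T10:00:01 10.0.0.5 203.0.113.11 445 SYN
2017-05-21T10:00:02 10.0.0.5 203.0.113.12 445 SYN
2017-05-21T10:00:02 10.0.0.5 203.0.113.13 445 SYN
2017-05-21T10:00:03 10.0.0.5 203.0.113.14 445 SYN
2017-05-21T10:00:03 10.0.0.5 203.0.113.15 445 SYN
2017-05-21T10:00:05 10.0.0.7 10.0.0.20 445 SYN
2017-05-21T10:00:05 10.0.0.7 10.0.0.20 445 SYN
2017-05-21T10:00:06 10.0.0.9 198.51.100.3 443 SYN
2017-05-21T10:00:07 10.0.0.9 198.51.100.4 443 SYN
2017-05-21T10:01:30 10.0.0.5 203.0.113.16 445 SYN
"""

# Assumed line layout; adjust the pattern for your own log source.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport, action) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return (datetime.fromisoformat(ts), src, dst, int(dport), action)


def find_smb_scanners(log_text, window=timedelta(seconds=60), min_targets=5, port=445):
    """Flag sources that reach at least `min_targets` distinct hosts on `port`
    inside any `window`-long interval.  Returns {src: peak distinct targets}.

    Counting distinct destinations (not connection attempts) is what separates
    a worm sweeping address space from a workstation hammering one file server.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _, _ = rec
        per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # chronological, so each window starts at an event
        peak = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner: {src} reached {n} distinct hosts on 445")
```

The window is evaluated from each event rather than on fixed clock boundaries, so a burst straddling a minute mark is still caught. The check is deliberately blind to the exploit itself: it fires on EternalBlue, EternalRomance or any future SMB worm alike, which matters given Stampar's point that the worm races administrators to unpatched machines.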

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer: "The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch."

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was going to be huge.

He later added:



Read the original here:
EternalRocks network worm uses 7 NSA hacking tools - Network World

EDITORIAL: NSA halts one abuse, but many remain – Lowell Sun

The National Security Agency has decided to halt a controversial surveillance program, but this was just the tip of an iceberg of government abuses of privacy and due process.

The NSA said recently that it will no longer engage in warrantless spying on Americans' digital communications that merely mention a foreign intelligence target, referred to in the intelligence community as "about" communications. The agency had claimed the authority to engage in such surveillance under Section 702 of the Foreign Intelligence Surveillance Act, which allows it to target non-U.S. citizens or residents believed to be outside the country, although Americans' communications are oftentimes swept up as well.

"NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," the agency announced in a statement. "Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target."

"Even though NSA does not have the ability at this time to stop collecting 'about' information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target," it continued.

The agency's decision is certainly welcome, though we must make the perhaps generous assumption that it will do -- or not do, in this case -- what it says it will, and that it will not simply change its mind in the future.

We are reminded of the public testimony of then-National Intelligence Director James Clapper at a March 2013 Senate Intelligence Committee hearing. At one point, Sen. Ron Wyden, D-Ore., asked Clapper plainly, "Does the NSA collect any type of data at all on millions, or hundreds of millions of Americans?" Clapper then lied to his face, and the faces of all Americans, saying, "No, sir," and then, "Not wittingly." Within a matter of months, news stories based on information from the Edward Snowden leaks would reveal the NSA's bulk collection of Americans' phone metadata and internet communications.

Then there is the matter of the "backdoor search loophole," by which the FBI or other agencies may search NSA databases for information about Americans collected under Section 702 without having to go through all that pesky business of obtaining a warrant.

The Fourth Amendment is quite clear: Government searches require a warrant issued by a judge based on probable cause and describing the specific "place to be searched, and the persons or things to be seized." New technology may make our communications quicker and more convenient -- as well as more easily recorded -- but it does not alter that fundamental principle.

-- By the L.A. Daily News editorial board, Digital First Media

See original here:
EDITORIAL: NSA halts one abuse, but many remain - Lowell Sun

Malware Case Is Major Blow for the NSA – New York Times

In 2013, Edward J. Snowden gave journalists hundreds of thousands of N.S.A. documents he had taken as a contractor, igniting a global debate over the agency's targeting of allies as well as foes. Last August, shortly after the Shadow Brokers' debut, ...

Related coverage: Washington Post, "NSA officials worried about the day its potent hacking tool would get loose. Then it did." (Ellen Nakashima and Craig Timberg, also carried by the Watertown Daily Times); CNET, "Hackers behind stolen NSA tool for WannaCry: More leaks coming"; further reports from Reuters, the McClatchy Washington Bureau, Steemit and The Official Microsoft Blog.

Originally posted here:
Malware Case Is Major Blow for the NSA - New York Times

Legislative Proposal Wants to Force NSA to Disclose Tech Exploits Sooner – The Merkle

If there is one thing to take away from the entire WannaCry ransomware debacle, it is how the NSA is largely responsible for these problems. To be more specific, the intelligence agency successfully kept a Windows vulnerability hidden from the public. Although the agency reported said issue to Microsoft, it is doubtful they did so right away. That may come to change, thanks to a new legislative proposal.

It is not entirely surprising to learn the US government is not too happy with NSA exploits being used to shut down computers all over the world. The WannaCry ransomware attack makes use of the EternalBlue exploit against a vulnerability in the Windows SMB protocol. The NSA was all too aware of this problem, and it is the agency's own exploit code, once distributed on the internet, that facilitated this global attack. Moreover, it continues to fuel other ransomware attacks as well.

To put things in order, a new legislative proposal has been drafted by Democratic Hawaii Senator Brian Schatz. If his bill were to be approved, the NSA would be legally obligated to share cyber exploits with the manufacturer promptly. Disclosure of such undocumented attack vectors would allow companies to patch security holes a lot quicker and keep enterprises and consumers safe.

Part of this legislative proposal revolves around establishing a Vulnerability Equities Review Board. This board is made up of heads of US security agencies and Presidential Cabinet members. Their goal would be to create new policies and regulations to determine when non-government entities will need to be informed regarding tech exploits. Doing so should eventually reduce the number of cyber attacks as a whole.

For the time being, it remains to be seen if this bill will gain any major support from other politicians. It's an open secret that the NSA has a lot more sway among politicians than most people would like. Keeping the country safe at all times is a very demanding job, even though the NSA has overextended its legal powers numerous times in the past. It is high time something changed to address this problem.

Moreover, Microsoft publicly criticizes the existing US cybersecurity policies for allowing security agencies not to disclose these vulnerabilities in a timely manner. In fact, the NSA did the opposite, as they created an in-house developed exploit to take advantage of this weakness whenever they wanted. Stockpiling such powerful weapons is a very dangerous business, as is evident in this particular case.

Although it took a group of hackers stealing the NSA exploits to bring this information to light, it is evident the NSA is not always acting in the public's best interest. In a strange way, the entire world should be grateful for what The Shadow Brokers did, as they exposed some of the NSA's most powerful hacking tools known to date. Unfortunately, their publication of said exploits has been used for nefarious purposes.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

Read the original:
Legislative Proposal Wants to Force NSA to Disclose Tech Exploits Sooner - The Merkle