Mediaboss Marketing

A bipartisan bill introduced Wednesday in Congress would force the NSA to share any security vulnerabilities it finds in software with other government agencies.

Known as the PATCH Act (Protecting Our Ability To Counter Hacking), the legislation mandates a larger review when a federalagency discovers a security hole in a computer system.

The government sometimes coordinates with tech companies and creators of technology vendors, but in certain instances it chooses to keep the exploits for itselfand use them for national security purposes.

Such a policy would essentially compel the U.S. governments top spying agency to turn over its arsenal of cyber weapons and hacking tools, seemingly sacrificing offense for the prospect of better defense.

Do you get to listen to the Chinese politburo chatting and get credit from the president? said Richard Clayton, a cyber-security researcher at the University of Cambridge, according to Reuters. Or do you notify the public to help defend everyone else and get less kudos?

While co-sponsors of the bill at least partially agree that it can be difficult to find a middle ground, they apparently want the equilibrium shifted more towards domestic virtual security. (RELATED: The Internet Has Officially Become A Domain Of Warfare)

Striking the balance between U.S. national security and general cybersecurity is critical, but its not easy, Hawaiian Sen. Brian Schatzsaid in an official statement. This bill strikes that balance.

The review meetings would reportedly still be a secret, and only data pursuant to the law would be made public once eachyear.

The latest global ransomware attack revealed the importance of locating and patching vulnerabilities before malicious actors can attack our most critical systems, saysSen. Cory Gardner of Colorado, one of the original sponsors of the bill, referring to the recent incident that allegedlyaffected more than 150 countries. (RELATED: Massive Cyber Attack Reportedly Hits 16 British Health Facilities, Causing Chaos In Emergency Rooms)

DemocraticRep. Ted Lieu of California, Republican Rep. Blake Farenthold of Texas, and Republican Sen. Ron Johnson of Wisconsin co-sponsored the bill with Schatz and Gardner.

This legislation ensures the American public has greater transparency into how vulnerabilities and threats are shared between federal government actors, intelligence organizations, and the private sector, Gardner concludes.

Follow Eric on Twitter

Send tips to [emailprotected].

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact [emailprotected].

See original here:
Congress Introduces Bill Requiring NSA To Share Its Secrets - The Daily Caller

Microsoft President Brad Smith speaks at the annual Microsoft shareholders meeting on Nov. 30, 2016, in Bellevue, Wash. Elaine Thompson/AP hide caption

Microsoft President Brad Smith speaks at the annual Microsoft shareholders meeting on Nov. 30, 2016, in Bellevue, Wash.

Microsoft has had a whirlwind last few days. The company's operating system, Windows, was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over there could be another wave the president of the company does have two big takeaways.

One takeaway is sexy, edgy. The other is boring, plain vanilla but no less important to Brad Smith, president of Microsoft.

Let's start there.

Simple maintenance would solve a lot of problems

"We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches," Smith says.

Patching! That's it. Instead of hitting "ignore, ignore" when a pop-up on your screen asks, "Do you want to install a critical update and reboot?" You should just do it. Two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera.

Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.

"It's worth remembering Windows XP not only came out six years before first iPhone. It came out two months before the very first iPod. Think about how antiquated that feels to us today," Smith says.

Because this attack is so contagious it self-propagates, slithering from computer to computer without any human help Microsoft decided it had to build a patch for that antique system too. Microsoft also found itself giving tech support to one more unusual group: thieves, people who used pirated, illegal copies of Windows.

Smith does not want to make a habit of that, but he says, "It was the right thing to do for this particular incident."

Microsoft calls for a "Digital Geneva Convention"

The Microsoft president's second takeaway is not about what businesses of every size need to do. It's about what intelligence agencies, like the CIA and the NSA, need to do.

"A lot has changed in the world just in the last 12 months," Smith says. "We've seen a huge focus on nation-state hacking by other countries including Russia and North Korea."

According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the NSA. Criminals got a hold of it and tweaked it.

Many countries are racing to create more cyber weapons. Smith says there's a real risk that criminals will steal them. He'd like governments to limit the creation of cyber weapons, just like they did for nuclear weapons. Microsoft wants a "Digital Geneva Convention" he explains, "something that would commit governments to do less hoarding of exploits and vulnerabilities, do more to work with software vendors so that we can all keep systems secure."

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them.

"This is not a conversation that has even begun, at least with the general public," Smith says.

McAfee's Grobman counters Smith's position

Steve Grobman, chief technology officer at McAfee, which makes the popular antivirus software, disagrees with Smith. "Microsoft has a very strong position that is an absolute, whereas my position is a little bit more balanced," he says.

Grobman says governments should stockpile cyber weapons in some instances. For example, we're fighting a war and our military needs to take down a power plant, and there are only two options: "to drop a bomb on it, or to use a cyberattack to temporarily disable it. The cyberattack can in many cases limit the amount of loss of life."

Clearly, there is a difference of opinion among tech leaders. Though Grobman agrees with his colleague at Microsoft: These last few days, battling the WannaCry attack, have been very long.

Read the rest here:
Microsoft's President Reflects On Cyberattack, Helping Pirates And The NSA - NPR

Enlarge / A cryptocurrency mining farm.

On Friday, Ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon Kafeine wrote:

In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.

The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.

Figure 2 shows the post-infection traffic generated by Adylkuzz in this attack.

Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets.

Proofpoint researchers have identified more than 20 hosts set up to scan the Internet and infect vulnerable machines they find. The researchers are aware of more than a dozen active Adylkuzz control servers. The botnet then mined Monero, a cryptocurrency that bills itself as being fully anonymous, as opposed to Bitcoin, in which all transactions are traceable.

Monday's report came the same day that a security researcher who works for Google found digital fingerprints tying a version of WCry from February to Lazarus Group, a hacking operation with links to North Korea. In a report published last month, Kaspersky Lab researchers said Bluenoroff, a Lazarus Group offshoot responsible for financial profit, installed cryptocurrency-mining software on computers it hacked to generate Monero coins. "The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky Lab researchers wrote.

Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday's revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.

Continue reading here:
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry - Ars Technica

Forbes

Microsoft Just Took A Swipe At NSA Over The WannaCry Ransomware Nightmare Forbes After software vulnerabilities exploited and leaked by the NSA were used by cybercriminals to infect as many as 200,000 Windows PCs with ransomware over the last three days, Microsoft has criticized government agencies for hoarding those flaws and ... Microsoft Blasts the CIA and NSA for 'Stockpiling' Software VulnerabilitiesTheStreet.com A large-scale cyber attack highlights the structural dilemma of the NSAThe Economist all 2,140 news articles »

Original post:
Microsoft Just Took A Swipe At NSA Over The WannaCry Ransomware Nightmare - Forbes

The U.S. National Security Agency could have headed off the global ransomware attack that has crippled hospitals, train stations and other infrastructure around the world, according to Edward Snowden, the former CIA contractor and whistleblower.

They knew about this flaw in U.S. software, U.S. infrastructure, hospitals around the world, these auto plants and so on and so forth, but they did not report it to Microsoft until after the NSA learned that that flaw had been stolen by some outside group, Snowden said Monday.

Related: What is ransomware? Computers around the world infected by malware demanding money

Subscribe to Newsweek from $1 per week

The fugitive former private security contractor made his remarks during a speech on privacy and security delivered via satellite from Moscow to a Washington, D.C., conference on big data. The conference, organized by a former Google executive, Travis Jarae, founder and CEO of One World Identity, has drawn 800 industry experts from data collection and cybersecurity firms, as well as government lawyers, to discuss questions about online identity, security and privacy.

Snowden in 2013 downloaded and then publicized an estimated 1.7 million documents related to global and domestic U.S. surveillance programs, which the Pentagon has said is the largest trove of American secrets ever purloined. Federal prosecutors subsequently charged him with theft and Espionage Act violations. Since 2013, he has been living in Moscow.

Beamed by satellite onto huge screens in the Ronald Reagan Building and International Trade Center, a federal building a few blocks from the White House, Snowden blamed the NSA for the unprecedented power of the so-called wannacry virus, which is being blamed for the worlds biggest cyberattack, affecting 150 countries so far. Among the affected in the U.S. have been Fedex and Nissan; in China, colleges and gas stations; in India, the state police; in Russia, the Central Bank, Russian railways and the Interior Ministry; and in the U.K., at least 16 National Health System hospitals.

It is still unclear who released the virus or exactly why.

Had the NSA not waited until our enemies already had this exploit to tell Microsoft, [so that] Microsoft could begin the patch cycle, we would have had years to prepare hospital networks for this attack rather than a month or two, which is what we actually ended up with, Snowden said.

Members of the audience submitted questions to the 33-year-old. One asked for his number one piece of advice for balancing privacy and security. Snowden said companies should opt for the bare minimum in determining what information they harvest and save about customer behavior, and urged them provide users with an opt-out from data collection upfront. He accused companies that say they are collecting data to improve products and services of using a legal fiction to collect data in order to monetize it, generating an extra source of revenue.

He compared the psychological effects of unchecked mass data collection to an errant high school kid being threatened that certain behavior would remain on his or her record. In a world of mass tracking and commercial and government data collection, he said, you have a permanent record that can never be erased.

A child thats born in this world wont have the same benefit you had of saying something stupid that they can move on from, he said. When people can be tracked and have no way to live outside this chain of records, what we have become is a quantified spiderweb. Its a very negative thing for a free and open society. Now, everybody in the world will think twice before they even open their mouth. That is a very, very dark future. But its not inevitable. You should reflect: Is that something we can do? Or should do?

See the original post here:
Edward Snowden Slams NSA Over Ransomware Attack - Newsweek