Mediaboss Marketing

McClatchy Washington Bureau

Hacker group that leaked NSA spy tools likely includes a U.S. insider, experts say McClatchy Washington Bureau One of those leaked NSA tools allowed extortionists to spark havoc last Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to ... and more »

Read more from the original source:
Hacker group that leaked NSA spy tools likely includes a U.S. insider, experts say - McClatchy Washington Bureau

Sign Up for

Our free email newsletters

The National Security Agency (NSA) is supposed to protect American citizens from high-tech threats. But who will protect Americans from their screw-ups?

Last week, countries around the world reeled as a virulent piece of ransomware (which forcibly encrypted local data, then demanded payment in bitcoins to release the files) spread through tens of thousands of computer systems, including in banks and hospitals. Russia was worst hit, but the U.K. suffered serious damage as well, with its National Health Service suffering serious disruptions to medical services.

The story got much more infuriating when experts figured out that the computer worm was a slightly modified version of an exploit built by the NSA one stolen by the "Shadow Brokers" and leaked over the internet. Luckily, a 22-year-old British researcher accidentally tripped the worm's off switch, containing the damage at least for now. Different versions have already cropped up without that off-switch, though none as yet has spread to the same degree.

It's time for American security agencies to actually start securing the safety of American computer networks and the first step is to stop building and stockpiling computer security exploits.

As Charles Stross explains, neither the worm nor the ransomware adaptation of it were exactly masterpieces of cyber crime. The worm only worked on older Windows computers which hadn't disabled legacy file-sharing. What's more, when the Shadow Brokers leaked all the NSA tools, Microsoft had actually already released updates to patch most of its vulnerabilities (suggesting someone had tipped them off about what had been hacked).

Additionally, the ransomware's off-switch was simply a long gobbledygook domain name that was hard-coded into the program. It turned out the worm checked to see if the domain was active before it delivered its payload, so when the security researcher stumbled across it and registered it out of curiosity, he accidentally stopped the spread of the worm.

However, it turns out there are tons and tons of computers still running outdated version of Windows, and tons and tons of people who procrastinate about annoying software updates or don't even know how to do them. Even a poorly designed, weak piece of malware can do terrible damage when directed at the most outdated computer networks.

This brings me back to the NSA. If you ask why they are building and stockpiling security exploits for the most common operating systems, they will say it's for espionage operations against foreign enemies.

But the actual benefits of such things are highly questionable. Probably the most successful one ever was the fearsome Stuxnet worm, which did moderate damage to Iranian uranium enrichment facilities back in 2009. But the damage was quickly repaired, and did not do nearly as much to control the Iranian nuclear program as the diplomatic agreement signed under President Obama.

Conversely, as we are seeing today, the damage from building and piling up malware is potentially catastrophic. The NSA obviously cannot secure its own networks, and so any such weapon is one misstep away from falling into the hands of foreign governments, gangsters, or terrorists. And again, this worm was rather amateurish, and built from known materials thus giving Microsoft a bit of a head start for patches. But suppose some real professionals secretly hacked unknown NSA zero-day exploits, and built a worm designed to attack American financial systems or critical infrastructure?

If we had any sense, we would be dedicating at least the majority of our computer security spending to, you know, security: investigating, upgrading, and maintaining American computer systems to defend them against attack. (In reality, it's roughly 90 percent offense, 10 percent defense.) The NSA could probe commercial software for vulnerabilities, and then quietly inform the developer so they could be patched, as Microsoft President Brad Smith argues. Second, instead of trying to coerce tech companies to build back doors into their devices and software, the government could help them with security, particularly user-friendly end-to-end encryption. They could help support open-source software ecosystems, which are part of many pieces of critical internet infrastructure.

Perhaps most importantly, the government could help keep older operating systems secure (like Windows XP, which Microsoft was forced to update this week after abandoning it three years ago), and help people upgrade their equipment and software.

Of course, the NSA will do nothing of the sort. They helplessly define "national security" in a way that excludes their own failures enabling crime and terrorism. But if we had a lick of sense, we'd just abolish the NSA and start a new agency with a more sensible definition.

See original here:
The NSA is running amok - The Week Magazine

A massive cyberattack hit tens of thousands of computers in dozens of nations. Reports of the attack first surfaced in Britain, where the National Health Service described serious problems. (Sarah Parnass/The Washington Post)

The hacking group that leaked the bugs that enabled last week's global ransomware attack is threatening to make public even more computer vulnerabilities in the coming weeks potentially including compromised network data pertaining to the nuclear or missile programs of China, Iran, North Korea and Russia, as well as vulnerabilities affecting Windows 10, which is run by millions of computers worldwide.

A spokesperson for the group, which calls itself the Shadow Brokers, claimed in a blog postTuesdaythat some of those computer bugs may be released on a monthly basis as part of a new subscription-based business model that attempts to mimic what has proved successful for companies such as Spotify, Netflix, Blue Apron and many more.

[Clues point to possible North Korean involvement in massive cyberattack]

Is being like wine of month club, readthe blog post, which is written in broken English. "Each month peoples can be paying membership fee, then getting members only data dump each month."

The moveshows the growing commercial sophistication of groups such as the Shadow Brokers, which already has demonstrateda fearsome technical ability to compromise the world's top intelligence agencies. And it underscoresthe waymuch of theunderground trade forcomputer bugs resembles a real-world commercial market.

Security experts have been analyzing the blog post for clues aboutthe Shadow Brokers' intentions and capabilities.

[How to protect yourself from the global ransomware attack]

Marcy Wheeler, a longtime independent researcher, said in a blog post Tuesday that the Shadow Brokers' postbrings the hammer down both on Microsoft, whose products could be affected by any further leaks, and the U.S. National Security Agency, whose information the Shadow Brokers leaked in April. That leakled indirectly to the creation of WannaCry and the subsequent crisis,security experts say.

Simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government, Wheeler wrote.

Microsoft didn't immediately respond to a request for comment. On Sunday, the company criticized the NSA for stockpiling digital weapons. The tech industry opposes efforts by the government to weaken the security of its products, while national security advocates say it could help combat terrorism.

[Russia warns against intimidating North Korea after its latest missile launch]

Although experts say the Shadow Brokers do not appear to have been directly involved in the WannaCry attack, leaking the exploitin the first place was a major step toward facilitating the cyberattack.

The group's new claim that it possesses information on the nuclear programs of state governments is extremely worrisome, said Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, a Washington think tank."While they don't seem to have the most amazing PR department," he said, "they've already proved that they had some pretty serious access. The nuke facility stuff is particularly concerning, [speaking] as a former physicist.

Previously, the group had sought to sell its hacking tools to the highest bidder. Few buyers came forward, the group said in its blog post. But now, the monthly subscription model might mean the bugs will find their way into the hands of more people, spreading far and wide, Hall said.

Go here to see the original:
The hacking group that leaked NSA secrets claims it has data on foreign nuclear programs - Washington Post

A bipartisan bill introduced Wednesday in Congress would force the NSA to share any security vulnerabilities it finds in software with other government agencies.

Known as the PATCH Act (Protecting Our Ability To Counter Hacking), the legislation mandates a larger review when a federalagency discovers a security hole in a computer system.

The government sometimes coordinates with tech companies and creators of technology vendors, but in certain instances it chooses to keep the exploits for itselfand use them for national security purposes.

Such a policy would essentially compel the U.S. governments top spying agency to turn over its arsenal of cyber weapons and hacking tools, seemingly sacrificing offense for the prospect of better defense.

Do you get to listen to the Chinese politburo chatting and get credit from the president? said Richard Clayton, a cyber-security researcher at the University of Cambridge, according to Reuters. Or do you notify the public to help defend everyone else and get less kudos?

While co-sponsors of the bill at least partially agree that it can be difficult to find a middle ground, they apparently want the equilibrium shifted more towards domestic virtual security. (RELATED: The Internet Has Officially Become A Domain Of Warfare)

Striking the balance between U.S. national security and general cybersecurity is critical, but its not easy, Hawaiian Sen. Brian Schatzsaid in an official statement. This bill strikes that balance.

The review meetings would reportedly still be a secret, and only data pursuant to the law would be made public once eachyear.

The latest global ransomware attack revealed the importance of locating and patching vulnerabilities before malicious actors can attack our most critical systems, saysSen. Cory Gardner of Colorado, one of the original sponsors of the bill, referring to the recent incident that allegedlyaffected more than 150 countries. (RELATED: Massive Cyber Attack Reportedly Hits 16 British Health Facilities, Causing Chaos In Emergency Rooms)

DemocraticRep. Ted Lieu of California, Republican Rep. Blake Farenthold of Texas, and Republican Sen. Ron Johnson of Wisconsin co-sponsored the bill with Schatz and Gardner.

This legislation ensures the American public has greater transparency into how vulnerabilities and threats are shared between federal government actors, intelligence organizations, and the private sector, Gardner concludes.

Follow Eric on Twitter

Send tips to [emailprotected].

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact [emailprotected].

See original here:
Congress Introduces Bill Requiring NSA To Share Its Secrets - The Daily Caller

Microsoft President Brad Smith speaks at the annual Microsoft shareholders meeting on Nov. 30, 2016, in Bellevue, Wash. Elaine Thompson/AP hide caption

Microsoft President Brad Smith speaks at the annual Microsoft shareholders meeting on Nov. 30, 2016, in Bellevue, Wash.

Microsoft has had a whirlwind last few days. The company's operating system, Windows, was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over there could be another wave the president of the company does have two big takeaways.

One takeaway is sexy, edgy. The other is boring, plain vanilla but no less important to Brad Smith, president of Microsoft.

Let's start there.

Simple maintenance would solve a lot of problems

"We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches," Smith says.

Patching! That's it. Instead of hitting "ignore, ignore" when a pop-up on your screen asks, "Do you want to install a critical update and reboot?" You should just do it. Two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera.

Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.

"It's worth remembering Windows XP not only came out six years before first iPhone. It came out two months before the very first iPod. Think about how antiquated that feels to us today," Smith says.

Because this attack is so contagious it self-propagates, slithering from computer to computer without any human help Microsoft decided it had to build a patch for that antique system too. Microsoft also found itself giving tech support to one more unusual group: thieves, people who used pirated, illegal copies of Windows.

Smith does not want to make a habit of that, but he says, "It was the right thing to do for this particular incident."

Microsoft calls for a "Digital Geneva Convention"

The Microsoft president's second takeaway is not about what businesses of every size need to do. It's about what intelligence agencies, like the CIA and the NSA, need to do.

"A lot has changed in the world just in the last 12 months," Smith says. "We've seen a huge focus on nation-state hacking by other countries including Russia and North Korea."

According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the NSA. Criminals got a hold of it and tweaked it.

Many countries are racing to create more cyber weapons. Smith says there's a real risk that criminals will steal them. He'd like governments to limit the creation of cyber weapons, just like they did for nuclear weapons. Microsoft wants a "Digital Geneva Convention" he explains, "something that would commit governments to do less hoarding of exploits and vulnerabilities, do more to work with software vendors so that we can all keep systems secure."

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them.

"This is not a conversation that has even begun, at least with the general public," Smith says.

McAfee's Grobman counters Smith's position

Steve Grobman, chief technology officer at McAfee, which makes the popular antivirus software, disagrees with Smith. "Microsoft has a very strong position that is an absolute, whereas my position is a little bit more balanced," he says.

Grobman says governments should stockpile cyber weapons in some instances. For example, we're fighting a war and our military needs to take down a power plant, and there are only two options: "to drop a bomb on it, or to use a cyberattack to temporarily disable it. The cyberattack can in many cases limit the amount of loss of life."

Clearly, there is a difference of opinion among tech leaders. Though Grobman agrees with his colleague at Microsoft: These last few days, battling the WannaCry attack, have been very long.

Read the rest here:
Microsoft's President Reflects On Cyberattack, Helping Pirates And The NSA - NPR