
The NSA Confronts a Problem of Its Own Making


tao


Recent cyberattacks show what happens when America’s secret-keepers can’t keep their secrets.

 

It is hard to imagine more fitting names for code-gone-bad than WannaCry and Eternal Blue. Those are just some of the computer coding vulnerabilities pilfered from the National Security Agency’s super-secret stockpile that have been used in two separate global cyber attacks in recent weeks. An attack on Tuesday featuring Eternal Blue was the second of these to use stolen NSA cyber tools—disrupting everything from radiation monitoring at Chernobyl to shipping operations in India. Fort Meade’s trove of coding weaknesses is designed to give the NSA an edge. Instead, it’s giving the NSA heartburn. And it’s not going away any time soon.

 

As with most intelligence headlines, the story is complicated, filled with good intentions and unintended consequences. Home to the nation’s codebreakers and cyber spies, the NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and all sorts of other products and services that connect us to the digital world. It’s a rich hunting ground. The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given that an Android phone uses 12 million lines of code, we’re talking a lot of vulnerabilities. Some are easy to find. Others are really hard. Companies are so worried about vulnerabilities that many—including Facebook and Microsoft—pay “bug bounties” to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.

 

The NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses they find with American manufacturers so they can be patched. But not always. As NSA Director Mike Rogers told a Stanford audience in 2014, “the default setting is if we become aware of a vulnerability, we share it,” but then added, “There are some instances where we are not going to do that.” Critics contend that’s tantamount to saying, “In most cases we administer our special snake bite anti-venom that saves the patient. But not always.”

 

In this case, a shadowy group called the Shadow Brokers (really, you can’t make these names up) posted part of the NSA’s collection online, and now it’s O.K. Corral time in cyberspace. Tuesday’s attacks are just the beginning. Once bad code is “in the wild,” it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victims—lots of them—for cyber bad guys to shoot at.

 

 

WannaCry and Eternal Blue must be how folks inside the NSA are feeling these days. America’s secret-keepers are struggling to keep their secrets. For the National Security Agency, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked that NSA stood for “No Such Agency.” When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters.

 

Now, the NSA finds itself confronting two wicked problems—one technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least “no, but…” In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. That’s the basic idea behind the NSA’s vulnerability collection: “If we found a vulnerability, and we alone can use it, we get the advantage.” Sounds good, except for the part about “we alone can use it,” which turns out to be, well, dead wrong.

 

That’s essentially what the FBI argued when it tried to force Apple to design a new way to breach its own products so that special agents could access the iPhone of Syed Rizwan Farook, the terrorist who, along with his wife, killed 14 people in San Bernardino. Law-enforcement and intelligence agencies always want an edge, and there is a public interest in letting them have it.

 

 

As former FBI Director James Comey put it, “There will come a day—and it comes every day in this business—where it will matter a great deal to innocent people that we in law enforcement can’t access certain types of data or information, even with legal authorization.”

 

Many leading cryptographers (the geniuses who design secure communications systems) and some senior intelligence officials say that a technical backdoor for one is a backdoor for all. If there’s a weakness in the security of a device or system, anyone can eventually exploit it. It may be hard, it may take time, it may take a team of crack hackers, but the math doesn’t lie. It’s nice to imagine that the FBI and NSA are the only ones who can exploit coding vulnerabilities for the good of the nation. It’s also nice to imagine that I’m the only person my teenage kids listen to. Nice isn’t the same thing as true. Former NSA Director Mike Hayden publicly broke with many of his former colleagues last year. “I disagree with Jim Comey,” Hayden said. “I know encryption represents a particular challenge for the FBI. ... But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor.”

 

Hayden and others argue that digital security is good for everyone. If people don’t trust their devices and systems, they just won’t use them. And for all the talk that security improvements will lock out U.S. intelligence agencies, that hasn’t happened in the 40 years of this raging debate. That’s right. 40 years. Back in 1976, during the first “crypto war,” one of my Stanford colleagues, Martin Hellman, nearly went to jail over this dispute. His crime: publishing his academic research that became the foundational technology used to protect electronic communications. Back then, some NSA officials feared that securing communications would make it harder for them to penetrate adversaries’ systems. They were right, of course—it did get harder. But instead of “going dark,” U.S. intelligence officials have been “going smart,” finding new ways to gather information about the capabilities and intentions of bad guys through electronic means.

 

The NSA’s second wicked problem is humans. All the best security clearance procedures in the world cannot eliminate the risk of an “insider threat.” The digital era has supersized the damage that one person can inflict. Pre-internet, traitors had to sneak into files, snap pictures with hidden mini-cameras, and smuggle documents out of secure buildings in their pant legs or a tissue box. Edward Snowden could download millions of pages onto a thumb drive with some clicks and clever social engineering, all from the comfort of his own desktop.  

 

There are no easy solutions to either the technical or human challenge the NSA now faces. Tuesday’s global cyber attack is a sneak preview of the movie known as our lives forever after.

 

Talk about WannaCry.

 

< Here >

 


What is the expression?

It came home to roost?

 

We are surrounded by rocket scientists...Thank God we're not astronauts ...:unsure:...:lol:



That's right, let's blame the NSA for it all.

 

The evil Shadow Brokers dickheads that release it and the malware bastards that use it are of course totally innocent... :rolleyes:



7 hours ago, Karlston said:

That's right, let's blame the NSA for it all.

 

The evil Shadow Brokers dickheads that release it and the malware bastards that use it are of course totally innocent... :rolleyes:

The topic itself is misleading because the NSA has not said anything at all to give anyone a clue since 2014. I doubt anyone in the NSA is even being held accountable; things are no longer like they were under Obama. All the leaks I've seen so far were from the Obama administration.

 

The NSA is partly at fault because they wrote the virus, but they used it against people suspected of crimes, and they're at fault for not having better security. The Shadow Brokers are more at fault than the NSA because they stole the virus from the NSA and sold it on the black market, and the NSA are not the ones who are packing a virus full of ransomware and letting it loose on the innocent.

 

The NSA, the CIA and now the FBI, since they got rid of that leaker James Comey, are staying mum. So anything written about the NSA is not something they said; it's something the press said to get hits. The press are preying on the innocent as well, because they make a load of money off reporting anything bad that happens. If nothing bad happened they would be out of jobs. And most of their stories are fabricated to get hits. The NSA didn't say they were confronting shit, and they haven't in public since the Snowden leaks.

Quote

 

The NYT notes that the NSA hides its role in the development of cyber weapons, rejecting a lot of questions. Michael Anton, press secretary of the US National Security Council, said at the White House that the government “responsibly balance between the interests of national security, public security and safety”. The administration declined to comment on the origin of any virus, including Petya.

 

 

The press don't know anything anymore, so they post about stuff from years ago and make up stuff as they go. It's not even relevant to what the NSA does or doesn't do today; not even the same person is in charge. The NSA is part of the military and the president is leader and chief of the military, so if something like this happened under their watch it's their fault too. They even passed new laws where, if you want to ask them questions, you can't even do it via email anymore; you have to use snail mail, and they don't have to answer you back. It could be a week before you get a reply back that they rejected you.

 

The press is not judge, jury and executioner. To hear them tell it, everyone is guilty unless they support that person for political reasons; then they make like they're innocent. That's not how the system works in the USA. You're innocent unless proven guilty in a court of law without a shadow of doubt. And still the judge and jury don't really know and do the wrong thing sometimes. The press trying to weaken national security is just as dangerous as letting a virus loose. If the government did everything the press said, we would all be dead now or ruled by some dictatorship government.

 

Back when the CIA helped the Contra rebels smuggle drugs into the USA, they had a trial and they were convicted. The liberal press couldn't sway the vote, and when Bush got in office he pardoned those CIA officers. That right there shows national security is above the law and they don't care unless you are a spy.



straycat19

And I might add that SMB v1, the vehicle for these exploits, has been known to be outdated and vulnerable for years.  Enterprises were not able to get rid of it (most enterprises that is, we started blocking its ports in 2000) because they used software that required the use of SMB v1 and wouldn't work with its later versions.  Everybody wants to blame the NSA but there is plenty of blame to go around.  Microsoft, for example, with all its heavy handed patching and deciding what is acceptable for you to do with YOUR computer, could have put out an alert in 2000, with the release of Blaster, that they were going to block SMB v1 and developers needed to patch their software or rewrite it.  But they didn't, they didn't even do anything to fix the problem in the next 17 years, even knowing that ports 445 and 139, those used by SMB v1, were targeted with malware.  And the Shadow Warriors.  When is it time to say enough is enough and cyber attacks  of any type are a form of offensive warfare?  Maybe when Seal Team 6 or Delta Force comes knocking on their doors with silenced MP5s and other special op weapons in the middle of the night, or that drone launched Hellfire takes out half their neighborhood.  

 

SMB v2 which was released in Vista in 2006, was used as a malware gateway in 2008, and is still being used 9 years later.  What has Microsoft done to patch that glaring hole?  

 

There is still the problem with the access to the NSA tools, and though it hasn't been publicly released, it is always possible that it was an inside job. If not the actual copying of the tools, the relaxing of security protections that made the tools available for an outside source. The problem with the NSA is it relies on a lot of civilian contractors for pieces of its mission, which allows individuals like Snowden to gain clearances and have access to data they shouldn't have access to, but it is difficult to judge the motives of an individual through psychological and polygraph tests. So a lot of the problem rests with the internal organization of the NSA. I have a strong feeling that is being fixed.

 

You want somebody to blame, then quit listening to the biased media, and blame the developer of the vulnerabilities...MICROSOFT.



Back in the 80s, 90s and early 2000s hackers knew how to write viruses of their own. Stealing a virus, selling it on the darknet and buying it off the darknet means they are just doing it for money or political clout. You think the NSA is the only one that knows how to write a virus? Viruses used to be very common; that's the reason they invented antivirus. The hackers of yesteryear put these script kiddies to shame, because they're not even coding, they're just compiling it from stuff they got from others; that's not even hacking in my book. So-called hackers that can't even code are the same as a ripper who can't code themselves, so they steal a cracker's work to try to make a name for themselves!



 

Quote

 

WannaCry: Don't Believe the Hype

 

 

The media hype machine has gone into overdrive about WannaCry. It made the US national televised news. It’s in my family’s Twitter feed. It’s got sponsored ads from countless security companies. It’s officially “big” news.

 

 

But many have gone way over the top with the excitement about this attack. This isn’t game over for businesses. It’s just another in a series of exploits and attacks that are making their way into mainstream news.

So why did this make so much news?

Interestingly, many “regular people” have approached me over the last couple of days and asked me about the attack. “You work in security—Is this the worst thing ever? Is it unstoppable? How much money do you think these attackers are making?” Conversations with security minded folks tend to focus more specifically, “I’ve patched my systems, but how do I know I’m covered? Can I test to be sure?” (The short answer to that last part is yes. Testing is critical here, which is why SafeBreach Labs worked hard simulating these attacks.)

But people also just want to know why this attack has garnered so much attention. The truth is, this isn’t a particularly sophisticated attack. In fact, I think it’s popular for all the wrong reasons:

It’s easy to explain

  • There’s a clear “bad guy” who is literally holding something important for ransom. That’s a tale as old as time, the plot of countless books and movies, and something that the “regular” press can explain without an advanced degree in human-computer interaction.

It’s widespread, and seems relentless

  • This adds to the drama: People are generally scared by things that have a big impact, and seem hard to stop. See “The Terminator,” or “Outbreak,” or every zombie movie ever made.

Regular people don’t trust “The Internets”

  • Okay, I have no stats for this, but I truly believe it. Many people, in a weird perverse way, are almost hoping that the Internet eats itself alive. Some folks are quick to point to “computers” as terrible things that introduce huge risk that will just plain ruin everything (see the aforementioned “The Terminator” for example). When something bad happens and makes the news, they like to point and say, “See! See! I knew it!” (Also, cynics like me see that this involved an NSA backdoor, and say “See! See! I knew it!”)

The truth behind the sensation

So besides the fact that it’s got all the high-drama things a story needs to make news, what’s really going on with WannaCry? While it’s certainly not good, this attack is really quite simple, and not much different from thousands of other attack campaigns that use worm-like behavior to infect many machines. Remember Conficker? Well, what’s old is new again.

Worms are bad. Ransomware is bad. Stopping business, especially when literal lives are on the line, as in healthcare, is much, much worse. In no way am I suggesting that WannaCry isn’t a real threat. But it isn’t that novel, and it isn’t that sophisticated. Yet it still works.

 

And that’s the real lesson for all of us.

 

If we allow ourselves—through lack of proper patching, and inability to validate our security controls—to fall victim to these simple attacks, we should expect this kind of news to continue. The sensational headlines are masking the real issue: This is not a new problem. This is not a novel crime. It’s one we can get ahead of. We just need to realize that the power is in our hands.

It’s time to get proactive. Let’s get patching! And let’s also start validating security controls after a patch, update, config change. Let’s break this cycle of headline hype, and get back to business as usual!

 

 

https://safebreach.com/Post/WannaCry-Dont-Believe-the-Hype

 

Quote

 

‘NotPetya’: Latest Ransomware is a Warning Note From the Future

First it “slammed” the Internet and “swept” Europe, then it was “something much worse,” and now it’s a “distraction.” This week’s “NotPetya” malware attack on Windows systems has, depending on who you believe, either spread like a devastating cyber-pandemic or amounted to an over-hyped flash-in-the-pan.

 

 

 

http://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future

The problem is not who wrote this virus; the problem is that sometime in the future someone is going to write a virus that is really going to cause some damage, and it's happened before; this is nothing new. People are so blind from the forest they can't see the trees. It doesn't matter who wrote the code so much as it matters what happens once it goes in the wild. The NSA dates back to 1917, so they're not going to stop being spies because some idiot let their virus loose on people, just like no other country's spies are going to stop what they do.



First CIA gave arms to the mujaheddin and the world had to suffer, now NSA makes hacking tools and others have to suffer. It's easy to see who is the real culprit here.



Archived

This topic is now archived and is closed to further replies.
