Nov. 14, 2017, “The NSA needs to stop hacking,“ The Week, Ryan Cooper
“Since August 2016, the National Security Agency has suffered a continual stream of devastating failures. Their internal hacking group, known as Tailored Access Operations (TAO), was breached 15 months ago by hackers calling themselves the “Shadow Brokers,” which has been dribbling out the contents of the NSA’s most prized hacking tools. The result has been a wave of internet crime — ransomware, lost files, and network attacks that disrupted businesses and cost hundreds of millions of dollars.
And as this New York Times story illustrates, the agency has been completely incapable of figuring out how the breach happened. Their computer networks could have been penetrated, or they could have someone on the inside leaking the tools. But after more than a year, they have not been able to plug the leak.
It’s long past time the NSA was forced to stop hacking, and to start protecting the American people from the sort of tools they create.
At the time of the leak last year [2016], I speculated that the NSA was exposing the American people to online attack, but I was not prepared for how bad it would be. Several huge ransomware attacks (in which a computer is infiltrated, its hard drive encrypted, and the de-encrypt key held for a bitcoin ransom) using NSA hacking tools have swept the globe, hitting companies like FedEx, Merck, and Mondelez International, as well as hospitals and telecoms in 99 countries.
Even NSA partisans admit that this leak is creating much worse problems than the Snowden revelations (which were, after all, carefully vetted by journalists before being published). And despite a months-long internal investigation, the NSA still isn’t even sure what sort of leaks these are, let alone how the hackers are doing it.
In theory, one could imagine a security trade-off between setting up a hacking program to spy on other countries, and a program to find and patch security vulnerabilities in American software and computer networks.
In practice, it’s now beyond question that the benefits of developing these hacking tools pale in comparison to the danger they pose simply by existing. The NSA might be able to hire the best computer scientists in the world, but they are manifestly incapable of keeping the tools they produce secure….
Software and computer systems are an integral part of American society, and private individuals and companies — not to mention government agencies and election administrators — need to be protected from every single tool [not just “90%”] the NSA has ever produced.
And after that, the TAO [Tailored Access Operations , NSA’s internal hacking group which was breached 15 months ago] needs to be shut down for the foreseeable future. Instead, the NSA should research computer vulnerabilities, and when they find one, quietly inform the afflicted party so they can fix it before word gets out. Indeed, the agency could do no small service by twisting arms to simply get people to install security patches — especially large corporations, who as a rule drag their feet about keeping their software (generally ancient and highly vulnerable versions of Windows) up to date until there is a crisis.
I think the real reason why the NSA has a hacking program can be found in the following phrase from the Times article, about why people join the agency: “[N]owhere else can they hack without getting into legal trouble…” Breaking into foreign computer networks, creating security exploits, calling yourself an “operator,” and generally doing cool spy stuff like in the movies is exciting and stimulating. People create excuses that legitimize this practice, despite the endless cavalcade of failure.
By contrast, stuff like walloping Equifax over the head with a metaphorical cricket bat until they fix their appallingly insecure computer systems, or helping government departments implement ironclad end-to-end encryption to protect sensitive communications, is rather dull. But until some future date when the American state has become competent enough to keep a secret again, that’s what our secret computer professionals should be doing. American national security simply can’t afford any more NSA bungling.”
………
Added: An NSA insider is likely responsible for 2016 elite NSA hacking tools appearing on the internet. “It’s one more reason to question the usefulness of an agency [NSA] that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.”
8/21/2016, “Commentary: Evidence points to another Snowden at the NSA,“ Reuters, James Bamford, commentary
“Hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block….It’s one more reason to question the usefulness of an agency [NSA] that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us….NSA may prove to be one of Washington’s greatest liabilities rather than assets….“Without a doubt, they’re the keys to the kingdom,” one former TAO employee told the “Washington Post.” “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.” Another added, “From what I saw, there was no doubt in my mind that it was legitimate.””…
…………........
Added: NY Times article linked in The Week above: “N.S.A. employees say that with thousands of employees pouring in and out of the gates…it is impossible to prevent people from walking out with secrets.“…Among May 2017 WannaCry’s global targets using NSA hacking tools were UK hospitals as well as one or more hospitals in Pennsylvania.
11/12/2017, “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core,“ NY Times, Scott Shane, Nicole Perlroth, David E. Sanger
“A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.”…
“Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers [in 2016 and 2017] already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.
Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves….
Millions of people saw their computers shut down by ransomware [in May 2017 WannaCry global attack], with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.
American officials had to explain to close allies-and to business leaders in the United States-how cyberweapons developed at Fort Meade in Maryland came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but certain.
Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations….
Some veteran intelligence officials believe a lopsided focus on offensive weapons and hacking tools has, for years, left American cyberdefense dangerously porous.
“We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.”
At the heart of the N.S.A. crisis is Tailored Access Operations, the group where Mr. Williams worked, which was absorbed last year [2016] into the agency’s new Directorate of Operations.
T.A.O. — the outdated name is still used informally — began years ago as a side project
at the agency’s research and engineering building at Fort Meade. It was
a cyber Skunk Works, akin to the special units that once built stealth
aircraft and drones.
As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas.
The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes….
As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas.
The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes….
The more experienced T.A.O. operators devise ways to break into foreign networks….T.A.O. operators must constantly renew their arsenal to stay abreast of changing software and hardware, examining every Windows update and new iPhone for vulnerabilities. “The nature of the business is to move with the technology,” a former T.A.O. hacker said.
Long known mainly as an eavesdropping agency, the N.S.A. has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the N.S.A.
The same implant can be used for many purposes: to steal documents, tap into email, subtly change data or become the launching pad for an attack. T.A.O.’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz [Iran] nuclear plant caused centrifuges enriching uranium to self-destruct. The T.A.O. was also critical to attacks on the Islamic State and North Korea.
It was this arsenal that the Shadow Brokers got hold of, and then began to release….
N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.
Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.
But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows.
There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.
Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”
The Shadow Brokers have verbally attacked certain experts, including Mr. Williams. When he concluded from their Twitter hints that they knew about some of his hacks while at the N.S.A., he canceled a business trip to Singapore. The United States had named and criminally charged hackers from the intelligence agencies of China, Iran and Russia. He feared he could be similarly charged by a country he had targeted and arrested on an international warrant.
He has since resumed traveling abroad. But he says no one from the N.S.A. has contacted him about being singled out publicly by the Shadow Brokers….
For decades after its creation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof....
The Snowden trauma led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets….
Because the N.S.A. hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit….
[NSA employee] Mr. Martin’s gargantuan collection of stolen files included much of what the Shadow Brokers have, and he has been scrutinized by investigators as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.
But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency.”…
……………
Added: NSA’s EternalBlue is “in every hacker’s toolbox.“ EternalBlue can mask or give false clue about geographic location of the hacker. “EternalBlue’s widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers….It will be years before enough computers are patched against EternalBlue.” EternalBlue can mask or give false clue about the geographic location of the hacker.
3/7/18, “The Leaked NSA Spy Tool That Hacked the World,” Wired, Lily Hay Herman
“Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc 2003.
EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy….
EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers.
Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.
The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.
Microsoft released its EternalBlue patches on March 14 of last year [2017]. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks….As WannaCry hit, Microsoft even took the “highly unusual step” of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems.
In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.
The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.
Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,”
says Jérôme Segura, lead malware intelligence analyst at the security
firm Malwarebytes. “There are definitely a lot of machines that are
exposed in some capacity.”
Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed.
There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.”
At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox—much like the password extraction tool Mimikatz. But EternalBlue’s widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.
New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”
And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.“
It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.”
……………………
Added: Re: 2017 WannaCry attack, US city of Atlanta, Georgia now said to have been among those attacked per Georgia cyber security firm. City of Atlanta unable to provide comment.
Added: Re: 2017 WannaCry attack, US city of Atlanta, Georgia now said to have been among those attacked per Georgia cyber security firm. City of Atlanta unable to provide comment.
………….
3/28/18, “Atlanta, hit by ransomware attack, also fell victim to leaked NSA exploits,“ ZDNet, Zack Whittaker
………
“According to one security firm, last
week’s cyberattack was not a surprise because the city had fallen
victim to leaked government exploits used in the [2017] WannaCry outbreak [which used leaked hacking tools developed by the National Security Agency.]
New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city’s network was silently infected last year [2017] with leaked exploits developed by the National Security Agency.
New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city’s network was silently infected last year [2017] with leaked exploits developed by the National Security Agency.
The cybersecurity firm’s founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017.
That was more than a month after Microsoft released critical patches for the exploits and urged users to install.
The NSA exploits were stolen in 2016 in one of the biggest breaches of classified files since the Edward Snowden disclosures.
The [alleged] hackers [described as “leakers” in headline and elsewhere in this article] who stole the exploits, known as the
Shadow Brokers, attempted to auction off the files but failed.
Microsoft learned of the theft of these tools and, fearing that they would be used or publicly released, the company quietly released security patches for the exploit in March. Weeks later, the tools were dumped online for anyone to use.
According to Williams, the city’s networks were left unpatched for weeks — making them vulnerable to ransomware attacks.
“Based on our data, we can say for an organization of its size, the city of Atlanta had a substandard security posture in April 2017, making the scope of the ransomware attack far from surprising,” Williams told ZDNet.
Williams also wrote up his findings Tuesday in a detailed blog post.
Just two weeks later, the WannaCry ransomware attack hit.
The attack was the biggest of its kind — spreading throughout several countries, infecting hundreds of thousands of computers. The ransomware used the leaked NSA exploit dubbed EternalBlue, which attacks a flaw in Windows SMB, and drops the DoublePulsar backdoor and waits. It’s that DoublePulsar backdoor that allows an attacker to remotely execute a malicious payload — such as ransomware.
Williams said his firm detected 148,000 infected machines at its peak — machines that were directly connected to the internet.
But that doesn’t account for the vast number of machines connected to those infected servers — likely putting the final number of machines at risk significantly higher.
Williams stopped scanning for infected servers only by chance before the WannaCry attack, because as security patches were applied, the number of vulnerable systems was going down.
It’s not known if Atlanta patched its network during that two week period before the WannaCry attack.
When reached, a spokesperson for the City of Atlanta was unable to comment on specific questions we had.
Williams confirmed that as of Monday, none of Atlanta’s systems are still infected by the NSA exploits –– though, he said, it’s not known if the clean-up is a response to Thursday’s cyberattack or not.
Atlanta’s recovery efforts continue “around the clock,” said Bottoms.
CSO security reporter Steve Ragan reported earlier Tuesday that the portal used to pay the ransom — if the city decides to do so — has been pulled offline by the ransomware attacker. A screenshot of a city employee’s computer, which included the dark-web address used to access the payment portal, was publicized by local media.
Although some of the city’s machines are slowly coming back online, many systems remain locked. For now, it’s not known when — or even if — the city will get fully back up and running.”
No comments:
Post a Comment