Monthly Archives: May 2017

The particularly nasty computer program dubbed WannaCry that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements conscience-free cybercriminals, an obscure vulnerability in Microsoft Windows, older and ill-maintained corporate computer networks and computer users tricked into opening booby-trapped email attachments that played out on an epic scale.

Whats different this time is that the hackers apparently had considerable help from the U.S. government. They used a stolen tool reportedly developed by the National Security Agency to exploit a hidden weakness in the Windows operating system and spread their ransomware far and wide. The tool was one of many linked to the NSA that were leaked online last year, then finally decrypted in April for use by anyone with the requisite coding skills.

Its tempting to howl at the NSA for not alerting companies like Microsoft when its researchers find vulnerabilities in their products. The reality, though, is that doing so would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states. Whats needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. Thats a difficult balance to strike, and the decision shouldnt be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.

The even more important lesson here is that years, even decades of warnings from security experts simply arent getting through to the public. WannaCry should not have reached disastrous proportions Microsoft released a patch that could close the vulnerability in March, well before the NSAs tool was decrypted. Yet tens of thousands of computers werent updated, allowing the malware the room it needed to spread.

The problem could easily get much, much worse as more routine devices become smart, Internet-connected ones. Evidently we need stronger incentives not just for companies to release more secure products, but also for users to keep them updated and protect their data with encryption and backups. Thats what the lawmakers and federal officials should be focusing on not on trying to discourage consumers from using encryption on their smartphones, or on building stockpiles of malware based on vulnerabilities they alone have found.

Follow the Opinion section on Twitter @latimesopinion and Facebook

Read the original:
The 'WannaCry' malware: A public service announcement ...

After the WannaCry cyberattack hit computer systems worldwide, Microsoft says governments should report software vulnerabilities instead of collecting them. Here, a ransom window announces the encryption of data on a transit display in eastern Germany on Friday. AFP/AFP/Getty Images hide caption

After the WannaCry cyberattack hit computer systems worldwide, Microsoft says governments should report software vulnerabilities instead of collecting them. Here, a ransom window announces the encryption of data on a transit display in eastern Germany on Friday.

When the National Security Agency lost control of the software behind the WannaCry cyberattack, it was like "the U.S. military having some of its Tomahawk missiles stolen," Microsoft President Brad Smith says, in a message about the malicious software that has created havoc on computer networks in more than 150 countries since Friday.

"This is an emerging pattern in 2017," Smith, who is also chief legal officer, says in a Microsoft company blog post. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

On affected computers, the WannaCry software encrypts files and displays a ransom message demanding $300 in bitcoin. It has attacked hundreds of thousands of computers, security experts say, from hospital systems in the U.K. and a telecom company in Spain to universities and large companies in Asia. And the software is already inspiring imitators, as the Bleeping Computer site reports.

The malware behind WannaCry (also called WannaCrypt, Wana Decryptor or WCry) was reported to have been stolen from the NSA in April. And while Microsoft said it had already released a security update to patch the vulnerability one month earlier, the sequence of events fed speculation that the NSA hadn't told the U.S. tech giant about the security risk until after it had been stolen.

With his new statement, Smith seems to be confirming that version of events.

Two months after Microsoft issued its security patch, thousands of computers remained vulnerable to the WannaCry attack. That prompted the company to issue another patch on Friday for older and unsupported operating systems such as Windows XP, allowing users to secure their systems without requiring an upgrade to the latest operating software.

Urging businesses and computer users to keep their systems current and updated, Smith says the WannaCry attack shows the importance of collective action to fight cybercrime.

But he aimed his sharpest criticisms at the U.S. and other nations.

The attack, Smith says, "represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today nation-state action and organized criminal action."

International standards should compel countries not to stockpile or exploit software vulnerabilities, Smith says. He adds that governments should report vulnerabilities like the one at the center of the WannaCry attack.

Governments "need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith says, urging agencies to "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Smith's blog post did not address another factor in the ransomware's spread, one that hints at the difficulty of uniting against a hacking attack: Users of pirated Microsoft software are unable to download the security patch, forcing them to fend for themselves or rely on a third-party source for a solution.

See the article here:
is calling out the NSA

A top Microsoft executive partly blamed the US government for the WannaCry ransomware attack, saying hackers found a crucial Windows vulnerability in data that had been stockpiled by the NSA.

First noticed on Friday, the WannaCry attack has affected at least 200,000 computers in more than 150 countries, with attackers locking people out of their computers while demanding a Bitcoin ransom.

This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem, Microsoft President Brad Smith wrote in a Sunday blog post.

At the same time, Smith tried to deflect criticism of Microsoft in the disaster, noting that the software giant issued a patch for the vulnerability earlier this year that many organizations ignored.

Smith said the crisis is a wake-up call, and that Microsoft has been working around the clock to assist affected customers, including those on older versions of Windows that are no longer supported.

We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world, Smith griped.

Some security experts expect a fresh wave of attacks will begin Monday, as employees arrive at work and turn on affected computers. The WannaCry attack is particularly powerful because it doesnt necessarily require users to click a link or download software to spread.

Governments worldwide need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world, Smith said. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Continued here:
Microsofts president blames NSA for WannaCry attack

The U.S. Capitol is seen in Washington, DC, April 28, 2017. Saul LoebAFP/Getty Images

A bill proposed in Congress on Wednesday would require the U.S. National Security Agency to inform representatives of other government agencies about security holes it finds in software like the one that allowed last week's "ransomware" attacks.

Under former President Barack Obama, the government created a similar inter-agency review, but it was not required by law and was administered by the NSA itself.

The new bill would mandate a review when a government agency discovers a security hole in a computer product and does not want to alert the manufacturer because it hopes to use the flaw to spy on rivals. It also calls for the review process to be chaired by the defense-oriented Department of Homeland Security rather than the NSA, which spends 90% of its budget on offensive capabilities and spying.

Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian Schatz of Hawaii introduced the legislation in the U.S. Senate Homeland Security and Governmental Affairs Committee.

et Data Sheet , Fortune's technology newsletter.

Striking the balance between U.S. national security and general cyber security is critical, but its not easy, said Senator Schatz in a statement. This bill strikes that balance.

Tech companies have long criticized the practice of withholding information about software flaws so they can be used by government intelligence agencies for attacks.

Hackers attacked 200,000 in more than 150 countries last week using a Microsoft Windows software vulnerability that had been developed by the NSA and later leaked online.

Microsoft president Brad Smith harshly criticized government practices on security flaws in the wake of the ransomware attacks. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote in a blog post.

Agencies like the NSA often have greater incentives to exploit any security holes they find for spying, instead of helping companies protect customers, cyber security experts say.

"Do you get to listen to the Chinese politburo chatting and get credit from the president?" said Richard Clayton a cyber-security researcher at the University of Cambridge. "Or do you notify the public to help defend everyone else and get less kudos?"

Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, said that in putting DHS in charge of the process, the new bill was an effort to put the process "into civilian control."

The new committee's meetings would still be secret. But once a year it would issue a public version of a secret annual report.

The NSA did not immediately respond to a request for comment.

Go here to see the original:
US Cyber Bill Would Shift Power From Spy Agency - Fortune

After last weeks massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but its still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.

The Protecting Our Ability to Counter Hacking Act of 2017

A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the boards activities.

A version of the governments process, known as "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system.

The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the Heartbleed bug, which exposed vulnerabilities in devices around the world. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a wake-up call about vulnerability hoarding.

Read the rest here:
After WannaCry, a new bill would force the NSA to justify its hacking ... - The Verge

Sign Up for

Our free email newsletters

The National Security Agency (NSA) is supposed to protect American citizens from high-tech threats. But who will protect Americans from their screw-ups?

Last week, countries around the world reeled as a virulent piece of ransomware (which forcibly encrypted local data, then demanded payment in bitcoins to release the files) spread through tens of thousands of computer systems, including in banks and hospitals. Russia was worst hit, but the U.K. suffered serious damage as well, with its National Health Service suffering serious disruptions to medical services.

The story got much more infuriating when experts figured out that the computer worm was a slightly modified version of an exploit built by the NSA one stolen by the "Shadow Brokers" and leaked over the internet. Luckily, a 22-year-old British researcher accidentally tripped the worm's off switch, containing the damage at least for now. Different versions have already cropped up without that off-switch, though none as yet has spread to the same degree.

It's time for American security agencies to actually start securing the safety of American computer networks and the first step is to stop building and stockpiling computer security exploits.

As Charles Stross explains, neither the worm nor the ransomware adaptation of it were exactly masterpieces of cyber crime. The worm only worked on older Windows computers which hadn't disabled legacy file-sharing. What's more, when the Shadow Brokers leaked all the NSA tools, Microsoft had actually already released updates to patch most of its vulnerabilities (suggesting someone had tipped them off about what had been hacked).

Additionally, the ransomware's off-switch was simply a long gobbledygook domain name that was hard-coded into the program. It turned out the worm checked to see if the domain was active before it delivered its payload, so when the security researcher stumbled across it and registered it out of curiosity, he accidentally stopped the spread of the worm.

However, it turns out there are tons and tons of computers still running outdated version of Windows, and tons and tons of people who procrastinate about annoying software updates or don't even know how to do them. Even a poorly designed, weak piece of malware can do terrible damage when directed at the most outdated computer networks.

This brings me back to the NSA. If you ask why they are building and stockpiling security exploits for the most common operating systems, they will say it's for espionage operations against foreign enemies.

But the actual benefits of such things are highly questionable. Probably the most successful one ever was the fearsome Stuxnet worm, which did moderate damage to Iranian uranium enrichment facilities back in 2009. But the damage was quickly repaired, and did not do nearly as much to control the Iranian nuclear program as the diplomatic agreement signed under President Obama.

Conversely, as we are seeing today, the damage from building and piling up malware is potentially catastrophic. The NSA obviously cannot secure its own networks, and so any such weapon is one misstep away from falling into the hands of foreign governments, gangsters, or terrorists. And again, this worm was rather amateurish, and built from known materials thus giving Microsoft a bit of a head start for patches. But suppose some real professionals secretly hacked unknown NSA zero-day exploits, and built a worm designed to attack American financial systems or critical infrastructure?

If we had any sense, we would be dedicating at least the majority of our computer security spending to, you know, security: investigating, upgrading, and maintaining American computer systems to defend them against attack. (In reality, it's roughly 90 percent offense, 10 percent defense.) The NSA could probe commercial software for vulnerabilities, and then quietly inform the developer so they could be patched, as Microsoft President Brad Smith argues. Second, instead of trying to coerce tech companies to build back doors into their devices and software, the government could help them with security, particularly user-friendly end-to-end encryption. They could help support open-source software ecosystems, which are part of many pieces of critical internet infrastructure.

Perhaps most importantly, the government could help keep older operating systems secure (like Windows XP, which Microsoft was forced to update this week after abandoning it three years ago), and help people upgrade their equipment and software.

Of course, the NSA will do nothing of the sort. They helplessly define "national security" in a way that excludes their own failures enabling crime and terrorism. But if we had a lick of sense, we'd just abolish the NSA and start a new agency with a more sensible definition.

Read the original here:
The NSA is running amok - The Week Magazine

A massive cyberattack hit tens of thousands of computers in dozens of nations. Reports of the attack first surfaced in Britain, where the National Health Service described serious problems. (Sarah Parnass/The Washington Post)

The hacking group that leaked the bugs that enabled last week's global ransomware attack is threatening to make public even more computer vulnerabilities in the coming weeks potentially including compromised network data pertaining to the nuclear or missile programs of China, Iran, North Korea and Russia, as well as vulnerabilities affecting Windows 10, which is run by millions of computers worldwide.

A spokesperson for the group, which calls itself the Shadow Brokers, claimed in a blog postTuesdaythat some of those computer bugs may be released on a monthly basis as part of a new subscription-based business model that attempts to mimic what has proved successful for companies such as Spotify, Netflix, Blue Apron and many more.

[Clues point to possible North Korean involvement in massive cyberattack]

Is being like wine of month club, readthe blog post, which is written in broken English. "Each month peoples can be paying membership fee, then getting members only data dump each month."

The moveshows the growing commercial sophistication of groups such as the Shadow Brokers, which already has demonstrateda fearsome technical ability to compromise the world's top intelligence agencies. And it underscoresthe waymuch of theunderground trade forcomputer bugs resembles a real-world commercial market.

Security experts have been analyzing the blog post for clues aboutthe Shadow Brokers' intentions and capabilities.

[How to protect yourself from the global ransomware attack]

Marcy Wheeler, a longtime independent researcher, said in a blog post Tuesday that the Shadow Brokers' postbrings the hammer down both on Microsoft, whose products could be affected by any further leaks, and the U.S. National Security Agency, whose information the Shadow Brokers leaked in April. That leakled indirectly to the creation of WannaCry and the subsequent crisis,security experts say.

Simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government, Wheeler wrote.

Microsoft didn't immediately respond to a request for comment. On Sunday, the company criticized the NSA for stockpiling digital weapons. The tech industry opposes efforts by the government to weaken the security of its products, while national security advocates say it could help combat terrorism.

[Russia warns against intimidating North Korea after its latest missile launch]

Although experts say the Shadow Brokers do not appear to have been directly involved in the WannaCry attack, leaking the exploitin the first place was a major step toward facilitating the cyberattack.

The group's new claim that it possesses information on the nuclear programs of state governments is extremely worrisome, said Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, a Washington think tank."While they don't seem to have the most amazing PR department," he said, "they've already proved that they had some pretty serious access. The nuke facility stuff is particularly concerning, [speaking] as a former physicist.

Previously, the group had sought to sell its hacking tools to the highest bidder. Few buyers came forward, the group said in its blog post. But now, the monthly subscription model might mean the bugs will find their way into the hands of more people, spreading far and wide, Hall said.

Originally posted here:
The hacking group that leaked NSA secrets claims it has data on foreign nuclear programs - Washington Post

Last week a malicious computer worm dubbed WannaCry 2.0 began attacking older, unpatched versions of Microsoft operating systems, infecting hundreds of thousands of systems with ransomware that held user data hostage in exchange forBitcoin payments.

The cyberattack used code from a powerful National Security Agencytool called EternalBlue, which a mysterious group of hackers known as The Shadow Brokers leaked earlier this year. Tech companies have been quick to blame the NSA for finding and exploiting vulnerabilities in commercial products like Windows, to say nothing of losing them.

On Sunday, Brad Smith, Microsofts (MSFT) president and chief legal officer, argued that an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.

The next day, Former NSA contractor Edward Snowden, speaking via video chat to the K(NO)W Identity Conference in Washington D.C. from an undisclosed location in Russia, repeated Smiths argument.

An equivalent scenario to what were seeing happening today would be conventional weapons, produced and held by the U.S. military, being stolen, such as Tomahawk missiles, Snowden said while describing Smiths letterto a crowd less than a mile from the White House.

Edward Snowden speaking via video chat from Russia at the K(NO)W Identity Conference in Washington, D.C. on May 15. (image: One World Identity)

U.S. officials acknowledge that the NSA deserves scrutiny about protecting tools it develops to collect foreign intelligence. Theyve absolutely got to do a better job protecting [the hacking tools], General Keith Alexander, head of the NSA from 2005 to 2014, told The Washington Post. You cant argue against that.

However, the Tomahawk analogy may be a stretch. Dave Aitel, a former NSA research scientist and CEO of the cybersecurity company Immunity, explained why hacking tools are not like bombs.

The very first thing is you can steal a Tomahawk missile from me, but you cannot steal it from me without me knowing youve stolen it, Aitel said. And of course, you can steal an exploit or other intellectual property from me and I may never find out. Another is that two people can have [the same exploit] at the same time.

Aitel, who specializes in the offensive side of cybersecurity, added that deep down, the biggest difference is that you have to learn a lot about exploits to protect yourself, and I dont really have to learn a lot about Tomahawk missiles to protect myself from Tomahawk missiles.

This is the screen youll see if your computer is infected with the WannaCry 2.0 ransomware.

Nevertheless, the analogy has been relatively well received. Travis Jarae, CEO and Founder of One World Identity, which hosted the conference in Washington, and paid a speakers bureau to digitally host Snowden, saidthat the Tomahawk analogy is not wrong given the contemporary threat environment.

Warfare is digital, explained Jarae, who was previously Global Head of Identity Verification at Google. We spy on people digitally I thought it was a little aggressive to compare it to a missile, but [government hacking] is very damaging.

Aitel noted that it makes sense why Smith and others in the tech business would make that argument.

[Brad Smiths] job is to create favorable economic conditions for Microsoft at a strategic level, and if he pressure governments to stop using exploits, then that helps him from a PR perspective, Aitel said. It doesnt help the users because people are still going to have exploits. Thats always going to be true.

Read More

Microsoft president and chief legal officer Brad Smith speaks at a Microsoft tech gathering in Dublin, Ireland October 3, 2016. REUTERS/Clodagh Kilcoyne

Snowden also echoed Smiths criticisms of the U.S. governments decision to develop secret software exploits, telling the audience at the K(NO)W Identity Conference that secret government exploits are a problem, and the NSA should have voluntarily revealed the EternalBlue exploit long ago.

But other former NSA officialshave pushed back against that idea, telling the Washington Post that EternalBlue netted an unreal foreign intelligence haul that was like fishing with dynamite.

Edward Snowden knows full well the value of the signals intelligence program and that includes the NSAs hacking to our national security, Aitel said. This is not for play. Theyre not building exploits for fun. Its not a hobby. Its for distinct and important national security needs.

So when he says Give up your exploits, he essentially is saying, We dont need signals intelligence, which we do.

Ultimately, according to Aitel, companies like Microsoft placing the blame on the NSA with crude analogies equating NSA hacking tools to U.S. cruise missiles only serves to muddy the larger debate.

The bigger issue is Brad Smith and Microsoft, who continue to insist that everything fall their way in terms of how vulnerabilities are handled, which I dont think helps the conversation around cybersecurity, Aitel said. There are a lot of very interesting things in cybersecurity that dont involveMicrosofts bottom line, and those are worth talking about.

READ MORE:

The simple reason so many companies were hit by the WannaCry 2.0 ransomware

As tensions rise with Russia, U.S. colleges still pay for Snowden speeches

No, your Apple computer isnt immune from ransomware

Risk director discusses the tragedy of Julian Assange and WikiLeaks

The rest is here:
Why leaked NSA hacking tools are not like stolen Tomahawk missiles - Yahoo News