from the Who-knows-what-evil-lurks-in-the-hearts-of-machinery?-The-Shadow-Brokers-do! dept.
Excerpt:
"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.
However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.
It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
Related Stories
Cisco is releasing patches for an exploit disclosed by an entity calling itself the Shadow Brokers:
Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.
ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.
[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.
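As an added example (not Cisco's code or part of the article), the following Python script parses Cisco ASA/PIX release strings and flags inventory entries that fall below the fixed versions quoted above: ASA 8.4(3) for EpicBanana and PIX 7.0 for BenignCertain. The inventory is constructed for illustration, and ExtraBacon is left out because the article gives no fixed version for it.

```python
import re
from typing import Dict, List, Tuple

# Cisco ASA/PIX release strings look like "8.4(3)" or "9.1(7)23":
# major.minor(maintenance) with an optional trailing interim number.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\))?(\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Cisco release string into a comparable tuple; missing parts count as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


# Thresholds as stated in the advisory summary above.
EPICBANANA_FIXED_ASA = parse_version("8.4(3)")   # ASA releases below this are affected
BENIGNCERTAIN_FIXED_PIX = parse_version("7.0")   # PIX 6.x and earlier are affected


def exposure(platform: str, version: str) -> List[str]:
    """Return the list of exploits (from the article) a device's release is exposed to."""
    v = parse_version(version)
    findings: List[str] = []
    if platform.upper() == "ASA" and v < EPICBANANA_FIXED_ASA:
        findings.append("EpicBanana (upgrade to 8.4(3) or later)")
    if platform.upper() == "PIX" and v < BENIGNCERTAIN_FIXED_PIX:
        findings.append("BenignCertain (PIX 6.x; move to 7.0+ or retire unsupported hardware)")
    return findings


# Constructed inventory (hostname, platform, running release) for demonstration only.
INVENTORY = [
    ("fw-edge-1", "ASA", "8.2(5)"),
    ("fw-edge-2", "ASA", "9.1(7)23"),
    ("fw-legacy", "PIX", "6.3(5)"),
    ("fw-branch", "PIX", "7.0(8)"),
]


def triage(inventory=INVENTORY) -> Dict[str, List[str]]:
    """Map each hostname to its exposure findings (empty list means none of the listed exploits apply)."""
    return {host: exposure(platform, release) for host, platform, release in inventory}


if __name__ == "__main__":
    for host, findings in triage().items():
        print(host, "->", findings or ["no exposure to the exploits listed above"])
```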
There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
The Shadow Brokers are back, and they have a treat for you:
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.
[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
NSA-created cyber tool spawns global ransomware attacks
From Politico via Edward Snowden via Vinay Gupta:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75,000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
According to unverifiable sources, an NSA contractor stored classified data and hacking tools on his home computer, which were made available to Russian hackers through the contractor's use of Kaspersky Lab anti-virus software:
Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.
As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date.
In a later story, The Washington Post said the employee had worked at the NSA's Tailored Access Operations unit for elite hackers before he was fired in 2015.
[...] Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage.
(Score: 3, Informative) by Anonymous Coward on Friday August 19 2016, @01:17PM
It's far-fetched to think a small group of unknown hackers could infiltrate NSA.
Yeah, it's far-fetched to believe that the NSA has insecure practices:
http://motherboard.vice.com/read/in-2012-edward-snowden-helped-nsa-fix-its-microsoft-macros-problem [vice.com]
(Score: 3, Insightful) by Jeremiah Cornelius on Friday August 19 2016, @02:43PM
If there's a mole in the ministry? I hope it's actually hundreds of them.
You're betting on the pantomime horse...
(Score: 1, Interesting) by Anonymous Coward on Friday August 19 2016, @11:38PM
It is not a surprise to anyone who realized that the S in NSA stands for Surveillance. Their budget doubled after the twin tower incident, and while their spending is opaque, it seems that more than half of their budget is dedicated to surveillance now: it has truly become their primary goal. Incidentally, this goal directly conflicts with security, unless we understand by that the security of the state actors from what they call the cancer of democracy, which would, if given a chance, work tirelessly to improve the conditions of the 99% at the expense of the richest and most powerful 1%.
To stress the last point, public security is harmed immensely by NSA-style total surveillance. For one, it is utterly improbable that data products assembled at NSA will not leak to criminals. Most of them already have. It has been fashionable lately to point fingers at the Russian scene, but the source of the cracks is irrelevant, as is the culture of security incompetence within NSA. The cases of Manning and Snowden demonstrate the ease of copying humongous quantities of classified data without detection; in both cases the leaks were sourced thanks to the voluntary confessions made by the intruders themselves. It would be trivial for a competent, full-fledged insider to let out any amount of data without a risk of being uncovered, and shifting the agency's focus from security to surveillance only compounded this problem by presenting a wider attack surface to outsiders.
~ Anonymous 0x9932FE2729B1D963
(Score: 5, Insightful) by Ethanol-fueled on Friday August 19 2016, @01:23PM
Hoooooookay, Senator McCarthy. Yes, the criminal malfeasance of the US government is alllllll Russia's fault!
(Score: 4, Insightful) by Anonymous Coward on Friday August 19 2016, @02:13PM
If anything, EVERYONE in the NSA is a Russian mole. If they adhered to the US constitution they'd all be dead or where Snowden is today. Real Americans wouldn't touch the Orwellian apparatus with a 10-foot pole.
(Score: 2) by dingus on Friday August 19 2016, @06:18PM
It really annoys me that because there's some evidence that Russia was probably involved in the DNC hack (the evidence is nowhere near conclusive, though), all hacks that happen on American organizations are now because of the Russians.
(Score: 2, Insightful) by Ethanol-fueled on Friday August 19 2016, @09:01PM
It really annoys me that Russia is being accused of "meddling with the election" when, if they are in fact behind the leaks, the leaks are true and are to the benefit of the public.
That's like blaming your neighbor for truthfully warning you that your babysitter is a murderous babykiller.
(Score: 4, Insightful) by Gravis on Friday August 19 2016, @02:22PM
NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
why haven't they caught them in six years and why would they tell anyone there is a mole? everything about this runs counter to logic. what makes more sense is this story is simply speculative enough to be a cover story and you can't prove a negative which makes it irrefutable.
(Score: 2, Insightful) by Anonymous Coward on Friday August 19 2016, @04:13PM
NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
why haven't they caught them in six years and why would they tell anyone there is a mole? everything about this runs counter to logic. what makes more sense is this story is simply speculative enough to be a cover story and you can't prove a negative which makes it irrefutable.
What doesn't make sense about this? Let's take a more intuitive example to illustrate what could be going on: Hollywood.
You have Galactic Films, a major producer of movies. They notice that their latest movie, "Y-Men: Apocalypse Tomorrow," was distributed on a bittorrent website a week before their film opening weekend. Moreover, their previous movie, "Iced," likewise was on bittorrent a week before release, as had their previous movie, "What About Susan?"
It's easy to know they have a mole in their ranks, as their movies have leaked inappropriately. However, there are so many people (actors, producers, directors, critics, etc.) who have had contact with their movies that they don't know who the person is. They may be able to narrow it down to a few hundred, or maybe a few dozen people, but that's still a lot. Moreover, these are among the most important people to their business; who wants to risk offending a powerful movie critic with a false accusation?
So they know they have a mole, but aren't sure who it is. As for why they would discuss it, that could be to either get the mole to stop (from fear) or to react in a way they can spot.
I'm sure you can see the parallels between this and the situation an intelligence agency may (or may not) be in.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @02:45PM
Americans are greedy prostitutes and would sell their own mother if it meant more money. It's easy for Russia to recruit moles this way.
(Score: 3, Insightful) by DannyB on Friday August 19 2016, @04:45PM
You could narrow the scope of your statement from "Americans" to MBAs. It would remain just as true, but not falsely accuse other Americans. Even with it being true of a much smaller group than the general population, that is still more than enough to destroy everything.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @02:48PM
After the Snowden incident, I remember the NSA was talking about eliminating sysadmins so that nobody would have the same kind of access again that Snowden had.
Did they implement that plan?
(Score: 1, Interesting) by Anonymous Coward on Friday August 19 2016, @03:12PM
Sort of like an alcoholic determining that his problem is the empty beer cans in his room, so he resolves to eliminate them so empty beer cans lying about won't happen again. What does he do with the $20 he gets for returning them to the store? You guessed it.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @09:54PM
Wait, you're saying I can return sysadmins to their parents for a refund so I can buy more sysadmins?
(Score: 2) by butthurt on Saturday August 20 2016, @12:15AM
The organisation's Web site was giving errors for most of Tuesday.
http://www.politico.com/story/2016/08/nsa-website-hacking-rumors-227088 [politico.com]