Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Sunday May 21 2017, @08:07PM   Printer-friendly
from the better-late-than-never dept.

After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.

Those same NSA officials, according to Tuesday's report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.

"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: "This one is very serious, and we need to protect ourselves."

Source: ArsTechnica


Original Submission

Related Stories

Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools 23 comments

According to unverifiable sources, an NSA contractor stored classified data and hacking tools on his home computer, which were made available to Russian hackers through the contractor's use of Kaspersky Lab anti-virus software:

Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.

As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date.

In a later story, The Washington Post said the employee had worked at the NSA's Tailored Access Operations unit for elite hackers before he was fired in 2015.

[...] Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by Runaway1956 on Sunday May 21 2017, @08:14PM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday May 21 2017, @08:14PM (#513138) Journal

    NSA identifies a risk, and keeps it secret, until it's stolen, THEN they communicate the risk. Mikey makes it sound like they were being good citizens. Fuck you Mikey!!

    --
    Death smiles at everyone. Sailors smile back.
    • (Score: 4, Insightful) by Lagg on Sunday May 21 2017, @09:37PM

      by Lagg (105) Subscriber Badge on Sunday May 21 2017, @09:37PM (#513168) Homepage Journal

      Keep in mind that even the WP and Arse Technica aren't buying it. This is rather important and unusual compared to previous coverage of the NSA not all that long ago. Also I'm pretty sure people are having more trouble than they usually do with politicians' integrity these days. Too bad his cult isn't the elephant worshipping one. They'd take his attempt to PR even less seriously.

      Right after his quote they still made it clear it was dangerous. One thing I take issue with though: It being treated as an NSA security issue rather than an ethical one for responsible reporting - that they simply need to "secure" the exploits more.

      I also am getting very fucking tired of their constant comparisons to weapons. People are surely seeing what they're doing here by now. They need to knock it off.

      --
      http://lagg.me [lagg.me] 🗿
      8DF5 7CC6 9572 2282 4BD7 CC2C 1316 E8D2 AB04 0CBD
    • (Score: 2) by butthurt on Sunday May 21 2017, @10:19PM

      by butthurt (6141) on Sunday May 21 2017, @10:19PM (#513178) Journal

      > THEN they communicate the risk.

      As Mr. McNerney says, the NSA told Microsoft but they didn't tell the public. As far as I know, the agency hasn't publicly acknowledged that the EternalBlue exploit, or anything released by the Shadow Brokers, was stolen from the NSA.

  • (Score: 1) by Demena on Sunday May 21 2017, @11:19PM (11 children)

    by Demena (5637) on Sunday May 21 2017, @11:19PM (#513193)

    The prime responsibility for all the crap goes to there NSA not the Shadow brokers. They are both guilty as sin of unethical shit but the NSA made the door the Shadow Brokers used.

    The NSA should be forking out to repair the worldwide damage. It isn't that they are no better than criminals it is simply that they are criminals.

    • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @11:59PM (4 children)

      by Anonymous Coward on Sunday May 21 2017, @11:59PM (#513208)

      No no, you see... imagine if there was a terrorist and a suitcase nuke and the terrorist locked his iPhone and demands a lawyer but there's a timer and we can't wait and it's New Year's Eve. You see?

      • (Score: 1) by Demena on Monday May 22 2017, @12:07AM (3 children)

        by Demena (5637) on Monday May 22 2017, @12:07AM (#513213)

        No. I do not see.

        • (Score: 1) by khallow on Monday May 22 2017, @02:55AM (2 children)

          by khallow (3766) Subscriber Badge on Monday May 22 2017, @02:55AM (#513286) Journal
          Jack Bauer was going to get the password out of the terrorist using the five dollar pliers, but the terrorist choked down a cyanide pill hidden in a tooth. Fortunately, five dollar pliers work on US Senators too, and Jack is able to pass the privacy-destroying laws he needs to save Manhattan.
          • (Score: 0) by Anonymous Coward on Monday May 22 2017, @04:09AM (1 child)

            by Anonymous Coward on Monday May 22 2017, @04:09AM (#513309)

            And they're rebooting that shit, pretty sure the protagonist is a woman this time. Gotta get the diversity in there, can't let a silly thing like feminism stop the police state.

            • (Score: 2) by DECbot on Monday May 22 2017, @04:22PM

              by DECbot (832) on Monday May 22 2017, @04:22PM (#513565) Journal

              Technically , in the US, a male is a minority*. So you should still be able to cast a man. LGBTBBQLOLBRBWTF man if you're still trying to fill the diversity quota.

              *You'll have first trust Wikipedia, then second trust the 2012 CIA World Factbook, and third add up the numbers yourself.
              https://en.wikipedia.org/wiki/Demography_of_the_United_States#Ages [wikipedia.org]

              --
              cats~$ sudo chown -R us /home/base
    • (Score: 0) by Anonymous Coward on Monday May 22 2017, @01:14AM (5 children)

      by Anonymous Coward on Monday May 22 2017, @01:14AM (#513239)

      The prime responsibility for all the crap is Micro$oft for releasing a shitty operating system.

      • (Score: 1, Informative) by Anonymous Coward on Monday May 22 2017, @02:04AM (3 children)

        by Anonymous Coward on Monday May 22 2017, @02:04AM (#513262)

        Look up ping of death as applicable to lunix. Yeah, RCE via ping, now sod off.

        • (Score: 0) by Anonymous Coward on Monday May 22 2017, @02:12AM (1 child)

          by Anonymous Coward on Monday May 22 2017, @02:12AM (#513266)

          My router will block that before it gets to my LAN... try again.

          • (Score: 1, Touché) by Anonymous Coward on Monday May 22 2017, @06:58AM

            by Anonymous Coward on Monday May 22 2017, @06:58AM (#513368)

            No need to try again, because the same applies to this M$ asploit.

        • (Score: 3, Informative) by Chromium_One on Monday May 22 2017, @06:13AM

          by Chromium_One (4574) on Monday May 22 2017, @06:13AM (#513348)

          Seriously, people need to quit referring to Linux as Lunix. They really don't have much in common, though the 7-node clustering capabilities were kind of neat considering the hardware.
          https://en.wikipedia.org/wiki/LUnix [wikipedia.org]

          --
          When you live in a sick society, everything you do is wrong.
      • (Score: 1) by anubi on Monday May 22 2017, @06:15AM

        by anubi (2828) Subscriber Badge on Monday May 22 2017, @06:15AM (#513350)

        My feeling is Microsoft deliberately inserts backdoors presented to them by the TLA's in order to be a "team player" in exchange for adoption of Microsoft by government contractors, and favorable law regarding "hold harmless" clauses.

        I have no proof of this, but having so many backdoors constantly being found and replaced sure leads me to speculate.

        Seems like in any other industry, this far along, we would have had this whole thing nailed by now. We should at least have a trustworthy computational foundation by now. No, we still have stuff that falls apart.

        Every successive version of Windows seems to be even more full of holes than the one it replaces.

        Especially with our own government allowing "hold harmless" clauses to be OK, but not letting anyone else off nearly that easy.

        The adoption of Microsoft by governments damn near mandates the adoption of the same by the citizens, so as to be able to talk to the governments. Just like we are forced to use the dollar as currency, as taxes are paid in it.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 4, Interesting) by Snotnose on Monday May 22 2017, @02:14AM (2 children)

    by Snotnose (1623) on Monday May 22 2017, @02:14AM (#513268)

    Presidential Medal of Freedom sounds appropriate. These assholes (NSA et all) find vulnerabilities that make us all insecure and hoard them for their own use. Never mind the Chinese, Russians, and random hacker groups find the same vulnerabilities.

    This "leak" has made everyfuckingone of us a hell of a lot safer in the long run.

    --
    Being cremated is my last chance of having a smoking hot body.
    • (Score: 2, Interesting) by anubi on Monday May 22 2017, @05:59AM (1 child)

      by anubi (2828) Subscriber Badge on Monday May 22 2017, @05:59AM (#513341)

      That was the first thing that came to my mind, too. You beat me to it.

      Now, I am finally beginning to understand why my cries about computer security went ridiculed when I worked in the lower levels ( engineering ) of the aerospace industry.

      I now sincerely believe that at the same time I was expressing security concerns about Microsoft and the motherboard manufacturers, at the upper levels of the Military-Industrial Complex, hands were already shaking and pens were signing, implementing the very things I was concerned about.

      Its the only plausible explanation I can think of as to why my concerns fell on such deaf ears.

      I am now concerned with how much longer we will be able to buy hardware that will run linux, or will running linux one day be illegal?

      I see the day coming where only things like Raspberry PI's may be known to be trustworthy.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by pkrasimirov on Monday May 22 2017, @04:08PM

        by pkrasimirov (3358) Subscriber Badge on Monday May 22 2017, @04:08PM (#513561)

        > Its the only plausible explanation I can think of as to why my concerns fell on such deaf ears.
        You underestimate the human laziness and corporate comfort zones.

  • (Score: 3, Interesting) by meustrus on Monday May 22 2017, @02:13PM

    by meustrus (4961) <meustrusNO@SPAMgmail.com> on Monday May 22 2017, @02:13PM (#513492)

    This disclosure is great! Props to Shadow Brokers for making us all safer from the NSA.

    Now let's close all the holes the Russians, Chinese, N. Korean, and other hostile foreign powers have. While we're at it let's eliminate the hacks that criminal organizations use to competently extort money and steal corporate secrets. And can we please fix the design vulnerabilities in HTML and other interfaces that allow our new tech overlords to track us and establish Orwellian profiles of our behavior for uses still not entirely decided upon?

    There isn't just one NSA-shaped boogeyman. The enemy to our personal liberty is found in all such large concentrations of power.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(1)