
Category Archives: NSA

Thank the NSA for latest global ransomware – Bangkok Post

Posted: May 23, 2017 at 10:32 pm

Everyone is talking about WannaCry(pt), the latest ransomware worm that attacked over 150 countries across the globe. It hit hospitals, universities, businesses, a telco, train stations and more. Microsoft responded by releasing emergency security patches for Windows versions as far back as XP. To Microsoft's credit they had released a patch for the issue in February, well before this exploit hit, so those that did not update were the ones hit. The lesson here is to install your security patches when they are available.

The exploit was via a vulnerability in the SMB file share system. The bug was found after the NSA's EternalBlue tool was stolen; yes, the NSA was using the exploit. Initially the tool was used to hack into devices but this latest version was added to ransomware. The unlock cost is between US$300 (10,400 baht) and $600 regardless of the target. It also adds Doublepulsar, a backdoor that allows the machine to be remotely controlled, also stolen from the NSA. BitDefender sent an email saying I was already protected but many were not. The attack was stopped when a clever person in the UK found the kill switch. There are rumours that North Korea was behind this attack like they were with the big Sony hack a while back. Others are suggesting it was a much smaller group.

The potential next version of Android, or its replacement, called Fuchsia has been tested in an early development build. The need for such a product was triggered by Oracle's litigation against Google to get Android royalties. It is open source and you can find it on Github. Hotfix's Kyle Bradshaw compiled the most recent version and you can see what it looks like by searching for "Fuchsia OS Armadillo preview" on YouTube.

With the world moving away from the PC and towards the notebook many are looking for a solution for multi-monitor support. Modern notebooks are so thin they no longer have monitor ports but don't despair, there are many solutions to try. Thunderbolt ports support video, audio, standard data transmission and power. You will of course need a Thunderbolt compatible monitor. Another solution, for those with only one Thunderbolt or USB-C port, is to get a docking station. For older users, the options include a splitter cable, a splitter box and perhaps some USB-to-HDMI adaptors. If you have the right kind of notebook, e.g. a Razer, then you may even be able to use a proper graphics card inside an external box. Those that have tried or used multiple monitors rarely want to go back to one.

The MP3 or MPEG Audio Layer III format has been officially killed off by the Fraunhofer Institute, which did not renew the IP rights and ceased their licensing programme. No, MP3 is not gone, it has essentially become free. MP3 is still a popular format even though others like AAC variants and MPEG-H have more features, better audio quality and use less bandwidth. With the growth of memory on devices many also now use FLAC, a lossless format rather than MP3 which reduces information but "tricks" the ears into hearing all the sound. The most recent example is MQA that may be the basis for the next great streaming technology.

Since I didn't get the LG V20 phone I'm now looking at the Huawei P10 Plus. This is a 5.5-inch QHD+ phone with 6GB of memory and 128GB of storage for a fraction of the price of the Samsung S8. The Leica dual camera is very good and it comes with the latest Kirin 960 processor. It supports a microSD but you would have to be doing a lot of 4K recording to even need such an expansion of up to an additional 256GB. A 3,750mAh non-removable battery adds some extra life and it is Android 7. Unlocked versions are already available for as low as US$630 (21,750 baht) in some places.

I was at a presentation demonstrating the SQLServer on Linux recently and besides the fact that it installs quickly, the advantage of this is that you can set up a virtual machine on a Windows 7 PC and run the latest versions like 2016 or the newest 2017. For Red Hat, Ubuntu and SUSE the product is fully integrated and an update is a simple command line. In the demo using Oracle's free VM, an Ubuntu core virtual machine was created and then SQLServer installed, which was then accessible from the Windows SQL Server Management Studio. Apart from one step involving partitioning, it was all seamless and fast. There are plenty of tutorials on the internet to walk you through this.

Finally for this week, Cray the supercomputer people are moving to supercomputing as a service model, which given how everything else is going should come as no surprise.


Government not ‘sitting on hundreds of zero days,’ former NSA official says – FedScoop

Posted: at 10:32 pm

This story first appeared on CyberScoop.

Storm clouds are rising over the U.S. government's policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process.

Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer, which can issue a patch to protect customers, or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said.

"We disclose something like 90 percent of the vulnerabilities we find," said Richard Ledgett, who retired April 28 as the NSA's deputy director. "There's a narrative out there that we're sitting on hundreds of zero days and that's just not the case," he told Georgetown University Law Center's annual cybersecurity law institute.

On the contrary, he said, "the process, led by the [White House National Security Council], is very bureaucratic and slow and doesn't have the throughput that it needs." He said it was an issue NSA leaders had raised with both the previous administration and the Trump White House and that current homeland security adviser Thomas Bossert had promised to fix.

A zero day vulnerability is a newly discovered software flaw, one the manufacturer has zero days to patch before it can be exploited. An exploit is a piece of code that uses a vulnerability to work mischief on a computer, for instance allowing a remote hacker to download software and seize control. "Not all zero days are created equal," one of the architects of the VEP, former White House Cybersecurity Coordinator J. Michael Daniel, told CyberScoop recently.

Some exploits might require physical access, or need other exploits to be pre-positioned. Some might even rely on known but widely unpatched vulnerabilities, he said. One of the reasons WannaCry spread so fast despite being relatively unsophisticated in design is that it utilizes a very powerful NSA exploit called EternalBlue.

EternalBlue was one of a large cache of NSA hacking tools dumped on the web last month by an anonymous group calling itself the Shadow Brokers, an event that led to calls for the government to give up stockpiling vulnerabilities altogether.

That would be a mistake, Ledgett said, in part because even disclosed vulnerabilities can be exploited. Hackers can take apart the patch and reverse-engineer the vulnerability it is fixing, and then weaponize it with an exploit. Even when there's a patch available, Ledgett noted, "Many people don't patch, for all sorts of reasons." Large companies, for example, often have custom software that can break when an operating system is updated.

"The idea that if you disclose every vulnerability, everything would be hunky dory is just not true," he said.

Besides, the NSA's use of its cyber-exploit arsenal was "very tailored, very specific, very measured," added Ledgett, agreeing that the VEP policy was in "about the right place."

Indeed, he said, there was an argument to be made that Microsoft, which last weekend rushed out an unprecedented patch for discontinued but still widely used software like Windows XP, should bear some of the blame for not patching the discontinued products in March, when it patched its current products, apparently in response to an advance warning from the NSA.

Daniel revealed the VEP in 2014, in response to suspicions that the NSA had known about the huge Heartbleed vulnerability in a very widely used piece of open-source software (it hadn't, he said). But the policy has been in place since 2010, according to documents declassified in response to a Freedom of Information Act request from the Electronic Frontier Foundation, an internet freedom advocacy group.

And Ledgett said the NSA had previously had a similar policy in place for decades. At the heart of the process, he said, is a balancing of how valuable the vulnerability in question is for the NSA's foreign intelligence mission, versus how damaging it might be to U.S. companies or Americans generally, if it were discovered by an adversary or revealed before it could be patched.

Ledgett said the new process balanced more or less the same factors in more or less the same way, although there were additional players like the State and Commerce Departments at the table in the National Security Council-led VEP.

"The thing that's new since 2014 is the risk of disclosure of a vulnerability," he said.

But former NSA director and retired four-star Air Force Gen. Michael Hayden points out two other things that have also changed, affecting where NSA places the fulcrum in its balancing of offensive and defensive equities.

"Far more often now the vulnerability in question is residing on a device that is in general use (including by Constitutionally protected US persons) than on an isolated adversary network," he wrote in a blog post for the Chertoff Group, where he now works.

He said that a comfort zone the NSA had previously enjoyed had also narrowed considerably. The comfort zone was called NOBUS, short for nobody but us. In other words, "This vulnerability is so hard to detect and so hard to exploit that nobody but us (a massive, technologically powerful, resource rich, nation state security service) could take advantage of it."

"That playing field is being leveled, not just by competing nation states but also by powerful private sector enterprises," he concluded. "The NOBUS comfort zone is considerably smaller than it once was."

This week, bipartisan bills in both chambers sought to give the VEP a basis in law. Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., and Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, put forward the Protecting Our Ability to Counter Hacking Act, or PATCH Act.


EternalRocks network worm uses 7 NSA hacking tools | Network World – Network World

Posted: May 22, 2017 at 3:21 am

By Ms. Smith, Network World | May 21, 2017 8:58 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.


While you won't be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor as it seems a wide range of bad guys have them in their toyboxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

EternalBlue and DoublePulsar

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign, but by a scanning operation that searched for vulnerable public facing SMB ports, then used EternalBlue to get on the network and DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers' April 14 dump of NSA hacking tools. Almost immediately, since late April, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US.

The attack leaves no trace; by spawning threads inside legitimate apps, to impersonate those apps, the attack can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, might pose a much bigger risk than WannaCry as many endpoints may still be compromised despite having installed the latest security patch.

The security firm suggested one threat actor was stealing credentials using a Russian-based IP and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability. Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

EternalRocks uses 7 NSA hacking tools

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the EternalRocks network worm doesn't just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Doublepulsar, Architouch and SMBtouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesn't drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesn't begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be a full scale cyber weapon.

After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, "The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch."

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was going to be huge.

He later added:


Hacker group that leaked NSA spy tools likely includes a US insider, experts say – McClatchy Washington Bureau

Posted: May 20, 2017 at 6:31 am


One of those leaked NSA tools allowed extortionists to spark havoc last Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to ...

After WannaCry, ex-NSA director defends agencies holding exploits … – TechCrunch

Posted: at 6:31 am

There's not much more topical than cyber security right now. And who better to talk about it than former director of the NSA and ex-chief of the Central Security Service, General Keith Alexander?

On stage here at TechCrunch Disrupt New York, Alexander discussed the WannaCry(pt) ransomware that disrupted systems in multiple countries on Friday and was only stopped by accident after a security researcher registered a web domain that had been hard coded into it as a kill switch.

Alexander warned there would be more such attacks this year, and urged industry to work with government to try to defend against global cyber threats.

"I think this is just one of many that we're going to see," he said. "Many people said this is the year of ransomware."

Alexander was asked how much responsibility the NSA bears for the WannaCrypt virus given reports have indicated the virus utilizes an exploit that was stolen from the NSA.

Yesterday Microsoft also explicitly called out government agencies for undermining global cyber security by stockpiling exploits.

"The NSA didn't use the WannaCry, criminals did - someone stole it," he shot back on that.

"This WannaCry starts to split [government agencies and industry] apart but our nation needs industry and government to work together," he added.

He also implicitly defended the NSA's use of exploits, saying the agency needs capabilities to allow it to know what adversaries are doing, and should not be required to release all the exploits it finds.

"We've got to have tools," he said. "[NSA] don't hoard exploits; they release 90+ percent of what they get but to go after a terrorist you need an exploit."

Alexander's big pitch was for government and industry to work together to try to de-risk these intelligence agency tools, i.e. to patch up and firefight critical scenarios whereby an intelligence agency exploit has been leaked and is in the hands of cyber criminals.

"The fact that Microsoft actually put a patch out in March, how do you make sure that those things go out? And is there a way that government and industry can work together so that those things are done seamlessly," he suggested. "And the answer's yes. And should we do that? Yes."

Alexander also discussed his views on Trump's executive order on cyber security, and the ongoing reform of Section 702 of FISA.


How NSA Can Secretly Aid Criminal Cases – Consortium News

Posted: at 6:31 am

From the Archive: Official Washington is thrilled by the choice of ex-FBI Director Mueller as Russia-gate special counsel, hailing him as a straight-shooter, but he cut some legal corners in office, ex-CIA analyst Ray McGovern wrote in 2014.

By Ray McGovern (Originally published on June 12, 2014)

Rarely do you get a chance to ask a just-retired FBI director whether he had any legal qualms about what, in football, is called illegal procedure, but at the Justice Department is called parallel construction.

Government wordsmiths have given us this pleasant euphemism to describe the use of the National Security Agency's illegal eavesdropping on Americans as an investigative tool to pass on tips to law enforcement agencies which then hide the source of the original suspicion and construct a case using parallel evidence to prosecute the likes of you and me.

For those interested in quaint things like the protections that used to be afforded us by the Fourth and Fifth Amendments to the Constitution, information about this parallel construction has been in the public domain, including the mainstream media, for at least a year or so.

So, I welcomed the chance to expose this artful practice to still more people with cameras rolling at a large conference on Ethos & Profession of Intelligence at Georgetown University on June 11, 2014, during the Q & A after former FBI Director Robert Mueller spoke.

Mueller ducked my question regarding whether he had any legal qualms about this parallel construction arrangement. He launched into a discursive reply in which he described the various authorities enjoyed by the FBI (and the CIA), which left the clear impression not only that he was without qualms but that he considered the practice of concealing the provenance of illegally acquired tip-off information somehow within those professed authorities.

Bottom line? Beware, those of you who think you have nothing to hide when the NSA scoops up your personal information. You may think that the targets of these searches are just potential terrorists. But the FBI, Internal Revenue Service, Drug Enforcement Administration and countless other law enforcement bodies are dipping their cursors into the huge pool of mass surveillance.

And, chances are that if some of your scooped-up data gets shared with law enforcement and the Feds conclude that you've violated some law, you'll never become aware of how they got onto you in the first place. They'll just find some parallel evidence to nail you.

After all, it's altogether likely for a great majority of us that some dirt can be retrieved, with the NSA's voluminous files an inviting starting point. AT&T, for example, apparently has kept metadata about its customers, as well as all other traffic going through its switches, for the past 27 years.

For those who are Caesar's-wife pure and whose loved ones also approach perfection, constructing a prosecutable case may be more of a challenge. But relax not. If for some reason the government decides to get you, if you've popped up as somehow an obstacle to national security, it is not impossible. Even in recent decades, critics of government policies have ended up facing dredged-up, if not trumped-up, criminal charges over some past indiscretion or misdeed.

Learning Curve

It has been my good fortune to sponge up data and wisdom in equal measure from NSA alumni like Bill Binney, Kirk Wiebe, Tom Drake, and Ed Loomis, who in early January 2014 authored NSA Insiders Reveal What Went Wrong.

More recently (on May 31, 2014), Bill and I took part in a panel discussion in New York, so this freshly sponged-up learning still dwelled in my frontal lobe when I was interviewed by RT on June 5, 2014, the anniversary of the first-published disclosure from Edward Snowden.

When asked how ordinary people in the U.S. were being affected by the disclosures about bulk collection, I passed along what I had recently learned from Bill and other whistleblowers regarding how law enforcement is masking illegal surveillance to the severe detriment of defendants' constitutional rights.

Former FBI Division Counsel in Minneapolis Coleen Rowley, who, with Jesselyn Radack, Tom Drake and me, visited Snowden in Russia in October 2013, told me of two legal doctrines established many decades ago: the exclusionary rule and the rule regarding the fruit of the poisonous tree.

These were designed to force over-zealous law enforcement officers to adhere to the Constitution by having judges throw out cases derived from improperly obtained evidence. To evade this rule, law enforcement officials who have been on the receiving end of NSA's wiretap data must conceal what tipped off an investigation.

After the Tip-Off

Among the revelations over the past year was DEA's definition of parallel construction as the use of normal [read legal] investigative techniques to re-create the information received by DEA's Special Ops Division from NSA or other sources that can't be acknowledged. Some of these sources may be confidential informants whose identities need protecting, but the NSA's massive database has become a very inviting place to trawl for valuable leads.

As Reuters reported in August 2013, A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin, not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to recreate the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant's Constitutional right to a fair trial. If defendants don't know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence, information that could reveal entrapment, mistakes or biased witnesses.

So, in this way, the NSA's warrantless surveillance can result in illegal law enforcement. And the FBI, the DEA and other organs of the deep state have become quite good at it, thank you very much.

Here's how it works: NSA's domestic surveillance, though supposedly restricted to detecting terrorism, gets wind of some potentially illegal activity unrelated to terrorism. So, NSA passes the information on to the relevant law enforcement agency. It could be a vehicle transporting illegal drugs or a transfer of suspicious funds or pretty much anything.

This evidence then sparks an investigation, but the original information can't be used legally because it was acquired illegally for national security purposes. After the tip, parallel law enforcement techniques are introduced to collect other evidence and arrest and charge the suspects/defendants.

The arrest is made to appear the splendid result of traditional detective techniques. However, if the court learns of the initial shenanigans, the defendant may be released because her/his constitutional rights were violated.

To avoid that possibility, the government simply perjures itself during the court discovery process by concealing the key role played by the NSA database, exculpatory evidence that could weaken or destroy the government's case.

Blackmail?

Last week a journalist asked me why I thought Congress' initial outrage, seemingly genuine in some quarters, over bulk collection of citizens' metadata had pretty much dissipated in just a few months. What started out as a strong bill upholding Fourth Amendment principles ended up much weakened with only a few significant restraints remaining against NSA's flouting of the Constitution?

Let me be politically incorrect and mention the possibility of blackmail or at least the fear among some politicians that the NSA has collected information on their personal activities that could be transformed into a devastating scandal if leaked at the right moment.

Do not blanch before the likelihood that the NSA has the book on each and every member of Congress, including extramarital affairs and political deal-making. We know that NSA has collected such information on foreign diplomats, including at the United Nations in New York, to influence votes on the Iraq War and other issues important to U.S. national security.

We also know how the late FBI Director J. Edgar Hoover used much more rudimentary technology a half century ago to develop dossiers on the personal indiscretions of political and ideological opponents. It makes sense that people with access to the NSAs modern surveillance tools would be sorely tempted to put these new toys to use in support of their own priorities.

I happened to be with a highly accomplished attorney, one not involved in security law, when we saw TV reporting that the Solicitor General of the United States had misled the U.S. Supreme Court. My lawyer friend kept shaking his head, with his mouth agape: "Now THAT is not supposed to happen" is all he could muster.

Other than the Supreme Court justices themselves, the Solicitor General is among the most influential members of the legal community. Indeed, the Solicitor General has been called the tenth justice as a result of the relationship of mutual trust that tends to develop between the justices and the Solicitor General.

Thus, while it is sad, it is hardly surprising that no one took President Obama's Solicitor General Donald Verrilli Jr. to the woodshed. There are seldom penalties in Washington for playing fast and loose with the truth.

Verrilli assured the Court in the Clapper v. Amnesty International USA case that defendants would be informed of evidence coming from NSA. The Department of Justice had reviewed his draft testimony and did not tell Verrilli that this was not the truth.

In the case, a majority of the Supreme Court justices decided to wait until a criminal defendant was actually convicted with the admitted use of NSA evidence before ruling on whether this violates the Fourth Amendment and the requirement of court warrants based on probable cause before police searches can be conducted.

The result of the Supreme Court's decision was that the challenge to the constitutionality of NSA's mass collection was abruptly stopped, and the mass surveillance continued. But Verrilli subsequently found out that his assurances had been false, and there ensued an argument with the Department of Justice, which opposed revealing use of NSA sources in any court.

Verrilli apparently prevailed partially, with the government subsequently notifying a few defendants in ongoing terrorism cases that NSA sources were used.

Separation of Powers?

We cannot escape some pretty dismal conclusions here. Not only have the Executive and Legislative branches been corrupted by establishing, funding, hiding and promoting unconstitutional surveillance programs during the war on terror, but the Judicial branch has been corrupted, too.

The discovery process in criminal cases is now stacked in favor of the government through its devious means for hiding unconstitutional surveillance and using it in ways beyond the narrow declared purpose of thwarting terrorism.

Moreover, federal courts at the district, appeals and Supreme Court levels have allowed the government to evade legal accountability by insisting that plaintiffs must be able to prove what often is not provable, that they were surveilled through highly secretive NSA means. And, if the plaintiffs make too much progress, the government can always get a lawsuit thrown out by invoking state secrets.

The Separation of Powers designed by the Constitution's Framers to prevent excessive accumulation of power by one of the branches has stopped functioning amid the modern concept of permanent war and the unwillingness of all but a few hearty souls to challenge the invocation of national security. Plus, the corporate-owned U.S. media, with very few exceptions, is fully complicit.

Thus, a massive, intrusive power now looms over every one of us and especially those few brave individuals with inside knowledge who might be inclined to inform the rest of us about the threat. Whistleblowers, like Chelsea Manning and Edward Snowden, have faced decades in prison for divulging important secrets to the American people. And so the legal rot continues.

The concept of a United Stasi of America, coined by Pentagon Papers whistleblower Daniel Ellsberg, has been given real meaning by the unconstitutional behavior and dereliction of duty on the part of both the George W. Bush and Obama administrations.

Just days after the first published disclosure from Snowden, Ellsberg underscored that the NSA, FBI and CIA now have surveillance capabilities that East Germany's Stasi secret police could scarcely have imagined.

What, We Worry?

In June 2013, Mathew Schofield of McClatchy conducted an interesting interview of Wolfgang Schmidt, a former lieutenant colonel in the Stasi, in Berlin. With the Snowden revelations beginning to tumble out into the media, Schofield described Schmidt as he pondered the sheer magnitude of domestic spying in the United States.

Schmidt: You know, for us, this would have been a dream come true.

Schofield continues: In those days, his department was limited to tapping 40 phones at a time, he recalled. Decide to spy on a new victim and an old one had to be dropped, because of a lack of equipment. He finds breathtaking the idea that the U.S. government receives daily reports on the cellphone usage of millions of Americans and can monitor the Internet traffic of millions more.

So much information, on so many people, says Schmidt who, at that point, volunteers a stern warning for Schofield and the rest of us:

It is the height of naivete to think that, once collected, this information won't be used. This is the nature of secret government organizations. The only way to protect the people's privacy is not to allow the government to collect their information in the first place. [emphasis added]

(For those who missed it, The Lives of Others, a 2006 film, offers a chilling depiction of the Stasi, a far more capable incarnation of which may soon be coming to your home or neighborhood with assistance of parallel construction.)

Take note, those of you who may still feel fearless, those of you with nothing to hide.

Ray McGovern works with Tell the Word, a publishing arm of the ecumenical Church of the Saviour in inner-city Washington. He was an Army officer and CIA analyst for a total of 30 years and is now on the Steering Group of Veteran Intelligence Professionals for Sanity (VIPS).

See the rest here:
How NSA Can Secretly Aid Criminal Cases - Consortium News


The ‘WannaCry’ malware: A public service announcement …

Posted: May 18, 2017 at 2:03 pm

The particularly nasty computer program dubbed WannaCry that attacked hospitals, businesses and government agencies around the world this past weekend was like a cybercrime highlight reel, a compilation of by-now familiar elements (conscience-free cybercriminals, an obscure vulnerability in Microsoft Windows, older and ill-maintained corporate computer networks and computer users tricked into opening booby-trapped email attachments) that played out on an epic scale.

What's different this time is that the hackers apparently had considerable help from the U.S. government. They used a stolen tool reportedly developed by the National Security Agency to exploit a hidden weakness in the Windows operating system and spread their ransomware far and wide. The tool was one of many linked to the NSA that were leaked online last year, then finally decrypted in April for use by anyone with the requisite coding skills.

It's tempting to howl at the NSA for not alerting companies like Microsoft when its researchers find vulnerabilities in their products. The reality, though, is that doing so would reduce the effectiveness of cybertools that have become an integral part of modern efforts by agencies like the NSA to fight terrorism, international criminal organizations and rogue states. What's needed is a better effort to determine if and when a vulnerability discovered by the feds represents too great a threat to keep it secret from the potential victims. That's a difficult balance to strike, and the decision shouldn't be made solely by the executive branch without the input of independent experts and, potentially, lawmakers.

The even more important lesson here is that years, even decades of warnings from security experts simply aren't getting through to the public. WannaCry should not have reached disastrous proportions; Microsoft released a patch that could close the vulnerability in March, well before the NSA's tool was decrypted. Yet tens of thousands of computers weren't updated, allowing the malware the room it needed to spread.

The problem could easily get much, much worse as more routine devices become smart, Internet-connected ones. Evidently we need stronger incentives not just for companies to release more secure products, but also for users to keep them updated and protect their data with encryption and backups. That's what the lawmakers and federal officials should be focusing on, not on trying to discourage consumers from using encryption on their smartphones, or on building stockpiles of malware based on vulnerabilities they alone have found.


is calling out the NSA

Posted: at 2:03 pm

After the WannaCry cyberattack hit computer systems worldwide, Microsoft says governments should report software vulnerabilities instead of collecting them. Here, a ransom window announces the encryption of data on a transit display in eastern Germany on Friday. AFP/AFP/Getty Images

When the National Security Agency lost control of the software behind the WannaCry cyberattack, it was like "the U.S. military having some of its Tomahawk missiles stolen," Microsoft President Brad Smith says, in a message about the malicious software that has created havoc on computer networks in more than 150 countries since Friday.

"This is an emerging pattern in 2017," Smith, who is also chief legal officer, says in a Microsoft company blog post. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

On affected computers, the WannaCry software encrypts files and displays a ransom message demanding $300 in bitcoin. It has attacked hundreds of thousands of computers, security experts say, from hospital systems in the U.K. and a telecom company in Spain to universities and large companies in Asia. And the software is already inspiring imitators, as the Bleeping Computer site reports.

The malware behind WannaCry (also called WannaCrypt, Wana Decryptor or WCry) was reported to have been stolen from the NSA in April. And while Microsoft said it had already released a security update to patch the vulnerability one month earlier, the sequence of events fed speculation that the NSA hadn't told the U.S. tech giant about the security risk until after it had been stolen.

With his new statement, Smith seems to be confirming that version of events.

Two months after Microsoft issued its security patch, thousands of computers remained vulnerable to the WannaCry attack. That prompted the company to issue another patch on Friday for older and unsupported operating systems such as Windows XP, allowing users to secure their systems without requiring an upgrade to the latest operating software.

Urging businesses and computer users to keep their systems current and updated, Smith says the WannaCry attack shows the importance of collective action to fight cybercrime.

But he aimed his sharpest criticisms at the U.S. and other nations.

The attack, Smith says, "represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today: nation-state action and organized criminal action."

International standards should compel countries not to stockpile or exploit software vulnerabilities, Smith says. He adds that governments should report vulnerabilities like the one at the center of the WannaCry attack.

Governments "need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith says, urging agencies to "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Smith's blog post did not address another factor in the ransomware's spread, one that hints at the difficulty of uniting against a hacking attack: Users of pirated Microsoft software are unable to download the security patch, forcing them to fend for themselves or rely on a third-party source for a solution.


Microsoft's president blames NSA for WannaCry attack

Posted: at 2:03 pm

A top Microsoft executive partly blamed the US government for the WannaCry ransomware attack, saying hackers found a crucial Windows vulnerability in data that had been stockpiled by the NSA.

First noticed on Friday, the WannaCry attack has affected at least 200,000 computers in more than 150 countries, with attackers locking people out of their computers while demanding a Bitcoin ransom.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Microsoft President Brad Smith wrote in a Sunday blog post.

At the same time, Smith tried to deflect criticism of Microsoft in the disaster, noting that the software giant issued a patch for the vulnerability earlier this year that many organizations ignored.

Smith said the crisis is a wake-up call, and that Microsoft has been working around the clock to assist affected customers, including those on older versions of Windows that are no longer supported.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith griped.

Some security experts expect a fresh wave of attacks will begin Monday, as employees arrive at work and turn on affected computers. The WannaCry attack is particularly powerful because it doesn't necessarily require users to click a link or download software to spread.

Governments worldwide "need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith said. "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."


After WannaCry, a new bill would force the NSA to justify its hacking … – The Verge

Posted: at 2:03 pm

After last week's massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but it's still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.

The Protecting Our Ability to Counter Hacking Act of 2017

A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board's activities.

A version of the government's process, known as the "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system.

The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the Heartbleed bug, which exposed vulnerabilities in devices around the world. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a wake-up call about vulnerability hoarding.
