In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc

I&#x27;m unclear on why I&#x27;m meant to take this particular Windows SMB exploit so seriously when there&#x27;s such a long history of comparable bugs that nobody ever referred to as &quot;stolen cyber weapons&quot;. I think it might be almost entirely because of the name; &quot;ETERNALBLUE&quot; sounds much scarier than &quot;CVE-2017-0144&quot;.<p>Don&#x27;t get me wrong: a reliable modern Windows drive-by RCE is nothing to sneeze at. But if it wasn&#x27;t this exploit, it&#x27;d be a different one --- <i>will</i> be a different one, likely not &quot;stolen from NSA&quot;, when the next half-life of this bug is reached.<p>The phenomenon of a single bug having intense, distinctive utility is not new. In any couple of years, there will usually be a couple bugs like that --- a very popular RCE that&#x27;s publicly known, and a very popular RCE that is somehow kept on the DL. Back when those RCEs were in things like UW IMAP, nobody wrote NYT stories about how the NSA had accidentally unleashed them on us like some filovirus from Zaire leaked from the CDC.<p>Meanwhile: seized on by North Korea, Russia, and China? Come on. We know roughly how much it costs to develop a reliable remote (Project Zero has written them up, what, a dozen times?). The smallest SIGINT agencies in the world can afford this kind of work out of petty cash. I&#x27;m sure none of them are going to look a gift bug in the mouth. But CVS-2017-0144 isn&#x27;t fundamentally enabling them to do anything they couldn&#x27;t have done themselves.<p>I think Mitre should just start assigning stupid NSA names to CVEs, so that people will take them more seriously.

&gt; “If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” he asked. “The N.S.A. wrote an exploit that was never designed to do what was done.”<p>Let&#x27;s rework that analogy. If the NSA knows a trick to make Toyota pickup trucks explode, and they don&#x27;t tell Toyota about the trick for years because they want to keep using it, and then eventually they leak the trick and suddenly everyone&#x27;s Toyotas are exploding left and right, is that the NSA&#x27;s fault?<p>Yes, yes it sure is.<p>I wouldn&#x27;t go quite so far as to say the NSA was obligated to tell Microsoft (metaphorical Toyota) immediately about the exploit. For better or worse it&#x27;s in America&#x27;s interest for them to hack into foreign computers, and they take some risks as part of doing that. But they&#x27;re 100% responsible for the downside of the risks they take.

NYT again buried the lede. This was never a 0-day. How is it that companies and governments still fail to install updates years later?!?<p>“One month before the Shadow Brokers began dumping the agency’s tools online in 2017, the N.S.A. — aware of the breach — reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected.”

<a href="https:&#x2F;&#x2F;twitter.com&#x2F;ErrataRob&#x2F;status&#x2F;1132345806177144833" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;ErrataRob&#x2F;status&#x2F;1132345806177144833</a><p>Some interesting rebuttal notes. Apparently it is the vulnerability that is being exploited, not eternalblue itself.

&quot;The tool exploits a vulnerability in unpatched software...&quot;<p>It&#x27;s a self inflicted wound by Baltimore.<p>Question is, what is the cost of actually maintaining their systems competently vs. the cost of the attack? Both are difficult to quantify, but if you factor in the likelihood of getting attacked I bet it&#x27;s still cheaper in the long run to just run your IT dept fast and loose and let the chips fall where they may.<p>As a government entity, they are probably making the soundest decision based on budget. Disruption in services hurts the populace, not the government.<p>As an anecdotal aside, I once worked as a contractor for over a year for a state government entity, run by a young, ambitious, dept head who was <i>all</i> about the security and soundness of the software they used. But he needed a good sized budget, to convert buggy and insecure systems over to something more sound, and every single meeting with his superiors was about money. He argued so vehemently (I was in some of these meetings and he couldn&#x27;t have been any more astute in his observations on the future of attacks) that eventually his superiors found a reason to fire him (using government bought software for personal use at home - for self education). And, no joke, literally all the work he and his team had done in the dept for years was just chucked when the next guy came in.<p>Government is about money, not security.

I think the national security establishment are applying pre-digital paradigms and thinking to cyberspace and as a result have gotten things almost entirely backwards. In the physical real world, &quot;the best defense is a good offense&quot; often has a lot of truth to it as in limited resources situations force concentration to defeat hostile forces can be fundamentally more effective. But when it comes to information which can be infinitely and losslessly copied it might make more sense to think of security in terms of information <i>gradients</i> and societal model. For a liberal democracy&#x2F;market economy a lot of useful information gets generated, but it can be less effective at utilizing it and more leaky. Whereas (at least in examples so far in human history) centralized command authoritarian societies don&#x27;t seem to as effectively come up with new stuff, but if offered the chance to take it from elsewhere can act with more of a long term vision (and of course with panopticons and massive restrictions on individual freedoms can more effectively insulate themselves).<p>So maybe from a strategic point of view government security should be working to shore up the weaknesses of the societal model while maximizing the strengths, the best strategy for each model are opposites. So for the USA, I think it&#x27;d be better if nobody had any ability to hack anything and the government acted aggressively to maintain an unequal information gradient. Then the problems that come from short term incentives, less decisive&#x2F;unified responses, and so on continue to get made up for by a major technological edge. Whereas for a polity like China in a world where information is smoothed out they can leverage their authoritarian governance for more advantage.<p>Which means the NSA has been doing the opposite of what they should, because for America in the digital domain &quot;the best offense is a good defense&quot;. America has the most to lose from having all of its information generation&#x2F;infrastructure (R&amp;D, networking&#x2F;governing systems etc) get taken and&#x2F;or disrupted. Rather then thinking of digital security issues as weapons to be exploited against less technologically advanced enemies who by definition have far less to lose, they should have long since been thinking of them as big strategic risks and working to eliminate all of them as aggressively as possible, and to be a dependable source for best practices in general. I think maybe there is a basic mindset mixup in the leadership given the last 50 years and their military backgrounds, and that&#x27;s really caused America to squander enormous amounts of strategic value (and goodwill as well for that matter). Very foolish and unfortunate, and I&#x27;m not sure if anyone in government is currently thinking about reworking the NSA into a role focused on actual national security.

“We can’t protect our own dangerous secret software tools, but trust us to protect your keys in escrow.”

&gt; EternalBlue was so valuable, former N.S.A. employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.<p>This has been common &quot;conspiracy theory&quot; for at least a decade. And not just about Microsoft.

I feel that given the US government prosecution of the MalwareTech guy for use of an exploit package he wrote, but was not using, the US government should accept financial responsibility for the misuse of their own exploit.

I just want to mention how Tim Cook rightfully pushed back on government pressure to develop a tool to break into an accused terrorist’s iphone, citing the dangerous precident it would set, as well as the enevitable theft of said tool. if the NSA can’t fully secure its arsenal, who are they (government) to demand a private company to develop (and expect to secure) a tool that _everyone_ would want to get their hands on. alas, while the effort was noble, state sponsored actors have made this a moot point.

This is on the NSA. They decided not the tell the vendors about this and that makes them responsible. They failed their task which I thought was to keep the Unites States safe and secure.

You know what&#x27;s bizarre? Amidst all this drumbeat of news about cybercrime trashing government, and with the clear evidence that the US 2016 turned, at least partially, on cybercrime:<p>NOT ONE of the candidates for US President has undertaken any effort to boost their own infosec. (Or if they have, they keep it quiet.)<p>What can they do? The same stuff we do in any SaaS business:<p>Rudimentary security training for everybody, including bigshots and candidates. (Podesta got phished, twice!)<p>Make sure their laptops and office computer equipment are up to patch levels and the malware detectors work.<p>Engage one of the large-scale email providers; they have topnotch dedicated infosec people, good spam traps, and a lot to lose if they visibly mess up.<p>Adopt strong multifactor authentication.<p>Hire compentent pentesters and remediate any vulnerabilities they find, fast.<p>Let their donors and the public know they&#x27;re taking action (not WHAT action of course, just that they&#x27;re on it.)<p>Governments should do the same for their constituents and taxpayers.<p>Now, maybe candidates will argue they don&#x27;t have time for the extra security. But, in 2019, that argument shows they&#x27;re unfit for public office. One candidate learned that the hard way in 2016. No more of this.

shouldn&#x27;t it be patched by now?

<i>&gt; The tool exploits a vulnerability in unpatched software</i><p>Eternal Blue exploits a vulnerability in unpatched <i>Microsoft Windows</i> software

Slightly off-topic, but does anyone know who makes those standing desks shown in the pic of the MSFT office?

Bed, Bath, Baltimore and Beyond<p>NSA knew that EternalBlue was in the wild and possibly being used by other bad state actors, and just sat on it. For years. In case you are wondering whose side they&#x27;re on.

The Shadowbrokers announced their access to EternalBlue many months before Microsoft released a patch.<p>The NSA was negligent in not immediately informing Microsoft after the Shadowbrokers announced their access to the NSA tools with clear proof (codenames, etc) on Reddit.

Wreaking havoc on outdated computers...

Two years ago, in 2017, Microsoft distributed the security update to fix this problem. The issue has nothing to do with the NSA and everything to do with the City of Baltimore failing to keep their capital equipment, in this case computers, up-to-date applying security and other updates.<p>The article also discuses healthcare systems hacked by other exploits. This again was not caused by the computer virus, but by the fact that Microsoft vendor issued security updates were not applied to the systems.<p>Often there are security upgrades in hardware as well as software which means that the computer hardware needs to be upgraded as well.<p>As is the case with most of these security hacks, it is the failure of the agency to budget appropriately for equipment maintenance and having competent leadership that actually understands the importance of budgeting for and implementing security upgrades including upgrading to the latest version of the OS, in this case, Windows 10.