Archive for May, 2017

The NSA is running amok – The Week Magazine

The National Security Agency (NSA) is supposed to protect American citizens from high-tech threats. But who will protect Americans from their screw-ups?

Last week, countries around the world reeled as a virulent piece of ransomware (which forcibly encrypted local data, then demanded payment in bitcoins to release the files) spread through tens of thousands of computer systems, including in banks and hospitals. Russia was worst hit, but the U.K. suffered serious damage as well, with its National Health Service suffering serious disruptions to medical services.

The story got much more infuriating when experts figured out that the computer worm was a slightly modified version of an exploit built by the NSA, one stolen by the "Shadow Brokers" and leaked over the internet. Luckily, a 22-year-old British researcher accidentally tripped the worm's off switch, containing the damage at least for now. Different versions have already cropped up without that off switch, though none as yet has spread to the same degree.

It's time for American security agencies to actually start securing the safety of American computer networks, and the first step is to stop building and stockpiling computer security exploits.

As Charles Stross explains, neither the worm nor the ransomware adaptation of it were exactly masterpieces of cyber crime. The worm only worked on older Windows computers which hadn't disabled legacy file-sharing. What's more, when the Shadow Brokers leaked all the NSA tools, Microsoft had actually already released updates to patch most of its vulnerabilities (suggesting someone had tipped them off about what had been hacked).

Additionally, the ransomware's off-switch was simply a long gobbledygook domain name that was hard-coded into the program. It turned out the worm checked to see if the domain was active before it delivered its payload, so when the security researcher stumbled across it and registered it out of curiosity, he accidentally stopped the spread of the worm.

However, it turns out there are tons and tons of computers still running outdated versions of Windows, and tons and tons of people who procrastinate about annoying software updates or don't even know how to do them. Even a poorly designed, weak piece of malware can do terrible damage when directed at the most outdated computer networks.

This brings me back to the NSA. If you ask why they are building and stockpiling security exploits for the most common operating systems, they will say it's for espionage operations against foreign enemies.

But the actual benefits of such things are highly questionable. Probably the most successful one ever was the fearsome Stuxnet worm, which did moderate damage to Iranian uranium enrichment facilities back in 2009. But the damage was quickly repaired, and did not do nearly as much to control the Iranian nuclear program as the diplomatic agreement signed under President Obama.

Conversely, as we are seeing today, the damage from building and piling up malware is potentially catastrophic. The NSA obviously cannot secure its own networks, and so any such weapon is one misstep away from falling into the hands of foreign governments, gangsters, or terrorists. And again, this worm was rather amateurish, and built from known materials, thus giving Microsoft a bit of a head start for patches. But suppose some real professionals secretly hacked unknown NSA zero-day exploits, and built a worm designed to attack American financial systems or critical infrastructure?

If we had any sense, we would be dedicating at least the majority of our computer security spending to, you know, security: investigating, upgrading, and maintaining American computer systems to defend them against attack. (In reality, it's roughly 90 percent offense, 10 percent defense.) The NSA could probe commercial software for vulnerabilities, and then quietly inform the developer so they could be patched, as Microsoft President Brad Smith argues. Second, instead of trying to coerce tech companies to build back doors into their devices and software, the government could help them with security, particularly user-friendly end-to-end encryption. They could help support open-source software ecosystems, which are part of many pieces of critical internet infrastructure.

Perhaps most importantly, the government could help keep older operating systems secure (like Windows XP, which Microsoft was forced to update this week after abandoning it three years ago), and help people upgrade their equipment and software.

Of course, the NSA will do nothing of the sort. They helplessly define "national security" in a way that excludes their own failures enabling crime and terrorism. But if we had a lick of sense, we'd just abolish the NSA and start a new agency with a more sensible definition.

The hacking group that leaked NSA secrets claims it has data on foreign nuclear programs – Washington Post

A massive cyberattack hit tens of thousands of computers in dozens of nations. Reports of the attack first surfaced in Britain, where the National Health Service described serious problems. (Sarah Parnass/The Washington Post)

The hacking group that leaked the bugs that enabled last week's global ransomware attack is threatening to make public even more computer vulnerabilities in the coming weeks, potentially including compromised network data pertaining to the nuclear or missile programs of China, Iran, North Korea and Russia, as well as vulnerabilities affecting Windows 10, which is run by millions of computers worldwide.

A spokesperson for the group, which calls itself the Shadow Brokers, claimed in a blog post Tuesday that some of those computer bugs may be released on a monthly basis as part of a new subscription-based business model that attempts to mimic what has proved successful for companies such as Spotify, Netflix, Blue Apron and many more.

"Is being like wine of month club," read the blog post, which is written in broken English. "Each month peoples can be paying membership fee, then getting members only data dump each month."

The move shows the growing commercial sophistication of groups such as the Shadow Brokers, which already has demonstrated a fearsome technical ability to compromise the world's top intelligence agencies. And it underscores the way much of the underground trade for computer bugs resembles a real-world commercial market.

Security experts have been analyzing the blog post for clues about the Shadow Brokers' intentions and capabilities.

Marcy Wheeler, a longtime independent researcher, said in a blog post Tuesday that the Shadow Brokers' post brings the hammer down both on Microsoft, whose products could be affected by any further leaks, and the U.S. National Security Agency, whose information the Shadow Brokers leaked in April. That leak led indirectly to the creation of WannaCry and the subsequent crisis, security experts say.

"Simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government," Wheeler wrote.

Microsoft didn't immediately respond to a request for comment. On Sunday, the company criticized the NSA for stockpiling digital weapons. The tech industry opposes efforts by the government to weaken the security of its products, while national security advocates say it could help combat terrorism.

Although experts say the Shadow Brokers do not appear to have been directly involved in the WannaCry attack, leaking the exploit in the first place was a major step toward facilitating the cyberattack.

The group's new claim that it possesses information on the nuclear programs of state governments is extremely worrisome, said Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, a Washington think tank. "While they don't seem to have the most amazing PR department," he said, "they've already proved that they had some pretty serious access. The nuke facility stuff is particularly concerning, [speaking] as a former physicist."

Previously, the group had sought to sell its hacking tools to the highest bidder. Few buyers came forward, the group said in its blog post. But now, the monthly subscription model might mean the bugs will find their way into the hands of more people, spreading far and wide, Hall said.

Congress Introduces Bill Requiring NSA To Share Its Secrets – The Daily Caller

A bipartisan bill introduced Wednesday in Congress would force the NSA to share any security vulnerabilities it finds in software with other government agencies.

Known as the PATCH Act (Protecting Our Ability To Counter Hacking), the legislation mandates a larger review when a federal agency discovers a security hole in a computer system.

The government sometimes coordinates with tech companies and creators of technology vendors, but in certain instances it chooses to keep the exploits for itself and use them for national security purposes.

Such a policy would essentially compel the U.S. government's top spying agency to turn over its arsenal of cyber weapons and hacking tools, seemingly sacrificing offense for the prospect of better defense.

"Do you get to listen to the Chinese politburo chatting and get credit from the president?" said Richard Clayton, a cyber-security researcher at the University of Cambridge, according to Reuters. "Or do you notify the public to help defend everyone else and get less kudos?"

While co-sponsors of the bill at least partially agree that it can be difficult to find a middle ground, they apparently want the equilibrium shifted more towards domestic virtual security.

"Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy," Hawaiian Sen. Brian Schatz said in an official statement. "This bill strikes that balance."

The review meetings would reportedly still be a secret, and only data pursuant to the law would be made public once each year.

"The latest global ransomware attack revealed the importance of locating and patching vulnerabilities before malicious actors can attack our most critical systems," says Sen. Cory Gardner of Colorado, one of the original sponsors of the bill, referring to the recent incident that allegedly affected more than 150 countries.

Democratic Rep. Ted Lieu of California, Republican Rep. Blake Farenthold of Texas, and Republican Sen. Ron Johnson of Wisconsin co-sponsored the bill with Schatz and Gardner.

"This legislation ensures the American public has greater transparency into how vulnerabilities and threats are shared between federal government actors, intelligence organizations, and the private sector," Gardner concludes.

Five Ways MSPs Can Add Value to Free and Open Source Software – MSPmentor

If you're in the managed IT services business, there's a good chance you use open source software to help deliver services to clients.

In order to make the most of open source, it's important to understand the different strategies that can add value to open source platforms.

In other words, if you're an MSP, you should understand how open source code, which is usually (but not always) given away for free, can be leveraged to provide products or services that people are willing to pay for.

This is a topic that has been central to the development of open source and free software since they emerged in the 1980s and developers who gave code away for free began thinking of ways to make money.

Open Source Business Models

Over the years, free and open source software developers have tried a number of different strategies for monetizing their software.

The main ones include:

This list is not exhaustive.

Other open source business models have been tried, sometimes with success, over the years.

But for MSPs, the five open source business strategies discussed above are the ones that are likely to be of greatest interest.

Again, that matters if you're in the managed services business and use free or open source software.

You need a way to convince your customers that obtaining that software from you, or getting your help in managing it, is a service worth paying for, even though the software itself is free of cost.

WannaCry: Free software is the way forward – Oneindia

Read on to learn why adopting free software can stop WannaCry-like cyber-attacks in the future.

The world is still in shock from the recent WannaCry attack. Though experts claim the situation is under control, they don't rule out the possibility of more such attacks in the coming days. As per reports, WannaCry ransomware (a type of malware) affected approximately 230,000 computers in 150 countries, bringing regular operations to a halt in many places. The most affected are American shipping companies and healthcare systems in the United Kingdom. The impact of this attack is comparatively low in India.

Want to keep your computers safe? Experts suggest adopting free software

Ransomware is malware (a malicious programme) that encrypts files on computers or smartphones, makes them unusable and demands money for decrypting them. In the recent attack, which is considered one of the most massive ransomware attacks, crackers were demanding $300 to $500 in bitcoin for decrypting the files.

WannaCry is the name of the ransomware that targets the Microsoft Windows operating system. This malware was used to launch the WannaCry ransomware attack on May 12. It sometimes goes by different names, such as WannaCrypt, WannaCry, WanaCrypt0r, WCrypt and WCRY, to name a few.

Crackers used a loophole in the Microsoft SMB protocol to spread this program to other computers. All machines running versions of the Windows operating system before Windows 10 without the MS17-010 security patch are prone to this ransomware attack.

Fixing a problem permanently depends on how well we understand its root cause. I don't think anyone can build completely foolproof programmes or an operating system that is not prone to any such attacks.

But when a programme and its source code are under public scrutiny, loopholes in the system can be identified and patched immediately, before crackers exploit the vulnerability. This is the main reason all major malware attacks mainly affect proprietary software like the Microsoft Windows operating systems.

When a user does not have any control over the programme that she is running, the program controls the user. That also makes it easy for someone else to take complete control over that computer or smartphone. In the case of free software, the user controls the program and the source code is open for everyone to access, which in turn makes free software much more secure than any proprietary software.

Unlike in the past, free software operating systems (GNU/Linux) are nowadays more user-friendly and easy to use. Ubuntu, Mint, Debian and Fedora are widely used PC operating systems with great community support. By deciding to migrate from a proprietary operating system to a GNU/Linux operating system, you not only stay safe but also become part of a culture and community that believes in sharing and collaborating.

The malware spreads over the network by leveraging a vulnerability in "Server Message Block" (SMB), a network protocol in the Windows operating system. Last month it was revealed that the software "EternalBlue" was developed by the American National Security Agency (NSA) and has been used to leak personal information using this security vulnerability. WannaCry is believed to be using the same software. The unholy alliance between the American IT giants and the National Security Agency is no longer a secret.

Edward Snowden, a national security contractor, was one of the first persons to disclose this illicit relationship between the NSA and American IT giants which revealed the massive surveillance programme targeting the citizens with the direct help of American IT giants.

Hence, any long-term solutions need to be discussed and developed outside the ambit of the unholy alliance between the NSA and IT giants, the free software way.

(The writer is a software engineer and a member of Free Software Movement Karnataka)
