Mediaboss Marketing

Microsoft's president and chief legal officer Brad Smith: "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem."

Microsoft president and chief legal officer Brad Smith has called for "urgent collective action" in response to Friday's WannaCrypt ransomware attack on Windows machines that didn't have Microsoft's March patch for a flaw in the Windows Server Message Block (SMB) protocol.

Governments, in particular intelligence agencies such as the National Security Agency (NSA), need to rethink the practice of stockpiling cyberweapons, Smith said in a blogpost on Sunday detailing how Microsoft, governments, and industry can prevent a repeat of Friday's devastating and widespread WannaCrypt ransomware attack.

While improvements can be made by all groups, as Smith emphasized, the WannaCrypt exploit that caused Friday's chaos was "drawn from the exploits stolen from the National Security Agency". In other words, had the NSA reported the flaw to Microsoft instead of keeping it and eventually leaking it, Friday's attack might not have been so widespread.

The WannaCrypt attacks hit Europe first, crippling around 45 UK hospital groups among others, before being accidentally contained by security researchers at MalwareTech, minimizing the impact on US organizations.

The specific NSA exploit that WannaCrypt adopted as a replicating mechanism was called EternalBlue, which targeted a flaw in Windows SMB and was leaked by the mystery hacker group, Shadow Brokers, in April.

Microsoft fortunately released a patch for the flaw in the MS17-010 bulletin in March, but as Friday's attacks revealed, many organizations don't or can't apply patches within two months, even for critical, highly publicized flaws.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith, comparing the exploit's theft to stolen missiles.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," he wrote.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."

Smith highlighted Microsoft's decision on Friday to release a patch for unsupported Windows XP, Windows 8, and Windows Server 2003, as evidence of the priority it places on security, alongside updates in Windows Defender and its Advanced Threat Protection service.

And while he reminded users that "there is simply no way for customers to protect themselves against threats unless they update their systems", Smith does concede that some organizations face a "formidable" challenge in applying patches immediately.

Exactly how Microsoft plans to make it easier for organizations to patch their systems without breaking operational equipment remains to be seen. However, Smith said Microsoft is "dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments".

Finally, Smith believes the WannaCrypt attack illustrates why it makes sense governments for to agree to Microsoft's proposal for a 'digital Geneva convention', which would require governments to report vulnerabilities to vendors, rather than stockpile or buy and sell them.

"We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it's needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part," Smith finished.

According to Reuters, Russian president Vladimir Putin agrees with Microsoft on this issue.

"I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the US intelligence services," Putin said.

"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he added.

"So this question should be discussed immediately on a serious political level, and a defense needs to be worked out from such phenomena."

See the original post:
Windows ransomware: WannaCrypt shows why NSA shouldn't stockpile exploits, says Microsoft - ZDNet

In mid-April,an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the Shadow Brokers. Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom.

An infected NHS computer in Britain

Gillian Hann

The malware worm taking over the computers goes by the names WannaCry orWanna Decryptor. It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, ones computer would be rendered useless for anything other than paying said ransom. The pricerises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) willmake the data permanently inaccessible (WannaCry victims will have a handy countdown clocktosee exactly how much time they have left).

Ransomware is not new; for victims, such an attack is normally a colossal headache. But todays vicious outbreak has spread ransomware on a massive scale, hitting not just home computers but reportedly health care, communications infrastructure, logistics, and government entities.

Reuters saidthathospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies, and that the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computersacross over 70 countries(and counting these things move extremely quickly).

According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs asMalwareTech told The Intercept, Ive never seen anything like this with ransomware, and the last worm of this degree I can remember is Conficker. Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9million computers in nearly 200 countries.

Most importantly, unlike previous massively replicating computer worms and ransomware infections, todays ongoing WannaCry attack appears to be based onan attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agencys hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixedthe ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them but from the moment the agency lost control of its own exploit last summer, theres been no such assurance. Today shows exactly whats at stake when government hackers cant keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, I am actually surprised that a weaponized malware of this nature didnt spread sooner.

Screenshot of an infected computer via Avast.

The infection will surely reignite arguments over whats known as the Vulnerabilities Equity Process, the decision-making procedure used to decide whether the NSA should use a security weakness it discovers (or creates) for itself and keep it secret, or share it with the affected companies so that they can protect their customers. Christopher Parsons, a researcher at the University of Torontos Citizen Lab, told The Intercept plainly: Todays ransomware attack is being made possible because of past work undertaken by the NSA, and that ideally it would lead to more disclosures that would improve the security of devices globally.

But even if the NSA were more willing to divulge its exploits rather than hoarding them, wed still be facing the problem that too many people really dont seem to care about updating their software. Malicious actors exploit years old vulnerabilities on a routine basis when undertaking their operations, Parsons pointed out. Theres no reason that more aggressive disclose of vulnerabilities through the VEP would change such activities.

A Microsoft spokesperson provided the following comment:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update: May 12, 2017, 3:45 p.m. This post was updated with a comment from Microsoft.

Update: May 12, 2017, 4:10 p.m. This post was updated with a more current count of the number ofaffected countries.

Here is the original post:
Leaked NSA Malware Is Helping Hijack Computers Around the World - The Intercept

New York Times

Hackers Hit Dozens of Countries Exploiting Stolen NSA Tool New York Times The attacks on Friday appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary ... NSA-created cyber tool spawns global attacksPolitico An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware OutbreakForbes Ransomware Cyber Attack Using NSA Tools Hits Russian Government, Global Firms and HospitalsNewsweek TechCrunch -Sacramento Bee -The Providence Journal -NHS Digital all 1,870 news articles »

See the original post here:
Hackers Hit Dozens of Countries Exploiting Stolen NSA Tool - New York Times

Foreign Policy (blog)

Report: NSA Analysts Frequently Broke Rules on Intelligence Collection Foreign Policy (blog) NSA analysts had a startling error rate of 85 percent on another, smaller part of the NSA's foreign intelligence programs, a statistic that raises questions about the propriety of current powers to search that data, the court wrote. That program ...

More:
Report: NSA Analysts Frequently Broke Rules on Intelligence Collection - Foreign Policy (blog)

Some media reports about the ransomware -- called WannaCry -- that rocked the UK health system, Spain's telecom industry, and other targets in Europe Friday say that hackers pulled it from a leaked NSA tool kit.

That's not really accurate.

Instead, computing experts say and a review of the computing code shows, the leaked NSA tool kit demonstrated to the hackers how they could attack these systems. The hackers didn't use NSA code, but they did copy something from the tool kit.

"WannaCry ransomware uses one of the exploitsreleased recently by Shadowbrokers in the leaked NSA tools archive," said Andrew Komarov, chief intelligence officer for the cybersecurity firm InfoArmor. "This is pretty normal practice, where cybercriminals are using the latest vulnerabilities in order to increase the efficiency of their malware."

The name of the NSA tool that the hackers drew on to develop the new ransomware is called "Eternalblue".

The software fix for the vulnerability that the ransomware exploits came out in March, before the Shadowbrokers leak, so experts say there was theoretically time to patch systems in advance of an attack.

Komarov said there was no indication that WannaCry or Friday's attack had anything to do with the NSA "or any other state-sponsored cyber offensive activities."

The FBI is warning that unknown hackers have launched cyberattack with 'destructive malware' in the U.S. Kacper Pempel

The Agency announced late Tuesday that it has established a "Korea Mission Center" to "harness the full resources, capabilities, and authorities of the Agency in addressing the nuclear and ballistic missile threat posed by North Korea." The CIA also announced that Director Mike Pompeo has named a "veteran intelligence officer" to run the center but declined to name the officer for security reasons.

Both publicly and privately, the agency has said North Korea has been one of, if not the most, difficult of intelligence targets.

"Creating the Korea Mission Center allows us to more purposefully integrate and direct CIA efforts against the serious threats to the United States and its allies emanating from North Korea," said Pompeo. "It also reflects the dynamism and agility that CIA brings to evolving national security challenges."

Oregon Democrat Ron Wyden says he will block the nomination of Donald Trumps pick to be the top Treasury intelligence official until Treasurys anti-money-laundering agency produces documents requested by the Senate Intelligence Committee related to Trump.

Sen. Wyden says he will maintain a hold on the nomination of Sigal Mandelker to be under secretary of the Treasury for terrorism and financial intelligence until the documents are produced.

This week, Intelligence Committee Ranking Member Sen. Mark Warner, D-Virginia, announced that the committee had asked the Treasury Departments Financial Crimes Enforcement Network (FinCEN) for records relating to President Trump and his associates.

"I have stated repeatedly that we have to follow the money if we are going to get to the bottom of how Russia has attacked our democracy," Wyden said. "That means thoroughly review any information that relates to financial connections between Russia and President Trump and his associates, whether direct or laundered through hidden or illicit transactions. The office which Ms. Mandelker has been nominated to head is responsible for much of this information."

Wyden-0702508-18401- 0010

Three senior defense officials report that Iran test-fired a high-speed torpedo near the Strait of Hormuz on Sunday.

The Hoot torpedo is still in the testing phase, the officials report, but once it is fully operational it should be able to travel about12,000 yards (approximately six nautical miles) at a speed of about 200 knots per hour (approximately 250 miles per hour). None of the officials couldsay whether the test was successful or not.

The USS George HW Bush strike group is in the Gulf right now but all three officials said the test did not pose a threat to U.S. shipsor assets in the region.

Two of the officials said that the Iranian military last tested this torpedo in February 2015.

The ACLU is suing four federal agencies for records related to the Jan. 29 raid in Yemen that killed a Navy SEAL and civilians, including children.

The civil liberties organization filed a freedom of information request for documents in March and then filed a lawsuit in Manhattan federal court on Monday to force the government to respond.

"After conducting an internal investigation, the government released little information about the circumstances surrounding the Raid, the legal or factual justifications for it, and its consequences," the suit said.

Among the information the ACLU wants is an accounting of the civilians killed in the raid, which erupted in a deadly firefight after, as one senior U.S. intelligence official told NBC News, "almost everything went wrong."

The head of U.S. Central Command told Congress between four and 12 civilians were killed, but Human Rights Watch and others have put the toll higher.

The Trump administration has characterized the raid as a huge success. However, NBC News has reported in March that none of the intelligence gleaned from the operation so far has proven actionable or vital.

A man stands on the rubble of a house destroyed by a Saudi-led airstrike in the outskirts of Sanaa, Yemen, Feb. 16, 2017. At least one Saudi-led airstrike near Yemen's rebel-held capital killed at least five people on Wednesday, the country's Houthi rebels and medical officials said. Hani Mohammed / AP

Gregory Lepsky appeared in a New Jersey federal courtroom Friday to face charges that he planned to detonate a pressure cooker bomb in New York City in the name of ISIS.

Seamus Hughes of George Washington's Program on Extremism pulled this inventory of the defendant's internet search history from the case file.

Eight men accused of plotting to attack the 2016 Olympic Games in Rio de Janeiro on behalf of ISIS were sentenced Thursday.

The men were found guilty in a Brazilian court of recruiting and promoting terrorism and face sentences that range from five to 15 years in prison. They were arrested in a series of raids in late July 2016, several weeks before the Games.

They had all pledged allegiance to an ISIS offshoot, authorities said, anddiscussed a plan to contaminate one of Rio de Janeiro's water reservoirs.

"All of the accused were dedicated to promoting the terrorist organization called the Islamic State through the social networks Facebook, Twitter and Instagram," said the judge in the case, Marcos Josegrei da Silva.

The suspects, all Brazilian citizens, discussed plans in email threads, and via messaging apps like Telegram and WhatsApp, according to court documents reviewed by NBC News.

Some celebrated other terrorist attacks, like the shooting at the Orlando nightclub.

It doesn't appear any of them knew each other aside from conversations online and messaging apps.

The convictions are the first under Brazil's new anti-terrorism law. Previously, terrorism was not clearly defined in Brazil and was treated like any other crime; now an individual can face up to 22 years in jail if found guilty of preparing terrorist acts.

One of the men sentenced under Brazil's new terrorism law for a plot against the 2016 Olympic Games in Rio. Court Documents

The newest issue of the ISIS magazine Rumiyah includes instructions for would-be terrorists about how to kill pedestrians with trucks. In infographic form, the instructions list the characteristics of the ideal vehicles ("slightly raised chassis and bumper"), where to buy, steal or rent the trucks, and the ideal targets.

The latest installment of the magazine's "Just Terror Tactics" feature comes as the U.S. Transportation Security Administration has just sent a warning about truck attacks to law enforcement agencies across the U.S.

Truck Attacks Poster Propaganda

We've got a bad feeling about this.

The Russian government jumped on the "May the 4th Be With You" bandwagon by tweeting the message "Come to our side" over a photo of a key Star Wars character.

Han Solo? Nope.

Luke Skywalker? Nah.

Yoda, you ask? Nyet.

The Russian Embassy in the U.K. chose a photo of Darth Vader, a villain bent on galactic domination, to personify itself on what's come to be known as Star Wars Day.

Hopefully it's just a snarky joke from a Twitter account known for trolling. Otherwise, someone tell the Pentagon to fire up the Millennium Falcon.

See more here:
Ransomware That Hit Europe's Computers Did Not Come From NSA Leak - NBCNews.com