Archive for the ‘NSA’ Category

Why Soviet Weather Was Secret, a Critical Gap in Korea, and Other NSA Newsletter Tales – The Intercept

Three years after the 9/11 attacks, a frustrated NSA employee complained that Osama bin Laden was alive and well, and yet the surveillance agency still had no automated way to search the Arabic language PDFs it had intercepted.

This is just one of many complaints and observations included in SIDtoday, the internal newsletter of the NSA's signals intelligence division. The Intercept today is publishing 251 articles from the newsletter, covering the second half of 2004 and the beginning of 2005. The newsletters were part of a large collection of NSA documents provided to The Intercept by Edward Snowden.

This latest batch of posts includes candid employee comments about over-classification, descriptions of tensions in the NSA-CIA relationship, and an intern's enthusiastic appraisal of a stint in Pakistan.

Most revealing perhaps are insights into how NSA has operated domestically. The Intercept is publishing two stories on this topic, including one about NSA cooperation with law enforcement during American political conventions; in a throwback to the movie Blade Runner, another article describes a spy balloon used over the United States.

Finally, The Intercept, in cooperation with the Japanese broadcaster NHK, is revealing the history of U.S. surveillance cooperation with Japan. Starting with the American occupation of Japan after World War II and reaching a standoff after the Soviet shoot-down of a South Korean aircraft, the long and sometimes tense relationship reveals how even close U.S. allies can find themselves targeted by the NSA.

The NSA's Follow-the-Money Branch (the actual name of the division) brings together experts from across a spectrum of disciplines and organizations. The division in 2004 created a North Korea CRASH Team, short for Combined Rapid Analysis and Synthesis Hit, after the State Department issued a requirement for a new emphasis on regime finance and an increased emphasis on North Korea's financing of its nuclear proliferation. In response, the CRASH Team looked at North Korean transactions that went through foreign banks. In particular, the team targeted leadership finance, i.e. Kim Jong Il, the North Korean leader who died in 2011, and traced sales of precious metals allegedly owned by him, weapons shipments, and relationships among regime leaders.

The 6th rock drill on Korea brought together NSA and officials from the U.K., Canada, Australia, and New Zealand to rehearse scenarios involving civilian evacuations in Seoul and Pyongyang during a hypothetical Korean War. Participants planned a response to a North Korean attack and held a brainstorming session about signals intelligence operations in a hypothetical newly unified Korea. In the discussions, critical gaps were found in communications with trusted Five Eyes countries, which did not have access to the computer networks for the Korea Theater of Operations. Twenty-two other nations committed to defending South Korea are not included in intelligence sharing either. So NSA will be working through some of these problems, with the goal of exercising the resulting solutions sometime in early 2005.

Czech youngsters stand atop an overturned truck as the Soviet-led invasion by the Warsaw Pact armies crushes the so-called Prague Spring reform in former Czechoslovakia, in Prague on Aug. 21, 1968.

Photo: Libor Hajsky/AFP/Getty Images

Back in the late 1960s, Charlie Meals, the deputy director of SID, worked in the Soviet weather shop. The only way the U.S. could track weather in the Soviet Union was by listening to Soviet communications. The Soviets knew the U.S. was listening and so they encrypted the locations of weather reports. U.S. Strategic Air Command needed to have weather reports in case bombers ever had to fly into Soviet air space, and the weather reporting could also be an indicator of impending military action. For example, before the 1968 invasion of Czechoslovakia, the Soviets started including Czech weather reports in military broadcasts. (The intricacies of collecting weather data as intelligence are also described in this article by Jeffrey Richelson of the National Security Archive.) The weather effort had at least 250 people at NSA and people at bases around the world. This desk was still in operation in 2004.

FBI field office staff made little use of signals intelligence, and many didn't know how to access the information for themselves on the Intelligence Community's Intelink system, according to an NSA intern describing assignments at the bureau. The FBI field offices had little or no Sensitive Compartmented Information Facility space, which made it difficult to share the higher levels of intelligence between the agencies. The intern had higher regard for FBI headquarters. With data from the NSA, FBI analysts can now immediately tell if an individual in the U.S. has any foreign terrorism-related contacts.

A rebel is blessed during a Voodoo ceremony of the Gonaives Resistance Front, during a march in Gonaives, Haiti, on Feb. 13, 2004.

Photo: Walter Astrada/AP

The NSA tracked High Value Targets in Haiti following the 2004 coup, according to an article classified Top Secret. An NSA staffer reports that a task force on HVTs traveled to the central highlands of Haiti where they met with rebel leaders. During this trip they had collected several telephone numbers of these leaders and their associates, the staffer wrote. Soon thereafter, the NSA began to see multi-page reports of conversations between one important rebel leader and his wife which provided insight into his negotiating position and plans for control of the central highlands. Those private conversations proved useful. I received several emails from people who were incredulous that a conversation between an HVT target and his girlfriend was of any importance, the staffer went on. The truth is that a lot of SIGINT leavings that never make it into normal SIGINT reporting are actually valuable intelligence items for tactical warfighters.

NSA interns see the sights, even in Pakistan. An intelligence analysis intern working in SID's Pakistan branch was deployed to assignments in Islamabad and Lahore. At the embassy, the intern focused on signals intelligence related to the non-tribal Settled Areas and coordinated communications among NSA, CIA and the local counterpart, i.e. Pakistani partners, in tracking and targeting terrorists. The Settled Areas Office, along with their local counterparts, was responsible for the arrests of more than 600 alleged terrorists from September 11, 2001 to 2004. Outside of working hours, the blonde American attracted a constant stream of stares and curious looks as she ventured out to tourist sites. Station Islamabad, which has been fictionalized in Homeland and Zero Dark Thirty, was to this staffer one of the most exciting, challenging, and fast-paced locations to work in the world.

Q: What do SIGINT and mad cows have in common?

A: Both are of critical interest to the U.S. Department of Agriculture.

SIGINT isn't just for intelligence or military agencies. NSA's two-person Washington Liaison Office responds to signals intelligence requests from the Departments of Agriculture, Health and Human Services, Interior, and Transportation, the Environmental Protection Agency, Export-Import Bank, Federal Aviation Administration, Federal Communications Commission, Federal Reserve System, and National Aeronautics and Space Administration. With such a wide range of subject matter and competing priorities, the liaison officers have to balance topics from bovine spongiform encephalopathy to space launch vehicle capabilities; from narcotics interdiction techniques to wine labeling regulations; from toxin delivery technologies to secure communications options, and much, much more.

A protestor holding a portrait of Osama bin Laden shouts Allahu Akbar during a protest in front of Baiturrahman mosque, Banda Aceh, Indonesia, on Oct. 10, 2001.

Photo: AFP/Getty Images

Imagine if the NSA missed warning signs of an attack for no other reason than it couldn't search Arabic words in PDF format. If you were looking for Osama bin Laden, wrote an NSA employee in SIDtoday, and you had entered every Arabic word known to mankind in every possible encoding and Osama were doing nothing more than using PDF and writing in Arabic, you'd never get a hit. Quite reassuring, isn't it?

Near the end of 2004, SIDtoday began publishing a technical advice column written by an experienced Digital Network Intelligence analyst under the pseudonym Raul. One article describes a gaping intelligence hole that NSA had at the time, three years after the 9/11 attacks. Though analysts at NSA understood exactly how foreign-language PDFs were encoded, they lacked the technology to untangle them in real time in order to search them for keywords.

Apparently, this article hit a few nerves. Raul's subsequent column responded to a flood of complaints he had received. In that column, he outlined requirements for a hypothetical solution to the foreign-language PDF problem, and concluded with a bit of snark: Bin Laden is still safe and we, to the best of my knowledge, still have no reasonable solution to the PDF problem.

For some sensitive missions, NSA personnel need cover identities while working in the field. An article from October 2004 describes how agents go about making NSA personnel look like they actually work for an entity other than NSA. The Special Operational Support office is responsible for NSA's cover and sensitive personnel support programs. In addition to ensuring that cover operations comply with Department of Defense regulations, SOS provides logistics, transportation, personnel and medical support. The office also provides undercover operatives with DoD Common Access Cards (CAC), travel documents, state driver's licenses, credit cards, post office boxes, social security cards, pocket litter and telecommunications.

The NSA, it turns out, likes to stay on top of the latest scientific developments. Writing at the end of 2004, an NSA cryptanalyst described her experience working as an intern, and using her cryptography skills, on looking for information about genetic sequencing in the signals intelligence collected by the NSA. The ultimate goals of this project are to gain general knowledge about genetic engineering research activity by foreign entities, she wrote, and to identify laboratories and/or individuals who may be involved in nefarious use of genetic research.

Chairman Thomas Kean speaks during a news conference to release the 9/11 Commission's report in Washington on July 22, 2004.

Photo: Mark Wilson/Getty Images

Even though the 9/11 Commission report harshly criticized intelligence agencies' failures to share information, the NSA touted its contribution to the July 22, 2004, report. It goes without saying that NSA cooperation was absolutely vital to this effort, an article in SIDtoday says. SID staff aided in the declassification of material, turned over documents, and patiently explained the intricacies of their work. SID workers also scrubbed references to the NSA from the final report, rewording sections to avoid indications that certain pieces of intelligence derived from SIGINT. You should all feel proud, writes the post's author.

Yet the report itself points to specific SIGINT that could have led to the discovery of the attackers' conspiracy but remained unshared due to agencies' fear of disclosing intelligence to inappropriate channels and a culture of secrecy in which agencies feel they own the information they gathered at taxpayer expense.

A prior SIDtoday article touted the agency's extraordinary level of cooperation and provision of large volumes of SIGINT assessment reporting on terrorism, strategic business plans, and a wide range of other topics.

Cooperation between the NSA and CIA runs deep, but it hasn't always been smooth. An August 6 post, CIA's Directorates . . . Understanding More About Them, talks about turf wars due to real or perceived mission overlap, particularly within the CIA's technical division. Yet the Special Collection Service (SCS), which surveils foreign communications from U.S. embassies, is seen as a positive example of joint CIA-NSA work. SIDtoday cites the achievements of that highly classified organization, which came under scrutiny in 2013 for reports that its Berlin office had been intercepting Chancellor Angela Merkel's mobile phone data. The August 18 post, SCS and Executive Protection, details the interception of Philippine police communications about a bomb that had been placed on President Clinton's motorcade route, which the police were trying to defuse without informing the Americans. SCS passed this information to the Secret Service, who re-routed the cars.

The NSA-CIA relationship was also the subject of two SIDtoday articles in 2003.

Even the NSA acknowledges that it classifies too much. In an article, Do We Overclassify? Are We Sharing Enough Information?, a senior SID leader echoes language from the 9/11 Commission report, specifically citing the need to go from a climate of need to know to one of need to share. This interview shares the report's concern that intelligence agencies err on the side of over-classification: If we continue to insist on classifying information which has already become known to our adversaries or for which disclosure would cause little or no harm to national security, we risk losing control over the really sensitive stuff. Tellingly, though, he fears that Congress itself will act to force the NSA to disclose more information.

Post-9/11, the NSA has expanded its cooperation with law enforcement agencies, including the U.S. Marshals Service. In February 2004, SID formalized a relationship with the Marshals and its Electronic Surveillance Unit, which functions like an intelligence operations team, as it both monitors fugitives and provides support and threat assessments to other agencies. The U.S. Marshals Service represents an ideal client for the NSA given its interest in stay(ing) out of the public limelight and courthouses.

Top photo: North Korean soldiers carry a portrait of late leader Kim Jong Il during a military parade to mark 100 years since the birth of the country's founder Kim Il Sung in Pyongyang on April 15, 2012.


More Windows PCs infected with NSA backdoor DoublePulsar – Network World

By Ms. Smith, Network World | Apr 24, 2017 7:50 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.


The number of Windows computers infected with NSA backdoor malware continues to rise since Shadow Brokers leaked the hacking tools on April 14.

Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.

For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people, as his newest scan showed about 25 percent of all vulnerable and publicly exposed SMB machines are infected.

On Sunday, Tentler had scanned 1.17 million hosts and found 33,468 to be infected.

The infection rate had been holding steady at 2.85 percent before it climbed to 2.91 percent and then 2.95 percent. Tentler explained:

It is important to note that DoublePulsar is like a stealthy malware downloader; infected devices are open for more exploitation, as it can be used to download other malware.

The presence of DoublePulsar doesn't mean they're infected by the NSA. It means there is a loading dock ready and waiting for whatever malware anyone wants to give it, Tentler told CyberScoop. The chances are none that all these hosts [were hacked by] the NSA. It is effectively trivial to go compromise all these hosts with the flick of a wrist.

Elsewhere, using the detection script developed by Luke Jennings of Countercept, security firm Below0Day tweeted that it had detected 30,626 DoublePulsar implants on April 18. Of those, 11,078 were in the U.S. A few days later, Below0Day had detected an additional 25,960 implants.

On Sunday, Below0Day wrote:

On the afternoon of April 21st, we initiated another masscan to get a new list of hosts with open 445 port. This time around we identified 5,190,506 hosts with port 445 open. We then ran Countercept's detect script and identified 56,586 hosts with DOUBLEPULSAR SMB implant.

The U.S. was still the most infected country, but 14,091 DoublePulsar implants were detected this time. That's up 3,013 from a few short days ago.

It was widely reported on Friday that thousands of Windows machines were infected with DoublePulsar. As it does now, the exact number of affected Windows boxes varied, depending upon which security researcher's numbers you trusted.

Microsoft, which issued patches to mitigate most of the exploits, expressed doubts about the accuracy of the number of real-world infections. However, Microsoft did tell Ars Technica on Friday that people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

John Matherly, the creator of Shodan, added detection for DoublePulsar last week.

Matherly told CyberScoop that Shodan had indexed over 2 million IPs running a public SMB service on port 445 that are vulnerable to DoublePulsar. Last Friday, Matherly said more than 100,000 devices could be impacted, with 45,000 confirmed to be infected thus far.

Tiago Henriques, CEO of BinaryEdge, also said the number of devices infected with DoublePulsar is still climbing. The total number of infections on Monday morning, according to BinaryEdge, had increased by 76,697 since Friday. The company showed the total number of infections per day:


NSA grant funds free GW cybersecurity camp for middle school girls – GW Hatchet (subscription)

In its second year, the free cybersecurity day camp will host about 20 students on the Mount Vernon Campus from June 19 to June 30.

Updated: April 24, 2017 at 11:48 a.m.

A National Security Agency grant will fund a free camp for middle school girls on campus this summer.

The free GenCyber cybersecurity day camp will host about 20 students on the Mount Vernon Campus from June 19 to June 30. Shelly Heller, a professor of engineering and applied science who is overseeing the camp, said the event will stimulate the campers' interest in computer science at a young age and encourage more women to pursue careers in computer science.

The NSA is providing a $100,000 grant to fund the camp this year, $20,000 more than a year ago. Heller said the new increased funding will help create an online camp with lessons and activities that the students will be able to access nightly with their parents.

The virtual camp will include an activity and review of that day's topic, which will range from networking to forensics.

This will strengthen what the campers learned during the day, but it will teach the parents, Heller said. The parents will learn alongside them and learn good internet practices themselves.

Heller said the camp was designed a year ago with the intention of exposing young women to science, technology, engineering and math fields while advertising safe online practices like creating secure passwords. Heller applied for the NSA grant again this year and decided to include a proposal for the virtual camp.

Two middle school STEM teachers and two GW computer science students will teach the students and help with daily activities like scavenger hunts, case studies and question and answer sessions. The camp will also take students on field trips to the National Cryptologic Museum and the Spy Museum in downtown D.C.

Heller said having two college student counselors will allow the campers to learn about potential majors and career opportunities in computer science through a relationship with a near peer, someone close to the students but a bit older in age.

It is one thing for me to tell a junior high kid, boy or girl, that this is a career for them, but I am so far away from them, she said. These near peers have much more relevance to high school and junior high kids.

Students in the local area can apply for the camp online and need to answer open-ended questions about why they care about computer science or cybersecurity. The camp runs for two weeks from 9 a.m. to 4 p.m. daily, with aftercare provided from 8 a.m. to 5 p.m.

Heller, who has been at GW since 1985, said much of her work has involved recruiting and retaining women in the STEM fields, an effort that inspired her to start the camp last year. She said that to increase the number of female professors in STEM, students must be introduced to the fields at a young age to build confidence and interest in the subject.

I've worked with students and you need to raise the women's interest early and you need to give them the confidence that this is an interesting opportunity and they can do it, Heller said.

Women are consistently underrepresented in computer science and STEM fields. A recent study by the National Science Board's Science found just 10.7 percent of electrical or computer hardware engineers are women, and only 17.9 percent of bachelor's degrees earned in the computer science field are by women.

GW has been working to increase the numbers of women in STEM undergraduate and graduate programs. Out of the 15 computer science professors at GW, six are women.

Vernecia Griffin, an instructional technology teacher and academic support team leader at Jeffers Hill Elementary School in Columbia, Md., will be one of the camp's instructors. She said the camp will bring in female professionals in the field, helping attendees learn about potential careers within the cybersecurity field and giving them a bit of insight into their job title and education path.

They also discuss the challenges they may encounter, being a female in a male-dominated field, Griffin said.

This post was updated to reflect the following correction: The Hatchet incorrectly reported that Shelly Heller is the associate provost for academic affairs at the Mount Vernon Campus. She no longer holds this title. We regret this error.

This article appeared in the April 24, 2017 issue of the Hatchet.


10000 Windows computers may be infected by advanced NSA backdoor – Ars Technica

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected.

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

A map of affected countries. Image: Below0day

Countries most affected based on IP addresses returned in a scan performed by Below0day. Image: Below0day

Partial results of a Below0day scan. Image: Below0day

Not everyone is convinced the results are accurate. Even 30,000 infections sounds extremely high for an implant belonging to the NSA, a highly secretive agency that almost always prefers to abort a mission over risking it being detected. Critics speculate that a bug in a widely used detection script is generating false positives. Over the past 24 hours, as additional scans have continued to detect between 30,000 and 60,000 infections, a new theory has emerged: copycat hackers downloaded the DoublePulsar binary released by Shadow Brokers. The copycats then used it to infect unpatched Windows computers.

"People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could," Dan Tentler, founder of security consultant Phobos Group, told Ars. "On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best [approach] is to release the tools [just before] the weekend. DoublePulsar is a means to an end."

Tentler is in the process of doing his own scan on the Shodan computer search service that makes use of the DoublePulsar detection script. So far, he has run a manual spot check on roughly 50 IP addresses that were shown to be infected. All of the manual checks detected the hosts as running the NSA backdoor. Once installed, DoublePulsar waits for certain types of data to be sent over port 445. When that data arrives, the implant provides a distinctive response. While security practices almost always dictate that the port shouldn't be exposed to the open Internet, Tentler said that advice is routinely overridden.

In a statement issued several hours after this post went live, Microsoft officials wrote: "We doubt the accuracy of the reports and are investigating." For the moment, readers should consider the results of these scans tentative and allow for the possibility that false positives are exaggerating the number of real-world infections. At the same time, people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

Post updated to add Microsoft comment.


Leaked NSA hacking tools are a hit on the dark web – CyberScoop

Underground hackers are now sharing, promoting and working to adopt executable computer code evident in NSA documents that were published last week by the Shadow Brokers, private sector intelligence analysts tell CyberScoop.

Tutorials on how to utilize some of the tools began appearing the same day the NSA documents were originally published, according to researchers at Israel-based dark web intelligence firm SenseCy. Forum members have shown a particular interest in a leaked framework similar to Metasploit that's unique to the NSA, called Fuzzbunch.

SenseCy, a firm focused on the dark web and staffed by former intelligence officials, identified a series of conversations occurring in a hidden Russian cybercrime forum discussing how members could exploit a bug in Windows Server Message Block, a network file sharing protocol.

Hackers [have] shared the leaked [NSA] information on various platforms, including explanations [for how to use the tools] published by Russian-language blogs, said SenseCy Director Gilles Perez. We identified [one] discussion dealing with the SMB exploit [ETERNALBLUE], where hackers expressed interest in its exploitation and share instruction on how to do so.

Perez declined to name the dark web forums surveilled by SenseCy, but provided CyberScoop with screenshots of conversations between members discussing the matter in discussion boards. We can never provide the names of the forums as that could jeopardize our operations, he wrote in an email.

One of the powerful tools shared by the Shadow Brokers last week, and addressed by a March Microsoft security update, is codenamed ETERNALBLUE in the leaked documents; the underlying vulnerability is also referred to as MS17-010 by Microsoft.

ETERNALBLUE allows for an attacker to remotely cause older versions of Windows to execute code.

Security researcher Matthew Hickey was able to show in a video that ETERNALBLUE is effective against machines running Windows Server 2008 R2 SP1, an old but popular version of Windows Server.

SenseCy researchers told CyberScoop they've already seen cybercriminals attempt to utilize the MS17-010 vulnerability in ransomware-style attacks.

We are now seeing a trend, that most likely will gain momentum in the following weeks, of infecting Windows servers with Ransomware utilizing the [NSA] leaked exploits, Gilles said.

Some security researchers believe that exploiting MS17-010 will become popular amongst cybercrime gangs because it allows for a more damaging ransomware infection.

Researchers at cyber intelligence firm Recorded Future told CyberScoop that they too have spotted separate discussions in several Russian and Chinese hacker forums in which users successfully reverse engineered some of the Windows tools and were openly sharing their findings.

The surprising recent release, one of the most comprehensive and up-to-date of hacking tools and exploits, by the notorious Shadow Brokers group stirred up great interest among Russian-speaking cyber criminals, said Andrei Barysevich, Recorded Future's director of advanced collection. Only three days after the data was leaked, we identified a discussion among members of an elite dark web community sharing expertise in weaponizing the EternalBlue exploit as well as the DoublePulsar kernel payload.

He added, considering that Microsoft patched the EternalBlue vulnerability as recently as March 14, the number of potentially affected systems could still be tremendous.

Recorded Future similarly declined to name the forums where they discovered this content.

[In the Chinese forum], they were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE) and privilege escalation tool (ETERNALROMANCE), members of Recorded Future's research team wrote in an email. Actors were focused on the unique trigger point for [ETERNALBLUE] and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.

These discussions indicate that there's broad interest in the unique malware triggers published by the Shadow Brokers and a belief that the underlying vulnerabilities being exploited had not been completely mitigated by Microsoft's patches, according to Recorded Future. These two factors combine to increase the risk that malicious Chinese actors may reuse or repurpose this malware in the future, a spokesperson explained.

Most of the exploits and implants mentioned in the latest release are designed to exploit software vulnerabilities apparent in older Microsoft products, including Office and various operating systems. The technology giant stated in a blog post over the weekend that it had patched most of the exploits. Discontinued, end-of-life versions of Windows, such as XP and 2003, remain vulnerable as they did not receive a security patch.

More than 65 percent of desktop computers connected to the internet last month ran on older versions of Windows like Vista, according to estimates from the tracking firm Net Market Share.

While many of the Microsoft Windows-specific exploits target remote code execution vulnerabilities, they need to be deployed against a reachable host in order to be successful. In other words, a connection to the organization must already be established for many of these exploits to work, as port 445, which is used by Microsoft's SMB, is typically blocked at the internet edge.

Microsoft declined to answer questions pertaining to how the company originally became aware of the aforementioned vulnerabilities, which were supposedly once exploited by the NSA.

Though it remains unclear whether anyone has been able to successfully leverage any of the leaked hacking tools to launch their own computer intrusion, security researchers fully expect and are preparing for a barrage of new attacks supported by NSA's quality engineering.

Even though the vulnerabilities released were patched, we feel confident that it will only be a matter of time before we see exploitation in the wild, said Cylance Chief Research Officer Jon Miller. The scale will be on par with any other known and patched vulnerability. Only those that aren't judicious in patching their systems will be affected, mitigating the risk that comes from a true zero day.

Liam O'Murchu, the director of Symantec's security technology and response group, said he expects it will take a little longer for attackers to begin incorporating the leaked tools into their own attacks.

From a defensive perspective, one of the main problems is the volume of data released, said O'Murchu. We need to analyze all the files to understand how they could be changed or used to fit in with current cybercrime attacks; with ~7,000 files disclosed, it is very resource intensive to understand all of the tools, the full capabilities and how they can be used. That is what we are working on now.

A cohort of independent researchers and security firms have been finding new capabilities and targeted software vulnerabilities hidden in the massive trove of documents on a near daily basis since Friday's release.

We have only begun to scratch the surface on these tools and now that they are out there it's important we can analyze them to determine servers that are impacted as well as what steps can be taken to protect against them, Hickey wrote in a blog post on Wednesday.

The tools are released in binary format and, as reverse engineering efforts are underway, we will likely discover more interesting features about the attacks, wrote Hickey. We are under no illusion that such a huge data trove will not be completely analyzed in its first few days of discovery and neither should you.
