Sunday, 14 May 2017

Washington Post/Henry Farrel: Cybercriminals have just mounted a massive worldwide attack. Here’s how NSA secrets helped them

The Washington Post 
Monkey Cage Analysis

By Henry Farrell May 12

Computers around the world are suffering an attack from malicious software. The compromised computers have been hit by “ransomware” — software that encrypts the computer’s hard drive so that all the information on it is unavailable, and refuses to release it until a ransom is paid in Bitcoin, an online currency that is difficult to trace. Among the victims are FedEx, Britain’s National Health Service and computers belonging to Russia’s Ministry for the Interior.

Ransomware attacks have happened before. What is unusual is how quickly this attack is compromising large numbers of critical computers. It has been so successful because it has made use of a so-called “zero-day exploit” — a previously unknown flaw in Windows software that makes it easy to take control of vulnerable systems. This zero day exploit became publicly known last month, when it was released as part of a treasure trove of NSA data by the “Shadow Brokers,” a shadowy group of hackers who many believe are associated with Russian intelligence. Criminal hackers appear to have combined this exploit with ransomware tools to mount a worldwide campaign. Here’s what you need to know to understand what happened.

The NSA collects zero day exploits

One of the NSA’s key functions is to spy on intelligence targets in other countries. This, very often, involves compromising their computer systems. Hence, zero-day exploits for commonly used software, such as Windows, are potentially very valuable to the NSA and to its rival intelligence agencies. Big complex pieces of software like operating systems have a myriad of bugs, some of which can allow hostile outsiders to take control of computers running the software. Such exploits can be used to gain surreptitious control of computers or other devices running software, scoop up information, or even turn computers or phones into silent spying devices by, for example, taking control of their cameras and microphones. There are even clandestine markets where zero day exploits are bought and sold.

But the NSA has a dual role

The complicating factor for the NSA is that it is not only supposed to hack into the computers of interesting foreigners — it is supposed to protect the computers of U.S. citizens and firms from outside attacks. This poses problems, because foreigners and U.S. citizens tend to use the same kinds of software, and be subject to the same kind of attack. Every time the NSA discovers a new vulnerability, it is supposed to go through an “equities process,” in which it determines whether it is better to disclose the vulnerability to software companies (so that U.S. citizens, firms and the government can be protected) or keep it for its own use (so that it can compromise foreign systems).

When the NSA discloses the vulnerability, the creators of the software can modify the software through a “patch,” which can then be downloaded by users to close the vulnerability. When the NSA doesn’t disclose it, nothing gets done unless someone independently discovers the problem (or the hole gets closed inadvertently thanks to other changes). When Microsoft, Apple or Google make you update your computer or phone operating system (or else suffer a series of annoying reminders), they are sometimes patching real vulnerabilities.

This zero-day exploit was kept by the NSA

The Shadow Brokers leak revealed a number of NSA documents, including zero-day exploits that were previously unknown to the general public. Importantly, the Shadow Brokers leaked the files they had compromised in multiple stages, saving the zero-day exploits for a later release, which happened a couple of months later. Although no one is saying so in public, it appears likely that the NSA contacted Microsoft as soon as they realized that the zero-day exploits had been compromised by hostile actors. Certainly — contrary to initial reports — Microsoft patched its software soon after the initial Shadow Brokers release in ways that suggested the company had become aware of the vulnerabilities. This meant that when the zero-day exploits were released last month, people with up-to-date installations of the relevant version of Windows were already protected against these particular zero day attacks.

Patching is not always enough

The problem is that many users take time to patch their systems. Sometimes this is because of laziness, ignorance or lack of resources. Sometimes, it is because organizations have to run a variety of complex software packages and may worry that if they change one software component (especially a crucial platform or operating system) the other software will stop working. Thus, big organizations often want to take time to test newly patched software before they start running it.

Monkey Cage newsletter

Commentary on political science and political issues.

For whatever reason, a variety of organizations appear not to have downloaded and implemented the patches. This meant that their systems had a gaping vulnerability, which the ransomware has now taken advantage of, compromising systems in hospitals, businesses and government ministries.

There are no easy solutions

There are many causes for the current impasse. If the NSA had weighed the vulnerabilities differently, and quietly informed Microsoft years ago, the problem would never have happened at a wider scale, because Microsoft would have issued the patch long before criminals could take advantage. Obviously, if the Shadow Brokers had kept quiet, criminals would not have been able to take advantage (although the Shadow Brokers themselves could have used the exploits against U.S. and other targets with nearly complete impunity).

The bigger problem is that no one is in charge. Responsible software producers will issue patches to protect against vulnerabilities (although they may not be obliged to under the law), but there is no way to ensure that everyone implements them. Unfortunately, the problem is getting worse rather than better over time. As Bruce Schneier points out, many of the devices on the Internet these days are not computers or phones. They are DVD players, TVs, webcams and, maybe soon, even salt shakers. The companies building such devices are not always careful about looking for, or keeping track of vulnerabilities, so that hackers can target huge numbers of poorly secured devices (and use these devices to attack other Internet users). While experts have identified the importance of the problem, it isn’t clear that there is any plausible solution without radical changes to the ways we build technologies, and shape incentives for businesses and users to keep these technologies secure.
Henry Farrell is associate professor of political science and international affairs at George Washington University. He works on a variety of topics, including trust, the politics of the Internet and international and comparative political economy.
Follow @henryfarrell
Most Read

    Analysis White House ‘systems failed’ with Comey firing, but Trump pushed the buttons
    Trump’s own words add fuel to questions about the legality of firing Comey
    Trump to Liberty graduates: Be an outsider — because there’s nothing ‘more pathetic’ than ‘being a critic’
    At Mar-a-Lago, the star power of the presidency helps charities — and Trump — make more money
    Analysis At last: A map of Trump’s acreage victory that’s to the proper scale

The story must be told.
Subscribe to The Washington Post.
Inside 'Trump Revealed'
Read stories based on reporting for “Trump Revealed,” a broad, comprehensive biography of the life of the president.

    Reporting archive: Trump’s financial records, depositions and interview transcripts

Monkey Cage newsletter

Commentary on political science and political issues.
    © 1996-2017 The Washington Post
Post a Comment