Critics and defenders of the National Security Agency faced off this weekend over a New York Times report detailing how hackers who locked up Baltimore’s computer networks for the past two weeks relied partly on a leaked NSA hacking tool.
The tool, dubbed EternalBlue, has also been used to lock up city networks in San Antonio and Allentown, Pa., the Times’s Nicole Perlroth and Scott Shane reported.
Critics say the NSA is hellbent on developing dangerous hacking tools to use against adversaries and isn’t adequately preparing for what happens when those tools leak and are used against U.S. targets.
Frank Baitman, a former chief information officer at the Health and Human Services Department, compared the situation to biological weapons that make their way out of a U.S. government lab and infect citizens. The federal government, he tweeted, should shoulder some of the cost of Baltimore’s ransomware attack and other such breaches using the leaked code.
Baltimore City Council President Brandon M. Scott echoed that call and urged President Trump to declare a federal disaster, which could speed federal funding.
“Given the new information and circumstances it’s even more clear that the federal government needs to have a larger role in supporting the city’s recovery,” he said in a statement.
Council President Brandon Scott calls for Federal Emergency & Disaster Declaration for Baltimore Cyber Attack pic.twitter.com/HQf1QusDmA — Brandon M. Scott (@CouncilPresBMS) May 26, 2019
Many security researchers, however, say the real problem isn’t with the NSA. They say that hacking victims like Baltimore still haven't taken sufficient measures against EternalBlue two years after it first leaked -- and aren't using a software patch released by Microsoft to protect themselves.
“If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that's squarely the fault of the organization, not Eternalblue,” security researcher Robert Graham tweeted.
Eternalblue was released over two years ago.. If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that's squarely the fault of the organization, not Eternalblue. — Robᵇᵉᵗᵒ Graham (@ErrataRob) May 25, 2019
Robert M. Lee, a former NSA hacker who’s now CEO of the cybersecurity company Dragos, said the NSA deserves some blame for EternalBlue being stolen. But he added that culpability shifts as more time elapses with victims not taking measures to protect themselves:
It’s an odd discussion and I don’t know it’s fully fleshed out but I do think over time the culpability changes. 2 years after patches are available I’m more inclined to blame the actual adversary using the exploits. — Robert M. Lee (@RobertMLee) May 25, 2019
In the Baltimore case, EternalBlue wasn’t the main element of the malware that permitted hackers to take control of the city’s networks. But it allowed them to move more easily from system to system and to broaden the scope of the attack, the Times reported.
And that’s enough to cause alarm among some traditional defenders of the NSA.
Sen. Chris Van Hollen (D-Md.) and Rep. Dutch Ruppersberger (D-Md.), whose district includes Fort Meade and part of Baltimore, are asking the NSA for a briefing on EternalBlue’s role in the Baltimore attack, the Baltimore Sun’s Ian Duncan and Kevin Rector reported.
Update: Sen. Chris Van Hollen says he is also seeking NSA briefing about report agency tool was used in Baltimore ransomware attack. — Ian Duncan (@iduncan) May 25, 2019
And Council President Brandon Scott now says the federal government ought to step in and pay some of the recovery bill https://t.co/KenKTYn9qF
The cybersecurity community has long battled over whether the U.S. government draws the right lines when it decides whether to alert companies about hackable vulnerabilities it finds in their software and hardware or to exploit those vulnerabilities to spy on foreign adversaries.
The Trump administration says it vets those computer bugs through a governmentwide process called a "vulnerabilities equities review" and alerts industry roughly 90 percent of the time. But critics point out the bugs government holds onto are usually the most damaging.
The debate has grown fiercer in recent years as leaks and breaches have exposed a trove of government hacking tools used by foreign intelligence agencies and criminal hackers. Those leaks have raised serious questions about whether the government is capable of keeping its covert hacking capabilities truly secret.
That includes the 2017 leak of NSA tools — including EternalBlue — by a hacking group called Shadow Brokers and a leak of CIA tools dubbed Vault 7 to WikiLeaks that same year. Officials have not publicly tied Shadow Brokers to any foreign government or other organization. The Justice Department charged a former CIA employee with the Vault 7 leak in 2018.
EternalBlue was a component in the WannaCry ransomware that North Korea used in 2017, affecting more than 230,000 computers in 150 countries, and in the NotPetya attack launched by Russia the same year that wiped data from computers at banks, energy firms and government agencies.
Thomas Drake, a former NSA official and early whistleblower about the agency’s warrantless phone and email surveillance programs, accused the NSA on Twitter of sacrificing the nation’s security because of an “obsession with offensively owning the ‘net.’ ”
Tragically, warnings & perils ignored due to NSA arrogance & obsession with offensively owning the ‘net by back dooring device, operating system & IT infrastructures & sacrificing cyber defense security for sake of insecurity & secret access. NSA —Not Secret (or Secure) Anymore. — Thomas Drake (@Thomas_Drake1) May 26, 2019
Some security researchers, however, say the NSA is being unfairly blamed for a proliferation of dangerous hacking tools that would have happened whether or not the agency's tools had leaked.
If those tools hadn't leaked, they say, hackers would just use other ones that are equally damaging.
Here’s a take from Beau Woods, founder of I am the Cavalry, a group that focuses on transparency and public safety in computer security:
Two years after #WannaCry, and #NotPetya, this thread is more true. Focus on a specific exploit is short sighted. Adversaries understand this and adopt new exploit modules to stay ahead of defenders. Why is @nytimes still writing the same story today? https://t.co/pUmoHNlxeF — Beau Woods (@beauwoods) May 27, 2019
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The Chinese telecom giant Huawei, which the Trump administration is trying to oust from U.S. networks, has built much of its technological superiority by stealing from competitors, according to an extensive review of 10 legal cases by the Wall Street Journal’s Chuin-Wei Yap, Dan Strumpf, Dustin Volz, Kate O’Keeffe and Aruna Viswanatha.
“Huawei’s accusers describe a wide-ranging, brazen, and opportunistic appetite: the targets of the alleged thefts range from longtime tech peers, including Cisco Technology Inc., and T-Mobile U.S. Inc., to a musician in Seattle barely making minimum wage in his day job,” the authors report.
The conclusion, they write, is that “Huawei had a corporate culture that blurred the boundary between competitive achievement and ethically dubious methods of pursuing it.”
One “alarm bell” was “the discovery around 2012 of secure rooms impenetrable to electronic eavesdropping built in Huawei’s U.S. offices, akin to facilities in intelligence stations around the world, American security officials say.”
Robert Read, a contract engineer from 2002 to 2003 in Huawei’s Swedish office, told the Journal: “They spent all their resources stealing technology … You’d steal a motherboard and bring it back and they’d reverse-engineer it.”
The report comes after the Commerce Department barred U.S. companies from supplying Huawei with software and components over concerns it could aid Chinese spying. The State Department is also lobbying allies to bar Huawei from their next-generation 5G wireless networks.
Huawei has steadfastly denied assisting Chinese spying or stealing technology. The company noted to the Journal that its research budget was $15.2 billion last year, among the highest in the world for global technology companies.
PATCHED: First American Financial Corporation, a leading mortgage settlement company, left hundreds of millions of customer records exposed on the web, cybersecurity blogger Brian Krebs reported Friday.
The exposure of 885 million records relating to an unknown number of customers marks one of the largest such exposures in history.
There’s no indication hackers stole any of the records, which include Social Security numbers, bank account numbers and other personal information, Krebs reported.
But stealing records would have been relatively easy and “the information exposed by First American would be a virtual gold mine for phishers and scammers,” Krebs reported.
“Based on a tip from a real estate developer who found the vulnerability, Krebs wrote that anybody with access to a Web portal for the company could have gained access to documents from other customers by altering digits in the Web address,” my colleagues Craig Timberg and Renae Merle explained.
First American acknowledged the exposure in a statement to Krebs and said it had shut down access to the vulnerable site. The company said it is “currently evaluating what effect, if any, this had on the security of customer information.”
PWNED: There was deep disagreement within the Justice Department over the decision last week to charge WikiLeaks founder Julian Assange with violating the Espionage Act, my colleagues Devlin Barrett, Matt Zapotosky and Rachel Weiner reported.
“The previously undisclosed disagreement inside the Justice Department underscores the fraught, high-stakes nature of the government’s years-long effort to counter Assange, an Internet-age publisher who has repeatedly declared his hostility to U.S. foreign policy and military operations,” my colleagues write. “The Assange case also illustrates how the Trump administration is willing to go further than its predecessors in pursuit of leakers — and those who publish official secrets.”
Prosecutors initially charged Assange with violating a computer hacking law after he was expelled from the Ecuadoran embassy in London in April — a far less serious charge. The alleged crime was that he offered to help Chelsea Manning crack the password on a Defense Department computer system.
Charging Assange under the Espionage Act carries harsher penalties but is far more controversial because his alleged crimes — basically seeking and publishing classified information — are far more difficult to distinguish from conventional journalism, my colleagues write.
There’s also a greater risk that British officials will refuse to extradite Assange to the United States to face those charges, they write.