By Andrew Paulette
1.) NSA-leaking Shadow Brokers just dumped its most damaging release yet (April 14, 2017)
Summary: The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency’s weaponized software exploits—just published its most significant release yet. Friday’s dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.
Why it matters: In conjunction with the additional article titled “Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers,” which is commented on below, this story details an interesting timeline of security researchers’ response to a cache of NSA exploits and vulnerabilities disclosed by the Shadow Brokers last Friday.
First and foremost, it’s important to note that the report of 0-days against Microsoft products is misleading/erroneous, and was the result of security researchers testing the exploits against unpatched versions of Windows operating systems. True, there are a few 0-days that do work, but these are against unsupported operating systems such as Windows XP – hardly an accomplishment. While good cybersecurity is beyond the hand-wringing over 0-day exploits (many successful intelligence campaigns are accomplished using social engineering such as spear-phishing mixed with macro viruses in Microsoft Office documents), something about the concept of an exploit that we cannot defend against makes for a much better news headline and grabs the public’s attention – it suggests that while cybersecurity is boring, the perceived unstoppable potential of 0-days is exciting, terrifying, and newsworthy.
0-days aside, reporting from various cybersecurity publications/podcasts such as the Risky Business podcast points to these tools providing the means for exceptional operational security to cover the NSA’s tracks while conducting intelligence operations against its adversaries. The tools and the methods for using them are reported to be meticulous and patient, learning the “lay of the land” of the adversary’s network before making a move to exfiltrate information or move throughout the network to more valuable targets.
If nothing else, this disclosure illustrates the proper way to infiltrate a targeted network – know the network as well as or better than its owner, and you can slowly but surely gain the knowledge you seek without arousing suspicion.
2.) Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers (April 15, 2017)
Summary: Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.
Why it matters: There has been an interesting turn of events in the story of the Shadow Brokers theft and disclosure last Friday of sophisticated attacks and exploits reportedly developed by the NSA. Initial doom-and-gloom reports of 0-day exploits in Microsoft operating systems have turned out to be false, with Microsoft issuing a statement that the various “0-day” vulnerabilities had in fact been patched.
Of special note is the fact that four of these vulnerabilities were patched in March, shortly after the initial release of the first part of the Shadow Brokers’ stash and a month before the additional disclosure that occurred Friday. Of the theories presented in this article that explain the timely remediation of these exploits, the possibility of the NSA aiding Microsoft in identifying these exploits seems most likely. While there is often a large degree of apprehension over 0-day exploits held by nation-state intelligence agencies, there are a number of policies, such as the vulnerability equities process (VEP) in the US, that are designed to help these agencies determine whether to keep vulnerabilities for the purpose of intelligence activities or to disclose them to ensure the safety of US citizens and businesses. In this case, knowledge that these vulnerabilities were in the hands of foreign nation states would undoubtedly tip the scales in favor of disclosing those vulnerabilities which had not yet been patched by Microsoft. A detailed primer on how the VEP works can be found at https://motherboard.vice.com/en_us/article/vulnerabilities-equities-process-zero-days.
3.) Could the US take out North Korea’s missiles before launch? (April 18, 2017)
Summary: John tapped out a simple text message to his wife in January 2016. “I love you,” it read. But this wasn’t the only message she saw. Unbeknownst to John, his wife had bugged his smart phone. She was spying on John, eavesdropping on all of his texts and multimedia messages, and tracking his every move through the device’s GPS.
Why it matters: There’s an unsettling market for consumer spyware similar to that used by nation states and the volume of this technology purchased from “reputable” (i.e., not on the dark web) sources is an eye opener to the degree of data that we can unwittingly transmit simply through the use of our smartphones. This article points out the risk of carrying a device that serves as a computer/camera/phone/microphone/GPS on us at all times, and how it can be used for questionable means by those close to us.
5.) Google Won’t Trust Symantec and Neither Should You (April 19, 2017)
Summary: As bad as this controversy is for Symantec, the real damage will befall the company and individual web sites deemed untrustworthy by a Chrome browser on the basis of a rejected Symantec certificate.
Why it matters: This article investigates the damage done by Symantec’s decisions to issue certificates insecurely, both to themselves and to consumers who bought these certificates. While touched upon only briefly at the end, the thought of the private sector serving as an enforcer of proper security practice brings up interesting questions on who should and should not be serving in this role. While Symantec is a big company that should be able to meet the rigorous standards for certificate issuance, what about smaller start-ups who may not meet the expectations of a company (like Google) in other areas of proper security implementation and practice? Is a company with as much revenue (and as many business interests) as Google the right group to be enforcing security policies that may reduce innovation and competition from smaller start-ups? While someone taking the lead in handling shoddy security practices is welcome, it does open Pandora’s box.
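The practical question a site operator is left with after this story is whether any certificate they serve chains to the CA that browsers have stopped trusting. The Go program below is an added example (not code from the article, Google, or Symantec): it walks a PEM bundle, parses each certificate, and lists the subject names whose issuer Organization matches a watch list. The watch list, the self-signed test certificates, and their names are all constructed for the example; browsers keyed the real distrust on specific root certificates and issuance dates, so in production the watch list should be replaced by the root fingerprints published in the browser vendor's announcement.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// flaggedIssuerOrgs is a constructed watch list of issuer Organization names
// to report. Real distrust decisions are keyed on root certificate fingerprints,
// which this example does not embed.
var flaggedIssuerOrgs = []string{"Symantec"}

// IssuedByFlaggedCA reports whether the certificate's issuer Organization
// contains any watch-list entry (case-insensitive substring match).
func IssuedByFlaggedCA(cert *x509.Certificate) bool {
	for _, org := range cert.Issuer.Organization {
		for _, flagged := range flaggedIssuerOrgs {
			if strings.Contains(strings.ToLower(org), strings.ToLower(flagged)) {
				return true
			}
		}
	}
	return false
}

// FlaggedFromPEM parses every CERTIFICATE block in a PEM bundle and returns
// the subject CommonName of each certificate whose issuer is on the watch list.
// Non-certificate blocks (keys, CSRs) are skipped; a malformed certificate is an error.
func FlaggedFromPEM(pemData []byte) ([]string, error) {
	var flagged []string
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			break
		}
		pemData = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		if IssuedByFlaggedCA(cert) {
			flagged = append(flagged, cert.Subject.CommonName)
		}
	}
	return flagged, nil
}

// certToPEM serialises a parsed certificate back into a PEM CERTIFICATE block.
func certToPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// makeTestCert builds a self-signed certificate whose Subject (and therefore
// Issuer) Organization is org. It exists only to give the check input to run on.
func makeTestCert(commonName, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed inventory: one certificate from a watch-listed issuer, one not.
	watched, err := makeTestCert("www.example.test", "Symantec Corporation")
	if err != nil {
		panic(err)
	}
	other, err := makeTestCert("api.example.test", "Example Trust Services")
	if err != nil {
		panic(err)
	}
	bundle := append(certToPEM(watched), certToPEM(other)...)
	hits, err := FlaggedFromPEM(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("certificates from watch-listed issuers:", hits)
}
```

In practice the bundle would be the concatenation of every leaf and intermediate certificate pulled from load balancers, web servers and internal services; matching on the issuer of the leaf alone misses the case where only an intermediate chains to the distrusted root, so the full chain, not just the leaf, should be fed through the check.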