NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.
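The summary names the two ports these "eternal" tools reach a Windows host through: TCP 445 (SMB) and TCP 139 (NetBT session service). The one thing a defender can do before a patch exists is find out which of those ports are reachable from outside and by whom. The script below is an added example, not code from the Ars Technica article or from the leaked toolkit: it runs simple detection logic over constructed firewall log lines (a made-up space-separated key=value format, not any vendor's real format), flags allowed TCP connections to 445/139 whose source is outside an assumed internal range of 10.0.0.0/8, and then groups those hits by source to show a single outside address working through several internal hosts, which is what one of these exploits pointed at a range of machines would look like in the log. The internal range, the log layout and the sample addresses (RFC 5737 documentation space) are all assumptions of the example.

```python
"""Flag inbound SMB/NetBT (TCP 445 and 139) connections in firewall logs.

Added example, not from the article or the leaked tools. The log format
below is a constructed key=value layout, and 10.0.0.0/8 is an assumed
internal range; adjust both for a real environment.
"""
import ipaddress
from collections import defaultdict

# Ports named in the summary: 445 (SMB over TCP) and 139 (NetBT session).
SMB_PORTS = {445, 139}

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (hypothetical format: space-separated key=value).
SAMPLE_LOG = """\
ts=2017-04-14T10:00:01Z action=allow proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=445
ts=2017-04-14T10:00:02Z action=allow proto=tcp src=203.0.113.7 dst=10.0.0.20 dport=445
ts=2017-04-14T10:00:03Z action=allow proto=tcp src=203.0.113.7 dst=10.0.0.21 dport=139
ts=2017-04-14T10:00:04Z action=allow proto=tcp src=203.0.113.7 dst=10.0.0.22 dport=445
ts=2017-04-14T10:00:05Z action=deny proto=tcp src=198.51.100.9 dst=10.0.0.20 dport=445
ts=2017-04-14T10:00:06Z action=allow proto=tcp src=10.0.0.5 dst=10.0.0.23 dport=80
ts=2017-04-14T10:00:07Z action=allow proto=udp src=10.0.0.5 dst=10.0.0.23 dport=445
"""


def parse_line(line):
    """Parse one key=value log line into a dict; return None if it is malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        fields["dport"] = int(fields["dport"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
    except (KeyError, ValueError):
        return None
    return fields


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    return any(ip in net for net in INTERNAL_NETS)


def find_inbound_smb(log_text):
    """Return (src, dst, dport) for allowed TCP connections to 445/139 from outside.

    Denied connections are deliberately skipped: the point is exposure that
    the firewall let through, not attempts it already blocked.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("proto") != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if rec.get("action") != "allow":
            continue
        if is_internal(rec["src_ip"]):
            continue
        hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits


def sources_sweeping(hits, min_targets=2):
    """Group hits by source and return sources that reached >= min_targets
    distinct internal hosts on SMB ports, i.e. one outside address trying
    the same thing against several machines."""
    targets = defaultdict(set)
    for src, dst, _ in hits:
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    found = find_inbound_smb(SAMPLE_LOG)
    for hit in found:
        print("inbound SMB/NetBT from outside:", hit)
    print("sources sweeping multiple hosts:", sources_sweeping(found))
```

On the constructed log, the only external source that is allowed through is 203.0.113.7, and it is seen against three different internal hosts on 445 and 139; the denied attempt from 198.51.100.9 and the internal-to-internal traffic are left out. In a real deployment the interesting follow-up is the reverse question: why any rule allows TCP 445 or 139 inbound from outside the internal range at all.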
Need to order a drone strike against these traitor (Score:1, Insightful)
The NSA has done nothing wrong. It's their duty to protect the United States by spying on threats to national security. Whoever is leaking this information needs to be on the receiving end of a drone strike.
Re: (Score:1)
And all the other nations are using the same exploits to spy on Americans. Deal with that, dumbass.
Re: (Score:1)
Preventing companies from repairing exploitable flaws in major software products is NOT something they should be doing.
Re: (Score:2)
Sitting on a zero-day vulnerability without telling the maintainers certainly makes the USA less secure and runs afoul of their duty to protect the USA...
...But have they actually prevented a company from fixing exploits? Like a court order telling Microsoft to leave a vulnerability in place?
Re:Need to order a drone strike against these trai (Score:4, Insightful)
It's their duty to protect their own goddam security and all Americans.
Given that they know millions of Americans are at risk from exploits they have not reported to the vendors, by your logic, the NSA is a traitor organization and qualifies for a drone strike.
Re: (Score:2)
C'mon, if you're going to hold yourself out as a professional propagandist, at least put in the effort to get your possessive pronoun number agreement correct.
You idiot, they are spying on innocent Americans too. This is the early stages of a supranational surveillance system paid for by idiot whores like you.
Re: Why are these fucking Americans hacking banks? (Score:3)
Re: (Score:2)
TPFTDL: $52.06 billion in 2013, according to an imperfectly legitimate Edward Snowden release of government information.
Years removed from the lessons of Iran/Contra, governments have learned to just fund the cloak & dagger bunch... saves on eventual, inevitable embarrassment, as you're employing folks who have proven eager to scam the funds they need clandestinely.
Why not read the article before ranting about it? (Score:1)
"This would make a lot of sense that the NSA compromise this specific SWIFT Service Bureau for Anti-money laundering (AML) reasons in order to retrieve ties with terrorists groups," Suiche wrote.
Re: (Score:2)
https://wikileaks.org/nsa-fran... [wikileaks.org]
"French contract proposals or feasibility studies and negotiations for international sales or investments in major projects or systems of significant interest to the foreign host country or $200 million or more in sales and/or services, including financing information or projects of high interest... "
Re: (Score:1)
I agree the US is corrupt. However, I do not agree with watching those French by breaking into their banking systems.
Re: (Score:3)
They're monitoring transfers into and out of what appear to be primarily middle eastern banking institutions. This is a legitimate national security interest for the United States. It's helpful to see that (e.g.) Saudi Prince #1,804 is wiring money to AQAP principals or what have you.
This is exactly the sort of activity NSA is supposed to be engaging in, as opposed to trawling through every American's emails and credit card bills.
Doesn't affect me (Score:5, Funny)
Thanks, NSA (Score:2, Informative)
The Shadow Brokers advertised the names of these exploits in January. The NSA had 3 months to warn Microsoft. But nope. Enjoy the 0day shitstorm that's about to drop.
Re: Thanks, NSA (Score:1)
Because these are the sort of people that shoot you if you don't pay them to screw around doing whatever they want.
They should have been incarcerated instead of employed.
Really old (Score:2)
Re: (Score:2)
In ten more years people will be saying the same about JSON.
Re: (Score:2)
{
"question": "What?"
}
Advance notice? (Score:5, Insightful)
Re: (Score:2)
Why has the NSA found them and M$ hasn't, dude seriously, now tell me where is the profit for M$ to find and fix bugs in their software. Does it help them to sell the next version, hmm, NO. Does it make them profit to do so, paying coders to review code that just barely works, hmm, NO. Does it prevent M$ from being prosecuted for failing to secure systems (when the users of M$ do get prosecuted for failing to secure systems, which once windows has been installed, apparently can not be secured), hmm, NO. Why
Re: (Score:2)
BTW, where is the NSA's trove of Linux and MacOS exploits? How about an NSA trove of Android and iOS exploits? They must have them.
bugs or backdoors? (Score:1)
I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.
Re:bugs or backdoors? (Score:5, Informative)
> I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.
If you talk to people who have seen the older parts of Windows source, you start to become less conspiratorial. Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the radar. Modern programmers at Microsoft are either disgusted or terrified by it, from what I hear.
Backwards compatibility cuts both ways.
Security removed for good reasons (Score:5, Informative)
> Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR.
Indeed. Historically, it was DISK Operating System (DOS) on a PERSONAL Computer (PC), as opposed to the then-traditional NETWORK operating system on a time-sharing computer (which cost over $100,000). The point of DOS, the difference between Microsoft and what was already commonplace, was that the Microsoft OS was for cheap little computers used by one person, and not connected to a big corporate network. Instead of requiring many MBs of RAM, DOS could run in as little as 16KB of RAM by getting rid of all the stuff that wasn't needed on a PERSONAL, DISK-based computer - stuff like security, stuff like isolating the files and processes of one user from the rest of the system.
This was a great idea. It worked brilliantly. Then the internet happened. Microsoft had a shit fit. Not only was their entire company based on PCs rather than the client-server model, but they had just spent millions upgrading Object Linking and Embedding (OLE), and named the new version COM. It was really cool - it let you do things like embed a picture in a Word document, or link a sound file from a picture. It was awesome. Then the web showed up with "img src" and "a href". Oh shit!
Microsoft did exactly the right thing, making an OS for personal, home computers, which weren't on a network and therefore any security was unnecessary overhead that they removed. Then the sudden popularity of the web screwed them and they had to play catch-up for 15 years.
Running the browser as root/Admin is bad (Score:2)
> The only reason systems like Linux were more secure (hard to say if they are overall now**) is they were part of the front line of attacks which meant a lot of the direct network facing stuff had to be patched ASAP
Remember, initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system directories, etc. You can't just suddenly prevent tha
Not just money, but compatibility, user experience (Score:1)
It's not *just* a matter of money, but compatibility was / is a huge issue and also user experience. It took ten years for Microsoft to slowly transition not only users, but all of their legacy software, away from essentially running as "root" (Administrator) all the time. Initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system director
Re: (Score:2)
An old employer was a Windows 2.0 licensee: it wasn't even supposed to be secure, it was to run on a machine that wasn't on a network, or was on a secure network.
Can you say "red-book at system-low" ? It was logical, but assumed there was no internet.
Re: (Score:2)
That's true. The first Ethernet adapters that came along for PCs were huge cards with a physical key lock and a user ID card. Everything was intended to run on official Ethernet cable; bright yellow or blue coaxial cables connected by vampire taps, which were simple blocks with three spikes that went through the coaxial sheathing and connected to the core copper, with LANs connected by bridges, routers and firewalls. Everything was intended to be static and predefined.
For home business use, ISDN was the on
Re: (Score:2)
I'm glad I use Linux and not have to worry about these exploits and zero day attacks.
Hey, the NSA probably has more people working on breaking linux than we have working on building it. Be ready to apply updates when SB drops that tranche. Practice defense-in-depth.
Re: (Score:3)
Not "every linux kernel before 4.5". Whether a kernel is vulnerable depends on whether the bug was backported by distros. RHEL never backported it, and Debian quietly fixed it a good while ago (kernels of any version shipped Sep 2015 to Jan 2016)
http://www.zdnet.com/article/r... [zdnet.com]
Re: (Score:2)
Worry about what servers your Firefox web browser is setting up (SSDP) and why it needs to send out multicast broadcasts. Does your wifi router block those packets? Does it allow them to come in on your network? Why doesn't the menu option disable this feature? Apparently it's to provide competition to ChromeCast, which allows you to stream the contents of your screen to other mobile devices across the Internet.
The other submission (Score:2, Informative)
Now we know why he went to FL early (Score:1)
And why a certain foreign agent went to Korea a while back.
Not too happy about this one (Score:2)
I think I'd prefer if the NSA *could* see those bank transactions. I'm not a fan of privacy in banking. If you want to do a transaction privately, that's what cash (and maybe cryptocurrency, that genie's out of the bottle) is for. Any privacy beyond that only provides enhanced convenience to criminals IMO. I'd prefer if all bank transactions were visible to law enforcement and tax authorities.
Re: (Score:3)
Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.
I'd say that the FBI and IRS should be monitoring all global banking, along with their equivalents in every country. Interpol as well, sure.
Re: (Score:3)
> Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.
Wait... what about this recent news has you believing the NSA wants to tip off anyone about anything they discover?
Microsoft said they patched these last month (Score:2)
"... the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks."
https://arstechnica.com/securi... [arstechnica.com]
Re: (Score:2)
Yeah! Beat Auburn! Roll Tide!