date 2017-04-14
NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.
Sitting on a zero-day vulnerability without telling the maintainers certainly makes the USA less secure and runs afoul of their duty to protect the USA...
...But have they actually prevented a company from fixing exploits? Like a court order telling Microsoft to leave a vulnerability in place?
It's their duty to protect their own goddam security and all Americans.
Given that they know millions of Americans are at risk from exploits they have not reported to the vendors, by your logic, the NSA is a traitor organization and qualifies for a drone strike.
C'mon, if you're going to hold yourself out as a professional propagandist, at least put in the effort to get your possessive pronoun number agreement correct.
TPFTDL: $52.06 billion in 2013, according to an imperfectly legitimate Edward Snowden release of government information.
Years removed from the lessons of Iran/Contra, governments have learned to just fund the cloak & dagger bunch... saves on eventual, inevitable, embarrassment as you're employing folks who have proven eager to scam the funds they need clandestinely.
The Shadow Brokers advertised the names of these exploits in January. The NSA had 3 months to warn Microsoft. But nope. Enjoy the 0day shitstorm that's about to drop.
Eventually, right?
I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.
If you talk to people who have seen the older parts of Windows source, you start to become less conspiratorial. Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR. Modern programmers at Microsoft are either disgusted or terrified by it.
I'm glad I use Linux and don't have to worry about these exploits and zero day attacks.
Hey, the NSA probably has more people working on breaking Linux than we have working on building it. Be ready to apply updates when SB drops that tranche. Practice defense-in-depth.
