BreachExchange mailing list archives
The Cybersecurity 202: Security pros divided over NSA's responsibility for Baltimore hack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 28 May 2019 09:06:17 -0500
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/05/28/the-cybersecurity-202-security-pros-divided-over-nsa-s-responsibility-for-baltimore-hack/5cec79771ad2e52231e8e80f/?noredirect=on&utm_term=.cc9143528be6

Critics and defenders of the National Security Agency faced off this weekend over a New York Times report detailing how hackers who locked up Baltimore’s computer networks for the past two weeks relied partly on a leaked NSA hacking tool.

The tool, dubbed EternalBlue, has also been used to lock up city networks in San Antonio and Allentown, Pa., the Times’s Nicole Perlroth and Scott Shane reported.

Critics say the NSA is hellbent on developing dangerous hacking tools to use against adversaries and isn’t adequately preparing for what happens when those tools leak and are used against U.S. targets.

Frank Baitman, a former chief information officer at the Health and Human Services Department, compared the situation to biological weapons that make their way out of a U.S. government lab and infect citizens. The federal government, he tweeted, should shoulder some of the cost of Baltimore’s ransomware attack and other such breaches using the leaked code.

Baltimore City Council President Brandon M. Scott echoed that call and urged President Trump to declare a federal disaster, which could speed federal funding. “Given the new information and circumstances it’s even more clear that the federal government needs to have a larger role in supporting the city’s recovery,” he said in a statement.

Many security researchers, however, say the real problem isn’t with the NSA.
They say that hacking victims like Baltimore still haven't taken sufficient measures against EternalBlue two years after it first leaked -- and aren't using a software patch released by Microsoft to protect themselves.

“If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that's squarely the fault of the organization, not Eternalblue,” security researcher Robert Graham tweeted.

Robert M. Lee, a former NSA hacker who’s now CEO of the cybersecurity company Dragos, said the NSA deserves some blame for EternalBlue being stolen. But he added that culpability shifts as more time elapses with victims not taking measures to protect themselves:

In the Baltimore case, EternalBlue wasn’t the main element of the malware that permitted hackers to take control of the city’s networks. But it allowed them to move more easily from system to system and to broaden the scope of the attack, the Times reported.

And that’s enough to cause alarm among some traditional defenders of the NSA. Sen. Chris Van Hollen (D-Md.) and Rep. Dutch Ruppersberger (D-Md.), whose district includes Fort Meade and part of Baltimore, are asking the NSA for a briefing on EternalBlue’s role in the Baltimore attack, the Baltimore Sun’s Ian Duncan and Kevin Rector reported.

The Trump administration says it vets those computer bugs through a governmentwide process called a "vulnerabilities equities review" and alerts industry roughly 90 percent of the time. But critics point out the bugs government holds onto are usually the most damaging.

The debate has grown fiercer in recent years as leaks and breaches have exposed a trove of government hacking tools used by foreign intelligence agencies and criminal hackers. Those leaks have raised serious questions about whether the government is capable of keeping its covert hacking capabilities truly secret.
That includes the 2017 leak of NSA tools — including EternalBlue — by a hacking group called Shadow Brokers and a leak of CIA tools dubbed Vault 7 to WikiLeaks that same year. Officials have not publicly tied Shadow Brokers to any foreign government or other organization. The Justice Department charged a former CIA employee with the Vault 7 leak in 2018.

EternalBlue was a component in the WannaCry ransomware that North Korea used in 2017, affecting more than 230,000 computers in 150 countries, and in the NotPetya attack launched by Russia the same year that wiped data from computers at banks, energy firms and government agencies.

Thomas Drake, a former NSA official and early whistleblower about the agency’s warrantless phone and email surveillance programs, accused the NSA on Twitter of sacrificing the nation’s security because of an “obsession with offensively owning the ‘net.’ ”

Some security researchers, however, say the NSA is being unfairly blamed for a proliferation of dangerous hacking tools that would have happened whether or not the agency's tools had leaked. If those tools hadn't leaked, they say, hackers would just use other ones that are equally damaging.

Here’s a take from Beau Woods, founder of I am the Cavalry, a group that focuses on transparency and public safety in computer security: