WannaCry paralyzed hospitals. NotPetya crashed banks. But how do you know whether you’re vulnerable to the stolen National Security Agency exploit that fueled two major cyber attacks and helped bring down computers across the globe?
Thankfully, a new tool has your back.
After the Shadow Brokers hacking group dumped a cache of stolen NSA exploits in April, the cybersecurity community issued dire warnings that things were about to get really, really bad. But then Microsoft quickly chimed in to note that it had already patched the vulnerabilities in question.
“We’ve investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products,” a Microsoft spokesperson told Mashable at the time. “Customers with up-to-date software are already protected.”
One of the hoarded NSA vulnerabilities, dubbed EternalBlue, allows for the worm-like spread of malware across computer systems. And despite Microsoft’s assurances, it turns out that many people and organizations did not in fact update their computers with the available patch. WannaCry and NotPetya, which made use of EternalBlue, were the result.
The fact that people failed to protect themselves despite clear warnings and readily available safeguards is a clear sign that many of those at risk don’t realize how precarious their position is.
“The majority of latest WannaCry, NotPetya (Petya, GoldenEye or whatever) victims are not technical organizations and sometimes just small businesses who don’t have a security team, or even just an IT team to help them mitigate this,” writes Erez on his blog. “Running NMap, Metasploit [a penetration testing software] (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.”
The free software simply checks networks to see if they are still susceptible to EternalBlue.
“[Eternal Blues] helps find the blind spots in your network, those endpoints that are still vulnerable to EternalBlue,” continues Erez. “Just hit the SCAN button and you will immediately start to see which of your computers are vulnerable and which aren’t. That’s it.”
Importantly, Erez does collect anonymized data on the results of the scan, but he also details a way to disable this information-sharing feature for the especially security-conscious.
And if you do find that your computer is vulnerable? Make sure you install the Microsoft patch. And, as always, keep your operating system up to date.
June 30, 2017 / A new tool will check if you’re vulnerable to the hack that brought down computers across the globe
Ransomware is not new. The malware, which encrypts data and demands payment in exchange for decryption keys, has been with us for almost 30 years.
So why does it feel like it’s getting worse? Well, that’s because it is getting worse.
In seemingly no time at all, ransomware has gone from an obscure threat faced by a select few to a plague crippling hospitals, banks, public transportation systems, and even video games. Frustratingly, the explosive growth of ransomware shows no signs of abating — leaving victims wondering why them, and why now?
The answer to both of those questions involves cryptocurrency and the National Security Agency.
But first, a little history
The first known ransomware attack hit the healthcare industry way back in 1989. According to the cybersecurity blog Practically Unhackable, a biologist by the name of Joseph Popp sent close to 20,000 floppy disks to researchers claiming they contained a survey which would help scientists determine a patient’s risk for contracting HIV.
What was left unmentioned in the promotional material was that the disks also encrypted file names on infected computers — rendering them practically unusable. Instead of their typical boot screens, victims were shown a message demanding a $189 payment in order to unlock the system.
Popp, who had a PhD from Harvard, was an evolutionary biologist and fell outside of what we think of today as a stereotypical hacker. According to The Atlantic, after he was arrested and charged with blackmail, Popp insisted that he intended to donate the proceeds from his scheme to HIV-related research.
Regardless of his true motives, the success of Popp’s attack was limited by two key factors: The floppy disks were sent out via the mail system, and the encryption employed by what became known as PC Cyborg was reversible without his help.
Twenty-eight years later, things have changed for the worse in the world of ransomware.
Cryptocurrency and the NSA
When we talk about the scale of modern ransomware attacks, it’s important to keep two criteria in mind: frequency and reach.
A 2016 report from the U.S. Department of Justice noted 7,694 ransomware complaints since 2005, which it acknowledged is probably undercounting the number of actual attacks. The May WannaCry ransomware, for its part, hit over 150 countries. Two factors played a key role in those jaw-dropping figures: the rise of cryptocurrency and the availability of dumped hacking exploits hoarded by the NSA.
Cryptocurrency like Bitcoin allows attackers a real shot at actually receiving ransom payments. In a major step up from the payment mechanism implemented by Joseph Popp, hackers no longer need to set up a PO box and hope the physical cashier’s checks flow in. Instead, they can simply direct victims to make payments to specific Bitcoin addresses.
According to the cybersecurity company Palo Alto Networks, the first ransomware to demand payment in Bitcoin was the 2013 Cryptowall. It was by no means the last, however. The relative ease of cryptocurrency payments combined with the growing popularity of Bitcoin surely contributed to what a 2016 IBM report found was a 300 percent increase in ransomware incidents over the preceding year.
As for the growing reach of such attacks? While there are many factors at play, one obvious inflection point can be found in the April Shadow Brokers dump where the hacking group notoriously released a host of exploits originating from the National Security Agency. Among that list was one vulnerability by the name EternalBlue, which, when paired with ransomware, allowed for the worm-like propagation of the WannaCry attack.
The same exploit reportedly played a key (but not exclusive) role in the spread of NotPetya — ransomware that has hit at least 65 countries and whose likely primary goal is to cause destruction.
And while Microsoft had already released a patch for EternalBlue by the time it swept the globe, the wildfire spread of WannaCry and NotPetya serves as a stark reminder that not everyone stays up to date with security patches.
So where does that leave us?
The unprecedented scale of these two attacks, powered by stolen NSA exploits and facilitated by cryptocurrency, suggests we have entered a new age of virulent ransomware. To make matters worse, attacks like WannaCry are likely to become more common, not less, as evidenced by a 2017 report from cybersecurity firm Symantec which found “a 36 percent increase in ransomware attacks worldwide.”
Interestingly, however, ransomware may end up becoming a victim of its own success. The sheer number of infected computers, combined with the practically nonfunctional payment mechanisms of both NotPetya and WannaCry, means that even if people did elect to pay the ransom, they weren’t going to get their decryption keys.
Why pay up if you know you’re not getting your files back either way?
And the word has gotten out. At the time of this writing, the Bitcoin address associated with NotPetya has received only 46 payments totaling approximately $10,317.
All of this suggests that while the form of digital extortion first developed by Joseph Popp shows no signs of slowing down, the money may no longer be in it. And that, in the end, may be the only hope we have of an end to the growing ransomware scourge.
June 29, 2017 / Ransomware has been around for almost 30 years, so why does it feel like it’s getting worse?
As the leaked NSA report on Russian efforts to hack the computers of U.S. election officials before the 2016 presidential election demonstrates, we are all often our own biggest security weakness. The document, published by The Intercept, shows that hackers found a way around the protections offered by two-factor authentication that is striking in its simplicity: They asked the targets for their verification codes.
“If the victim had previously enabled two-factor authentication (2FA),” explains a slide detailing the Russian attack, “the actor-controlled website would further prompt the victim to provide their phone number and their legitimate Google verification code that was sent to their phone.”
To translate, after tricking victims into entering their email and password into a fake Google site, the hackers found that some victims had 2FA set up on their accounts. This meant that even with the password, hackers were unable to gain access to the Gmail accounts in question — that is, unless they could get the verification codes as well.
So, again, they just straight up asked for them.
“Once the victim supplied this information to the actor-controlled website, it would be relayed to a legitimate Google service, but only after [redacted] actors had successfully obtained the victim’s password (and if two-factor, phone number and Google verification code) associated with that specific email account.”
Basically, the hackers were able to bypass the email security measures by requesting that the victims give them the keys to the digital castle.
Once access was gained to the accounts, which reportedly belonged to an electronic-voting vendor, the hackers would then email election officials from the hacked accounts and attempt to trick those same officials into opening script-laden Word docs that would compromise their computers.
It’s an elaborate bit of spear phishing, and it reminds us that no matter what digital security practices we put in place, we can all still slip up.
In the face of everyday online threats, the best defense (other than setting up 2FA — which you should definitely still do) might be the simplest: exercise caution with every email you receive, and be paranoid as hell.
In the face of skilled Russian hackers? Well, that one’s trickier, but maybe start with not handing over your email password, phone number, and 2FA verification code.
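A toy model, added here and not taken from the NSA report or The Intercept’s story, of why the relay described above works: a time-based code is valid wherever the victim types it for its whole 30-second window, whereas a response that is bound to the site’s origin (the property WebAuthn keys have, simplified here to an HMAC) fails when relayed from a look-alike site. The seed, the two origins and the timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; not real credentials or sites.
SHARED_SEED = b"constructed-demo-seed-not-a-real-secret"
LEGIT_ORIGIN = "https://accounts.example"       # hypothetical real login site
PHISH_ORIGIN = "https://accounts-example.test"  # hypothetical actor-controlled site


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the time counter, then the
    standard dynamic truncation down to `digits` decimal digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def service_accepts_totp(code: str, now: int) -> bool:
    """All the legitimate service can check is that the code matches the
    current window; nothing in the code records *where* it was typed."""
    return hmac.compare_digest(code, totp(SHARED_SEED, now))

def relay_totp(victim_typed_code: str, now: int) -> bool:
    """The fake site forwards the victim's code to the real service inside
    the same 30-second window, as the leaked slide describes."""
    return service_accepts_totp(victim_typed_code, now)

def origin_bound_response(seed: bytes, challenge: bytes, origin: str) -> str:
    """Simplified origin-bound challenge-response: the authenticator mixes the
    origin it is actually talking to into its answer."""
    return hmac.new(seed, challenge + origin.encode(), hashlib.sha256).hexdigest()

def service_accepts_bound(response: str, challenge: bytes) -> bool:
    # The real service always verifies against its own origin.
    expected = origin_bound_response(SHARED_SEED, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(response, expected)

def relay_bound(challenge: bytes) -> bool:
    """The fake site relays the real challenge, but the victim's authenticator
    answers for the origin in the address bar (the phishing site), so the
    relayed response is rejected at the legitimate origin."""
    victim_response = origin_bound_response(SHARED_SEED, challenge, PHISH_ORIGIN)
    return service_accepts_bound(victim_response, challenge)

if __name__ == "__main__":
    t = 1_500_000_000  # constructed fixed timestamp
    print("relayed TOTP accepted:", relay_totp(totp(SHARED_SEED, t), t))  # True
    print("relayed origin-bound response accepted:", relay_bound(b"nonce"))  # False
```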
June 6, 2017 / The leaked NSA report shows 2-factor authentication has a critical weakness: You
On Monday, she was charged after the FBI arrested her Saturday at her home in Augusta, Georgia. She faces up to 10 years in prison for the classified leak, according to CNN. She’s back in court on Thursday.
Winner was accused of leaking a report that showed Russian intelligence tried to hack U.S. voting systems before the election in November. The Intercept shared printed pages of the report, and the folds and creases in the documents gave away that they had been “printed and hand-carried out of a secured space.” From that, the agency saw six people had printed the report and then tracked down the one person from the group who had emailed the news outlet.
Her motivations for leaking are not yet known. But she left a lot of information about herself online. She was active on Facebook, Instagram and Twitter for years and shared her anti-Trump and other political sentiments on the platforms.
Active on social media
Winner, who uses the name Sara Winners on her Twitter account, had been active on the site up until the end of February. She often tweeted anti-Trump messages. She follows only 50 people on Twitter, including Edward Snowden, WikiLeaks, and Anonymous.
A linguist and an athlete
The Texas native was an Air Force linguist who studied Farsi and other languages. According to the Department of Justice, she was a contractor with Pluribus International Corporation and had been assigned to a government agency facility in Georgia since Feb. 13. She had top secret clearance.
Reality Winner, arrested for alleged classified leak, is a former US Air Force linguist who speaks Pashto, Farsi & Dari, her mother tells me pic.twitter.com/SQjt13wRw6
She last posted on her Facebook page a day before her arrest. She shared many videos of her working out, and posted often about CrossFit and lifting.
Her mother, Billie Winner-Davis, spoke to the Daily Beast Sunday and told the publication that Winner is “very passionate,” but her mother didn’t think she’d even been active in politics. The family didn’t know much about her new job as a government contractor.
Winner’s last Facebook post, the day before her arrest, showed some of that passion.
She strongly opposed the Dakota Access Pipeline and had posted about it often with anti-Trump hashtags.
While some were already calling Winner a traitor and worse, others have come out to support the whistleblower, like Julian Assange, the creator of WikiLeaks.
Alleged NSA whistleblower Reality Leigh Winner must be supported. She is a young woman accused of courage in trying to help us know. pic.twitter.com/B4aIdt7qz6
The story of a leaked NSA report detailing Russia’s alleged attempts to infiltrate US voting infrastructure ahead of the 2016 presidential election just took a sharply unexpected turn.
Reality Leigh Winner, 25, has been arrested and is in custody, with officials saying they have identified her as the source of the documents leaked to The Intercept.
The Intercept broke the story of the National Security Agency report on June 5, noting that it “indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood.”
This was based on leaked documents provided to the site, which, allegedly before going public with the story, showed them to NSA officials to confirm their authenticity.
This, reportedly, is where the publication known for its security-conscious reporters may have messed up.
The government affidavit states that The Intercept showed them “folded and/or creased” documents, “suggesting they had been printed and hand-carried out of a secured space.” This clue was enough for officials to “determine who accessed the intelligence reporting since its publication,” and, after seeing that “six individuals printed this reporting,” narrow the list of suspects down.
NBC News: Senior federal official says that Reality Leigh Winner, age 25, has been arrested & charged with leaking document to The Intercept
Importantly, if we are to take the government at its word, investigators could have conceivably identified the leaker regardless of the folded nature of the docs. That’s because the alleged source had “e-mail contact” with The Intercept—possibly from her work computer. She also, allegedly, printed the material out at work.
Feds go “yeup.” Who printed? 6 people… Who emailed the Intercept… 1. Let’s talk to her. Bingo.
Either way, the arrest is a blow for the national security-focused Intercept. The site takes pains to detail secure ways for sources to share info with it in a page titled “The Intercept Welcomes Whistleblowers.”
“So whether you are in government or the private sector, if you become aware of behavior that you believe is unethical, illegal, or damaging to the public interest, consider sharing your information securely with us,” the webpage explains. “We’ve taken steps to make sure that people can leak to us as safely as possible.”
Under the section “What not to do if you want to remain anonymous,” the top piece of advice is “Don’t contact us from work.”
June 5, 2017 / Someone’s already been arrested for allegedly leaking an NSA report to The Intercept