Russian hackers stole “highly classified” NSA files laying out how the agency combats cyberattacks and spies on other countries’ networks, according to a new report in The Wall Street Journal.
The hackers reportedly found the files via Kaspersky’s antivirus software after an National Security Agency contractor put the files on his home computer.
The attack, which happened in 2015 though it was only discovered last year, “is considered by experts to be one of the most significant security breaches in recent years.” The files reportedly lay out key parts of the NSA’s strategy for spying and defending itself against cyberattack.
As the WSJ notes, the stolen data could have big implications for Russia’s ability to both attack U.S. networks and defend itself from the NSA.
Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.
The report also goes a long way toward explaining government officials’ recent concerns over Kaspersky’s software. The Russian company’s software was banned from U.S. government agencies last month after a report in Bloomberg alleged the company had been working closely with the Russian government for years.
In a statement, Kaspersky CEO Eugene Kaspersky said his company “has not been provided any evidence substantiating the company’s involvement in the alleged incident.”
“The only conclusion sees to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”
Others in the cybersecurity community were quick to point out that the WSJ’s report stops short of suggesting that Kaspersky worked directly with the Russian government on the hack. Instead, it’s possible that the Russians exploited vulnerabilities within Kaspersky’s software to get the data.
Note that story doesn’t say Kaspersky helped Russian hackers — just that hackers leveraged the software to find valuable files on computer https://t.co/3We8KHY70z
WannaCry paralyzed hospitals. NotPeya crashed banks. But how to know if you’re vulnerable to the stolen National Security Agency exploit that fueled two major cyber attacks and helped bring down computers across the globe?
Thankfully, a new tool has your back.
After the Shadow Brokers hacking group dumped a cache of stolen NSA exploits in April, the cybersecurity community issued dire warnings that things were about to get really, really bad. But then Microsoft quickly chimed in to note that it had already patched the vulnerabilities in question.
“We’ve investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products,” a Microsoft spokesperson told Mashable at the time. “Customers with up-to-date software are already protected.”
One of the hoarded NSA vulnerabilities, dubbed EternalBlue, allows for the worm-like spread of malware across computer systems. And despite Microsoft’s assurances, it turns out that many people and organizations did not in fact update their computers with the available patch. WannaCry and NotPetya, which made use of EternalBlue, were the result.
That, in the face of clear warnings and readily available safeguards, people failed to protect themselves is a clear sign that many of those at risk don’t realize the precarious nature of their position.
“The majority of latest WannaCry, NoPetya (Petya, GoldenEye or whatever) victims, are not technical organizations and sometimes just small business who don’t have a security team, or even just an IT team to help them mitigate this,” writes Erez on his blog. “Running NMap, Metasploit [a penetration testing software] (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.”
The free software simply checks networks to see if they are still susceptible to EternalBlue.
“[Eternal Blues] helps finding the blind spots in your network, these endpoints that are still vulnerable to EternalBlue,” continues Erez. “Just hit the SCAN button and you will immediately start to get which of your computers are vulnerable and which aren’t. That’s it.”
Importantly, Erez does collect anonymized data on the results of the scan, but he also details a way to disable this information-sharing feature for the extra security conscious.
And if you do find that your computer is vulnerable? Make sure you install the Microsoft patch. And, as always, keep your operating system up to date.
June 30, 2017 / Comments Off on A new tool will check if you’re vulnerable to the hack that brought down computers across the globe
Ransomware is not new. The malware, which encrypts data and demands payment in exchange for decryption keys, has been with us for almost 30 years.
So why does it feel like it’s getting worse? Well, that’s because it is getting worse.
In seemingly no time at all, ransomware has gone from an obscure threat faced by a select few to a plague crippling hospitals, banks, public transportation systems, and even video games. Frustratingly, the explosive growth of ransomware shows no signs of abating — leaving victims wondering why them, and why now?
The answer to both of those questions involves cryptocurrency and the National Security Agency.
But first, a little history
The first known ransomware attack hit the healthcare industry way back in 1989. According to the cybersecurity blog Practically Unhackable, a biologist by the name of Joseph Popp sent close to 20,000 floppy disks to researchers claiming they contained a survey which would help scientists determine a patient’s risk for contracting HIV.
What was left unmentioned in the promotional material was that the disks also encrypted file names on infected computers — rendering them practically unusable. Instead of their typical boot screens, victims were shown a message demanding a $189 payment in order to unlock the system.
Popp, who had a PhD from Harvard, was an evolutionary biologist and fell outside of what we think of today as a stereotypical hacker. According to The Atlantic, after he was arrested and charged with blackmail, Popp insisted that he intended to donate the proceeds from his scheme to HIV-related research.
Regardless of his true motives, the success of Popp’s attack was limited by two key factors: The floppy disks were sent out via the mail system, and the encryption employed by what became known as PC Cyborg was reversible without his help.
Twenty-eight years later, things have changed for the worse in the world of ransomware.
Cryptocurrency and the NSA
When we talk about the scale of modern ransomware attacks, it’s important to keep two criteria in mind: frequency and reach.
A 2016 report from the U.S. Department of Justice noted 7,694 ransomware complaints since 2005, which it acknowledged is probably undercounting the number of actual attacks. The May WannaCry ransomware, for its part, hit over 150 countries. Two factors played a key role in those jaw-dropping figures: the rise of cryptocurrency and the availability of dumped hacking exploits hoarded by the NSA.
Cryptocurrency like Bitcoin allows attackers a real shot at actually receiving ransom payments. In a major step up from the payment mechanism implemented by Joseph Popp, hackers no longer need to set up a PO box and hope the physical cashier’s checks flow in. Instead, they can simply direct victims to make payments to specific Bitcoin addresses.
According to the cybersecurity company Palo Alto Networks, the first ransomware to demand payment in Bitcoin was the 2013 Cryptowall. It was by no means the last, however. The relative ease of cryptocurrency payments combined with the growing popularity of Bitcoin surely contributed to what a 2016 IBM report found was a 300 percent increase in ransomware incidents over the preceding year.
As for the growing reach of such attacks? While there are many factors at play, one obvious inflection point can be found in the April Shadow Brokers dump where the hacking group notoriously released a host of exploits originating from the National Security Agency. Among that list was one vulnerability by the name EternalBlue, which, when paired with ransomware, allowed for the worm-like propagation of the WannaCry attack.
The same exploit reportedly played a key (but not exclusive) role in the spread of NotPetya — ransomware that has hit at least 65 countries and whose likely primary goal is to cause destruction.
And while Microsoft had already released a patch for EternalBlue by the time is swept the globe, the wildfire spread of WannaCry and NotPetya serve as a stark reminder that not everyone stays up to date with security patches.
So where does that leave us?
The unprecedented scale of these two attacks, powered by stolen NSA exploits and facilitated by cryptocurrency, suggests we have entered a new age of virulent ransomware. To make matters worse, attacks like WannaCry are likely to become more common, not less, as evidenced by a 2017 report from cybersecurity firm Symantec which found “a 36 percent increase in ransomware attacks worldwide.”
Interestingly, however, ransomware may end up becoming a victim of its own success. The sheer number of infected computers, combined with the practically nonfunctional payment mechanisms of both NotPetya and WannaCry, mean that even if people did elect to pay the ransom, they weren’t going to get their decryption keys.
Why pay up if you know you’re not getting your files back either way?
And the word has gotten out. At the time of this writing, the Bitcoin address associated with NotPetya has received only 46 payments totaling approximately $10,317.
All of this suggests that while the form of digital extortion first developed by Joseph Popp shows no signs of slowing down, the money may no longer be in it. And that, in the end, may be the only hope we have of an end to the growing ransomware scourge.
June 29, 2017 / Comments Off on Ransomware has been around for almost 30 years, so why does it feel like it’s getting worse?
As the leaked NSA report on Russian efforts to hack the computers of U.S. election officials before the 2016 presidential election demonstrates, we are all often our own biggest security weakness. The document, published by The Intercept, shows that hackers found a way around the protections offered by two-factor authentication that is striking in its simplicity: They asked the targets for their verification codes.
“If the victim had previously enabled two-factor authentication (2FA),” explains a slide detailing the Russian attack, “the actor-controlled website would further prompt the victim to provide their phone number and their legitimate Google verification code that was sent to their phone.”
To translate, after tricking victims into entering their email and password into a fake Google site, the hackers found that some victims had 2FA set up on their accounts. This meant that even with the password, hackers were unable to gain access to the Gmail accounts in question — that is, unless they could get the verification codes as well.
So, again, they just straight up asked for them.
“Once the victim supplied this information to the actor-controlled website, it would be relayed to a legitimate Google service, but only after [redacted] actors had successfully obtained the victim’s password (and if two-factor, phone number and Google verification code) associated with that specific email account.”
Basically, the hackers were able to bypass the email security measures by requesting that the victims give them the keys to the digital castle.
Once access was gained to the accounts, which reportedly belonged to an electronic-voting vendor, the hackers would then email election officials from the hacked accounts and attempt to trick those same officials into opening script-laden Word docs that would compromise their computers.
It’s an elaborate bit of spear phishing, and it reminds us that no matter what digital security practices we put in place, we can all still slip up.
In the face of everyday online threats, the best defense (other than setting up 2FA — which you should definitely still do) might be the simplest: exercise caution with every email you receive, and be paranoid as hell.
In the face of skilled Russian hackers? Well, that one’s trickier, but maybe start with not handing over your email password, phone number, and 2FA verification code.
June 6, 2017 / Comments Off on The leaked NSA report shows 2-factor authentication has a critical weakness: You
On Monday, she was charged after the FBI arrested her Saturday at her home in Augusta, Georgia. She faces up to 10 years in prison for the classified leak, according to CNN. She’s back in court on Thursday.
Winner was accused of leaking a report that showed Russian intelligence tried to hack U.S. voting systems before the election in November. The Intercept shared printed pages of the report, and the folds and creases in the documents gave away that they had been “printed and hand-carried out of a secured space.” From that, the agency saw six people had printed the report and then tracked down the one person from the group who had emailed the news outlet.
Her motivations for leaking are not yet known. But she left a lot information about herself online. She was active on Facebook, Instagram and Twitter for years and shared her anti-Trump and other political sentiments on the platforms.
Active on social media
Winner, who uses the name Sara Winners on her Twitter account, had been active on the site up until the end of February. She often tweeted anti-Trump messages. She follows only 50 people on Twitter, including Edward Snowden, WikiLeaks, and Anonymous.
A linguist and an athlete
The Texas native was an Air Force linguist who studied Farsi and other languages. According to the Department of Justice, she was a contractor with Pluribus International Corporation and had been assigned to a government agency facility in Georgia since Feb. 13. She had top secret clearance.
Reality Winner, arrested for alleged classified leak, is a former US Air Force linguist who speaks Pashto, Farsi & Dari, her mother tells me pic.twitter.com/SQjt13wRw6
She last posted on her Facebook page a day before her arrest. She shared many videos of her working out, and posted often about CrossFit and lifting.
Her mother, Billie Winner-Davis, spoke to the Daily BeastSunday and told the publication that Winner is “very passionate,” but her mother didn’t think she’d even been active in politics. The family didn’t know much about her new job as a government contractor.
Winners last Facebook post the day before her arrest showed some of that passion.
She strongly opposed the Dakota Access Pipeline and had posted about it often with anti-Trump hashtags.
While some were already calling Winner a traitor and worse, others have come out to support the whistleblower, like Julian Assange, the creator of WikiLeaks.
Alleged NSA whistleblower Reality Leigh Winner must be supported. She is a young women accused of courage in trying to help us know. pic.twitter.com/B4aIdt7qz6