
Leaked NSA Malware Threatens Windows Users Around the World - Futurebot
https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/
======
vmarsy
I think jlgaddis' link[1] is more informative than the theintercept.com
article: [https://www.bleepingcomputer.com/news/security/shadow-broker...](https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-files-revealing-windows-exploits-swift-attacks/)

I feel the HN submission should point to that instead.

The Outlook Exchange, RDP, Kerberos, ... exploits are scary, even though some
only seem to affect older Windows versions.

[1]
[https://news.ycombinator.com/item?id=14117336](https://news.ycombinator.com/item?id=14117336)

------
israrkhan
I find it very irresponsible that the NSA did not report these vulnerabilities to
Microsoft after they had fallen into the hands of the Shadow Brokers (no longer
zero-day). The Shadow Brokers announced possession of these zero-days around 3 months
ago. The NSA had a good 3 months to work with Microsoft to patch these. They chose
not to.

~~~
SomeStupidPoint
It's possible the NSA isn't sure what the Shadow Brokers have.

~~~
emn13
...which doesn't make it any less irresponsible.

However, judging by [https://technet.microsoft.com/en-us/library/security/ms17-01...](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) it's likely somebody had some advance
knowledge, somehow.

Oh, and hey:
[https://blogs.technet.microsoft.com/msrc/2017/04/14/protecti...](https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/)

------
cm2187
What I find sort of (a little) comforting is that the NSA seems to be relying
on zero days. All these leaks have not really revealed any structural backdoor
in any of the major operating systems.

~~~
stordoff
1. I imagine they'd be more or less the same thing. Any mandated/deliberate
backdoor is probably going to look very similar to an accidental bug - it lets
you deny it exists, gives a valid explanation for if/when it is found, and
potentially lets an NSA/software company "double-employee" add it without the
company knowing.

2. It'd probably be a method of last resort, so the NSA et al. would gather
and use zero days anyway. Any use of the backdoor risks it being noticed, so
using other entry points makes sense if possible.

A less comforting interpretation would be that relying on zero days suggests
they are confident in their ongoing ability to find them and/or have a
sizeable cache of unknown exploits already, so adding a deliberate backdoor
wouldn't provide any additional access.

~~~
rdtsc
> lets an NSA/software company "double-employee" add it without the company
> knowing.

I always wondered how that works. I am a full-time employee at a software
company. I cannot imagine having extra time to report to another employer (NSA)
and deal with their red tape and crap as well.

Or does NSA show up at their doorstep with a bag full of cash - "Here you go,
have this, and install a backdoor in your company's software. And we never met
<wink>, <wink>"

That sounds good on paper so to speak, I just have a hard time imagining a
realistic scenario.

Now finding 0-days and hoarding them, I can see that.

~~~
toyg
You assume the mole is an MS employee first and an NSA op second.
Traditionally, the opposite is true: if you want to infiltrate a somewhat
friendly entity, you do it by engineering the hire of trusted individuals.
This is more secure, since there is no risk that one of the guys will get cold
feet and blow the whistle.

So you monitor universities and you make contact with some of the brightest
sparks. You promise them a good job in exchange for the possibility that, one
day, they might have to act For The Good of The Country; and in the meantime
they'll even be In The Know, which will place them above their peers -
excitement! Ambition! Then you lobby a few higher-ups you're friends with to
hire these guys in this or that group. They are top-notch talent, immaculate
credentials, so the hire is a slam dunk. They go about their business, being
good kernel devs or whatnot, and every few months you give them a quick call
to catch up - there is no need for extensive briefing, nobody really cares
about the goings-on of Team Kernel A356. When "the favour" is required, the
guy is comfortable in his position and doesn't want to leave it, so there is
no chance he'll say no.

------
deanclatworthy
I've been following this closely over the last couple of hours on Twitter as
the news broke. What does it mean in practice?

From what I have read one of the vulnerabilities seems to be a 0day targeting
SMB on Windows. One commentator suggested it's enabled by default on the
majority of Windows machines (of that I am sceptical). Presumably most people
are behind a router which would stop this in its tracks?

A lot of people (who I would probably take seriously) suggest disconnecting
Windows machines from the internet for the time-being. Is it really this bad?
Are there millions of Windows (home-)users who are vulnerable (by default)
today?

~~~
BinaryIdiot
> Presumably most people are behind a router which would stop this in its
> tracks?

Trouble is there are millions of IoT devices with terrible security, some of
which are already owned and inside the network. They could be used as a delivery
tool to attack multiple machines inside of a network.

I'm not sure how many folks connect directly to the internet anymore.
Hopefully not many.

~~~
Teichopsia
"Connect directly". Could you please elaborate on that?

~~~
BinaryIdiot
Connecting a computer directly to a modem, not a router.

~~~
Teichopsia
Thanks.

------
alpb
Relevant tweets from/retweeted_by @snowden

- [https://twitter.com/Snowden/status/852950725881712640](https://twitter.com/Snowden/status/852950725881712640)
- [https://twitter.com/campuscodi/status/852885596221689856](https://twitter.com/campuscodi/status/852885596221689856)
- [https://twitter.com/Snowden/status/852989758364147712](https://twitter.com/Snowden/status/852989758364147712)
- [https://twitter.com/josephfcox/status/852983848862461953](https://twitter.com/josephfcox/status/852983848862461953)
- [https://twitter.com/Snowden/status/852987207170371587](https://twitter.com/Snowden/status/852987207170371587)
- [https://twitter.com/alexstamos/status/852984589463175169](https://twitter.com/alexstamos/status/852984589463175169)
- [https://twitter.com/Snowden/status/852974864461963265](https://twitter.com/Snowden/status/852974864461963265)
- [https://twitter.com/TalBeerySec/status/852869388067844096](https://twitter.com/TalBeerySec/status/852869388067844096)
- [https://twitter.com/Snowden/status/852967606088806401](https://twitter.com/Snowden/status/852967606088806401)
- [https://twitter.com/Snowden/status/852966739084275712](https://twitter.com/Snowden/status/852966739084275712)
- [https://twitter.com/josephfcox/status/852908421703753728](https://twitter.com/josephfcox/status/852908421703753728)

~~~
spangry
I really regret reading some of the replies to those tweets. There's something
I need to know: the people going on about Snowden being a traitor, helping
'the Russians' etc... On the 'average American' to 'village idiot' scale,
which end are these people closer to?

This is not a rhetorical question btw. I just want to get some insight into
what the 'average American' thinks about Snowden.

~~~
asddddd
Average American.

[http://www.newsmax.com/Newsfront/edward-snowden-rasmussen-po...](http://www.newsmax.com/Newsfront/edward-snowden-rasmussen-poll-hero-russia/2016/09/23/id/749866/)

~~~
spangry
Thanks.

And now I feel ill.

------
eps
Is there a list of exact attack vectors for the lazy?

Both tools in the demo video are SMB-based. I wonder how exploitable a
machine is if it has SMB properly disabled and blocked.

~~~
jlgaddis
There's an incomplete "summary of leaked data" at
[https://www.bleepingcomputer.com/news/security/shadow-broker...](https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-files-revealing-windows-exploits-swift-attacks/)

~~~
cm2187
Looking at this list it seems to affect mostly older versions of Windows
servers and servers with SMB running. I'd say it would be more of a problem on
intranets than on Windows-based web servers.

~~~
noinsight
> and servers with SMB running.

Which is going to be Domain Controllers, the most highly privileged servers on
most corporate networks. And accessible to the "entire" network too. Group
Policy is distributed through SMB shares.

------
ChuckMcM
Wouldn't it be nice if the NSA turned over all of its now compromised zero
days to Microsoft so that Microsoft could patch them all?

------
nthcolumn
So MSFT to take a pasting when the exchange reopens?

------
symlinkk
Direct link to the leak:
[https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-...](https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation)

RIP Windows users.

------
fixxer
Using Windows threatens Windows Users Around the World.

------
UnoriginalGuy
This entire article is a gross mischaracterisation of the facts and risks.

The only major zero days released for Windows in this bundle targeted SMB
(SMBv1, SMBv2, & SMBv3). By default Windows firewalls SMB and has since
Windows XP SP2. Many home and business users then typically have a NAT between
the Windows Firewall and the internet, offering a second layer of protection.

Few companies intentionally expose SMB to the internet. Generally users are
required to VPN in before then being able to contact an SMB endpoint.

The type of language in this article is designed to mislead non-technical
readers into believing they're at risk e.g.:

> The software could give nearly anyone with sufficient technical knowledge
> the ability to wreak havoc on millions of Microsoft users.

So either the article author lacks the technical literacy to understand why
this is untrue, or they know it to be untrue and are trying to implant fear
into their readership. In either case, not a good look for The Intercept.

~~~
jacquesm
> Few companies intentionally expose SMB to the internet.

True, but in your average coffee shop setup if a user has SMB running you
could reach them via a local IP if it isn't firewalled off on the machine
itself.

~~~
eps
And why would it not be firewalled off on the machine itself?

~~~
bigbugbag
Why would it be?

~~~
eps
Because it's a standard Windows policy for public, non-trusted networks?
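The thread above turns on two checks a defender would actually run: whether SMB (the protocol the leaked tools target) is listening at all, and whether the Windows Firewall on the machine's current network profile, especially the Public one eps mentions, lets it through. The script below is an added audit example, not from any commenter, and assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules) run from an elevated prompt.

```powershell
# Added example (not from the thread): report this host's SMB exposure.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
function Get-SmbExposureReport {
    $smbPorts = @('445', '139')   # SMB direct and NetBIOS session

    # SMBv1 is the legacy dialect; it should be disabled on any host that can manage without it.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Which profile each adapter is on: "Public" is the untrusted profile.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory

    # Is the SMB server actually listening on the wire?
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { "$($_.LocalPort)" -in $smbPorts } |
        Select-Object -ExpandProperty LocalPort -Unique

    # Enabled inbound ALLOW rules that open an SMB port, and the profiles they apply to.
    $allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort | Where-Object { $_ -in $smbPorts })) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = "$($rule.Profile)"      # e.g. "Domain, Private" or "Any"
                Ports   = ($port.LocalPort -join ',')
            }
        }
    }

    # Exposed on Public = an SMB port is listening AND an allow rule covers it on Public (or Any).
    $publicAllow = $allowRules | Where-Object { $_.Profile -match 'Public|Any' }

    [pscustomobject]@{
        Smb1Enabled       = $smb1
        Profiles          = $profiles
        SmbListeningPorts = $listening
        InboundSmbAllow   = $allowRules
        ExposedOnPublic   = [bool]($listening -and $publicAllow)
    }
}

$report = Get-SmbExposureReport
$report | Format-List
```

A host with SMB listening but no allow rule on its active profile is blocked at the host firewall; one that also sits behind a NAT has the second layer UnoriginalGuy describes.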

