
In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc - SREinSF
https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html
======
tptacek
I'm unclear on why I'm meant to take this particular Windows SMB exploit so
seriously when there's such a long history of comparable bugs that nobody ever
referred to as "stolen cyber weapons". I think it might be almost entirely
because of the name; "ETERNALBLUE" sounds much scarier than "CVE-2017-0144".

Don't get me wrong: a reliable modern Windows drive-by RCE is nothing to
sneeze at. But if it wasn't this exploit, it'd be a different one --- _will_
be a different one, likely not "stolen from NSA", when the next half-life of
this bug is reached.

The phenomenon of a single bug having intense, distinctive utility is not new.
In any couple of years, there will usually be a couple bugs like that --- a
very popular RCE that's publicly known, and a very popular RCE that is somehow
kept on the DL. Back when those RCEs were in things like UW IMAP, nobody wrote
NYT stories about how the NSA had accidentally unleashed them on us like some
filovirus from Zaire leaked from the CDC.

Meanwhile: seized on by North Korea, Russia, and China? Come on. We know
roughly how much it costs to develop a reliable remote (Project Zero has
written them up, what, a dozen times?). The smallest SIGINT agencies in the
world can afford this kind of work out of petty cash. I'm sure none of them
are going to look a gift bug in the mouth. But CVE-2017-0144 isn't
fundamentally enabling them to do anything they couldn't have done themselves.

I think Mitre should just start assigning stupid NSA names to CVEs, so that
people will take them more seriously.

~~~
keyme
The reason is that there's a big difference between an exploit and a fully
weaponized utility that gives you a root shell for a given IP address.

You almost never see these lying around the Internet. There is a lot of work
involved in creating a tool that'll successfully identify and exploit every
single build of an executable, with 99.9% reliability. There is lots of
testing to be done, lots of tweaks required. Things that random individuals
just don't do by themselves.

~~~
dtornabene
But his point is that we're not talking about individuals. The article
breathlessly goes on about foreign states, you know _the bad ones_, who have
used this to attack all over the world. Except as tptacek points out, these
states can do this kind of work on a slow day, in office. I actually disagree
with tptacek, I don't think it's partially, or even at all, because of the name.
It strikes me as more fear mongering, part of a narrative that's meant to drive
more defense spending. "Look at all these breaches, can't have this stuff
happening, be afraid lowly citizen, and support your security state".

~~~
Thorrez
> According to three former N.S.A. operators who spoke on the condition of
anonymity, analysts spent almost a year finding a flaw in Microsoft’s software
and writing the code to target it. Initially, they referred to it as
EternalBluescreen because it often crashed computers — a risk that could tip
off their targets. But it went on to become a reliable tool used in countless
intelligence-gathering and counterterrorism missions.

If it took the NSA a year to develop, then it can't be done "on a slow day".

~~~
tptacek
I didn't say it could be done "on a slow day". I said it could be done "out of
petty cash", in the context of a SIGINT agency. Google employs dozens of
people who do this stuff as a hobby.

We don't have to wonder whether this is some space alien technology that only
the NSA can develop; it's a reliable Windows remote in pre-Win8 SMB servers.
Read a writeup on it; it's less complicated than most type confusion browser
RCEs.

~~~
dtornabene
Fair enough, my language, not yours. I was driving at a similar point however
inept my language was.

~~~
tptacek
I don't object to your language as a rhetorical flourish, because I think it's
true that this level of exploit development is not all that rarified. I'm just
saying, what I actually said is harder to knock down with a message board
rebuttal. :)

------
oconnor663
> “If Toyota makes pickup trucks and someone takes a pickup truck, welds an
> explosive device onto the front, crashes it through a perimeter and into a
> crowd of people, is that Toyota’s responsibility?” he asked. “The N.S.A.
> wrote an exploit that was never designed to do what was done.”

Let's rework that analogy. If the NSA knows a trick to make Toyota pickup
trucks explode, and they don't tell Toyota about the trick for years because
they want to keep using it, and then eventually they leak the trick and
suddenly everyone's Toyotas are exploding left and right, is that the NSA's
fault?

Yes, yes it sure is.

I wouldn't go quite so far as to say the NSA was obligated to tell Microsoft
(metaphorical Toyota) immediately about the exploit. For better or worse it's
in America's interest for them to hack into foreign computers, and they take
some risks as part of doing that. But they're 100% responsible for the
downside of the risks they take.

~~~
tedunangst
Imagine Toyota makes a faulty truck, and then they issue a recall, and there's
headline news about the danger this issue poses, and truck drivers all over
Twitter are pleading for people to fix their trucks, but you nevertheless
continue driving around for 799 days without fixing it, and then your truck
explodes. I know who I'm blaming.

~~~
oconnor663
Both points are true. Think about having giant holes in the sidewalk. On the
one hand, if you walk into a giant hole in the sidewalk in broad daylight,
that's pretty much your fault, and your friends will laugh at you. On the
other hand, everyone understands that some people will inevitably walk into a
giant hole in the sidewalk if it's there, and so we consider it negligent to
dig one without putting up bright orange barriers around it. In part that's
because some people are more vulnerable than others (maybe it's nighttime,
maybe their eyesight isn't very good, maybe they're going fast on a bicycle),
and in part that's because with a large enough group of people some of them
are bound to be careless, distracted, or unlucky.

------
votepaunchy
NYT again buried the lede. This was never a 0-day. How is it that companies
and governments still fail to install updates years later?!?

“One month before the Shadow Brokers began dumping the agency’s tools online
in 2017, the N.S.A. — aware of the breach — reached out to Microsoft and other
tech companies to inform them of their software flaws. Microsoft released a
patch, but hundreds of thousands of computers worldwide remain unprotected.”

~~~
dubbel
Of course it was a 0-day. It was one until the day that Microsoft released
patch MS17-010 on the 12th of March 2017. So for around 5 years it was a 0-day
that was used by the NSA and possibly other unknown actors.

~~~
azernik
0-day generally refers to the day the vulnerable party learns of the
vulnerability, so it would be substantially earlier.

~~~
dubbel
True, I was wrong about that. I looked at it from the perspective of the
affected customers.

In that case it was a 0-day until probably February 2017.

------
NikolaeVarius
[https://twitter.com/ErrataRob/status/1132345806177144833](https://twitter.com/ErrataRob/status/1132345806177144833)

Some interesting rebuttal notes. Apparently it is the vulnerability that is
being exploited, not eternalblue itself.

~~~
thinkling
I find one of the responses pretty compelling:

> This is a distinction without meaning. Infosec frequently uses the same name
> to refer to a vulnerability and a corresponding exploit. I don't agree with
> the framing of the story either, but calling it "fake news" is a serious
> accusation that goes too far.

[https://twitter.com/mehaase/status/1132366433491533824](https://twitter.com/mehaase/status/1132366433491533824)

~~~
NikolaeVarius
I'm less interested in the accusations and more about the content.

------
redleggedfrog
"The tool exploits a vulnerability in unpatched software..."

It's a self-inflicted wound by Baltimore.

Question is, what is the cost of actually maintaining their systems
competently vs. the cost of the attack? Both are difficult to quantify, but if
you factor in the likelihood of getting attacked I bet it's still cheaper in
the long run to just run your IT dept fast and loose and let the chips fall
where they may.

As a government entity, they are probably making the soundest decision based
on budget. Disruption in services hurts the populace, not the government.

As an anecdotal aside, I once worked as a contractor for over a year for a
state government entity, run by a young, ambitious dept head who was _all_
about the security and soundness of the software they used. But he needed a
good sized budget, to convert buggy and insecure systems over to something
more sound, and every single meeting with his superiors was about money. He
argued so vehemently (I was in some of these meetings and he couldn't have
been any more astute in his observations on the future of attacks) that
eventually his superiors found a reason to fire him (using government bought
software for personal use at home - for self education). And, no joke,
literally all the work he and his team had done in the dept for years was just
chucked when the next guy came in.

Government is about money, not security.

~~~
AdamM12
One thing I didn't realize till I talked to someone who works in IT
procurement for a populous county in KC was that they can capitalize buying
servers, and finance via bonds, vs. using cloud providers, which comes out of
their operational budget.

------
xoa
I think the national security establishment are applying pre-digital paradigms
and thinking to cyberspace and as a result have gotten things almost entirely
backwards. In the physical real world, "the best defense is a good offense"
often has a lot of truth to it, since in limited-resource situations force
concentration to defeat hostile forces can be fundamentally more effective.
But when it comes to information which can be infinitely and losslessly copied
it might make more sense to think of security in terms of information
_gradients_ and societal model. For a liberal democracy/market economy a lot
of useful information gets generated, but it can be less effective at
utilizing it and more leaky. Whereas (at least in examples so far in human
history) centralized command authoritarian societies don't seem to as
effectively come up with new stuff, but if offered the chance to take it from
elsewhere can act with more of a long term vision (and of course with
panopticons and massive restrictions on individual freedoms can more
effectively insulate themselves).

So maybe from a strategic point of view government security should be working
to shore up the weaknesses of the societal model while maximizing the
strengths; the best strategies for each model are opposites. So for the USA, I
think it'd be better if nobody had any ability to hack anything and the
government acted aggressively to maintain an unequal information gradient.
Then the problems that come from short term incentives, less decisive/unified
responses, and so on continue to get made up for by a major technological
edge. Whereas for a polity like China in a world where information is smoothed
out they can leverage their authoritarian governance for more advantage.

Which means the NSA has been doing the opposite of what they should, because
for America in the digital domain "the best offense is a good defense".
America has the most to lose from having all of its information
generation/infrastructure (R&D, networking/governing systems etc) get taken
and/or disrupted. Rather than thinking of digital security issues as weapons
to be exploited against less technologically advanced enemies who by
definition have far less to lose, they should have long since been thinking of
them as big strategic risks and working to eliminate all of them as
aggressively as possible, and to be a dependable source for best practices in
general. I think maybe there is a basic mindset mixup in the leadership given
the last 50 years and their military backgrounds, and that's really caused
America to squander enormous amounts of strategic value (and goodwill as well
for that matter). Very foolish and unfortunate, and I'm not sure if anyone in
government is currently thinking about reworking the NSA into a role focused
on actual national security.

~~~
pcnix
This is a very interesting take on the road we should have taken with respect
to cybersecurity. I agree with what you said, but I think there's still scope
for this sort of thinking in current nation states. It's a strategic mistake,
but one that a generation more in touch with technology would probably not
make as easily, so I expect that there's already people thinking this way in
most governments, and that will only increase in the future.

------
natch
“We can’t protect our own dangerous secret software tools, but trust us to
protect your keys in escrow.”

~~~
Godel_unicode
You don't see a difference in protection posture between something which has
to be used in the wild vs something which could be kept in a vault for its
entire lifetime? I'm not arguing that escrow is a good idea, I'm arguing that
this argument is not why that's true.

Edit: consider how often keymat has leaked.

~~~
Nasrudith
There isn't one really - if they had access to it the same logistical issues
would come up no matter how much they pinky promise not to abuse it. The more
it spreads the more vulnerable it is.

The only way key escrow would be remotely trustworthy would be if there were
"hostages" to provide an intrinsic punishment for their failures or
stonewalling of transparency.

------
mirimir
> EternalBlue was so valuable, former N.S.A. employees said, that the agency
> never seriously considered alerting Microsoft about the vulnerabilities, and
> held on to it for more than five years before the breach forced its hand.

This has been common "conspiracy theory" for at least a decade. And not just
about Microsoft.

------
olliej
I feel that given the US government prosecution of the MalwareTech guy for use
of an exploit package he wrote, but was not using, the US government should
accept financial responsibility for the misuse of their own exploit.

------
ne9xt
I just want to mention how Tim Cook rightfully pushed back on government
pressure to develop a tool to break into an accused terrorist's iPhone, citing
the dangerous precedent it would set, as well as the inevitable theft of said
tool. If the NSA can't fully secure its arsenal, who are they (government) to
demand a private company to develop (and expect to secure) a tool that
_everyone_ would want to get their hands on. Alas, while the effort was noble,
state sponsored actors have made this a moot point.

------
sschueller
This is on the NSA. They decided not to tell the vendors about this and that
makes them responsible. They failed their task which I thought was to keep the
United States safe and secure.

~~~
pcnix
They did tell the vendors about this, and the vendors actually released a
patch too, all this before the tools were leaked.

~~~
dubbel
The patch was released just one month before the exploits were leaked to the
public, and the NSA only decided to act after they were certain that their
tools had been extracted. But we still don't know when it was extracted from
the NSA. If they would have brought this to Microsoft's attention 5 years
earlier (and without releasing an easily adaptable exploit for the
vulnerability) a lot of damage could have been avoided.

------
OliverJones
You know what's bizarre? Amidst all this drumbeat of news about cybercrime
trashing government, and with the clear evidence that the US 2016 turned, at
least partially, on cybercrime:

NOT ONE of the candidates for US President has undertaken any effort to boost
their own infosec. (Or if they have, they keep it quiet.)

What can they do? The same stuff we do in any SaaS business:

Rudimentary security training for everybody, including bigshots and
candidates. (Podesta got phished, twice!)

Make sure their laptops and office computer equipment are up to patch levels
and the malware detectors work.

Engage one of the large-scale email providers; they have top-notch dedicated
infosec people, good spam traps, and a lot to lose if they visibly mess up.

Adopt strong multifactor authentication.

Hire competent pentesters and remediate any vulnerabilities they find, fast.

Let their donors and the public know they're taking action (not WHAT action of
course, just that they're on it.)

Governments should do the same for their constituents and taxpayers.

Now, maybe candidates will argue they don't have time for the extra security.
But, in 2019, that argument shows they're unfit for public office. One
candidate learned that the hard way in 2016. No more of this.

------
mathieubordere
Shouldn't it be patched by now?

~~~
lucb1e
Elsewhere in the thread it is said to never even have been a zero day, i.e.
before it was publicly released, Microsoft was forewarned and released a
patch.

So yes, it is patched in the sense that the vendor did, and in the sense that
the Microsoft customers should long, long have patched a vuln from 2017.

~~~
cf498
> is said to never even have been a zero day, i.e. before it was publicly
> released, Microsoft was forewarned and released a patch.

Which is nonsense. It was an exploit that was actively used for at least 5
years before Microsoft was informed about it. The "not a zeroday" is pretty
close to doublespeak. There is nothing to sugarcoat here. It was a zeroday
that was exploited for years and Microsoft wasn't informed until the very end.
All the while millions of devices were vulnerable. I have to say I am having a
hard time assuming good faith when people make such statements, here of all
places.

A vulnerability is a zero day until the day the maker is informed about it.
It's not an ambiguous definition.

~~~
sneak
The dangerous assumption here is that nobody else ever got hold of the
EternalBlue exploit outside of those they wanted to have it.

This is a bad assumption. Others could have developed it independently, or
intercepted it from NSA usage, and used it for years prior to the leak of the
tools.

Hoarding 0days makes everyone less safe.

------
panarky
_> The tool exploits a vulnerability in unpatched software_

Eternal Blue exploits a vulnerability in unpatched _Microsoft Windows_
software.

------
wyclif
Slightly off-topic, but does anyone know who makes those standing desks shown
in the pic of the MSFT office?

------
HocusLocus
Bed, Bath, Baltimore and Beyond

NSA knew that EternalBlue was in the wild and possibly being used by other bad
state actors, and just sat on it. For years. In case you are wondering whose
side they're on.

------
Sephr
The Shadowbrokers announced their access to EternalBlue many months before
Microsoft released a patch.

The NSA was negligent in not immediately informing Microsoft after the
Shadowbrokers announced their access to the NSA tools with clear proof
(codenames, etc) on Reddit.

------
dead_mall
Wreaking havoc on outdated computers...

------
davidf18
Two years ago, in 2017, Microsoft distributed the security update to fix this
problem. The issue has nothing to do with the NSA and everything to do with
the City of Baltimore failing to keep their capital equipment, in this case
computers, up-to-date applying security and other updates.

The article also discusses healthcare systems hacked by other exploits. This
again was not caused by the computer virus, but by the fact that Microsoft
vendor-issued security updates were not applied to the systems.

Often there are security upgrades in hardware as well as software which means
that the computer hardware needs to be upgraded as well.

As is the case with most of these security hacks, it is the failure of the
agency to budget appropriately for equipment maintenance and having competent
leadership that actually understands the importance of budgeting for and
implementing security upgrades including upgrading to the latest version of
the OS, in this case, Windows 10.

