NSA Says It Foiled Plot To Destroy US Economy Through Malware
mrspoonsi writes "Business Insider Reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped on Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."
...and subprime lending really DID destroy the U.S. economy.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
But we can't show it to you, it's a privet.
Dear aunt, let's set so double the killer delete select all
I don't know the history of this, and the linked article is vague on timelines, but it always did seem like UEFI came out of nowhere...
Once those pesky real journalists that insist on facts and sources start digging into this, I'd expect the cataclysmic claims will be slowly walked back to something much less sinister, like almost all other claims of thwarted plots.
China holds a huge amount of our debt. They want us to buy their stuff and to borrow money from them. Why cripple our economy? Or, even worse, why do something like this that will point a finger back to them and stir up the pot against them? (and possibly lead to embargoes, and so on)
If these attackers the NSA supposedly thwarted (the Chinese it is speculated), managed to gain control over large numbers of computers with access enough to damage their firmware, it would make far better sense to keep those machines alive and working for them instead. You could cause far more damage to the US economy by keeping those machines alive and pwn3d than if you simply bricked them. A bricked machine will cost a few hundred dollars to fix. A pwn3d machine is a gift that keeps on giving!
Give me six lines written by the hand of the most honest man, and I will find in them something to have him hanged.
Does this strike anyone else as being utterly ridiculous? "Cataclysmic"?? I mean, if a bunch of bricked computers could bring down our economy (and possibly the global economy) then isn't the whole thing in need of some serious attention? Maybe we've built an unreasonable amount of dependence on something that is entirely too frail to warrant such trust? - both the computer systems and our current economic system.
Alex, I'll take keybindings not used by Emacs for $400....
Mine's a flowerpot...with a wilted daisy
Right, sure they did. A BIOS attack of the sort hinted at in this interview is difficult to believe.
If they worked with computer manufacturers to close some such massive security hole, then they can easily point to the historical vulnerability. The technical community can verify their claims. Failing that, no, I do not believe such an attack ever existed outside the overheated imagination of some technically illiterate NSA bureaucrat.
In other news, I have a bridge I'd like to sell you.
Enjoy life! This is not a dress rehearsal.
Sorry, I'm not buying it. Despite the NSA's best efforts, Microsoft did release Vista.
Koans and fables for the software engineer
Have been known for years. The problem is you have to gain admin access to the machine first, so basically you are bricking your own botnet.
LOL.
The NSA is keeping us about as safe as the Mars rovers do from martian attacks.... which really is the reason we all know they are there. amiright?
http://en.wikipedia.org/wiki/CIH_(computer_virus)
ps. It didn't destroy the US economy.
because I can't imagine the scenario in which they uncovered that plot by looking at the metadata from American cellphones.
NSA needs to stop back pedaling and trying to prove they are a legitimate organization. It's their job to protect us from all types of stuff the general public has never heard of. Maybe they should watch some more Hollywood action films because those actors in the movie are more concerned about OPSEC than the NSA.
Ah the Chinese are so helpful ... oh wait!
I'm sure, due to their hard work, all new computers have hardware jumpers to write protect the BIOS....
A more dangerous cyber threat would be malware that collects all the user's personal information and stores it until the malware writer is ready to use it against the victim.
Oops!
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
I found this part of that odd: The NSA says it closed this vulnerability by working with computer manufacturers.
Did they work with a time machine to take care of machines built with this vulnerability? Includes those that are set not to automatically upgrade BIOS, of course.
Time Bomber the Book coming soon.
China has discovered NSA's backdoor into computers, and worked with computer manufacturers to build a much more better and newer back door for NSA.
Hope is the currency of fools
Please. I saw this on 60 Minutes and that entire pandering two-parter on Sunday night was such a load of bullshit, I could smell it through the TV.
And this segment of it was the worst, because it made no sense. I mean, they dumbed the story down for Ma and Pa in Pigsknuckle Arkansas, but for anyone with even a hint of technical acumen, it came off as complete tripe.
Why *exactly* would China want to destroy the global economy? Such a move would hurt them more than us, because they are in a period of crazy growth, and their entire stability *depends* upon that growth or they'd have rioting.
Secondly, if a nation wanted to destroy us, why use "malware"? A better way would be to use lobbyists to force more deregulation and let us cut our own throats as we've already seen. Our own greedy bastards will happily destroy the global economy if it means 6 more dollars in *their* pockets.
The whole thing is fishy and smells of NSA desperation to look good to the average American, and paint the Chinese and Edward Snowden as bad guys we need to be afraid of so that the NSA can "protect" us, by of course, stripping us of all our rights.
If telephones are outlawed, then only outlaws will have telephones.
This doesn't pass the sniff test. What would China gain by *destroying* our economy?
Sure, China planting surveillance software on every computer, I can believe that. But bricking all the computers in the US doesn't make sense as an espionage move, it doesn't make sense as an economic move (do you think anyone would trust Chinese-made computers when rebuilding?), it doesn't make sense as a propaganda move. It might make sense as a military move as a prelude to invasion, but a) China doesn't want that, b) China probably couldn't do it if they wanted to, and c) even if not fired, the risks of such a weapon being uncovered outweigh any benefit.
So it doesn't seem like something China would do. So who could it be? Even the NSA is explicitly calling it a nation-state, so it's not a terrorist group like al-Qaeda. If it's a nation-state, it has to be one that thinks (correctly or not) that they can beat the US when it is inevitably discovered (either before or after the attack). Russia's on that list, but I don't see how they would benefit except, again, as a pre-invasion attack, and our relations aren't that bad yet. North Korea might be dumb enough to think they can get away with it, but for the same reasons they probably don't have the capabilities of developing an attack like this. Iran is probably smart enough not to provoke the US with a direct attack, but maybe I'm wrong, or maybe they thought framing China would work.
Honestly, if someone in the Chinese government got on TV and said "yeah, we made that as a training exercise for defense drills, how the hell did you guys find it in the wild?", I'd believe them more than I'm believing CBS/NSA right now, because that at least makes sense with all the other information.
Especially since it's REAL FUCKING CONVENIENT for the NSA to suddenly have a major "victory" when they're being revealed as basically a bunch of puppy-kicking freedom-hating fascists.
Further, with their biggest customer deep in the mire, who would they sell their goods to? The same goods they depend on for revenue to keep their own growth moving forward?
This has got to be the dumbest scare story, no: xenophobic, boogeyman, fiction to come out this year (and it has lots of competition). Although the American debt is a big drag on its economy, it's also so large that it's a problem for the debt holders, too. They are in just as much trouble if the value of that debt drops and therefore have an interest in making sure the USA does not crash and burn - despite what some scared, bigoted and ill-informed media commentators might think.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
"We had to destroy the village in order to save it."
And if you believe any of this I've got a bridge over troubled waters I'll sell you! But the real problem is there are way too many Americans out there who will fall for this lame tactic.
That was my thought. The only countries who have attempted something on the scale of what the NSA is alleging are (allegedly) the United States and Israel, who (allegedly) unleashed Stuxnet on the world.
And I agree with the poster above - why would China wish to cripple the economy of one of the largest customers of its goods.
This isn't passing the smell test.
I don't care why you're posting AC
Includes those that are set not to automatically upgrade BIOS, of course
Two words: BIOS backdoor!
More importantly, they need to show that the massive dragnet of surveillance of all Americans was essential to find out about this.
Another thing, ironic that the US worries about other people doing things that it has already done. For example, the US created Stuxnet and is worried someone else will follow our lead. The US dropped a nuclear bomb on civilians and we are worried someone else will follow our lead.
I routinely stop alien invasions. Their lazors are no match for my hands (and let's not mention my other weapon... in my pants).
Your move NSA - what have you done lately?
I thought it was odd too until I read the article and realised they were not talking about a real threat, they were talking about an analyst's scenario. To quote:
"One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."
So basically this is a fear-mongering story since if the country in question had had the intention and capability to deploy such an attack, it would have been SUCCESSFUL. Only a small proportion of PCs would have been "fixed" if they had "worked with computer manufacturers".
They really do think everyone is stupid don't they?
This is just bullshit! If they stopped this attack by "closed this vulnerability by working with computer manufacturers", this would only fix the vulnerability on new computers built after the fix was created, but not on machines already produced and sold.
This sounds more like a PR campaign to garner positive support after all the negative impact of the releases of the documents Edward Snowden leaked.
- "Every demand is a prison, and wisdom is only free when it asks nothing." Sir Bertrand Russell
The NSA has become the Ministry of Truth.
Proverbs 21:19
> Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy.
This is stupid. Malware writers learned a long-long time ago not to kill computers, because virus code cannot run on paper or thin air. They need living but ill computers, whose processing and communication capabilities can be exploited by the infection, to spread spam or mine Bitcoins, etc.
The black plague killed some 33-40% of medieval European population within weeks. It did that trick 3-4 times during history. Where is yersinia pestis nowadays? It is a Level-4 biohazard lab curiosity, displayed in vials. In contrast, common cold is still with us and successfully exploits your nose to produce green soya, year after year.
Furthermore, it is not possible to destroy computers by overwriting the BIOS. There is an unwritable "brain stem" part of the BIOS, which knows only one thing: if the main BIOS mass fails to boot, read first file from floppy disk and overwrite BIOS with it. Even if the BIOS chip is soldered onto the motherboard (say laptop) and cannot be removed for re-writing in an external EEPROM programmer, this trick will save the computer.
Honestly, NSA is making a Rigoletto of itself, in public. Or maybe it's Yorick, with NSA theatrically proclaiming "To be or not to be..."
From your link:
Matt Blaze, a computer and information sciences professor at the University of Pennsylvania, said that BIOS could be overwritten by malware, bricking an unsuspecting computer. But the vagueness of the description of the “BIOS Plot” made him suspicious.
“It would take significant resources – and an extraordinary bit of co-ordination and luck – to actually deploy malware that could do this at scale,” Blaze said.
“And it's not clear how you'd ‘thwart’ such a scheme if you found out about it if you were NSA, since it's basically a combination of a large number of vulnerabilities spread among a zillion computers rather than one big problem that can be fixed with a single patch.”
The lack of specificity made cybersecurity expert Robert David Graham dubious that the plot NSA claimed to discover matched the one it described on TV. “All they are doing is repeating what Wikipedia says about BIOS,” Graham blogged, “acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.”
Maybe one part of the NSA wrote the malware and another part found out about it and stopped them.
If Slashdot were chemistry it would look like this: Cadaverine
Yes, they do. And they're mostly right. There's only a majority of 535 people they need to convince though.
Like all caught criminals....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I hear there is a tribe of super-wealthy elites running the U.S. behind the scenes who have effectively succeeded in making it rain-bullshit on the American people. Foil that one for me.
There have been BIOS destroying viruses before. Now the NSA is in the antivirus business? And by doing so, they save the U.S. economy? Even Norton and McAfee don't make this claim.
There's this moment when you're acting out when you cross from plausible belief to total, in-your-face disbelief. Does NSA seriously imply that such an attack would have lasting consequences? Do they really think that there wouldn't be many BIOS recovery solutions popping up left, right and center literally within hours? My bet is that within a week there'd be a thriving BIOS recovery business going on all around us, and the damage would be well contained in spite of whatever bullshit the clueless media would be spewing around.
A successful API design takes a mixture of software design and pedagogy.
Now that they have committed themselves to the role of protecting the country, can they track down the people who wish to bring down our country by exploiting our fears?
"Hi [insert computer bios maker here], I'm with the NSA - we've detected a BIOS damaging malware and we would like you to implement these changes to prevent it - No, we totally aren't actually just making shit up to get you to install a backdoor for us, okthxbie"
The Digital Sorceress
... this wasn't a Microsoft plot to advance UEFI Secure Boot, while implicating China?
Maybe it could use one of the backdoors or zero-day exploits that NSA keeps under its belt. They don't tell computer manufacturers about those threats because they want to use them themselves. Yeah, you guys are real heroes.
BIOS attack? Beyond not likely on a scale where you would have to target such a multitude of vendors running at different patch levels. This was aimed at the technically less inclined (most people).
As a lot of people have already pointed out, our economies are intimately intertwined. Such an attack on us would equal the same level of damage on them. Further, if this would have thrown the entire world into economic chaos, it would have been a double whammy against China. Triple since we would attack. Again: the Chinese are not so short sighted or stupid.
Fact: The NSA lied to the government about what they are up to. Lying to the American people is a cake walk compared to that.
Two things here:
1. My sig becomes more relevant with every passing day.
2. Yes the NSA effectively did say it was China - through "cyber security experts" instructed to say so and that are likely NSA contractors if they could have known that in the first place. The NSA accusing China of nearly pulling off an attack of military escalation proportions is so extraordinarily reckless it scares me that they would do it at all.
This is so fucked up. If you don't have a passport get one now and plan where you're going to escape to while there is still time.
Brought to you by Carl's Junior.
1) China supposedly destroys most pc's (and servers), we have our pants down. Insurance companies probably say not paying over terrorism clause but government stops that with "executive order" 2) I go on a hiring spree and sell more PC's than I can make, as does everyone else 3) service sector goes nuts installing and re-updating infrastructure 4) even homeless drunks with no skills can unwrap keyboards and set out system units for more skilled people 5) people get short-lived (1-2 years) but paying jobs and training 6) I make tons of money and blow it on strippers, houses, cars, and whatever I can think of, putting it back into the economy 7) most every small and medium business makes out on this deal. Sure, some insurance companies go bankrupt, but it would trigger some much needed liquidity oversight in that industry. THANK GOD YOU STOPPED ALL THAT!
If we really cared about viruses destroying the US economy, we wouldn't be still running windows in the business world.
FTFY
I don't always agree with Techdirt, I think they exaggerate, omit and sometimes distort for effect. That being said, they do good stuff also. They have a pretty good take down of the whole 60 Minutes puff piece, including the interviewer (hint- when you've never seen that interviewer before, you might be interested to know more about him) and also claims about the whole BIOS attack thing.
http://www.techdirt.com/articles/20131216/12580425582/cbs-airs-nsa-propaganda-informercial-masquerading-as-hard-hitting-60-minutes-journalism-reporter-with-massive-conflict-interest.shtml
I am sure there's more out there that's even more damning. This is the problem with the people running this organization. They've somehow enabled themselves to lie lie lie and think they're doing everyone a favor so it's OK.
That's just not how a democracy is run. If you've given up on democracy, like say Peter Thiel apparently has
http://techcrunch.com/2013/11/22/geeks-for-monarchy/
then that's cool. But you don't need to be running the organs of that democracy in that case. Have a nice retirement. It's on us.
Edward Snowden claims to have uncovered a plot to subvert our constitutional rights by a super secret organization. Both claims are far fetched... which do we have more proof of?
Computers, manufactured in China. Had a defect that led large number of machines to crash and brick. These were sold to the NSA. Who pointed the flaw out to the manufacturer. And received an update, and a scathing email addressing the NSA sysadmin for having updated all the machines with the wrong BIOS firmware.
a better response than my previous...
If such a virus was found that affected a large portion of the computers out there. If that is so, stopping a single virus deployment attempt is worthless; the virus still exists, and more importantly the vulnerability still exists. If they are being truthful in any way, then they have done absolutely nothing useful. As you say, where's the CVE? Where's the details? Without details this is useless.
With a terrorist attack or something, "trust us, it happened!" can sort of work...I guess. For this though - it's useless without details. More, without details - we're forced to believe that the NSA is just making crap up. Did they think about getting a person with any sort of compsci background to help the marketing/PR at NSA person come up with a valid "threat" that was being stopped? In theory there should be one or two there....
Lies! Iraq had WMDs! Didn't you see the 3D renderings of the mobile port-potties that Saddam had?!?
How does the fact that the US government lied tell us whether Saddam had or did not have WMD? It doesn't. It merely shows that the US gov't did not know but wanted to sell the war to the public. The truth is Saddam worked to maintain the IMPRESSION that he had WMD, he was scared of Iran and thought the fear of WMD could keep them at bay. He was afraid to admit he no longer had any. He explained it all to his FBI interrogator. It was a proper humane interrogation where the interrogator builds confidence and trust and uses psychology to persuade. A documentary was made. It's often cited as an example that "enhanced" interrogations are not needed.
NSA Says It Foiled Plot To Destroy US Economy Through Malware
What a coincidence. So did I!
I often don't like the choices people make, but I like the fact that people make choices. That's why I'm a conservative.
Seriously, they should be working hard to bring back manufacturing to America. Obama is, but the DOD should insist on all of their communications, including phones and networks, being made in the west. Just as China blocks goods from the west based on defense needs, we should be doing the same. This should include our telcos, utilities, etc. Ideally, we should push other western nations to do the same.
I prefer the "u" in honour as it seems to be missing these days.
Our governments certainly lied but they did not know what Saddam had. Not until there were US/UK boots on the ground did we really know one way or the other.
Sorry, but no. Many other foreign countries had a look at the evidence and they voted "no WMD". Only US lapdogs went along (coalition of the willing), everyone else took a pass. So people were able to tell "one way or another".
Operation McCall on CNN
IAEA Al-Tuwaitha site report
A little bit of critical reading of the two sources in conjunction with each other will show some discrepancies. I have a nice award from the OSD hung up in my basement that says I was at Al-Tuwaitha. My time in Iraq with dosimeter badges and looking at the abandoned fortifications atop the depicted berms (in the IAEA report) convince me that there was every appearance of a WMD program in Iraq. There may have been no nuclear weapon produced, but the theater was excellent.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Arguably this goes for anything on TV; but I found myself keeping it particularly in mind while watching the NSA segment. You have to watch it thinking, "How much of this will later be revealed as a lie?".
I bet a lot of people took that approach. It's called "credibility" and the NSA has lost it. They can't get it back with one dog and pony show. At least... you shouldn't let them get it back that easily.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
You have suggested we look at the hash-tag #badBIOS, to see the system in action, that deploys PC firmware updates via Windows. This is one of the several articles written on the Web about this, all from the same guy, who goes by the name "Ruiu": Suggested Link
What I find the most dubious about all this, is the ability "to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed." Also note, "(badBIOS) has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps." Can I be forgiven for not taking such claims seriously? To the best of my own knowledge,
(1) Actual BIOS updates are infrequent, not a part of any routine workflow.
(2) Even though virus-writers can use them to cripple computers - via a running O/S - SysAdmins can't use them unless they shut down the computer first, precisely because they do not work as described in this article.
(3) Attempts are frequently made to bypass Protected Memory on the O/S, to result in viruses gaining access to all the hardware. But this cannot - presently - be used to produce a changed BIOS which works normally.
(4) Instead of using floppy disks, we use USB sticks today. We put a file onto that USB drive, which has the filename extension .ROM. It stands for 'a ROM Image'. And because some advanced File Systems require that special drivers be loaded, even in this day and age we format those USB sticks with FAT32, just in case.
(5) It's considered gauche, if there is even more than one .ROM File on the stick, even though technically, the BIOS itself, booted into admin mode, displays the .ROM Files in a list, for the user to choose from.