NSA Says It Foiled Plot To Destroy US Economy Through Malware

mrspoonsi writes "Business Insider Reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."

NSA failed to halt subprime lending, though.

[fractoid]

...and subprime lending really DID destroy the U.S. economy.

Re:NSA failed to halt subprime lending, though.

And Iraq had WMDs. And the NSA never lied to congress or the people... how stupid do they think we are?

Re:NSA failed to halt subprime lending, though.

[afxgrin]

It's a fucking propaganda piece. It's quite easy to see right through the bullshit.

If a BIOS exploiting malware was a real threat where's the CVE for it? Where's the advisory?? A BIOS crippling virus released into the wild has no need for secrecy unless the NSA themselves released it. It's quite convenient they mention they thwarted a "major cyber attack" without releasing the name of the virus nor when this supposedly happened.

What a fucking joke that entire interview was....

Re:NSA failed to halt subprime lending, though.

[Cenan]

This is exactly what the NSA _should_ be doing. It's too bad that they have spent so much focus on stuff _other_ than this.

Which begs the question, how come this was not among the first things touted as their reason for being? How come this was not mentioned before Congress? Or to the media? How come this whole thing sounds utterly made up?

Re:NSA failed to halt subprime lending, though.

[Desler]

Recently? The intelligence agencies were doing all manner of inappropriate things throughout the 50s, 60s and in the 70s until the Church Committee was created to investigate. Their gross abuses of power during those decades was the entire point of why the FISA legislation was passed. And it was not to create the rubber-stamp court that we have now.

It's amazing how 9/11 has made so many people forget the rampant abuse of power in the NSA's and CIA's history.

Re:NSA failed to halt subprime lending, though.

[number6x]

The NSA probably commissioned some vendor to write a key-logger that would install in a computer's BIOS. They probably paid billions of dollars for development and research.

Then they tested it on a few computers and the NSA malware bricked them all.

So the NSA canceled the project, saving America from a malware threat that would have tanked the economy. See how diligently they work to save Americans from cyber threats?

Next week they'll stimulate the economy by breaking everyone's windows (pun intended).

Re:NSA failed to halt subprime lending, though.

[Runaway1956]

More accurately, Iraq had a lot of chemical weapons in the 1980's, and we stood idly by while Saddam expended them. When I say "we", I mean that very literally, and very personally. I was there, along with my shipmates, to see it happening. We helped to document it. We stood idly by while Saddam expended huge quantities of chemical weapons.

By 2002, when we decided that Sadman was so very sad that we had to do something about him, he had very little to nothing left.

Our governments (US and UK) knew very well what Saddam had, and what Saddam was capable of. Our governments exaggerated everything by orders of magnitude, and bald faced LIED TO US. Those truckloads of stuff that went to Syria? Probably some bad stuff. Most of it was far more likely to have been plundered treasures, destined to ensure a life of security, if not ease, for certain select people dear to Sadman.

But, you go on believing the propaganda.

You will note, I hope, that I've said nothing in Saddam Hussein's defense. I have ONLY pointed out how dishonest our own governments are.

Re:NSA failed to halt subprime lending, though.

[Phreakiture]

It is entirely possible that they did, indeed, halt a plot, just as they said they did. It is also possible they did not. It's very difficult to tell at this point, because the one thing of which I am sure of, and I speculate most Americans are as well, is that they lie and they do it without hesitation. My confidence in anything they say is near enough to zero that the difference can be written off as rounding error.

As a consequence, it really does not matter what they say.

Re:NSA failed to halt subprime lending, though.

[mrchaotica]

Regardless of the truth, the NSA will not get credit. If they did stop a malware attack, most Americans won't believe it. If they didn't, I'm sure they wouldn't bother trying to appeal to a dubious populace.

I'll happily believe the NSA stopped the malware attack in question, and I'll happily give them credit for it.

However, it does not give them even a single tiny shred of excuse for all the unconstitutional totalitarian treason, for which I will continue to call for their prosecution.

Re:NSA failed to halt subprime lending, though.

[dAzED1]

No. It is not possible they did this. Doing this would require fixing the vulnerability - did they hack into the bios programming tools at all the motherboard manufacturers and secretly fix this problem? Did they hack everyone's computer and install the firmware update? An OS patch is one thing, but a firmware patch? This particular problem can not have been fixed with just a handwaving. It's one thing to say they intercepted a phone call and foiled a terrorist plot. It's another thing to claim they updated all current and future disparate BIOS firmware to protect against an undisclosed vulnerability. That is impossible, and makes them even more ridiculous.

Re:NSA failed to halt subprime lending, though.

[sexconker]

It is entirely possible that they did, indeed, halt a plot, just as they said they did.

Not it fucking isn't.

The NSA says it closed this vulnerability by working with computer manufacturers.

Where are motherboards and BIOS shit is fucking manufactured / written? (Hint: China and Taiwan)

Do you really think it's possible that a BIOS update was created by those manufacturers that:
1: Applied to all the vulnerable systems, many of which are 10+ years old and manufactured by a now defunct-company
2: Worked
3: Got deployed
4: Had all of the above happen with no one knowing about it outside of the NSA, the manufacturers, and the one guy in the world who writes BIOS patch notes
?

Hell, I'll GIVE you the fucking BIOS patch notes.

BIOS Version 2.3.5

1 - Updated tables to half-support new Intel processors. Buy a new motherboard with new socket if you want it to actually work, though.
2 - Updated Intel Option ROM. Just kidding, we're not updating that anymore, this motherboard has been out for 2 months already.
3 - Various menu items have been slightly changed, and some of your settings will be wiped, we won't document which or why, though.

At least this shit is believable.

Expect these claims to be walked back

[the_scoots]

Once those pesky real journalists that insist on facts and sources start digging into this, I'd expect the cataclysmic claims will be slowly walked back to something much less sinister, like almost all other claims of thwarted plots.

Re:Expect these claims to be walked back

[Raenex]

I suspect the those pesky real journalists probably don't enough about the tech side of things to ask the questions they really need to be asking in order to debunk this.

The 60 Minutes piece has already been trashed by multiple outlets:

http://nymag.com/daily/intelligencer/2013/12/60-minutes-hearts-the-nsa.html

http://www.theguardian.com/world/2013/dec/16/nsa-surveillance-60-minutes-cbs-facts

http://www.thewire.com/national/2013/12/60-minutes-nsa-good-snowden-bad/356174/

http://www.theatlantic.com/politics/archive/2013/12/why-did-em-60-minutes-em-let-the-head-of-the-nsa-fool-its-audience/282377/

http://www.thenation.com/blog/177598/sad-decline-60-minutes-continues-weeks-nsa-whitewash

Not buying this

[Akratist]

China holds a huge amount of our debt. They want us to buy their stuff and to borrow money from them. Why cripple our economy? Or, even worse, why do something like this that will point a finger back to them and stir up the pot against them? (and possibly lad to embargos, and so on)

Re:Not buying this

[WankersRevenge]

China holds a huge amount of our debt.

Our debt is around 17 trillion dollars. Of that 17 trillion, China owns around 1.2 trillion. A large number for sure, but not something I'd say is a rather small percentage of the total debt. The debt owned by the public equates to 12 trillion which is something I'd call huge.

National debt of the United States

Re:Not buying this

[Rob+the+Bold]

China holds a huge amount of our debt. They want us to buy their stuff and to borrow money from them. Why cripple our economy? Or, even worse, why do something like this that will point a finger back to them and stir up the pot against them? (and possibly lad to embargos, and so on)

Ya, it makes no sense. Like if I pulled up to the Starbucks drive-thru to order a venti double-skinny mocha latteachio with no foam and instead they went all Goldfinger on my car. You don't try to kill your best customer.

Likewise if this was some freelance/rogue/criminal/terrorist operation inside China, I'd think they (the Chinese) would be motivated to foil it themselves for the same reasons.

The NSA should have cooked up a more plausible bogus plot to foil, but instead they don't even respect us enough to make up a believable lie.

What a load of bollocks

[dido]

If these attackers the NSA supposedly thwarted (the Chinese it is speculated), managed to gain control over large numbers of computers with access enough to damage their firmware, it would make far better sense to keep those machines alive and working for them instead. You could cause far more damage to the US economy by keeping those machines alive and pwn3d than if you simply bricked them. A bricked machine will cost a few hundred dollars to fix. A pwn3d machine is a gift that keeps on giving!

house of cards?

[AntEater]

Does this strike anyone else as being utterly ridiculous? "Cataclysmic"?? I mean, if a bunch of bricked computers could bring down our economy (and possibly the global economy) then isn't the whole thing in need of some serious attention? Maybe we've built an unreasonable amount of dependence on something that is entirely too frail to warrant such trust? - both the computer systems and our current economic system.

Prove it

[bradley13]

Right, sure they did. A BIOS attack of the sort hinted at in this interview is difficult to believe.

If they worked with computer manufacturers to close some such massive security hole, then they can easily point to the historical vulnerability. The technical community can verify their claims. Failing that, no, I do not believe such an attack ever existed outside the overheated imagination of some technically illiterate NSA bureaucrat.

In other news, I have a bridge I'd like to sell you.

It's obviously false.

[QilessQi]

the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy

Sorry, I'm not buying it. Despite the NSA's best efforts, Microsoft did release Vista.

BIOS Attacks

[the+eric+conspiracy]

Have been known for years. The problem is you have to gain admin access to the machine first, so basically you are bricking your own botnet.

LOL.

We've been there, done that; CIH virus

[freax]

http://en.wikipedia.org/wiki/CIH_(computer_virus)

ps. It didn't destroy the US economy.

Re:We have all the evidence!

[phrostie]

and this lame vague shit is the best they can do.

100% of the NSA budget needs to be given to NASA.

Which is really irrelevant to the debate

[davidannis]

because I can't imagine the scenario in which they uncovered that plot by looking at the metadata from American cellphones.

Yeah, right, NSA, we believe you soooo much (not)

[tekrat]

Please. I saw this on 60 Minutes and that entire pandering two-parter on Sunday night was a such a load of bullshit, I could smell it through the TV.

And this segment of it was the worst, because it made no sense. I mean, they dumbed the story down for Ma and Pa in Pigsknuckle Arkansas, but for anyone with even a hint of technical acumen, it came off as complete tripe.

Why *exactly* would China want to destroy the global economy? Such a move would hurt them more than us, because they are in a period of crazy growth, and their entire stability *depends* upon that growth or they'd have rioting.

Secondly, if a nation wanted to destroy us, why use "malware"? A better way would be to use lobbyists to force more deregulation and let us cut our own throats as we've already seen. Our own greedy bastards will happily destroy the global economy if it means 6 more dollars in *their* pockets.

The whole thing is fishy and smells of NSA desperation to look good to the average american, and paint the Chinese and Edward Snowden as bad guys we need to be afraid of so that the NSA can "protect" us, by of course, stripping us of all our rights.

Re:Guys seriously please dont hate us!

[danceswithtrees]

Includes those that are set not to automatically upgrade BIOS, of course

Two words: BIOS backdoor!

More importantly, they need to show that the massive dragnet of surveillance of all Americans was essential to find out about this.

Another thing, ironic that the US worries about other people doing things that it has already done. For example, the US created Stuxnet and is worried someone else will follow our lead. The US dropped a nuclear bomb on civilians and we are worried someone else will follow our lead.

Re:Guys seriously please dont hate us!

[MrBandersnatch]

I thought it was odd too untli I read the article and realised they were not talking about a real threat, they were talking about an analysts scenario. To quote:

"One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."

So basically this is a fear-mongering story since if the country in question had had the intention and capability to deploy such an attack, it would have been SUCCESSFUL. Only a small proportion on PCs would have been "fixed" if they had "worked with computer manufacturers".

They really do think everyone is stupid don't they?

Re:Piss-poor reporting

From your link:

Matt Blaze, a computer and information sciences professor at the University of Pennsylvania, said that BIOS could be overwritten by malware, bricking an unsuspecting computer. But the vagueness of the description of the “BIOS Plot” made him suspicious.

“It would take significant resources – and an extraordinary bit of co-ordination and luck – to actually deploy malware that could do this at scale,” Blaze said.

“And it's not clear how you'd ‘thwart’ such a scheme if you found out about it if you were NSA, since it's basically a combination of a large number of vulnerabilities spread among a zillion computers rather than one big problem that can be fixed with a single patch.”

The lack of specificity made cybersecurity expert Robert David Graham dubious that the plot NSA claimed to discover matched the one it described on TV. “All they are doing is repeating what Wikipedia says about BIOS,” Graham blogged, “acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.”