Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets (reuters.com)
Hacker group Shadow Brokers, which has taken credit for leaking NSA cyber spying tools -- including ones used in the WannaCry global ransomware attack -- has said it plans to sell code that can be used to hack into the world's most used computers, software and phones. From a report on Reuters: Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world's biggest commercial secrets. In the blog post, the group said it was setting up a "monthly data dump" and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks. It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft's latest software system, Windows 10. The post did not identify other products by name. It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.
Actually, I wonder if Bitcoin will prove their undoing.
Contrary to popular belief, Bitcoin is not anonymous. It's pseudonymous. Every single bitcoin transaction is recorded in the shared ledger, including which account it came from and which account it went to - it's HEAVILY tied to an identity. The thing is anyone can set up a bitcoin wallet with an encryption key, so we don't know which real person each wallet is associated with.
Why is this relevant? Because AT SOME POINT, the criminals need to get their money OUT of bitcoin and into the real world, where they can actually spend it on things. And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash.
Because every single bitcoin transaction is traceable (this is the entire purpose of the ledger), it's easily knowable which wallet the ransom was paid to. It's easily knowable which other wallets that wallet transferred the bitcoins to. And, at some point, it will be knowable when one of those wallets attempts to trade bitcoins for cash. And, should the perpetrators be arrested at this point, there will be a forensically traceable trail tying them to every single ransom they were paid, and so to every crime they committed.
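The tracing the comment describes, as an added example that is not part of the original post: a breadth-first walk over a constructed ledger starting at the ransom address, which enumerates every downstream wallet and flags payments from any of them into a known exchange deposit address. All addresses, transaction ids and amounts below are constructed sample data.

```python
"""Trace the flow of a ransom payment through a constructed bitcoin-style ledger.

Every transaction records a source and a destination address, so the set of
addresses that received (a share of) the ransom can be enumerated, and the
moment any of them pays a known exchange deposit address is a cash-out event
worth investigating. All data here is constructed for illustration.
"""
from collections import deque

# Constructed ledger: (txid, from_address, to_address, amount_btc).
LEDGER = [
    ("tx1", "victim_A",      "ransom_wallet",      0.3),
    ("tx2", "victim_B",      "ransom_wallet",      0.3),
    ("tx3", "ransom_wallet", "hop_1",              0.5),
    ("tx4", "hop_1",         "hop_2",              0.25),
    ("tx5", "hop_1",         "hop_3",              0.25),
    ("tx6", "hop_3",         "exchange_deposit_X", 0.2),
    ("tx7", "unrelated",     "exchange_deposit_X", 1.0),  # noise: not tainted
]

# Constructed: deposit addresses an investigator has attributed to an exchange.
EXCHANGE_ADDRESSES = {"exchange_deposit_X"}


def trace_taint(ledger, seed, max_hops=10):
    """Breadth-first walk from `seed` along payment edges.
    Returns {address: hops_from_seed} for every address that received
    funds downstream of the seed (seed itself included at hop 0)."""
    tainted = {seed: 0}
    queue = deque([seed])
    while queue:
        src = queue.popleft()
        if tainted[src] >= max_hops:
            continue
        for _txid, frm, to, _amt in ledger:
            if frm == src and to not in tainted:
                tainted[to] = tainted[src] + 1
                queue.append(to)
    return tainted


def cash_out_events(ledger, tainted, exchanges):
    """Transactions in which a tainted address pays a known exchange address."""
    return [tx for tx in ledger if tx[1] in tainted and tx[2] in exchanges]


if __name__ == "__main__":
    taint = trace_taint(LEDGER, "ransom_wallet")
    for txid, frm, to, amt in cash_out_events(LEDGER, taint, EXCHANGE_ADDRESSES):
        print(f"{txid}: {frm} -> {to} ({amt} BTC), {taint[frm]} hops from ransom wallet")
```

Victim addresses are upstream of the seed and are never marked tainted, and the unrelated deposit (tx7) into the same exchange address is not reported because its source was never downstream of the ransom wallet.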
Erh... no. Allow me to shed some light onto this.
I've been in IT security for about 10 years now. For most of this time, security was but an afterthought. Security is the equivalent of insurance or military: Expensive and utterly useless unless you really, really need it. Be honest, do you need fire insurance? As long as it doesn't burn anywhere, it's just a waste of money. And for the longest time, there was no fire anywhere in IT. Yes, from time to time there was a bit of a problem. A worm that dug into millions of computers. Or some big company was hit by a hack that did minimal damage.
The problem here is that the damage was simply not high enough to warrant employing people who cost 6 figures a year and can't even guarantee that you'll be protected against anything that may come your way. Take this highly simplified risk calculation: If your potential damage in case the risk manifests isn't higher than the chance of it manifesting times the cost to mitigate it, it is more sensible to just carry the risk.
And for the longest time, this was the case. Imagine a potential damage of a million bucks per incident. If that happens once every ten years in your company, your annual cost to mitigate must not be higher than 100k. And 100k isn't really much money in ITsec.
If it costs more, you're better off just taking the hit once a decade.
For the longest time this was actually a sensible way to operate. Financially sensible. We've been warning about something like this for years. It was pointless, because the risk never manifested as incidents.
Now the incidents happen.
And now it is too late. We're in too deep to recover. Most of the software and hardware we use cannot be sensibly secured, because, as noted before, security is an afterthought and was not part of the fundamental design. Take HTTPS of all the things. What is it, essentially, but a thin security fig leaf on top of http? And we're still dealing with crucial infrastructure like DNS and DHCP that are by no means secure (not only because they still use a protocol where you can't even sensibly find out who the hell sent the packet in the first place), and while secure replacements exist, their implementation costs too much. Not only because we'd need new hardware.
More importantly, we'd need better trained administrators. Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self-signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here. We are critically underprepared for what's coming our way; what we see here is the tip of the spear that's going to hit us right in the chest.
And we will not have the time left to don armor.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.