Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets (reuters.com)
Hacker group Shadow Brokers, which has taken credit for leaking NSA cyber spying tools -- including ones used in the WannaCry global ransomware attack -- has said it plans to sell code that can be used to hack into the world's most used computers, software and phones. From a report on Reuters: Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world's biggest commercial secrets. In the blog post, the group said it was setting up a "monthly data dump" and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks. It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft's latest software system, Windows 10. The post did not identify other products by name. It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.
> It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.
Are they attempting to ensure that there's no safe harbor for them anywhere in the whole world? Seems like if one pisses off the USA, Russia, and China, that there's no country in the entire world that wouldn't give up these people to someone if their identities are uncovered.
This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.
Do not look into laser with remaining eye.
It's only a matter of time before some hare-brained bureaucrat suggests blocking bitcoin transactions as a means to prevent criminals from funding themselves.
Considering their last attempt to sell such data was somewhat lacking in buyers, I'm curious why they don't just ring up WikiLeaks, get a semi-decent payday and be done with it.
Unless, of course, it's the intel agencies themselves playing the part of TSB seeing who they can reel in on their fishing expedition.
Last time they pulled that stunt I think the bid went up to 3 or even 5 bitcoins.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Erh... no. Allow me to shed some light onto this.
I've been in IT security for about 10 years now. For most of this time, security was but an afterthought. Security is the equivalent of insurance or military: Expensive and utterly useless unless you really, really need it. Be honest, do you need fire insurance? As long as it doesn't burn anywhere, it's just a waste of money. And for the longest time, there was no fire anywhere in IT. Yes, from time to time there was a bit of a problem. A worm that dug into millions of computers. Or some big company was hit by a hack that did minimal damage.
The problem here is that the damage was simply not high enough to warrant employing people who cost 6 figures a year and can't even guarantee you to be protected against anything that may come your way. Take this highly simplified risk calculation: If your potential damage in case the risk manifests isn't higher than the chance of it manifesting times the cost to mitigate it, it is more sensible to just carry the risk.
And for the longest time, this was the case. Imagine a potential damage of a million bucks per incident. If that happens once every ten years in your company, your annual cost to mitigate must not be higher than 100k. And 100k isn't really much money in ITsec.
If it costs more, you're better off just taking the hit once a decade.
For the longest time this was actually a sensible way to operate. Financially sensible. We've been warning about something like this for years. It was pointless, because the risk never manifested as incidents.
Now the incidents happen.
And now it is too late. We're in too deep to recover. Most of the software and hardware we use cannot be sensibly secured, because, as noted before, security is an afterthought and was not part of the fundamental design. Take HTTPS of all the things. What is it, essentially, but a thin security fig leaf on top of http? And we're still dealing with crucial infrastructure like DNS and DHCP that are by no means secure (not only because they still use a protocol where you can't even sensibly find out who the hell sent the packet in the first place), and while secure replacements exist, their implementation cost too much. Not only because we'd need new hardware.
More importantly, we'd need better trained administrators. Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here. We are critically underprepared for what's coming our way, what we see here is the tip of the spear that's going to hit us right into the chest.
And we will not have the time left to don armor.
Releasing exploits and sensitive data that harms the USA is understandable as the US government is just a pussy (and yes I live in the US). Piss on Russia or China and they may find their cohorts dead with their genitals in their mouths or polonium in their veins. Do you really think the Russian equivalent of Snowden would still be alive today?
Conservative, mod down for violating
> Using trademark garbled English,
I wonder if they translate and reverse their releases to help defeat style-analysis on what they write.
Your hair look like poop, Bob! - Wanker.
> Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here.
Yes, because we *ALL* know how trustworthy the CAs are. With a self-signed cert, you have direct and immediate control over it. Going through a CA, you're trusting (there's that concept again) that they know what they're doing, that they're not issuing... alternative... certs that you didn't authorize, and that should your cert be compromised, they'll inform you in a timely (if at all) manner.
I suspect that one of these choices is incorrect. Correct.
They are profiteers wanting to make money selling computer exploits; they won't care who buys them, even if some terrorists buy them to extort or rob banks and corporations with to fund terrorist activity. They need to be found and stopped.
Politics is Treachery, Religion is Brainwashing
See subject: THIS is your proof as to exactly HOW & WHY https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/ via "Windsor Green"... there's some SECURITY INFO for you.
* Plus, the stupid LIBS used for https? Always break backward compatibility EVERY SINGLE F'ING TIME so when old model's found to be breakable (ala TLS & SSL)? They don't keep the same return types (common way to bust API's by shithead rookies) so that legacy apps can't use them right in THEIR code!
APK
P.S.=> It's TOTAL horseshit so WE AGREE here & mere "lip service" security-theater that is EASILY broken (especially by the NSA)... apk
I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.
Well, America, it is time to hit back at those that seek to disrupt our way of life through these attacks. We are seeing just the beginning of this new warfare, but we need to hark back to the spirit that was awoken in us in 1941, and we need to hit them back 100 times over for every strike on us. We owe it to the Free World.
Don't worry. Quite a few companies will be in the near future...
Why should I trust your cert? More importantly, why should I believe that the cert your server presents to me is your cert? How do I know it is your server presenting the cert and not some man in the middle? I cannot verify a self signed certificate. I have no way to determine whether the certificate you present to me is genuine.
Stop spamming every comments section with this crap. There is probably another, better suited online platform to air out your creative brainfarts.
sudo rm -r -f --no-preserve-root /
Americans "We come in peace, shoot to kill".
Can I assume that you also believe any foreign government has a right to retaliate?
No matter what you have been told, American lives are not automatically worth more than anyone else's.
"Oops, sorry, we thought that American Airlines plane full of passengers was the military aircraft used to ship in the US terrorists...our bad"
Trump is NOT really smart.
And of course such an action could put a target on the back of every American overseas.
Brutality and killing has only ever resulted in MORE people being brutalised and killed, and is never actually a solution.
By trusting a signed cert I basically trust that signing company (certificate authority), and this doesn't always work out. Stolen certs were used to spread virus/malware infections, and political activists in Iran were spied on by their gov't because some CA's root certificate was hacked.
Certs signed by registered CAs may offer a tad more protection against MITM attacks than self signed ones, but they are definitely no silver bullets.
yawn
If you're so scary smart, let's see Trump's taxes.
Re "The only reason you aren't hearing about them being penetrated all the time, is that it goes undetected."
That's the interesting part. The lists of the antivirus brands that don't have the skills to do behavioral analysis or watch over the OS for changes.
Some brands have the staff and skills to find and track gov funded malware long term.
With more smart people globally reading the gov files, more people might just avoid those low quality AV brands and buy quality AV that detected or was able to track past gov malware.
The more new people that buy the AV, the more new staff can be hired, the better detection and tracking gets.
Domestic spying is now "Benign Information Gathering"
Re "Any other country"
Other nations got their networks totally penetrated by the NSA and GCHQ so they don't do anything interesting on the phone or internet anymore.
They learned from all their past network mistakes and have people thinking about better security.
They have a secure base, site, science city that's totally secure from the outside world. No tourists, no students on holiday, no illegal migrants, no foreigners wandering around, no embassy staff making friends. Fewer spies get near their sites of interest.
Their secrets stay safe as they test and select their staff to a better level too.
None of that US gov worker, US contractor, mil, other agency staff mix with questions about who is giving orders and why the wage differences.
Why does a new company get to give orders? Why the wage gap for the same work? Why is the contractor enjoying the nice wage with less skills and less skills? Other nations don't have the work place wage tensions and stress the US has. Gov and mil make the work place better for all cleared workers in other nations.
Other nations educated their staff well and then profile the people with traits who won't walk out with their nation's secrets.
The US just lets any contractors in and they do a day job until they are moved to the next job. Great for short term profits, very bad for gov security.
Other nations just don't do that as they know it's bad for their security. The US also stores data in plain text on internet facing computers. No encryption, fast networks.
The West hires contractors on talent, imagination, creativity. Such people can then leak data for "reasons" given the same ability to think and dream.
Other nations just don't give such "creative" people security clearances. Want to play fantasy computer games all day? No security clearance, mil work or gov work. Other nations still have a uniform or gov sector esprit de corp and only hire the best their nation has to offer.
No contractors giving orders to mil and gov staff and needing a project kept in plain text so other contractors can work on the same project all around the USA.
The US spreads its projects out to as many contractors as possible so wisdom and creativity can flow up from the best in the private sector. The profit motive always ensures new ideas.
Other nations just keep their secret secure and work hard on getting the project ready. The site is secure.
No data on open networks for the NSA and GCHQ to gather. No staff wandering around to be approached by the CIA and MI6 with a huge cash offer to buy secrets. Other nations have very small budgets and fewer staff and mil to watch too. They have learned from all their past decades of NSA, GCHQ, CIA, MI6 issues.
I figured they are going to piss off someone with some real money that's going to put a price on their heads. I wish I had the money to do it.
youusa people gonna die?
There is no silver bullet. And people understanding certificates wrongly is only the tip of the iceberg. Even if they do start to get the idea, it isn't a given that they actually understand the implications. Just because the certificate is CA signed doesn't mean that your data is protected. At least if you click a link that connects you to Bank0fAmerica.com. Yes, the connection is encrypted and the certificate is really for the server Bank0fAmerica.com. But I somehow doubt that this is where you want to send your Bank of America credentials...
Security is a process, not a product. Security isn't a little black box you can buy, put in the corner, connect to your network and it automagically protects you against anything and everything an attacker may throw at you. I know that this is what management wants and keeps buying from snake oil peddlers, but it just does not work that way.
That does not mean that it's futile, that we should throw our hands up, yell "it's hopeless" and give the attackers free rein. It isn't hopeless and it isn't impossible. But it is an arms race. It isn't something you can buy today and forget about it, it is something you have to develop, implement, measure, evaluate and refine. Constantly.
That management does not like to hear this is a different matter...
So I read the document provided and I can spare the rest of the community the work: The (insert three letter agency of choice here) have a supercomputer in the making or already ready that's a few hundred times faster than anything they had before and that can easily break 1024-bit key encryption.
So switch to 4096-bit and SHA256.
That's basically the gist of the document and the solution to this the-sky-is-falling problem. They have not broken https, they just threw more computing power against it. Which is pretty pointless when you have an asymmetric problem like encryption. By doubling my workload to encrypt, I can increase your workload to break by the tune of 10^10. All you have to do when you know your enemy is increasing its brute force computing power is to increase the key size, and unless something spectacular changes in the game, it more than nullifies his attempt.
Until recently I actually thought that you knew a thing or two about security...
CA signed certificates protect you only in those cases where you don't need protection anyway, and as soon as you really need this protection against MITM, they are the first to fall while instilling a wrong sense of security. As long as there is no truly dependable CA out there, one might as well put the same amount of trust in self signed certificates.
US/UK based companies have shown on multiple occasions that they are ready to bend over for authorities as fast as they could; just remember the shameful behavior of Mastercard/Visa/Amazon during the WikiLeaks/Cablegate episode, or Google/Yahoo with regard to Chinese dissidents. CAs from other countries are either borderline incompetent (remember DigiNotar) or just as easily manipulated/coerced, just with less media coverage than US based companies.
The biggest issue with half-arsed solutions like this CA mess is that people put way too much trust in them. These "solutions" switch people into ignorance=bliss mode. While everybody will agree that security is a process and not a product, it's just so damn convenient to forget this once in a while.
CAs protect against rogue actors. Normal criminals. Protection against criminal governments takes more effort.
"The only place in the company that doesn't have a budget constraint is that area."
I would assume that 99.99% of all MITM attacks were executed by, or per request from, a government, typically the one the client resides in. I just don't see my Telco or some upstream provider sniff on my banking or gmail traffic unless my government would specifically instruct them to do so. Once that is the case, no browser automated CA signature check can save you.
SSL/TLS are mechanisms to ensure that traffic is encrypted such that only you and the actual endpoint of the connection can read its contents. Putting any trust beyond this in such a connection is likely going to lead to a compromise. Once we settle for this, a self signed certificate is just as trustworthy as one signed by some CA.
Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.
It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates. Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.
It is completely unfeasible for the masses of encrypted servers out there. If I first had to verify the signature of every single https server I connect to, I wouldn't do much else with my time.
> Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.
Once you lost control over your computer, encryption won't be of much help - just think of keyloggers ...
> It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates.
This is generally not practical, since it would require you to receive authentication through a distinct communication channel - not happening at least in WWW. Current situation goes like this:
1. you call a phone number you found somewhere.
2. party claims to be someone.
3. party sends you SMS confirming that party is really who they claim they are.
4. you send SMS to someone else, asking "is this really who I think it is?" and
5. that someone else tells you "yes, it is!"
Since that "someone else" owes you exactly nothing, whereas that "someone else" gets paid by the party you actually got on the phone, whoever that may be, you have a massive conflict of interest working against you, making self signed certs not less credible than CA signed ones.
> Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.
I agree, that's hardly feasible for world wide web traffic. Still: SSL/TLS is great for protecting against sniffing by peers (=other folks on the same LAN), but not for much else, regardless of who signed your certificate.
In this case the certificate (along with pinning) does less for your security than for your ability to detect that the connection is compromised. That's the whole point behind CA-signed certificates. They don't encrypt any better than self signed, they only tell you that the encryption isn't between you and who you think you are connecting to.
And yes, verifying the authenticity of self-signed certificates isn't feasible in most circumstances, unless the required security warrants the disproportionally insane overhead. But yes, such applications exist. They are rare and certainly not something you do for your average online server, but I have traveled myself just to deliver a key in person to ensure that all important authenticity.
What I cannot agree to is that TLS isn't sufficient to encrypt sensitive data. Its actual weakness currently is mostly to verify the authenticity of the other end, the encryption part is actually pretty decent.
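An added example in Go (not code from any poster in this thread) that shows the two trust models the self-signed-vs-CA discussion above keeps circling, and the 4096-bit/SHA256 comment's premise that trust is in the verification, not the encryption: chain validation rejects a self-signed certificate unless you deliberately add it to your root pool, while an out-of-band SPKI pin detects a different key presented under the same name. The host name bank.example and the in-memory keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a throwaway self-signed certificate for host.
// Constructed for this example: the key and cert never leave memory.
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pin compares.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainTrusted reports whether cert chains to one of roots for host. With an
// empty pool nobody vouches for a self-signed cert, so it is rejected; adding
// the cert itself to the pool is the explicit "I control this cert" decision.
func chainTrusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinMatches anchors trust in a pin delivered out of band; a different key
// presented under the same name is detected rather than silently accepted.
func pinMatches(cert *x509.Certificate, expectedPin string) bool {
	return spkiPin(cert) == expectedPin
}

func main() {
	srv, _ := newSelfSigned("bank.example")
	pin := spkiPin(srv)                      // handed over out of band, e.g. in person
	mitm, _ := newSelfSigned("bank.example") // same name, different key
	fmt.Println("self-signed chains to empty pool:", chainTrusted(srv, x509.NewCertPool(), "bank.example"))
	fmt.Println("server pin matches:", pinMatches(srv, pin), "impostor pin matches:", pinMatches(mitm, pin))
}
```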
"Brutality and killing has only ever resulted in MORE people being brutalized and killed, is never actually a solution."
Spoken like a true, brainwashed, ignorant liberal... Apparently you failed history class. Here are a few highlights of the exact opposite: WW2 ended "new Socialist" Hitler's bid for world domination and extermination of around 8 million people of "lesser races", Korea stopped the brutalization and murder of millions of south Koreans (see what happened when the US failed in Vietnam and the millions of people brutalized and 7.5 million murdered there after we left http://rebirthofreason.com/Art... ), Desert Storm (the people of Kuwait were saved from brutalization and murder), even the crusades for all their faults, stopped the bloody, violent, imperialist expansion of Islam http://www.americanthinker.com... .
Trump's intelligence was underestimated by a lot of people, including you, apparently. How smart he actually is will be determined by his record.
Considering your own apparent lack of basic history, I suggest you may better use your time reading up on history so that in the future you can make a more reasonable argument.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like