Slashdot Mirror


Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets (reuters.com)

Hacker group Shadow Brokers, which has taken credit for leaking NSA cyber spying tools -- including ones used in the WannaCry global ransomware attack -- has said it plans to sell code that can be used to hack into the world's most used computers, software and phones. From a report on Reuters: Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world's biggest commercial secrets. In the blog post, the group said it was setting up a "monthly data dump" and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks. It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft's latest software system, Windows 10. The post did not identify other products by name. It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.

14 of 105 comments

  1. Trolling or stupid? by TWX · · Score: 4, Interesting

    > It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.

    Are they attempting to ensure that there's no safe harbor for them anywhere in the whole world? Seems like if one pisses off the USA, Russia, and China, that there's no country in the entire world that wouldn't give up these people to someone if their identities are uncovered.

    This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

    --
    Do not look into laser with remaining eye.
    1. Re:Trolling or stupid? by Moheeheeko · · Score: 2

      > This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

      I think this last week has proven that, yes, they do have access to these tools.

    2. Re:Trolling or stupid? by mfh · · Score: 3, Insightful

      Either they aren't thinking this through or they are shills for some government to give them an excuse for another scorched earth policy.

      Computers can be made secure most of the time with a little anti-stupidity. Firefox/netflix stops 99.999% of malware unless you whitelist some EvilWebsite. Don't open forwarded emails from your computer-challenged friends & family members.

      Sure there are some nasty exploits on almost every platform but most of them require a javascript call to execute or some poor sap to open an attachment and run it.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    3. Re:Trolling or stupid? by Anonymous Coward · · Score: 5, Insightful

      The NSA knows what the Shadow Brokers have (basically, everything the NSA has). The NSA knows how much damage they can do. Further, the NSA, and ONLY the NSA, are in a position to disclose the remaining weaponized vulnerabilities to Microsoft, to get them fixed, and protect the rest of us from harm.

      It's beautiful, you see. The NSA MUST voluntarily surrender the weapons that they have been sitting on, or they will be directly responsible for the use of those weapons against us. And this time, there is no head start...if the NSA doesn't disclose them, Microsoft can't fix them, and the ensuing hacks will make WannaCry look like a preshock.

    4. Re:Trolling or stupid? by TWX · · Score: 3, Insightful

      One of the things that has bothered me about computing developments over the last 20 or so years is that the push for easier and easier UI should have ended about fifteen years ago, and when the realization that an ever-increasingly-connected Internet was to be the future, the focus should have shifted away from UI and to backend security and testing of software products and protocols. Unfortunately that stuff isn't visual, so it's hard to sell a user on a new version of Windows without changing the look.

      In my opinion GUI development peaked sometime around 1996 or 1997. Windows 95 OSR2 with IE4 debuted and integrated the web browser into the filesystem shell in a way that's basically the same as it is today, and most of the elements in Windows that we're used to were implemented. In XWindows the most important elements of each major windowmanager project had been created. Only lagging was Apple, OSX wouldn't debut for another four or five years, but again, there were UI elements similar to Microsoft's or to Common Desktop Environment (CDE) or to KDE, so there wasn't a whole lot that was truly new, and a lot of the OS was borrowed from its predecessor NeXT anyway.

      Sure they've changed the colors, they've shifted back and forth between 3D-looking window frames and icons and 2D-looking window frames and icons, and they rearrange the look of the dialogue boxes or replace the Start Menu with a new menu, but they just seem to be reinventing the wheel, not actually creating anything new. But they aren't focusing on security like they should be either, even though with the UI nailed-down they really should be.

      --
      Do not look into laser with remaining eye.
    5. Re:Trolling or stupid? by Sir+Holo · · Score: 2

      Agreed. NSA bears a huge responsibility for any bad things that happen.

      NSA not only kept zero-day exploits secret, but they weaponized them. And, apparently, even wrote manuals for these weapons. Then they failed to keep these weapons secure -- now they are out there.

      Every day that NSA lets this stuff just sit out there, without doing anything to mitigate potential damage from their weapons, puts more and more responsibility on their shoulders.

    6. Re:Trolling or stupid? by sit1963nz · · Score: 2

      Who said financial reward was their ultimate goal?

      Maybe it's to force the US government into revealing all their exploits so they can be patched.

      The alternate is that US allies will feel betrayed, that loss of trust will get reflected in attitudes to the USA, make it a tipping point where US citizens get scrutinised more heavily at international borders, need visas for entry, trade goods will need closer (and more expensive) inspection, US owned transport given lower priority at ports and airports, reduction on dependence of US software companies, etc etc etc etc etc

      One way or another, this is a huge setback for the USA. And if that's the goal, the money is a smoke screen.

  2. End of Bitcoin by DatbeDank · · Score: 2

    It's only a matter of time before some harebrained bureaucrat suggests blocking bitcoin transactions as a means to prevent criminals from funding themselves.

    1. Re:End of Bitcoin by Anonymous Coward · · Score: 2, Informative

      Actually, I wonder if Bitcoin will prove their undoing.

      Contrary to popular belief, Bitcoin is not anonymous. It's pseudonymous. Every single bitcoin transaction is recorded in the shared ledger of which account it went from, and which account it went to - it's HEAVILY tied to an identity. The thing is anyone can set up a bitcoin wallet with an encryption key, so we don't know which real person each wallet is associated with.

      Why is this relevant? Because AT SOME POINT, the criminals need to get their money OUT of bitcoin and into the real world, where they can actually spend it on things. And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash.

      Because every single bitcoin transaction is traceable (this is the entire purpose of the ledger), it's easily knowable which wallet the ransom was paid to. It's easily knowable which other wallets that wallet transferred the bitcoins to. And, at some point, it will be knowable when one of those wallets attempts to trade bitcoins for cash. And, should the perpetrators be arrested at this point, there will be a forensically traceable trail tying them to every single ransom they were paid, and so to every crime they committed.

    2. Re:End of Bitcoin by cfalcon · · Score: 2

      > And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash

      Yea, but like any burgeoning semicriminal area, there's a reasonable amount of mitigations for this risk.

      The simplest one is overt laundering. You put some amount of your illegally gained money into a pool that is trusted to spit out some fraction of that at a later time, to an entirely different account. Because the pool is constantly spewing bitcoin at arbitrary accounts, it is not always obvious which goes where. As this can be repeated several times, it is argued online that it makes investigations difficult (or at least, that's the implication of the totally-not-a-criminal types who run these things).

      A secondary one is to convert bitcoin to an entirely different cryptocurrency, good, or future, one that is believed to be harder to trace, and then convert it from there to either bitcoin, or direct purchase of goods.

      It could also be directly turned into goods or services, or even donated to some supposed charity.

      Bitcoins clearly can be investigated, and are. If they can be traced properly, that capability is not a well known or frequently deployed one.
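
Added example (not part of either comment above, and not any investigator's real tooling): the forward ledger tracing described in the parent comment, and the dilution that pooling causes as described in the reply, using proportional ("haircut") taint over a constructed ledger. The address labels, amounts and the simplified account-style balance model are assumptions for illustration; real Bitcoin tracks unspent transaction outputs rather than account balances.

```python
from collections import defaultdict

# Constructed ledgers: (sender, receiver, amount), in chronological order.
# Every label is made up; none is a real address.
RANSOM_IN = [("victim_a", "ransom", 1.0), ("victim_b", "ransom", 1.0),
             ("ransom", "hop1", 2.0)]
DIRECT = RANSOM_IN + [("hop1", "exchange_dep", 2.0)]
MIXED = RANSOM_IN + [
    ("user_x", "mixer", 6.0),        # unrelated funds entering the pool
    ("hop1", "mixer", 2.0),          # ransom proceeds entering the pool
    ("mixer", "out1", 4.0),
    ("mixer", "out2", 4.0),
    ("out1", "exchange_dep", 4.0),
]

def taint_fractions(ledger, source):
    """Share of each address's receipts that traces back to `source`.

    Haircut rule: a payment carries taint in proportion to the tainted
    share of the sender's balance at the moment it is sent.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    received = defaultdict(float)
    received_tainted = defaultdict(float)
    for sender, receiver, amount in ledger:
        if amount <= 0:
            continue
        if balance[sender] >= amount:
            moved = amount * tainted[sender] / balance[sender]
            balance[sender] -= amount
            tainted[sender] -= moved
        else:
            moved = 0.0              # funded off-ledger: treated as clean
        if receiver == source:
            moved = amount           # everything paid to the source is tainted
        balance[receiver] += amount
        tainted[receiver] += moved
        received[receiver] += amount
        received_tainted[receiver] += moved
    return {a: received_tainted[a] / received[a]
            for a in received if received_tainted[a] > 0}

def cash_out_hits(ledger, source, exchange_addresses):
    """Exchange deposit addresses that received any taint, with its share."""
    fractions = taint_fractions(ledger, source)
    return {a: f for a, f in fractions.items() if a in exchange_addresses}

if __name__ == "__main__":
    print(cash_out_hits(DIRECT, "ransom", {"exchange_dep"}))
    print(taint_fractions(MIXED, "ransom"))
```

On the direct ledger the exchange deposit is fully attributable to the ransom wallet; after the pool, both pool outputs carry the same partial share, so the ledger alone no longer says which output belongs to the ransom recipient.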

  3. Odd Behavior by nehumanuscrede · · Score: 3, Interesting

    Considering their last attempt to sell such data was somewhat lacking in buyers, I'm curious why they don't just ring up WikiLeaks, get a semi-decent payday and be done with it.

    Unless, of course, it's the intel agencies themselves playing the part of TSB seeing who they can reel in on their fishing expedition.

  4. Re:How bad is this, really? by Opportunist · · Score: 3, Informative

    Erh... no. Allow me to shed some light onto this.

    I've been in IT security for about 10 years now. For most of this time, security was but an afterthought. Security is the equivalent of insurance or military: Expensive and utterly useless unless you really, really need it. Be honest, do you need fire insurance? As long as it doesn't burn anywhere, it's just a waste of money. And for the longest time, there was no fire anywhere in IT. Yes, from time to time there was a bit of a problem. A worm that dug into millions of computers. Or some big company was hit by a hack that did minimal damage.

    The problem here is that the damage was simply not high enough to warrant employing people who cost 6 figures a year and can't even guarantee you to be protected against anything that may come your way. Take this highly simplified risk calculation: If your potential damage in case the risk manifests isn't higher than the chance of it manifesting times the cost to mitigate it, it is more sensible to just carry the risk.

    And for the longest time, this was the case. Imagine a potential damage of a million bucks per incident. If that happens once every ten years in your company, your annual cost to mitigate must not be higher than 100k. And 100k isn't really much money in ITsec.

    If it costs more, you're better off just taking the hit once a decade.

    For the longest time this was actually a sensible way to operate. Financially sensible. We've been warning about something like this for years. It was pointless, because the risk never manifested as incidents.

    Now the incidents happen.

    And now it is too late. We're in too deep to recover. Most of the software and hardware we use cannot be sensibly secured, because, as noted before, security is an afterthought and was not part of the fundamental design. Take HTTPS of all the things. What is it, essentially, but a thin security fig leaf on top of http? And we're still dealing with crucial infrastructure like DNS and DHCP that are by no means secure (not only because they still use a protocol where you can't even sensibly find out who the hell sent the packet in the first place), and while secure replacements exist, their implementation cost too much. Not only because we'd need new hardware.

    More importantly, we'd need better trained administrators. Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self-signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here. We are critically underprepared for what's coming our way, what we see here is the tip of the spear that's going to hit us right into the chest.

    And we will not have the time left to don armor.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Writing Style by OverlordQ · · Score: 2

    > Using trademark garbled English,

    I wonder if they translate and reverse their releases to help defeat style-analysis on what they write.

    --
    Your hair look like poop, Bob! - Wanker.
  6. Re:Strike back by painandgreed · · Score: 2

    I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.

    I doubt American willpower was a serious contender considering the other side had people literally training to be suicide bombers. American troops typically were the first to break and run away. We had some advantages in that Americans were also the first to rally and run back into battle with more resolve, and with a different plan to make sure the last mistake didn't happen. The first mistake the Japanese did was mistakenly think that bombing people would make them want to give up. If anything, actively bombing a population has the opposite effect. Second, the sleeping tiger that the Japanese actually awoke was American industrial might. The Japanese could not replace sunken ships, downed airplanes, or dead pilots and soldiers. The US was pumping out enough for two fronts to double every year or two (not to mention while also supplying the Brits and Russians with considerable war material at the same time). Part of that was bad Japanese military tactics that aided in their downfall just like Sparta, while the US will try a different tactic till they find one that works, but mostly, it was just that America has the industry, economy, and population to win a war through attrition.