NSA’s ‘dynamite’ burned web

Powerful hack escaped from agency’s hands

Sun Sentinel Broward Edition - NATION & WORLD - By Ellen Nakashima and Craig Timberg, The Washington Post

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

But for more than five years, the NSA kept using it — through a time period that has seen several serious security breaches — and now the officials’ worst fears have been realized. The malicious code at the heart of the WannaCry virus that hit computer systems globally late last week was apparently stolen from the NSA, repackaged by cybercriminals and unleashed on the world for a cyberattack that now ranks as among the most disruptive in history.

The failure to keep EternalBlue out of the hands of criminals and other adversaries casts the NSA’s decisions in a harsh new light, prompting critics to question anew whether the agency can be trusted to develop and protect such potent hacking tools.

Current and former officials defended the agency’s handling of EternalBlue, saying that the NSA must use such volatile tools to fulfill its mission of gathering foreign intelligence. In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.

“It was like fishing with dynamite,” said a second.

The NSA did not respond to several requests for comment for this article.

The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it.

The attack spread virally because the criminal hackers combined EternalBlue’s ability to penetrate systems with other code that caused it to spread quickly, like a computer worm, something the NSA never intended. The resulting digital concoction snarled hospitals in Britain, the Interior Ministry in Russia and tax offices in Brazil.

An unlikely combination of voices, ranging from the American Civil Liberties Union to a top Microsoft official to Russian President Vladimir Putin, has singled out the NSA for its role in creating and eventually losing control of the computer code.

Microsoft President Brad Smith, in a blog post Sunday, compared the mishap to “the U.S. military having some of its Tomahawk missiles stolen.”

Putin, for his part, echoed Microsoft: “They said that the first sources of this virus were the United States intelligence agencies. Russia has absolutely nothing to do with this.”

While few critics are saying that the NSA should never develop malicious software — cracking into the computers of surveillance targets is key to its work — the WannaCry incident has revived concerns about internal security at an agency that in 2013 lost massive troves of secret documents to contractor Edward Snowden.

“They’ve absolutely got to do a better job protecting (the hacking tools). You can’t argue against that,” said former NSA Director Keith Alexander, who ran the agency from 2005 to 2014 but said he was unable to comment on any particular tool. “You had somebody stealing you blind. The government has got to do better at that.”

The global backlash to the Snowden revelations added urgency to the government’s efforts to revamp rules on when to report flaws to companies and when to use them for surveillance. Alexander said that about 90 percent of discovered flaws are reported to the companies that make the software.

Richard Ledgett, who retired this month as the NSA’s deputy director, said disclosing all flaws would amount to “unilateral disarmament.” He said the idea that “everything would be just fine” if the NSA disclosed all the vulnerabilities it finds is “nonsense.”

In August, a mysterious group calling itself the Shadow Brokers dumped a set of exploits — or hacking tools — online. The exploits are built to take advantage of software flaws.

The agency eventually warned Microsoft after learning about EternalBlue’s theft, allowing the company to prepare a software patch issued in March. But the Shadow Brokers did not just release the flaw, which would take time and talent to turn into a tool. They released the exploits, which means even a novice hacker could use them to cause damage.

After fashioning their own tool, WannaCry hackers deployed it last week, causing an immediate outcry. The White House convened an emergency meeting of Cabinet-level heads led by Trump administration homeland-security adviser Thomas Bossert.

U.S. systems were mostly spared, but the damage could have been far worse. Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions updated software that was especially vulnerable.

The NSA also made upgrades to EternalBlue to address its penchant for crashing targeted computers — a problem that earned it the nickname “EternalBlue-Screen,” after the blue screen often displayed by computers in distress.

To mitigate its instability in the early days, the NSA hackers were under strict usage rules that required approval from a senior supervisor on a target-by-target basis to use the exploit, the employees recalled.

After a few years, its stability was improved, but NSA was still mindful of the potential for harm if the tool somehow got breached.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

The Shadow Brokers’ first dump of exploits in August sparked a robust discussion within the Obama administration. “By that point, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former senior administration official said.

For years, NSA had its own internal process for weighing whether to disclose software flaws or keep them close so they could be used to build surveillance tools. In the spring of 2014, the Obama administration’s National Security Council kicked off a new process to vet vulnerabilities among agencies including the FBI, NSA, CIA and Department of Homeland Security.

PATRICK SEMANSKY/AP 2013

NSA’s powerful hacking tool EternalBlue wasn’t supposed to leave the agency’s hands.
