The NSA told Microsoft about a security flaw instead of using it as a weapon.

Disclosing the Windows vulnerability is a big shift in agency’s approach

The Washington Post - FRONT PAGE - BY ELLEN NAKASHIMA

The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could expose computer users to significant breaches, surveillance or disruption — and alerted the firm about the problem rather than turning it into a hacking weapon, officials announced Tuesday.

The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.

“This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October. “As soon as we learned about [the flaw], we turned it over to Microsoft.”

Cybersecurity professionals hailed the move.

“Big kudos to NSA for voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch said in a tweet Tuesday. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”

The bug — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used in government and business today.

Microsoft issued a patch for the flaw Tuesday. The company’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.

“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” Jeff Jones, senior director at Microsoft, said in a statement.

The NSA’s action may help restore the agency’s image, which was tarnished after it lost control of a powerful hacking tool it called EternalBlue. One former agency hacker said using EternalBlue was like “fishing with dynamite” because the intelligence yields were so bountiful.

The NSA built that weapon by exploiting a software flaw in some Microsoft Windows operating systems, and used it for at least five years without telling the company. But when the agency learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.

Despite the patch, Russian and North Korean hackers were able to turn the tool to their own purposes, launching destructive attacks such as NotPetya and WannaCry that created global havoc and costly damage to businesses and other organizations.

The NSA, which was still recovering from surveillance disclosures by a former agency contractor, suffered a further hit to its reputation. To this day, companies are grappling with ransomware and intrusions enabled by EternalBlue, though some ransomware attacks have been erroneously linked to the tool.

“Right now [Neuberger’s] trying to rebuild the reputation of NSA’s role in the defense of the nation,” said Richard “Dickie” George, who until 2011 was the agency’s technical director for information assurance. “You’re trying to build public confidence in the NSA.”

EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA recently uncovered would be useful to hackers seeking to break into some computers running Windows 10.

When a Windows user logs onto a website, the user’s browser checks the authenticity of the site through software provided by Microsoft. The NSA discovered an error in the software code that fails to properly check the authenticity.

A sophisticated hacker seeking to exploit the flaw could build a weapon that reroutes users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs ransomware, “you name it,” said Jake Williams, a former NSA hacker who cofounded Rendition Infosec, a cybersecurity firm.

Microsoft and the NSA reported that they have seen no active exploitation of the flaw.

“If the flaw is patched quickly, it’s not that dangerous,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. “If a lot of people don’t patch, it could be a disaster.”

The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.

George, who for years ran an internal NSA process to weigh whether to disclose software vulnerabilities to industry, said the agency informed vendors of flaws in the vast majority of cases. Many were not significant enough to be considered for use by the agency’s hackers. He said that “we had given 1,500 [bugs] to Microsoft in two years” in the early 2000s.

In the past, when the NSA disclosed flaws to companies, “no one knew we did it.” That was partly because the companies did not want to advertise that they were working with the spy agency, he said.

Secrecy has other merits, George said. Announcing that a vulnerability is being patched gives malicious hackers a chance to find a way to exploit it, he said.

But Neuberger said the agency wants to ensure that the wider public heeds the warning. “Cybersecurity network owners have far more alerts and other things on any given day than they can possibly address,” she said. “We routinely hear that what they most value is our flagging the things that are most important. So our notification to them ... is ... carefully timed to achieve that objective.”
