Archive for the ‘NSA’ Category

Baltimore’s bill for ransomware: Over $18 million, so far

June 5th, 2019
Baltimore City Hall, where the ransomware battle continues. (credit: Alex Wroblewski/Getty Images)

BALTIMORE—It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

"All city services remain open, and Baltimore is open for business," Mayor Young said at the briefing, listing off critical services that had continued to function during the network outage. City Finance Director Henry Raymond called the current state of systems "not ideal, but manageable"—some emails and phone services have been restored, and many systems have remained online, but payment processing systems and other tools used to handle transactions with the city remain in manual workaround mode. Department of Public Works director Rudy Chow warned residents to expect a larger-than-normal water bill in the future, as the city's smart meters and water billing system are still offline and bills cannot be generated.

Parking tickets and tickets generated by the city's speed and red light cameras can be paid in person if the ticket is in hand. The city has regained the data for all parking and camera-generated violations up to May 4, but it still lacks the ability to look up violations without the physical paper ticket or process payments electronically, city officials said. And the same is true for many other interactions with the city, which currently require mailing or hand-delivering paper documents and manual workarounds.


Posted in Baltimore ransomware attack, Biz & IT, EternalBlue, FBI, IoT, Maryland, NSA, Policy

Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

June 4th, 2019
Oh, Baltimore. (credit: Alex Wroblewski/Getty Images)

Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City's networks May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. Those documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank.

In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, "Hey, so did you use EternalBlue or not?":

absolutely not my friend

The account was shut down after its operator posted a profanity and racist-tinged final warning to Baltimore City Mayor Bernard "Jack" Young that he had until June 7 to pay for keys to decrypt files on city computers. "In 7 Jun 2019 that's your dead line," the post stated. "We'll remove all of things we've had about your city and you can tell other [expletives] to help you for getting back... That's final dead line." The same messages have been posted to the Web "panel" associated with the Baltimore ransomware, according to Joe Stewart, independent security consultant working on behalf of the cloud security firm Armor, and Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU).


Posted in Baltimore ransomware attack, Biz & IT, National Security Agency, NSA, Policy, robbinhood, shadow brokers, national security agency, tor

Eternally Blue: Baltimore City leaders blame NSA for ransomware attack

May 28th, 2019
Baltimore: An IT disaster area? (credit: Cyndi Monaghan via Getty Images)

The mayor and city council president of Baltimore are pushing for the ransomware attack that brought Baltimore's city government to a standstill to be designated a disaster, and officials are seeking federal aid to help pay for the cleanup from the RobbinHood malware's damage. This call came after a New York Times report that the ransomware used the EternalBlue exploit developed by the National Security Agency to spread across the city's network.

EternalBlue was part of a set of tools developed for the NSA's Tailored Access Operations (TAO) group that were leaked by Shadow Brokers in April 2017. The following month, the exploit was used as part of WannaCry, the destructive cryptographic worm that affected hundreds of thousands of computers worldwide. Shadow Brokers has been linked by some security experts to a Russian intelligence agency; WannaCry has been attributed to North Korea's military.

After being alerted by the NSA, Microsoft issued a security patch (MS17-010) in March of 2017 for the SMBv1 vulnerability exploited by EternalBlue (among others), including a patch for Windows Vista, which was at the time weeks away from leaving extended support. After WannaCry broke out in May 2017, Microsoft went further and issued an emergency patch for Windows XP, which had already dropped out of support.
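Since the patch only helps on hosts that have it, and EternalBlue only works against the SMBv1 dialect, here is the quick exposure check a defender would run on a Windows host. This is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the SMB and optional-feature cmdlets used here do not exist on Windows 7 / 2008 R2), and the `TARGET-HOST` name in the commented-out reachability test is a placeholder.

```powershell
# Added example (not from the original articles): inventory a Windows host's
# exposure to the SMBv1 bug that MS17-010 patched, then turn SMBv1 off.
# Run in an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later.

# 1. Is the SMBv1 server protocol still enabled? EternalBlue targets SMBv1 only,
#    so a host with SMBv1 off is not reachable by the exploit even if unpatched.
$smb = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 2. Is the SMB1 optional feature installed at all? On desktop SKUs this also
#    covers the client side, which WannaCry-style worms abuse to spread outward.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state: $($feature.State)" }

# 3. Which updates are present? Filter by date: MS17-010 shipped March 14, 2017,
#    so a host whose newest security update predates that is certainly unpatched.
$newest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
"Newest installed hotfix: $($newest.HotFixID) on $($newest.InstalledOn)"
if ($newest.InstalledOn -lt [datetime]'2017-03-14') {
    "WARNING: no updates since before MS17-010 was released; assume vulnerable."
}

# 4. Is TCP 445 reachable across the network? Run this line from a SECOND
#    machine, replacing the placeholder hostname (assumption, not a real host):
# Test-NetConnection -ComputerName TARGET-HOST -Port 445

# 5. Remediate: disable the SMBv1 server. This is defence in depth; it does not
#    replace installing the MS17-010 update for your Windows version.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMB1 server protocol disabled."
}
```

The hotfix-date test in step 3 is deliberately one-sided: a host with no updates since March 2017 is certainly unpatched, but a recent update date proves nothing on its own, because the exact KB numbers for MS17-010 differ by Windows version and may have been superseded by later cumulative updates. Treat an old date as a definite finding and a new date as "check the specific KB for this build".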


Posted in Baltimore City ransomware, Biz & IT, EternalBlue, microsoft, National Security Agency, NSA, Policy, shadow brokers, Windows

Trump gives Barr authority to declassify anything in campaign “spying” probe

May 24th, 2019
Trump's memorandum to agency heads gives Attorney General William Barr authority to declassify or downgrade classification of anything he sees fit in his investigation into "intelligence activity" around the 2016 presidential election. (credit: Chip Somodevilla/Getty Images)

Late in the day on May 23, President Donald Trump signed a memorandum ordering the heads of the Departments of Defense, Energy, and Homeland Security, and the Directors of National Intelligence and the Central Intelligence Agency to give Attorney General William Barr unfettered access to information about "intelligence activities relating to the campaigns in the 2016 Presidential election and certain related matters." The memorandum gives Barr the authority to declassify or downgrade the classification of any information he sees fit as part of the investigation.

Barr's investigation is not into electoral interference by foreign actors during the 2016 presidential campaign, but rather into whether US law enforcement and intelligence illegally spied on the Trump campaign. In an interview with Fox News earlier this month, Barr explained that "people have to find out what the government was doing during that period…If we're worried about foreign influence, for the very same reason we should be worried about whether government officials abuse their power and put their thumb on the scale."

The memorandum states that Barr can "declassify, downgrade, or direct the declassification or downgrading of information or intelligence that relates to the Attorney General's review." No restrictions are placed on what Barr can declassify, other than an instruction that "the Attorney General should, to the extent he deems it practicable, consult with the head of the originating intelligence community element or department."


Posted in 2016 presidential election, Donald Trump, GCHQ, NSA, Policy

Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak

May 7th, 2019
The National Security Agency headquarters in Fort Meade, Maryland. (credit: National Security Agency)

One of the most significant events in computer security came in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.

On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat hacking group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed DoublePulsar backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers. The revelation that the powerful NSA tools were being repurposed much earlier than previously thought is sure to touch off a new round of criticism about the agency’s inability to secure its arsenal.

Killing NOBUS

“This definitely should bring additional criticism of the ability to protect their tools,” Jake Williams, a former NSA hacker who is now a cofounder of Rendition Infosec, told Ars. “If they didn't lose the tools from a direct compromise, then the exploits were intercepted in transit or they were independently discovered. All of this completely kills the NOBUS argument.” “NOBUS” is shorthand for nobody but us, a mantra NSA officials use to justify their practice of privately stockpiling certain exploits, rather than reporting the underlying vulnerabilities so they can be fixed.


Posted in APT3, Biz & IT, buckeye, exploits, National Security Agency, NSA, shadow brokers, vulnerabilities

Spot the not-Fed: A day at AvengerCon, the Army’s answer to hacker conferences

May 2nd, 2019
Participants in AvengerCon III, held at the McGill Training Center at Fort Meade, Maryland, on November 27 take part in a lock pick village put on by TOOOL (The Open Organisation of Lockpickers). (credit: US Army)

FORT MEADE, Maryland—Late last year, I was invited to a relatively new hacker event in Maryland. Chris Eagle, a well-known researcher in the field of malware analysis and author of The IDA Pro Book, keynoted it. There were a number of really good talks at all levels of expertise, a couple of "Capture the Flag" (CTF) hacking challenges, and all the other typical hallmarks of a well-run hacker conference.

But this event, AvengerCon III, proved to be distinct in a number of ways from the BSides conferences and other events I've attended. The first difference was that keynote: Eagle, a senior lecturer at the Naval Postgraduate School, shared some news about an upcoming release of an open reverse engineering tool by referring to its "unclassified cover name." (The tool was Ghidra, a public reverse-engineering tool developed by the National Security Agency.) There were also a lot more people in camouflage than at most hacker events, and my CTF teammates were military intelligence agents. Perhaps the biggest giveaway that this wasn't any old hacker event? AvengerCon III was being held on Fort Meade and hosted by the US Army's 781st Military Intelligence Battalion (Cyber).

Part of the 780th Military Intelligence Brigade, the 781st was once known as the Army Network Warfare Battalion. It was the first Army unit formed to create a "cyberspace operations capability" within the Army—conducting offensive and defensive operations and intelligence collection in support of US forces around the world. So technically, AvengerCon is not a conference. It's a "training event," in Army parlance, intended to bring the hacker learning culture to the Army's cyber warriors.


Posted in Army Cyber Command, Biz & IT, fort meade, hacker conferences, NSA, Policy, US Army

Ex-NSA Contractor Pleads Guilty to 20-Year-Long Theft of Classified Data

March 29th, 2019
A former National Security Agency contractor—who stole an enormous amount of sensitive information from the agency and then stored it in his home and car for over two decades—today changed his plea to guilty. The theft was labeled the largest heist of classified government material in America's history. Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, abused his

Posted in cyber espionage, cyber security, Edward Snowden, hacker arrested, hacking news, NSA, nsa agent, NSA contractor, nsa hacking tools, The Shadow Brokers

NSA Releases GHIDRA Source Code — Free Reverse Engineering Tool

March 6th, 2019
Update (4/4/2019) — Great news. NSA today finally released the complete source code for GHIDRA version 9.0.2, which is now available on its GitHub repository. GHIDRA is the agency's home-grown, formerly classified software reverse engineering tool that agency experts have been using internally for over a decade to hunt down security bugs in software and applications. GHIDRA is a Java-based reverse

Posted in cyber security, cyber security software, Ghidra, hacking news, NSA, reverse engineering tool, Reverse-engineering, software reverse engineering

NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence

March 4th, 2019
Rob Joyce, senior cybersecurity advisor to the Director of the National Security Agency (NSA), shown here speaking at the Aspen Cyber Summit in November of 2018, warned at a presentation to DOD contractors that the US needs to be more aggressive in cyber operations to achieve anything resembling deterrence of state hacking attacks. (credit: Bloomberg via Getty Images)

At an industry event in Hanover, Maryland last week, former National Security Council cybersecurity policy coordinator and acting Homeland Security Advisor Rob Joyce—now back at the National Security Agency as senior advisor to NSA Director General Paul Nakasone—warned that the US government needs to do more than just counter cyber attacks launched against the US. "We have to impose costs in a visible way to start deterrence,” Joyce told attendees of a February 28 Armed Forces Communications and Electronics Association (AFCEA) chapter meeting, according to a report by CyberScoop's Sean Lyngaas. "We have to go out and try to make those operations less successful and harder to do.”

Citing the WannaCry and NotPetya malware attacks (attributed to North Korea and Russia, respectively, by US intelligence), along with the Russian hacking and disinformation campaigns in the run-up to the 2016 US presidential elections, Joyce said that state-sponsored cyberattacks have been shifting from "exploitation to disruption." While electronic espionage continues, attackers have increasingly focused on doing economic damage to the US and its allies, he said.

Joyce spoke as President Donald Trump was bringing his summit with North Korean leader Kim Jong Un to an early close—and as North Korean hackers reportedly continued a 15-month campaign targeting US and European businesses.


Posted in Biz & IT, NSA, Policy, Rob Joyce, Russian election interference, US Cyber Command

Kaspersky blew whistle on NSA hacking tool hoarder

January 9th, 2019
NSA got a message from Kaspersky that one of its own was being very, very bad, according to a new Politico report.

Harold T. Martin III, a former government contractor, is still facing trial for the alleged theft of massive amounts of National Security Agency data, including documents and tools from the NSA's Tailored Access Operations Division. Now, a new report by Kim Zetter for Politico suggests that the NSA and the Justice Department tracked down Martin thanks to information shared by an ironic source: the Moscow-based malware protection company Kaspersky Lab. Citing two anonymous sources familiar with the investigation, Zetter reports that Kaspersky Lab employees passed information on Martin to the US government after he sent unusual direct messages via Twitter to the company in 2016.

Kaspersky passed the US government five messages that an anonymous Twitter account named @HAL999999999 had sent to two researchers at the company. The first message, sent August 15, 2016, requested that a researcher facilitate a conversation with "Yevgeny," the given name of Kaspersky Lab founder and CEO Eugene Kaspersky. "So, figure out how we talk... With Yevgeny present," the message read. The second message: "Shelf life, three weeks."

The messages came just 30 minutes before someone calling themselves Shadow Brokers dumped a link to a collection of NSA tools in a Tumblr post and announced that additional tools would be auctioned off for 1 million bitcoins.


Posted in Biz & IT, harold martin, Kaspersky, Kaspersky Lab, NSA, Policy, shadow brokers, national security agency