Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.”

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as “Security Update for Microsoft Windows SMB Server (4013389)”. Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on GitHub, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.

It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look good at all in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Mr. Robot’s realistic depiction of hacking

As I read Cory Doctorow’s recent Technology Review post, “Mr. Robot Killed the Hollywood Hacker”, I found myself nodding my head enthusiastically. Anyone who knows much about computers and watches Mr. Robot will have noticed that the show’s depiction of hacking is very different from what we usually see on TV and in movies. The user interface is a text console. Everything is done with arcane text commands. Nothing is flashing, except the prompt. In other words, it’s accurate.

For as long as computers have been shown in movies and TV, they have been depicted as flashy, noisy, exploding, and otherwise utterly fanciful, almost magical devices. Hollywood obviously took one look at reality and collectively said “no way, that’s boring as hell.” So the vast majority of computer depictions in movies and TV are some art director’s crazy fantasy of how a computer should look.

I long ago stopped complaining about this. Nobody wants to listen to me drone on about how unrealistic a computer is in some TV show. Now, I just allow myself to be amused. I told myself that this was just harmless hyperbole, a layer of pizazz added onto reality to make it more entertaining.

But Doctorow makes an interesting point: the traditional depiction of computers by Hollywood isn’t as harmless as it may seem.

The 1983 film WarGames is about a high school kid who accidentally hacks into a military computer and almost starts a global thermonuclear war. There were – and still are – a lot of reasons why this is an unlikely scenario, but hey, this is entertainment. A lot of people saw the film, and most enjoyed it, including me. One of the least realistic parts of the film shows the WOPR computer smoking and burning when it becomes overloaded. Real computers just stop working when they’re overtaxed. Anyway, I didn’t mind the silliness; it’s all good fun, right?

Wrong. Apparently, WarGames got some people in Washington worried about whether a high school kid really could hack into military systems and start a war. In 1984, one year after the release of WarGames, the US Congress passed the Computer Fraud and Abuse Act (CFAA), which made activities related to hacking illegal. The legislation is ill-defined and overly broad, and it’s widely seen as pointlessly destructive. It contributed to the suicide of Aaron Swartz, who was being charged with crimes related to the CFAA.

The next time you’re watching a TV show or movie, and see an inaccurate depiction of something, ask yourself: “is this really just a harmless Hollywood convenience?”