#shadow_broker

  • @mediapart
    Mediapart @mediapart 22/05/2017

    The #wannacry #virus reveals the gaps in global cybersecurity
    ▻https://www.mediapart.fr/journal/international/220517/le-virus-wannacry-revele-les-lacunes-de-la-cybersecurite-mondiale

    Some ten days after the ransomware appeared, plenty of responsibility can be pointed out: that of the #NSA, which directly inspired the virus, that of the states which let a genuine market in software vulnerabilities develop, and that of the companies which had been warned of an attack.

    #International #cybersécurité #ransomware #Shadow_Brokers

  • @fredlm
    fred1m @fredlm PUBLIC DOMAIN 15/05/2017

    Steemit - Wikipedia
    ▻https://en.wikipedia.org/wiki/Steemit

    https://upload.wikimedia.org/wikipedia/commons/f/fa/Steemit-big.png

    User accounts can upvote posts and comments, and the authors who get upvoted can receive a monetary reward in a cryptocurrency token named STEEM and US dollar-pegged tokens called Steem Dollars. People are also rewarded for curating popular content. Curating involves voting comments and post submissions. Vote strength and curation rewards are influenced by the amount of STEEM Power held by the voter.

    #steemit #bitcoin #blockchain

    none of this is very readable to me, right now...

    • @fredlm
      fred1m @fredlm PUBLIC DOMAIN 15/05/2017

      The Shadow Brokers — Wikipédia
      ▻https://fr.wikipedia.org/wiki/The_Shadow_Brokers

      On April 8, the #Shadow_Brokers, saying they were disappointed with the policy of the recently elected US president Donald Trump (notably the American strike on Syria following the Khan Sheikhoun massacre of April 4, 2017), reappeared.

    • @fredlm
      fred1m @fredlm PUBLIC DOMAIN 15/05/2017

      I think I am behind on my reading (once again :/ )
      see: ▻https://seenthis.net/messages/598345

  • @etraces
    e-traces @etraces ART LIBRE 13/05/2017

    Leaked NSA Malware Is Helping Hijack Computers Around the World
    ▻https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-wo

    In mid-April, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the “Shadow Brokers.” Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding (...)

    #NSA #Microsoft #spyware #Windows #hacking #Wannacry

    • @erratic
      schrödinger @erratic 13/05/2017

      also ►https://seenthis.net/messages/597997

    • @fredlm
      fred1m @fredlm PUBLIC DOMAIN 15/05/2017

      #zero_day ; #defective_by_design ; #shadow_brokers ; #blockchain

  • @erratic
    schrödinger @erratic 13/05/2017

    Warning: for Windows systems: important spread of #WannaCry (#Wcry) ransomware

    ▻http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html?m=1
    ▻https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide

    The malware/worm is causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organisations in multiple countries, including the UK, Spain, Germany, and Turkey. Telefonica, FedEx, and the UK government’s National Health Service (NHS) have been hit. Operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

    The ransomware completely encrypts all your files and renders them unusable. They ask you to pay some money ($300 to $600 worth in bitcoins) to get the decryption key. Paying does not guarantee you will get a decryption key though.

    The malware spreads through social engineering e-mails.
    Be careful with any attachments you receive from unknown sources (and even known sources). Make sure the files are sent intentionally.
    Watch out for .pdf or .hta files, or links received via e-mail that point to .pdf or .hta files.

    More than 45.000 computers worldwide have already been infected, but there appears to be a kill switch, i.e. a way to stop its spreading.
    As one of the first operations, the malware tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the program terminates.

    This can be seen as a kind of kill switch provision, or perhaps it had some particular reason. Whichever it is, the domain has now been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that run the malware. This will of course not help anyone already infected.

    Microsoft has released a patch to block the malware on Windows machines:

    MS17-010
    ▻https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    It is important to apply the patch because other variants of the malware can exploit the same vulnerability and/or use a different domain name check.

    Nice technical analysis of the worm:

    ▻https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r

    And more technical info about the worm itself: (careful)

    ▻https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

    #include <stdint.h>

    #define WC_SIG_LEN    8      /* "WANACRY!" */
    #define WC_ENCKEY_LEN 256    /* assumed: RSA-2048-encrypted AES key */

    typedef struct _wc_file_t {
        char     sig[WC_SIG_LEN];    // 64-bit signature "WANACRY!"
        uint32_t keylen;             // length of the encrypted key that follows
        uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
        uint32_t unknown;            // usually 3 or 4, meaning unknown
        uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
        uint8_t *data;               // ciphertext: data encrypted with AES-128 in CBC mode
                                     // (in the file it directly follows the 280-byte header)
    } wc_file_t;
    

    #malware #worm #ransomware #NSA #Shadow_Broker #EternalBlue

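Added example (not from the post above or from any of the analyses it links): a small Python script that scans resolver query logs for lookups of the kill-switch domain named in the post, which is the cheapest way to list the hosts that ran the sample. The BIND-style log layout is an assumption and the lines are constructed; the domain list is a set so that the different domains checked by later variants can be added.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain (added example)."""
import re
from collections import defaultdict

# Domain named in the post. Later variants checked other domains, so keep a set.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample lines in an assumed BIND-style query-log layout.
SAMPLE_LOG = """\
13-May-2017 09:01:12.331 client 10.0.1.25#51234: query: www.example.org IN A + (10.0.0.53)
13-May-2017 09:01:13.002 client 10.0.1.77#49021: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
13-May-2017 09:01:13.450 client 10.0.1.77#49022: query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.53)
13-May-2017 09:02:41.118 client 10.0.2.10#40211: query: update.microsoft.com IN A + (10.0.0.53)
13-May-2017 09:03:05.777 client 10.0.3.9#53111: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN AAAA + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(qname):
    """Lower-case and strip the trailing dot so FQDN and relative forms match."""
    return qname.lower().rstrip(".")


def find_killswitch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [timestamps]} for every lookup of a kill-switch domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        if normalise(m.group("qname")) in domains:
            timestamp = line.split(" client ", 1)[0]
            hits[m.group("ip")].append(timestamp)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

A lookup only tells you the host executed the sample; it does not tell you whether the connection succeeded and the process exited, so every host listed should be checked for encrypted files and patched for MS17-010 regardless.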
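The struct quoted above is a file layout, so here is an added Python parser for it (example code, not from the gist or the post). Field widths follow the struct; the 256-byte key field (an RSA-2048-encrypted AES key) and the `WANACRY!` magic are assumptions made explicit in the code, and the sample file is constructed rather than a real artefact.

```python
"""Parse the header of a WannaCry-encrypted file (added example)."""
import struct
from dataclasses import dataclass

WC_SIG = b"WANACRY!"        # assumed 8-byte magic
WC_ENCKEY_LEN = 256         # assumed: RSA-2048-encrypted AES key
# sig, keylen, key, unknown, datalen; little-endian, no padding
HEADER = struct.Struct("<8sI256sIQ")
HEADER_LEN = HEADER.size    # 280 bytes


@dataclass
class WcFile:
    keylen: int
    enc_key: bytes      # RSA-wrapped AES key, keylen bytes
    unknown: int        # usually 3 or 4 according to the struct comment
    datalen: int        # original plaintext length (to truncate padding after decrypt)
    ciphertext: bytes   # AES-128-CBC ciphertext, whole blocks


def parse_wncry(blob):
    """Validate and split a .WNCRY-style blob into its header fields and ciphertext."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a WANACRY! header")
    sig, keylen, key, unknown, datalen = HEADER.unpack_from(blob, 0)
    if sig != WC_SIG:
        raise ValueError("missing WANACRY! signature")
    if keylen > WC_ENCKEY_LEN:
        raise ValueError(f"keylen {keylen} exceeds the key field")
    ciphertext = blob[HEADER_LEN:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    if datalen > len(ciphertext):
        raise ValueError("datalen exceeds ciphertext length")
    return WcFile(keylen, key[:keylen], unknown, datalen, ciphertext)


def is_wncry(blob):
    """True if the blob parses as a WANACRY! file, False otherwise."""
    try:
        parse_wncry(blob)
        return True
    except ValueError:
        return False


def build_sample(plaintext_len, enc_key=b"\x42" * WC_ENCKEY_LEN, unknown=4):
    """Constructed .WNCRY-style blob for exercising the parser (not a real sample).
    Ciphertext length is the plaintext rounded up to the next whole block."""
    padded = (plaintext_len + 16) // 16 * 16
    header = HEADER.pack(WC_SIG, len(enc_key), enc_key.ljust(WC_ENCKEY_LEN, b"\0"),
                         unknown, plaintext_len)
    return header + b"\xAA" * padded


if __name__ == "__main__":
    f = parse_wncry(build_sample(1000))
    print(f"keylen={f.keylen} unknown={f.unknown} datalen={f.datalen} "
          f"ciphertext={len(f.ciphertext)} bytes")
```

The `datalen` field is what a decryptor needs to strip the trailing block padding and restore the exact original size; the rest of the header is what a scanner can match on to find encrypted files without relying on the file extension.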
    • @erratic
      schrödinger @erratic 13/05/2017

      here too: ►https://seenthis.net/messages/597948

    • @erratic
      schrödinger @erratic 13/05/2017

      In French:

      ▻http://www.leparisien.fr/high-tech/douze-pays-victimes-d-une-cyberattaque-massive-des-hopitaux-britanniques-
      ▻http://www.lemonde.fr/international/article/2017/05/13/une-cyberattaque-massive-bloque-des-ordinateurs-dans-des-dizaines-de-pays_51
      ►http://www.lalibre.be/dernieres-depeches/afp/une-attaque-informatique-massive-frappe-a-travers-le-monde-5916cbd3cd7002254

    • @erratic
      schrödinger @erratic 13/05/2017

      and for the less technical:

      ▻http://www.leparisien.fr/high-tech/cyberattaque-massive-quelle-attitude-adopter-face-a-un-rancongiciel-13-05

      “Rançongiciels” (“ransomware” in English) promise to release your data in exchange for paying a ransom. Some advice on guarding against this type of attack, or dealing with it.

    • @erratic
      schrödinger @erratic 13/05/2017

      https://pbs.twimg.com/media/Cud5h2BWcAAq_X7.jpg

    • @sandburg
      Sandburg @sandburg CC BY-SA 13/05/2017
      @erratic

      The Internet of Things and the problems that are not yet very visible:
      ▻https://seenthis.net/messages/598009

      @erratic do you have another link to this cartoon?
      (Test) this link looks static:

      http://www.geekculture.com/joyoftech/joyimages/2340.png

    • @fredlm
      fred1m @fredlm PUBLIC DOMAIN 15/05/2017

      #zero_day

    • @erratic
      schrödinger @erratic 16/05/2017

      As expected, new variants have arrived which no longer have the “kill switch” bypass.

      The number of infected machines has reached 200.000 now.

      ▻https://www.cnet.com/news/wannacry-ransomware-patched-updated-virus-kill-switch
      ▻https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware

      #Uiwix

    • @erratic
      schrödinger @erratic 16/05/2017

      A regularly updated page with lots of interesting info on the evolution of this WannaCry malware

      ▻https://www.wannacry.be

    • @erratic
      schrödinger @erratic 20/05/2017

      Hackers are trying to reignite WannaCry with botnet attacks

      As WannaCry went to sleep by registering a certain domain and putting a live web server on that IP (kill switch), hackers now try to bring down that web server so that the WannaCry infected machines would wake up again

      ▻https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack

      #Mirai

    • @erratic
      schrödinger @erratic 20/05/2017

      Supposedly, it is possible to get decryption keys without paying the ransom - provided you didn’t reboot your windows machine.

      ▻http://www.ibtimes.co.uk/wannacry-how-decrypt-recover-your-data-infected-windows-systems-1622512

      IBTimes UK earlier reported how French cybersecurity researcher Adrien Guinet, from Quarkslab, released a decrypting tool that allowed only Windows XP users to recover their data. Guinet’s work was advanced by internationally acclaimed ethical hacker Benjamin Delpy who exploited the shortcomings of WannaCry and used it to create a tool called WanaKiwi that produces a decryption key for Windows XP, 7, 2003, 2008 and possibly Vista.

      French ethical hacker and co-founder of CloudVolumes, Matt Suiche confirmed that WanaKiwi has been tested and shown to work on Windows 7 and older Windows versions like XP, 2003 and more. Europe also tweeted confirming they were able to use the tool for decryption.

      How it works
      While WannaKey extracted prime numbers that had not been erased from the system and were vital to the decryption key, it required a separate app to transform those bits into the secret key. WanaKiwi scours the memory of the infected systems, extracts the p and q variables the secret key was based on, and reassembles the finished key all by itself. The tool then uses the key to decrypt all files locked by the WannaCry ransomware.

      The WanaKiwi decryption tool:

      ▻https://github.com/gentilkiwi/wanakiwi/releases/tag/0.1

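An added illustration (not WanaKiwi's code) of the recovery the article describes: with the public modulus N known, scan a memory dump for a little-endian window whose value divides N, take it as p, derive q and the private exponent d, and unwrap the RSA-encrypted key. The dump is synthetic, the two small Mersenne primes stand in for the 1024-bit primes of a real RSA-2048 key, and the assumption that p sits contiguously in little-endian form in memory is an assumed layout.

```python
"""Rebuild an RSA private key from a prime left in process memory (added example)."""
from math import gcd

E = 65537


def find_prime_in_dump(dump, n, width):
    """Return (offset, p) for the first width-byte little-endian window that
    divides n, or None. Only p and q divide n, so a hit is a prime factor."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, p, e=E):
    """Given n and one factor p, return the private exponent d."""
    q, r = divmod(n, p)
    if r:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_and_decrypt(dump, n, wrapped_key, width):
    """Scan the dump, rebuild d and unwrap a textbook-RSA-encrypted key.
    Returns None when no factor survives in the dump (e.g. after a reboot)."""
    hit = find_prime_in_dump(dump, n, width)
    if hit is None:
        return None
    _, p = hit
    d = rebuild_private_key(n, p)
    return pow(wrapped_key, d, n)


# ---- constructed scenario (synthetic dump, small primes) ----
P = (1 << 61) - 1   # Mersenne prime M61, stands in for a 1024-bit prime
Q = (1 << 31) - 1   # Mersenne prime M31
N = P * Q
WIDTH = 8           # window size matching the size of P and Q in bytes


def make_dump():
    """1024 bytes of non-prime filler with P and Q dropped in at fixed offsets."""
    filler = bytes(range(256)) * 4
    p_le = P.to_bytes(WIDTH, "little")
    q_le = Q.to_bytes(WIDTH, "little")
    return filler[:100] + p_le + filler[108:500] + q_le + filler[508:]


SESSION_KEY = int.from_bytes(b"SESSIONKEY!", "big")   # stands in for the AES key
WRAPPED_KEY = pow(SESSION_KEY, E, N)                  # what the file header would hold

if __name__ == "__main__":
    m = recover_and_decrypt(make_dump(), N, WRAPPED_KEY, WIDTH)
    print(m.to_bytes(11, "big"))   # b'SESSIONKEY!'
```

The scan is the whole trick: it works only while the prime is still in memory, which is why the article stresses not rebooting, and it needs the modulus (from the key material the malware leaves on disk) to tell a prime from noise. Real implementations also have to know the byte order and layout the crypto library used for its key blobs; the contiguous little-endian form above is the simplest case.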
  • @mediapart
    Mediapart @mediapart 22/08/2016

    #NSA “cyber-weapons” are put up for auction on the Internet
    ▻https://www.mediapart.fr/journal/international/210816/des-cyber-armes-de-la-nsa-sont-mises-aux-encheres-sur-internet

    Hackers are offering to the highest bidder files from a subcontractor of the American agency that specializes in making viruses and hacking tools. This new blow to the American services reignites the #Numérique (digital) war with #Russie (Russia), which once again figures as a suspect.

    #International #Edward_Snowden #FSB #piratage #Shadow_Brokers #TAO

  • @mediapart
    Mediapart @mediapart 21/08/2016

    “Cyber-weapons” of the American #NSA are put up for auction on the Internet
    ▻https://www.mediapart.fr/journal/international/210816/des-cyber-armes-de-la-nsa-americaine-sont-mises-aux-encheres-sur-internet

    A group of hackers is offering to the highest bidder hundreds of files from a subcontractor of the American agency that specializes in making viruses and hacking tools. This new blow to the American services also reignites the ongoing #Numérique (digital) cold war with #Russie (Russia), which once again figures as the ideal suspect.

    #International #Edward_Snowden #FSB #piratage #Shadow_Brokers #TAO

  • @simplicissimus
    Simplicissimus @simplicissimus 19/08/2016

    on the NSA Leak #Shadow_Brokers (tweets of 6/08/16)
    (via @baroug (thanks!))

    Edward Snowden (@Snowden) | Twitter on the NSA Leak
    ►https://twitter.com/Snowden

    The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: (1/x)

    1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.

    2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.

    3) This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.

    4) Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.

    5) Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

    6) What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

    7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

    8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant:

    9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

    10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

    11) Particularly if any of those operations targeted elections.

    12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

    13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

    Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it’s cheap and easy. So? So...

    • #Twitter
  • @simplicissimus
    Simplicissimus @simplicissimus 19/08/2016

    The NSA Has a New Disclosure Policy : Getting Hacked | Foreign Policy
    ▻https://foreignpolicy.com/2016/08/18/the-nsa-has-a-new-disclosure-policy-getting-hacked

    On Monday, when tech executives arrived in their offices, just days after a mysterious group of hackers released what they claimed were a set of NSA hacking tools, a familiar and frustrating pattern was taking shape. America’s premier signals intelligence agency had once again discovered unknown flaws in products used to secure computer networks around the globe, but instead of telling the manufacturers, the NSA pocketed those flaws, like skeleton keys that would let them open doors to others’ networks whenever and wherever they wanted.

    If the tools released by the group known as the “Shadow Brokers” are legitimately from the NSA — and security researchers and agency veterans say that they appear to be — the agency now faces a fresh round of questions about how the breach occurred and when the agency found out.

    That’s because the data released by the Shadow Brokers contained what are known as “zero days,” software flaws that are unknown to the manufacturer of a piece of software or hardware, and thus flaws for which no patch is even in the works.

    Stockpiling such vulnerabilities is part of an international arms race in cyberspace. Last weekend’s dump exposed what is likely a small part of the American arsenal of such high tech battering rams, and it has reignited a debate among security researchers about whether the government should be stockpiling them, or if it should be revealing those vulnerabilities to manufacturers to make American networks more robust.

    Given that the hardware made by the likes of Cisco Systems and Fortinet are often the backbone of the networks used by the U.S. military and State Department, helping those companies lock the back door should be a “no-brainer,” said Jason Healey, a former cyber operator for the U.S. Air Force and now a researcher at Columbia University.

    “It would disappoint me if they knew and didn’t tell” the very vendors that are outfitting critical parts of the U.S. government, he said.

    But some NSA veterans tick off plenty reasons not to share the information. Tipping off the Chinese and Russians about potential weaknesses makes no sense, said Dave Aitel, a former NSA research scientist and the CEO of Immunity, a security firm. And broadcasting just what tools the NSA is using risks compromising operations both past and present, he said.

    On Wednesday, Cisco and Fortinet said they had not been notified about the software flaws that had been exposed. Timestamps in the released NSA code indicate that the hacking tools were likely swiped in October of 2013, though such marks can be easily faked.

    On paper, the U.S. government has a process to determine whether to tell manufacturers they’ve got a problem. The interagency process was established in 2010, fell into disuse, and was then “reinvigorated” in 2014, in the words of White House cybersecurity chief Michael Daniel.

    But security experts across the political spectrum scoff at the process and the notion that it seriously considers giving away potentially valuable zero-day vulnerabilities.

    “Anything that has intelligence value is not going to be released,” Aitel says.

    Chris Soghoian, the chief technologist at the ACLU, agrees. “It’s clear the game is rigged” against disclosure, he said.

    But thanks to the #Shadow_Brokers, the vulnerabilities have been disclosed after all — not to the manufacturers, but to the entire world. What amounts to a series of military-grade hacking tools are now freely available on the internet, on sites such as this one. These tools can be used by hackers to break into firewalls, control a network, and spy on users. Another tool may be capable of stealing a users’ encryption keys.

    So far, one of the tools released stands out: #ExtraBacon. That piece of code targets Cisco’s Adaptive Security Appliance firewall, widely used by both the U.S. government and private sector companies. ExtraBacon allows an attacker to take control of the firewall and monitor all traffic on it — a classic NSA strategy. On Wednesday, Cisco issued a security alert for the high-severity vulnerability; the company has so far not patched it, and has only issued a “work-around” for the problem.

    Excellent title, by the way :-D

  • @simplicissimus
    Simplicissimus @simplicissimus 17/08/2016

    Exotic Code in #Shadow_Brokers Release Points to #NSA | Foreign Policy
    ▻http://foreignpolicy.com/2016/08/16/exotic-code-in-shadow-brokers-release-points-to-nsa

    After a group of mysterious hackers claimed to have broken into the NSA and posted a portion of its stolen code, security researchers were left with a pressing, vexing question: Was the material released by the so-called “Shadow Brokers” actually from the NSA?

    The answer appears to be yes. On Tuesday, researchers at Kaspersky, the Russian cybersecurity firm, said their analysis of the Shadow Brokers’ code found a trail of digital breadcrumbs that leads straight back to the NSA.

    The Shadow Brokers claim to have broken into the systems of hackers known as the #Equation_Group. That group was first identified in a Kaspersky report released last year. While Kaspersky’s report tied the Equation Group to operations carried out by U.S. intelligence, it did not definitely identify the group as an NSA outfit. Kaspersky said the group “surpasses anything known in terms of complexity and sophistication of techniques.”

    Security researchers say privately that the Equation Group is all but certainly a project of the NSA.

    In a highly technical analysis, Kaspersky documented how the code released by the Shadow Brokers includes an unusual system for encrypting data. That encryption scheme has only been seen previously in code associated with the NSA, and led its researches to “believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group.”

    • @simplicissimus
      Simplicissimus @simplicissimus 17/08/2016

      The Equation Giveaway - Securelist
      ▻https://securelist.com/blog/incidents/75812/the-equation-giveaway
      (consulted via the Google cache)

      August 13, 2016 saw the beginning of a truly bizarre episode. A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF]. In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group, however, they didn’t provide any technical details on the connections.

      Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing. The passphrase is being ‘auctioned’, but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.

      The first archive contains close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 and the newest timestamp dating to October 2013.

      As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits with good results.

      Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.

      While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.

    • @simplicissimus
      Simplicissimus @simplicissimus 17/08/2016

      The presentation of #EquationGroup by #Kaspersky in February 2015
      Equation Group : Questions and Answers
      ▻https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

    • @fil
      Fil @fil 17/08/2016

      #cyberguerre #piratage

