You can find the current article at its original source at https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html

Version 4 compared with Version 5 (about 4 hours later)
NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponizing it
Version 4: The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches, surveillance or disruption — and alerted the firm of the problem rather than turn it into a hacking weapon, officials announced Tuesday.
Version 5: The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could expose computer users to significant breaches, surveillance or disruption — and alerted the firm about the problem rather than turning it into a hacking weapon, officials announced Tuesday.
The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.
Version 4: “This is ... a change in approach ... by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October.
Version 5: “This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October. “As soon as we learned about [the flaw], we turned it over to Microsoft.”
Version 4: Cyber security professionals hailed the move.
Version 5: Cybersecurity professionals hailed the move.
Version 4: “Big kudos to NSA for voluntarily disclosing to Microsoft,” said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”
Version 5: “Big kudos to NSA for voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch said in a tweet Tuesday. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”
The bug — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used in government and business today.
Microsoft issued a patch for the flaw on Tuesday. The company’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.
“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” said Jeff Jones, senior director at Microsoft, in a statement.
Version 4: The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
Version 5: NSA’s action may help restore the agency’s image, which was tarnished after it lost control of a powerful hacking tool it called EternalBlue. One former agency hacker said using EternalBlue was like “fishing with dynamite” because the intelligence yields were so bountiful.
Version 4: The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.
Version 5: NSA built that weapon by exploiting a software flaw in some Microsoft Windows operating systems, and used it for at least five years without telling the company. But when the agency learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.
Version 4: Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.
Version 5: Despite the patch, Russian and North Korean hackers were still able to turn it to their own purposes, launching destructive attacks such as NotPetya and WannaCry that created global havoc and costly damage to businesses and other organizations.
Version 4: The NSA, which was still recovering from surveillance disclosures by a former agency contractor, suffered a further hit to its reputation.
Version 5: To this day, companies are still grappling with ransomware and intrusions enabled by EternalBlue, though some ransomware attacks have been erroneously linked to the tool.
Version 5: “Right now [Neuberger’s] trying to rebuild the reputation of NSA’s role in the defense of the nation,” said Richard “Dickie” George, who until 2011 was the agency’s technical director for information assurance. “You’re trying to build public confidence in the NSA.”
EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA uncovered would be useful to hackers seeking to break into some computers running Windows 10.
Version 4: Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
Version 5: When a Windows user logs onto a website, the user’s browser checks the authenticity of the site through software provided by Microsoft. The NSA discovered an error in the firm’s software code that fails to properly check the authenticity.
Version 4: “Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.
Version 5: A sophisticated hacker seeking to exploit the flaw could build a weapon that reroutes users to malicious sites, steals files, activates microphones, records key strokes and passwords, wipes discs, installs ransomware, “you name it,” said Jake Williams, a former NSA hacker who cofounded Rendition Infosec, a cybersecurity firm.
Version 4: If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”
Version 5: Microsoft and the NSA reported that they have seen no active exploitation of the flaw.
Version 4: Microsoft has reported that it has seen no active exploitation of the flaw.
Version 5: “If the flaw is patched quickly, it’s not that dangerous,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. “If a lot of people don’t patch, it could be a disaster.”
The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director Gen. Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.
George, who for years ran an internal NSA process to weigh whether to disclose software vulnerabilities to industry, said the agency informed vendors of flaws in the vast majority of cases. Many are not significant enough to be considered for use by the agency’s hackers. He said “we had given 1,500 [bugs] to Microsoft in two years” in the early 2000s.
In the past, when the NSA disclosed flaws to companies, “no one knew we did it.” That was partly because the companies did not want to advertise that they were working with the spy agency, he said.
Secrecy has other merits, he said. Announcing that a vulnerability is being patched gives malicious hackers a chance to find a way to exploit it, he said.
But Neuberger said that the agency wants to ensure the wider public heeds the warning. “Cybersecurity network owners have far more alerts and other things on any given day than they can possibly address,” she said. “We routinely hear that what they most value is our flagging the things that are most important. So our notification to them . . . is . . . carefully timed to achieve that objective.”