(URR here.)
The leak of what purports to be a National Security Agency hacking tool kit has set the information security world atwitter – and sent major companies rushing to update their defenses.
Well, what do you know.
The tool kit consists of a suite of malicious software intended to tamper with firewalls, the electronic defenses protecting computer networks. The rogue programs appear to date back to 2013…
The auctioneers claim the tools were stolen from the Equation Group, the name given to a powerful collective of hackers exposed by antivirus firm Kaspersky Lab in 2015. Others have linked the Equation Group to the NSA's hacking arm, although such claims are extraordinarily hard to settle with any certainty.
The leaked tools "share a strong connection" with the Equation Group, Kaspersky said in a blog post late Tuesday. The Moscow-based company said the two used "functionally identical" encryption techniques.
The leaked tools also appear to be powerful, according to a running analysis maintained by Richmond, Virginia-headquartered Risk Based Security. The group said several of the vulnerabilities targeted by the malware – including one affecting Cisco firewalls – were previously unknown, a sign of a sophisticated actor.
And an early candidate for the Understatement of the Year:
Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, California, said that the news was terrible for the NSA no matter the circumstances behind the leak because companies like Cisco guard critical U.S. infrastructure.
"If the NSA discovered breach in 2013 and never told Cisco/Fortinet, this is VERY BAD," he said in a message posted to Twitter. "If they didn't know, this is VERY BAD."
The NSA has not returned repeated messages seeking comment.
Ya don't say. The description of the "auction" in the article seems intended to make the reader think the perpetrators are somewhat incompetent. They aren't. The "auction" is a smoke screen, though undoubtedly money will change hands. These hacking tools, although 2-3 years old, will be reverse engineered, pulled apart, repackaged, and modified to avoid detection and scanning, and will be used against all manner of US public and private sector systems, just as portions of the STUXNET code were (and still are).
The US Government in general (and DoD in particular) shows itself time and again to be incredibly arrogant when it comes to network security. Because they can see and track certain hackers, they think they can see them all. They assert that attribution by technical means alone is possible. It is not. There is no real consideration that the breaches seen by NSA are, in part, deliberately made visible so that the adversary can study the techniques used in forensic investigations. Or that the most talented of the Black Hats are all but undetectable.
Also, there seems little real understanding of the immense number of gateways possible for entry into critical networks, and what REAL damage can be done by someone with institutional or operational knowledge of the network structure and intended function. Or that exploits can be (and are) nested in networks already, without the knowledge of users or managers. Nor does there seem to be an understanding of how rapid the response to a network breach must be. To the government, a "rapid" response to such a breach happens in hours or days, whereas the damage of a malicious hack occurs in seconds, or at most, minutes.
And they wonder why the Private Sector views government "help" with such a jaundiced eye?
I spose I ought to finish my "cyber awareness" training. In two-plus years, I have been made to do this "annual" training five times. Why? Reflective Belt Technique.