It's worth following @hackerfantastic (https://twitter.com/hackerfantastic) on twitter at the moment as he's looking through some of the exploits that were dropped along with this documents.
sounds familiar - we found that one 1996 when doing system programming on NT (NuMega SoftIce was your best friend together with material published by Mark Russinovich prior of him working with MS - remember when you were doing e.g. a file system driver at that time there was close to zero documentation by MS and half of what they provided was wrong). Demonstrated then how to use it to log onto remote Windows systems over the I-Net and gain Admin rights. I thought this one with all what was published about it long ago would be well known since.
Astounded that it took so long to fix and that it passed on through generations of Windows version.
Almost certain similar can be said of other low level "bugs".
same result - only one issue like that known to me
So of course I could be wrong and this issue is not the only one in that protocol implementation / sys component(s)
SMB protocol was a well known source of bugs, lots of service packs used to patch this service (funny that it was enabled on network facing machines. I think it was because windows server needed to be ready for every use case. They could have had it easier by having a separate windows product with non essential services disabled by default)
Nope. Why people/companies insist the Microsoft is usable on the open internet today, despite all evidence to the contrary, is beyond me. They are not, and have not been, suitable-for-the-datacenter/internet for well over a decade now. Let the company and its swiss-cheese OS die already.
I sure hope you're not suggesting that Linux and its dozens of critical CVEs each year is better.
Clearly you're talking about running the internet on BSDs, right?
> This release includes logs, excel files, and even for the first time PowerPoint of TOP SECRET documents. This is a first from Shadow Brokers, this would mean ShadowBrokers has definitely more than only tools.
I'm curious what the implication is here. Why would a TOP SECRET power point slide be packaged together with malware on an attack server? It's either really sloppy OPSEC by NSA TAO (or random hired contractor) or may just be a collection of files put together by an intel agency/'criminal' hacker group from various sources to embarrass NSA.
The implication is that they're working directly with leakers. It's pretty hard to imagine that a PPT would be left on operational assets where tools are traditionally found.
Aren't we overlooking a rather more likely possibility here - that the NSA has itself been hacked? You're right, I see no reason why slideware would be sitting outside the NSA corporate networks and I'm sure they have various procedures to try and prevent exactly that. The two remaining possibilities are:
1. Another leaker who isn't Snowden
2. A third party who has gained access to the insides of the NSA
I don't see why we're apparently ignoring 2 in this thread. The Snowden leaks made it very, very clear that essentially nothing is unhackable. And it's not like the USA has a monopoly on hacking skill. What else do we know about the NSA? That they perform the largest WireSharking in history, they literally parse most of the internet with a giant collection of programs which I will assume are written in C or C++ for the sake of performance (though a lot of Perl seems to crop up for analysis purposes too).
What are the chances that the NSA have managed to build a huge network with hugely complex interfacing to the entire internet, and huge amounts of software, without opening themselves up to attack by equally sophisticated attackers? I'd say close to zero.
"Aren't we overlooking a rather more likely possibility here - that the NSA has itself been hacked?"
That's the most obvious one to me. I thought everyone assumed it until I saw some of these comment threads. If it's Russian, it probably goes back to Kaspersky tracking the Equation Group. They put together about everything about how they operated. Giving Russian intelligence this information combined with trip-wires or tip-offs on live activity by NSA hackers would let Russian hackers attempt to own their boxes. They could just work from there.
Alternatively, it could be result of long-running infiltrations that U.S. government has been talking about for decades. At various points, U.S. TLA's said China is throwing piles of spies at us in a numbers game whereas Russia was using (I think it was) 4x more than during height of the Cold War. We also know they're easy to infiltrate and have terrible security since Snowden did and showed exactly that. Plus Manning just pulling everything they had from an Army private's account in Middle East. The leaks could've come from infiltrators, too.
So, we have infiltrators, hackers via Kaspersky data (or similar), or insiders that for whatever reason want to humiliate them. Whatever Shadow Brokers say about themselves is just propaganda. They're one of the above with probably typical motivations of agents in those categories.
Back when the first half of this stuff was leaked, Snowden suggested that this was likely stuff left on an external machine that the NSA was using for staging and failed to clean up. I'd link the tweet but can't find it at the moment. Given the age of most of this stuff that seemed plausible.
Now that we've seen more than just tools and exploits leaked (powerpoints, other documents), that doesn't seem plausible anymore.
An interesting note on 1: back during the Snowden and Manning leaks, Bruce Schneier strongly believed that there was a still-unknown leaker because some of the data shouldn't have been available to the other leakers.
Not sure if these are related, but the latest round makes pretty clear that there's been either a new leaker or a serious attack.
I don't think I am? A quick look says he was identified in 2012, and Snowden started publishing in 2013. I'll have to track down the Schneier post to be sure of my dates, though.
I recall reading circa Stuxnet that the NSA had recruited criminal malware coders. In particular, that a notorious botnet coder was consulting for them. So I wonder whether some of their consultants left backdoors.
strongest current speculation is the nsa employee who was arrested late last year, harold martin, is the source -- but we really don't know. apparently there was terabytes of nsa data at his home, which seems like a relatively likely source, but perhaps not -- he may have been benign and was only 'incidentally collected' in the hunt for the source
I question this speculation. It seems to me that people start from the assumption that the NSA is unhackable and work backwards from there. There is no reason to believe this.
The NSA uses Windows like everyone else. There are multiple Windows 0day RCEs in this dump, which may not be all of it by far. All it'd take is to find a single Windows server that isn't properly airgapped - and the NSA TAO can't possibly be airgapped given that its job is to hack people over the internet - and you have a foothold.
The incentives for these intelligence agencies are all wrong and I think even if this particular dump isn't traced to a direct compromise of their network, it's bound to happen eventually. They've been operating on the assumption that all nation states work in secret, so even if they get totally hacked by their adversaries the White House will never find out. However, their chain of command would definitely notice if they stopped sending intercepted intel up to them. This means they're strongly incentivised to horde exploits even if they're sure their enemies know the very same exploits and even if they're sure they can't defend themselves.
The Shadow Brokers appear to have at a stroke invalidated the assumption of universal secrecy. These are people who have access to the NSAs most sensitive internal tools and documents, and are simply ... burning it all.
Bingo! Well, a mix of Windows, Linux (esp Red Hat), and Solaris (optionally with trusted extensions). All low-assurance operating systems with history of 0-days plus current ones for at least Windows and Linux. It's not like they didn't know it was coming. High-assurance field, including pioneers in INFOSEC, warned them over and over.
Bad news is they have methods today that work better that they could build on. They recently canceled them in favor of a new program with something like a 90-day evaluation. Something short. I remember reading the protection profiles to find the assurance argument required is EAL1: one so low we thought they'd cancel it. Things will only get worse.
we are already aware of a guy who was arrested for having terabytes of classified info, who worked for TAO. i'm not sure how it would have gotten from martin to the (presumably russian) shadow brokers -- maybe he was paid, maybe he was hacked -- but it doesn't seem like a staggering leap to make.
certain politicians aside, exposing TS networks to the internet is not only difficult inside an organization that 'lives in the dark', it will get you severely reprimanded if not fired from your very well paying job, and possibly scuttle your ability to remain cleared and continue your career. classified networks are designed from above so that as much as possible this isn't an issue, and i'm certain it's only intensified since snowden.
i'm not saying by any means it's an impossibility that they were hacked, but i don't see any reason at all to favor that conclusion. like i said, martin worked for TAO, the source of everything the shadow brokers have released. why would you come to the conclusion that they were hacked vs an already known, very likely source candidate?
So why is the NSA leaking all this shit. What's the leading theory on that? It's like just get it all out there, just to preempt an eventual leak? Maybe see who picks up this stuff and uses it? Mis-lead the other side on the capabilities which are actually far superior than a few things which have been released?
If we do buy into the fact that the NSA is behind the leaks, it would most likely be in response to some sort of loss-aversion or negative leverage play. i.e. they want to severely devalue these assets on the black market.
The Shadow Brokers are speculated to be an insider [1] (or my own speculation, a small but >1 group given what we've seen), which would mean that these things are packaged together because they've chosen to package them together, not because they were necessarily proximal "in the wild".
Yeah, this is fascinating. I thought the prior understanding was that Shadow Brokers had found/located a TAO box which had unintentionally been left with a full pen suite.
That was an interesting error already, but this implies either a ludicrous screwup (how would you even package those together?) or some much deeper compromise.
Bitcoin being a sewer rat, and the banking system being a bubble boy, I knew a day would come when the bubble boy would be exposed to something bitcoin had grown immune to, get sick, and possibly die. I didn't know his protective bubble was already gone. I thought these banks all communicated on leased lines and weren't exposed to the public internet.
Is there any indication that a criminal hacker gang couldn't have compromised this or other SWIFT service bureau's or banks in a similar manner?
> exposed to something bitcoin had grown immune to
I don't know where this myth is coming from that Bitcoin is immune to state-level actors. If a relatively large government really wanted to manipulate the Bitcoin network, they could either just buy some thousand Bitcoin and spam the network with transactions or buy enough hardware to get over 50% hashing power. Especially China only needs to take down the 2 or 3 top miners and can cut the mining power in half within a day.
Bitcoin is simply not interesting enough at the moment to get manipulated by state-level actors. But that doesn't mean that it's impossible, regardless what Bitcoin advocates want you to believe.
Definitely not impossible, but a quick check at the moment suggests that with the best available ASICs, it'd cost about $376M retail (or perhaps less wholesale) to buy hashing power equivalent to the current network. (And that assumes sufficient supply to do so, though it might be possible to scale that better.) So, definitely in the range for states to accomplish, but not trivial; it'd have to be extremely critical to do so. (And an attempt to do so would likely get noticed, and there are ways to work around it.)
The U.S. threw ~$80M worth of missiles into Syria several days ago, just to damage an airfield. No one would blink at half a billion to take out bitcoin, and that's assuming that the NSA/CIA don't already have billions' worth of codebreaking hardware that could be applied to that purpose (they almost certainly do.) Taking control of bitcoin is probably "fun weekend project" level work for them.
The cost ($80M) is not the interesting metric - consider the press coverage, positive poll results and resulting political engagement. The power gained is the interesting result.
Currently there is no power to be gained in wiping out bitcoin when half of the constituents have never even heard of it. Never mind the cost.
Agreed. The point is that USGOV could 100% do it, for pocket change. It would be pocket change for a bunch of countries, really, and expensive but doable for a whole lot more.
I would assume the only reason we haven't done it has nothing to do with the cost, its simply that bitcoin is just not interesting enough to them (yet). I can't imagine that some USGOV and probably >1 non-us-gov have plans already and could rapidly build out an ASIC farm, if asked to do so (and funded, of course).
Agreed. China doing it is way more likely in general because they could walk in and take over enough capacity to reduce the capex required for takeover (by combining stolen capacity + new capacity) by perhaps 75%. It would also make it way harder to notice, because a massive new mining pool trying to pull things in a new direction would be obvious. Several established mining ops shifting direction would be less obvious.
rsync is right. There's a lot of factors at play to make those missiles worthwhile to those in power. Whereas, they won't waste effort on bitcoin until they get similar gains or it's similarly a threat. Right now it's definitely not a major threat in their eyes. It's barely even a minor threat with all the crooks using stolen credit cards, money mules, Western Union, etc. Vast majority of damage done on that end of things. Their big investment to deal with finance is the same they'd use on Bitcoin transactions: mass surveillance of Internet and financial system. A multi-use technology that helps in more goals. ;)
If the top 2-3 miners are in China, it would cost the Chinese state zero dollars to issue an ultimatum to these organizations - say, requiring them run X modified software or do whatever.
China's legal system already contains provisions which could be summarized as "all your data belongs to us".
> they could either just buy some thousand Bitcoin and spam the network with transactions
Marginal loss on each transaction + "spamming transactions" = essentially paying people to run their machines at 100% for a while for you, which to the tune of "some thousand bitcoin" would be money to their ears
> just [..] buy enough hardware to get over 50% hashing power
'just'
> Especially China only needs to take down the 2 or 3 top miners and can cut the mining power in half within a day
If that is true (and I'm not convinced that it is) you don't think those '2 or 3' entities aren't large and financially self-interested enough to work to secure themselves, divest their resources, or so on?
I highly doubt any sort of subversive action could be taken sub-rosa to the tune of 51% of a network of paraniod individuals who'd either fork or move out given any whiff of subversion, especially by state actors.
> Marginal loss on each transaction + "spamming transactions" = essentially paying people to run their machines at 100% for a while for you, which to the tune of "some thousand bitcoin" would be money to their ears
If the network is unusable for 6 months or so because confirmations take dozens of blocks or need very high fees, what do you think would happen? Everybody just waits for it to blow over and continues like nothing happened? The costs don't matter if the control over the monetary system is at stake. Defend now or the $/€/¥/£/etc will lose value anyways. Not that I expect it to come this far but don't underestimate the monetary power of large states. Bitcoins often quoted market cap is only a very, very small blip on their radar right now.
> 'just'
Okay, you are right. They would most likely confiscate the miners' hardware and will mine with that. So they kill two birds with one stone.
> If that is true (and I'm not convinced that it is) you don't think those '2 or 3' entities aren't large and financially self-interested enough to work to secure themselves, divest their resources, or so on?
China regularly takes down party members for "corruption" (more likely not enough corruption). So if not even party members are safe, how could anybody be safe that threatens the power of the whole government?
As the supply goes down, so too does the price rise. They will become more expensive the more governments try to do this. This is like saying that "a government can buy all the gold in the world to prevent this" .. inherently false and shallow statement ignoring the complexity of the issue
And again a novelty account pops up and talks about how complex Bitcoin is and how Bitcoin is like gold despite both not sharing similarities. Bitcoin is not gold. It never was and never will be.
The anarcho-capitalists who think that Bitcoin exists outside of government control and will be able to replace national currencies are wrong. China can at any point order the top miners to shut down their pools. Bitcoin is simply not relevant enough to be attacked by more than the local police that is underfunded for those endeavors anyways.
The difficulty is according to the amount of miners, right? So it's supposed to not matter if China shuts down their pools. And local police? Complete speculation, my friend.
You obviously don't know enough about Bitcoin to argue the way you did.
If there is X hashing power and you need X/2 to control the network, then reducing X by 50% means that you only need X*0,5/2 to control the network.
The difficulty is only adapted every 2010 blocks which equals around 2 weeks but if you suddenly cut the hashing power in half, this will take up to around 4 weeks and slow the network down immensely.
The idea that the stability of banks is largely determined by their internet security is not something anyone who is familiar with bank operations believe. Breaches, fraud, inside jobs (and much more commonly) errors in SWIFT or other electronic communications are assumed to be happening by the banks.
Double entry accounting, auditing, charge backs and correction protocols are all normal, standard and expected in even the smallest credit unions and the amount of dollars spent on these things at the larger financial institutions is staggering. That is essentially the job of a bank. To back stop that we have insurance and regulatory bodies working to prevent and mitigate losses. Again, this is normal and expected.
The thing those of us who have worked in banks find so funny about Bitcoin isn't that it solves some issues that banks don't know about or does something clever. Its how unprofessional the whole thing is. It doesn't account for hardly any of the real world problems of the banking system.
> Which fiat bank will be the first Mt Gox?
Depends on what you mean? A bank that is brought down by theft by its employees? That was such a big problem in the early banking world that banks competed on the edifices and security theater to prove it didn't happen at their bank...150 years ago or more.
My quick skim shows they're gaining information about transactions in Middle East and Panama. One is essentially a hotbed of competing interests among imperialists and terrorism. The U.S. invaded two countries over there. There's proxy war going on in another. Far as Panama, it's one of leading spots for rich people, threatening or just tax-dodging, to set up offshore accounts, companies, and so on. They use it to hide their transactions. FinCEN has been fighting for access to tax haven data for years. No surprise NSA is monitoring illegal, money moving given targets of interests might be involved in it in that specific place.
It really doesn't. Spy agencies have been collecting economic and military intelligence on foreign countries and companies since their inception. It was a NSA apologist that correctly noted that each country with a spy agency makes it illegal for people to spy on them, complains about it internationally, and then funds an agency to spy on everyone else for their own benefit. Regardless of what laws or technicalities say, all these countries with spy agencies want foreign spying to happen & legally endorse it by creating said agencies. This should be expected.
Even if they made it illegal, I still wouldn't trust them as they'd try to do something to get an edge on negotiations. That something would be illegal activity they outsourced to mercenary organizations or partnered with nations with spy organizations with some benefit promised back to them. For example, nearly all of Europe has intelligence sharing agreements per Snowden leaks with the very agency (NSA) they're publicly griping about. Only 3 didn't in whatever deal that was: Switzerland, Iceland, and one other I can't remember.
Bitcoin is quite trivial to take down (spam with transactions because clearing rate is so slow). Also remember that the core promise of Bitcoin is decentralization not anonymity and anyone with resources amd will like the NSA should be able to comfortably trace back users unless there's unusually good opsec (even Tor merely increases the cost of unmasking).
The point of the banking system is not necessarily high security, it's the legal frameworks and process flexibility to identify and prosecute fraud and reverse the effect of fraud of detected in time
The big advantage of double entry book keeping is that it provides multiple layers of security in the basic ledger handling the banks must perform. (The big disadvantage is the implicit instabilities that result from the associated statistical multiplexing of money.) So SWIFT being compromised is bad, just ask the Central Bank of Bangladesh, but it's not the end of the world as we know it.
I love them outright denying it, then slowly admitting that the slides reference real elements of their infrastructure that they have since retired.
This dump is a few years old. Seems very believable that the NSA compromised their network before 2013 in the way the slides suggest. Plus if their "internal Security Unit" was worth a damn they would have known about this already, rather than finding out about it from this dump.
Overall that press release is a little embarrassing, and screams to the tech illiteracy of their senior management. Nobody would publish a press release like this so quickly if they understood the problem scopes in play here (e.g. their Cisco firewalls themselves could have implants!).
We've known the NSA compromised SWIFT since 2013, that the US has control over SWIFT transactions since 2012, and that the US had been failing to guarantee the privacy of EU citizens' transactions on the network since 2011.
We've also known since last year that at least three separate hacks by three separate thieves stole millions of dollars from multiple banks after compromising the SWIFT network.
All 11,000 financial institutions connected to the network should just switch to sending their 15 million messages per day using iPhones. Problem solved.
"All 11,000 financial institutions connected to the network should just switch to sending their 15 million messages per day using iPhones. Problem solved."
iPhones are in U.S. jurisdiction. That's a bad idea. Instead, they should send P2P or through SWIFT-like intermediary with signed messages GPG-style over TLS-style links via dedicated lines or Internet lines with high-speed port knocking. It all can be done with highly-secure tech. The tech for bottom of stack from secure CPU's to secure kernels even exists already. SWIFT or some other setup just has to buy it with that pile of money they have.
Alright, maybe SWIFT will be interested in high-assurance systems now. Any day now they'll start applying the best of real INFOSEC to a world-wide, financial-transfer network. Any day now... Probably not lol...
I can't glean useful information out of it except to note Fox-IT has some experts on hand that can help. They were mentioned. The hacks usually come from malicious insiders, social engineering of benign insiders, bad configurations, bad protocols, and especially 0-days in software. The interim solution should then be hardened OS with strong TCB, use of proven protocols, secure-by-default configuration, auditing/monitoring by third-parties for malicious insiders, and controls for both malicious and benign insiders. SWIFT's headlines indicate a lot of software implementing controls, analysis, and so on. I didn't see anything at a glance about making the implementation of those software, their protocols, or their OS's bulletproof.
So, I still don't trust them. This looks like the same shit management in banking and "security" industries come up with all the time. You know, the stuff used in dozens of companies that got bypassed by so-called "APT's" that sent emails with infected PDF's and Excel documents. Really "advanced" attacks it takes. Haha. Trick is, you need both the security features and assurance they're secure. Most of industry focuses on former where my type focuses on latter as much as possible. ;)
That's a nice design. They're trying really hard while staying within COTS components. So, I wanted to know what the TCB was running. Paydirt:
" The I/O Controller runs an isolated instance of Security
Enhanced Linux and has a separate TPM for measurements and identity anchoring."
Yeah, that's not trustworthy. It might get attacked less than competing systems but SELinux isn't a good TCB. The NSA themselves rate it like most of the rest at EAL4+: resistant to "inadvertant" or "casual" attempts to breach security. You want that trusted component to be running something stronger, preferably with low odds of 0-days. A minimal version of OpenBSD is a cheap start as their networking and Ethernet stacks probably had most review. Next best is a separation kernel enforcing policy with small TCB & user-mode stacks. There's commercial ones they can buy or FOSS ones to build on. Memory-safe language like Ada/SPARK or Rust for their trusted code. Paid or FOSS options for that, too.
The point being the hackers are going to look for ways to send in malicious data or cause unusual executions to get code into memory. Whatever they're using should stop that or isolate the damage with high confidence. Most don't, though. Even well-thought ones like this product.
EDIT: Thanks for the tip-off, though, as I occasionally send recommendations to security vendors. Might email them or use them as an example for high-security people of what kind of thing to build or market.
The title does not seem to be accurate. I don't see evidence that whole SWIFT network was compromised. Instead it looks like they compromised one company which connects to the SWIFT network.
That's what it looks like. They were monitoring or getting data from SWIFT before, though. Just can't remember the details. I'd assume they can hack SWIFT, though, given SWIFT probably relies on tech they have 0-days in like most places. Just more monitoring that might catch them. Hopefully...
Back then SWIFT had two processing centers, one in EU and one in US. Traffic was replicated to both for resiliency. Later they opened up a new center in Switzerland to be able to keep European data in Europe.
Every time something like this breaks I have to take it with a grain of salt. I've been fooled by HN before about "major" security breaches that end up not having much of an impact at all.
Cloudflare leak in Feb... sounded like the world was ending here.
You may have noticed that the biggest freakout was from Google.
The freakout wasn't due to the incident itself (although obviously everyone was unimpressed the leak happened), it was the fallout: the leaked data was archived in various caches. Google's indexes of the web are the biggest.
Because they likely have an operational network for each work group that's mirrored, using standard configurations to maintain continuity across tools, techniques, and procedures.
How is NSA TAO not being held criminally irresponsible by our administration for not patching the still-unreleased exploits that are currently in possession of third parties?
A person claimed they already found a vulnerability, maybe reported it or just ignored it, and this was the same vulnerability. That person provided no evidence this was true. My impression was that people were downvoting it because they thought it was a lie (no evidence) or thought an unsupported "me too" claim added nothing to the discussion. You (a) didn't spot that or (b) asked about votes [1]. Both can lead to further downvotes. I just skipped past this whole, pointless section of the comments as I imagine most people do. Some people will downvote stuff like this, though, to clean up the thread or out of irritation.
[1] "Please resist commenting about being downvoted. It never does any good, and it makes boring reading."
> The US government already has legal and very broad access to SWIFT for anything even slightly terror related.
Not really. SWIFT maintains multiple datacenters outside the US so that transactions between 2 non-US actors don't touch US-based computers and are therefore not (easily, officially) accessible by the US government.
I find it interesting that he did not mention Bitcoin or other blockchain based solutions as an alternative to SWIFT. I doubt that that's because the author is unaware of these technologies.
Highlights so far are a 0-day in windows from NT-->2012 which reliably exploits over the SMBv2 port and a bunch of other stuff. (https://twitter.com/hackerfantastic/status/85291588665052774...)