Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8. The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly …


Re: Damn it NSA,

Yeah, sure, multiple machine translations, "Chinese Whispers" or "Telephone" style with a check at the end to see that the message isn't just too garbled. However, it could be that they want people to think that their native language is not English. That it is, for example, Russian. When comedian Jessica Holmes does a Russian character, it sounds just like those excerpts. Easter, of course, they want you to think they're favouring Orthodox countries which calculate Easter (holidays) on a different basis. Although I looked it up, and in 2017, both Easters fell on the same day. Maybe there's a message in that, too. They probably didn't want to wait until Christmas.


Let's stop pretending...

...that standards-compliant software is a universal panacea for security.

When I started in the industry the server room was accessible only through locked doors, and housed in a Faraday Cage, in a building guarded 24/7/365.25. Ethernet was still in development. The only way to have a two-way dialog with the server was through a teletype situated in the server room.

Standards such as Ethernet, TCP/IP are great for flexibility, but it is a two-way street. If you want security then the relevant bespoke hardware/firmware/software needs to be developed and rolled out. Too difficult, too expensive? Well, that's the trade-off that has to be considered.

Anonymous Coward

Re: Let's stop pretending...

When I started in the industry the server room was accessible only through locked doors, and housed in a Faraday Cage, in a building guarded 24/7/365.25.

And yet, I had access to such locations more than 2 decades ago. It's known as insider threat.


Re: Let's stop pretending...

"The only way to have a two-way dialog with the server was through teletype situated in the server room."

Server or mainframe? The characteristic of a server is that it provides services. Unless all the users of those services are to be herded into the secure server room it's going to have to communicate externally. Alternatively you could secure it even further by closing it down, removing the power, encasing it in concrete and burying it in a hole in the ground.


Re: The characteristic of a server is that it provides services.

It could be called a mainframe, if you wish. But if services provided are surfaced through dumb VT100 terminals, or similar, then there is less danger of vulnerability. Why "Less" and not "no"? If commands are defined which are allowed to configure the host environment, then it depends on the extent of those commands.

The problem with techies is that they/we find it difficult to resist extending functionality through backdoors which have been specifically programmed in. A good example of this is BASIC. The original intent of this language was the provision of a padded cell where programmers could knock themselves silly with whatever code they wanted to, no damage done. Then some bright spark invented the POKE command...

Anonymous Coward

Re: Let's stop pretending...

In Werner Herzog's 2016 documentary "Lo and Behold, Reveries of the Connected World" he interviews Kevin Mitnick, who utilised the sense of security to trick people by phone into revealing the details he needed.

It is not just insiders that are a threat, the people that manipulate them are equally dangerous.

STZ

Re: Let's stop pretending... server vs. MF

Even those venerable mainframes were built to serve some purposes, and hence could be called servers.

By the way, the term "server" for some machine/device that runs programs and processes data became popular in those ancient times when penny-pinchers had the great idea to turn PCs by 90 degrees, remove their monitors and keyboards and put many of them side by side on some shelves initially bought at IKEA, calling the result very appropriately a "server farm". For some reason this has now become the dominating form of IT; real computer systems had to retreat into niches.

To be honest, nowadays those shelves do not come from IKEA any longer and those vast conglomerates of PCs are now wonderfully disguised by multicores, virtualization and fancy hyperconverged boxes - but essentially, the art of IT today is still trying to manage server farms.

Sneaking into a farm isn't very difficult ...


Re: Let's stop pretending...

The only way to interact with a SWIFT server is via an internal telephone in their ops centre, giving verbal instructions to an operator. You have to pass through a body-scanner to stop anyone entering or leaving the building with a memory stick or DVD. There is CCTV everywhere. The toilets are analysed for drug use. The servers are set up to NSA standards, then modded to suit the internal SWIFT security group.

I've worked at ATC and the security was nothing like SWIFT. The one thing they shared was that the feet of the walls of the buildings were curved, apparently a defence against truck bombs.


This could be a good thing for Microsoft

If people start actively using these exploits then Windows 7, 8 and 10 systems will be patched and protected. Windows XP systems won't be, thus encouraging people to upgrade those at least to Windows 7 (since that's easily pirated, like XP was).

The percentage of people still on Windows XP has to be a monthly embarrassment for them.


Re: This could be a good thing for Microsoft

"The percentages of people still on Windows XP has to be a monthly embarrassment for them."

Just wait until 2020. At least when XP went out of extended support, there was a "good" version of Windows waiting (7). When 7 ends...


Re: This could be a good thing for Microsoft

"If people start actively using these exploits then Windows 7, 8 and 10 systems will be patched and protected."

I doubt 7 would be. After all, they want to push people off 7 onto 10.


Re: This could be a good thing for Microsoft

Windows 7 is still under support until 2020. If they don't produce patches for these exploits, they will be facing a lynch mob made up of almost every Fortune 500 IT department.

Anonymous Coward

The SWIFT tap is ooooold news, btw

That the US has tabs (heh) on financial traffic is very, very old news - it is the very reason why the Swiss set up their own VISA payment processing centre.

As I'm all for reciprocity, I think it's time we get access to theirs. Trump's, for instance, must be fascinating :)


Re: The SWIFT tap is ooooold news, btw

... VISA payment processing centre. As I'm all for reciprocity, I think it's time we get access to theirs. Trump's, for instance, must be fascinating :)

Fascinating? Since Trump's trick is to buy stuff using other people's money (a bit like Royalty, and governments, for that matter), it might tell nothing at all. Yugely.

Anonymous Coward

Surprised no one paid up and privately bought this...

The indifference to this release and others recently is baffling... It almost feels deliberate, welcomed even... To try and create a total meltdown in confidence in the net, in order to bring about some new change or offer some new 'product'... 'Too Many Secrets' etc.

Anonymous Coward

Let me just adjust my tin foil hat.

I'm going to suggest that these leaks are not from the NSA but from Microsoft.

These exploits cover Windows up to and including Windows 8.1.

If they were fixed in Windows 10 then why have they not been back-ported to OSes that are currently supported? Microsoft must know about them to remove them in Windows 10. Microsoft is also well known for carrying exploits over.

Finally, how on earth does a "hacking group" hack into the NSA if the NSA are aware of all the exploits before them?

Something just does not sit right with this.


"Let me just adjust my tin foil hat.

I'm going to suggest that these leaks are not from the NSA but from Microsoft.

These exploits cover Windows up to and including Windows 8.1."

As mentioned above, this was created before Windows 10.


@Tinfoil AC

I also have a tinfoil hat, but in this case, I'm leaving it on the hat rack. As with any large organization, there will be vectors that were 'overlooked' somehow in the security update/upgrade cycle; no network is impervious.

And do not discard the theory that an NSA insider leaked these, and then there is no need to wonder how the NSA's digital castle was looted.

In the end the NSA could have gotten some of the goods from MS, some from the darknet, and some from internal know how.


"Finally how an earth do a "hacking group" hack into the NSA if the NSA are aware of all the exploits before them?"

How could they not? Once it was confirmed that NSA had a huge cache of zero day exploits hidden away, it was the Klondike Gold Rush all over again.

Dangerous, risky, but, oh, the rewards if you succeeded!


Not Secret

Insider leak, or an insider's outside PC got hacked: none of these exploits were marked secret, to avoid charges of exporting restricted technology, so staffers/contractors were free to take their work home with them.

Anonymous Coward

The Equation Group is just an alias for Group E. There are other groups with lettered names (much like Q Branch in Ian Fleming's world) and they don't talk to each other much due to compartmentalization. Their toolkit names mostly start with E or EM but include names with different documentation styles which I assume came from other groups. I expect the E group's focus was just a small part of the Middle East related intelligence since they did seem to like the banks. I expect they got rolled into a different group and the inevitable corporate knowledge got lost in the reshuffle and somehow someone else ended up with the goodies. I expect the Equation Group is long gone and replaced by a whole new group with no doubt a cooler sounding name...at least cooler sounding to some middle manager government bureaucrat.


Toothless?

ENGLISHMANSDENTIST what, the septic tanks mean that the sploit is not worth paying for?

Anonymous Coward

Re: Toothless?

Clearly a Simpsons reference

https://www.youtube.com/watch?v=PrpUSKE9p_M


Re: Toothless?

It could just be a "throw away line" referencing tooth (and hence data) removal. MS, fb, GCHQ and so on. They're all in the extraction biz. Would you like to join in, NSA? Why yes, old fiend, nothing short of a Pimm's could make the oyster go down more smoothly. Shame about your teeth.


"Something just does not sit right with this."

Indeed.

A hacking group with a fearsome reputation and a near bottomless war chest for zero days is itself hacked.

Then the group that manages this fails to organize an effective auction to sell the stuff on.

So they just release it.

Assuming this is not a deliberate plant by the NSA itself, this sounds like someone who got lucky, like a little brother who got into his sibling's home PC, and the sibling brought his work home from the NSA.

That said, if you want to steal secrets the NSA is probably the outstanding mega target on the planet. Penetrate them and you get a) their hacking tools, b) their access codes to whatever systems they have penetrated, c) massive credibility for yourself or your team.

Of course you'll also make yourself the #1 target of the most pervasive surveillance machine on the planet due to the very bruised ego you'll have given the NSA's assorted PHBs. This would appear to have been a sufficient deterrent up to now.

But I'm reminded of that line from Iron Man 2: "If you could make God bleed...."

Rather appropriate for the time of year. Happy Easter.

Anonymous Coward

Re: "Something just does not sit right with this."

"Assuming this is not a deliberate plant by the NSA itself..."

Alternatively, if you consider that it could be a deliberate plant, can you think of a better way to get binary software onto a load of pentesters' and black hat systems?

But maybe I've read too many spy novels.


In the background....

Theo de Raadt quietly laughs....


Theo de Raadt quietly laughs....

What a great name.

I don't suppose he's ever thought of opening a bar called "The Raadt Cellar" ?


Re: Theo de Raadt quietly laughs....

Maybe a restaurant....Raadt In Me Kitchen perhaps

Anonymous Coward

Re: Theo de Raadt quietly laughs....

A French Restaurant? "Toad Eater"?

(with Microsoft being the Toad).


"Maybe a restaurant....Raadt In Me Kitchen perhaps"

Nice.

Anonymous Coward

Lessons learnt: turn off the internet

The main takeaway from this saga is that ANYTHING online is hackable by the spooks and criminals, and everyday processes for the public such as internet banking, email, browsing etc. should not be regarded in any way as being secure. Unfortunately, with bank branches being closed down all over the place, we'll soon have no alternatives that avoid the internet. Even keeping cash under the floorboards will soon be impossible as we speed towards a cashless society.


"While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way"

How often do we see this sort of PR statement made immediately after an indication of a breach, before there's been time for an investigation, and how often is it followed by a climb-down?

Anonymous Coward

Crucifixion / Easter Eggs.

No one seems to have mentioned the release date. So what's the significance of Easter?

The Crucifixion, or "Easter Eggs" ?

Anonymous Coward

Re: Crucifixion / Easter Eggs.

It's because the Easter bunny died to save all our privacy.


these exploits are worthless

They are from 2013 and they couldn't sell them; nobody wanted them. They want the zero days for Win10 etc.

Don't be fooled into thinking you're all right because you have Win10.


Re: these exploits are worthless

Worthless only if the affected versions are not actively used. Given the popularity of 7 and XP, as well as the crumbs for 8/8.1, I would say they are valuable. With Slurp (and often true of other OSes) the same zero day is often found in multiple versions, as well as other bugs. Thus knowing one worked on these versions means it likely will work on the latest Bloat version.


What seems clear to me...

1, for all the talk of backdoored encryption, we simply cannot trust state actors to keep a secret secret; and encryption with a hole is only going to work whilst the hole is closed

2, while it may serve the state actors to keep an arsenal of ways to hack into things, the failure to report these problems becomes in itself an act of sheer negligence when these hacks end up being released to the public

3, way to go America, great job breaking it hero......


To bureaucracies and intelligence agencies there is no such thing as "out of date"

Because someone, somewhere they want to target is still running Solaris 3.0/Windows XP/Windows 7/DOS etc.

So one of the "secret weapons" is a good filing system for your hacking tools so you can pull the right set of tools out when you need them.


SWIFT

The literal truth: no evidence that SWIFT was broken.

The actual truth: NSA has a client copy of SWIFT software, so obviously SWIFT is pwned-- perhaps even willingly. SWIFT is, well, ancient and never broken, they said so smugly themselves from 5 star Geneve hostelries.

For many organizations, there is little to literally fear from the five eyes. Russia, maybe. Norks, almost certainly. The SB data is mostly interesting as an example of the likely "worst case" nation state pwnage.

Anonymous Coward

WRONG! These exploits were patched in March....

https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/

(Written by Reg staff)

Re: WRONG! These exploits were patched in March....

Did you actually read our article? As we said - unlike many others - no big deal.


I'm honestly surprised that nobody at the NSA simply bought back their own damn toolkit whilst posing as some other actor in order to just keep the lid on this.

Hell, even Sherlock Holmes was willing to use cash when other means would fail to avoid a massive public disclosure scandal, judging that the practical hazard outweighed the moral hazard.


Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

And, what makes you think that SB would have sold them an exclusive copy of the purloined tools? Maybe they'd sell them a copy, and then, next month, they'd sell the Russians a copy, and the Chinese a copy, and the Norks a copy, and....

Dave

P.S. I'll get my coat. It's the one with the non-exclusive copy of the SB tools in the pocket.

MJI

Looks like of all things

A patched-up XP machine may be safe.

Patches back to 2008/2010

No SMB2

However not sure if SMB1 was patched.

My XP boot did update last week.

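The comment above is unsure whether SMB1 on an older box is patched. Whether or not a fix has landed, the check a practitioner actually wants is whether SMB1 is still switched on at all, on both the server and the client side. The script below is an added example, not code from the thread, from The Register or from any of the commenters. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later for the Smb* and Get-NetTCPConnection cmdlets; on Vista/2008-era hosts it falls back to the documented LanmanServer\Parameters\SMB1 and mrxsmb10 registry values. It does not cover XP itself (no SMB cmdlets, no mrxsmb10 service), and it reports configuration, not patch level.

```powershell
# Added example (not from the thread or The Register): audit and optionally
# disable SMB1 on a Windows host. Assumes Windows 8 / Server 2012 or later for
# the Smb* cmdlets; older hosts use the documented registry values instead.
# Run from an elevated PowerShell session.

function Get-Smb1State {
    [CmdletBinding()]
    param()

    $state = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Server side (LanmanServer). Prefer the cmdlet; otherwise read the SMB1
    # value under LanmanServer\Parameters. A missing value means the default,
    # which is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerSmb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $state.ServerSmb1Enabled = ($null -eq $val) -or ($val -ne 0)
    }

    # Client side: the SMB1 redirector service mrxsmb10. Start = 4 means disabled.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $start = (Get-ItemProperty -Path $svc -Name Start -ErrorAction SilentlyContinue).Start
    $state.ClientSmb1Enabled = ($null -ne $start) -and ($start -ne 4)

    # Optional-feature view (Windows 8.1 / Server 2012 R2 and later only).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $state.Smb1FeatureState = [string]$feat.State }

    # Is anything listening on TCP 445 at all? No listener means no SMB server.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $state.Port445Listening = [bool]$listen

    [pscustomobject]$state
}

function Disable-Smb1 {
    # SupportsShouldProcess gives us -WhatIf, so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Value 0 -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 client redirector')) {
        # Remove the workstation service's dependency on mrxsmb10, then disable it.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    Write-Warning 'A reboot is required for the client-side change to take effect.'
}

# Usage:
#   Get-Smb1State | Format-List
#   Disable-Smb1 -WhatIf     # preview
#   Disable-Smb1             # apply
```

Run Get-Smb1State first on a representative host and keep the output; ServerSmb1Enabled and ClientSmb1Enabled both reading False, with Port445Listening still True, is the state you want on a box that must keep serving SMB2/3. Disabling the server side is safe to do live; the client-side sc.exe changes only take effect after a reboot, which is why the function warns.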

Biting the hand that feeds IT © 1998–2018