And here we are. With a global ransomware rampage, referred to as “WannaCry,” putting tons of people at risk, thanks to leaked NSA malware:
> Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
>
> The unique malware causing the attacks — which has been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. The vulnerability it exploits was among those that Microsoft quietly patched back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims — including National Health Service hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure and is no longer supported, meaning it did not receive that March patch at all.
Thus, there’s some debate online about whether the “problem” here is organizations that don’t upgrade/patch, or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days — especially for large organizations with IT staff who should know better.
At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:
- The NSA’s dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it’s quite clear that the offensive capabilities are valued much more than the defensive ones — and that’s a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
- Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a “safe” way, where only government will get the backdoor access to encryption. The fact that some of the NSA’s most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the “going dark” debate. But it won’t. It’s not safe, but many in the law enforcement community, in particular, are in denial about this.
These problems are not new. Hell, we’ve been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.