
# Fighting Spyware


### Introduction

If you use the Softpanorama spyware removal strategy, you can remove most types of spyware no matter how complex and sophisticated the infection method is. The only exception is encryption-based extortionware such as Cryptolocker (Win32/Crilock.A).

Yes, spyware can be complex, extremely annoying and obnoxious, as well as extremely difficult to remove (and the latest banking and data-encryption Trojans are a serious warning). Typically the period between the moment malware gets into your computer and the moment it is detected by the installed AV program can vary from hours to several weeks or even months. For some not very popular, regional (or highly specialized, "government sponsored", etc.) malware it can be years.

At the same time, while protection of a PC using a scanning AV program is never enough, paranoia about spyware is completely unwarranted. Despite the tremendous increase in spyware complexity and capabilities in recent years, restoration of the OS from a "healthy" C-drive image using a bootable CD created beforehand on another (non-infected) computer is a sure way to defeat even the most complex spyware. One important lesson that extortionware such as Cryptolocker (Win32/Crilock.A) taught is that there should always be two sets of backups (say A and B), and each week you should switch from one set to the other. Periodic backup to double-layer DVD also makes perfect sense if the size of your backup image is less than 8GB. A backup on a USB hard drive can be attacked; a backup on DVD is impenetrable after it was created. Another method to defeat attempts of data-encryption Trojans to destroy your backups is to move your current backup image daily via FTP or SCP to a different, Linux-based backup computer.
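The A/B rotation and the "attackable USB drive" point above can be made concrete in a small script. The following is an added example, not code from the original page: it picks the backup set by ISO week parity, verifies that an image on the drive still matches the SHA-256 digest recorded when it was written (which is how you notice that an encryption Trojan rewrote it), and builds the scp command for the off-site copy. The file naming scheme, the host name backup-host.example and the directory /srv/images are assumptions.

```python
"""Weekly A/B backup-set rotation with an integrity check on the stored image.

Added example; not code from the original page. Assumptions: images are
named <set>-<year>w<week>.img, the SHA-256 digest recorded when an image
was written is kept somewhere the backup drive cannot reach (e.g. on the
Linux backup host), and the off-site copy is made with scp.
"""
import datetime as dt
import hashlib
import hmac
import pathlib
import tempfile


def _as_date(day):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, dt.date) else dt.date.fromisoformat(day)


def backup_set_for(day):
    """Alternate between set A and set B by ISO week parity (odd weeks -> A)."""
    week = _as_date(day).isocalendar()[1]
    return "A" if week % 2 == 1 else "B"


def image_name(day):
    """File name for this week's image, e.g. A-2024w01.img."""
    year, week, _ = _as_date(day).isocalendar()
    return f"{backup_set_for(day)}-{year}w{week:02d}.img"


def sha256_of(path):
    """Stream the file through SHA-256 so multi-GB images do not load into RAM."""
    digest = hashlib.sha256()
    with pathlib.Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_digest):
    """True only if the image on the (attackable) USB drive still matches the
    digest recorded at write time; a ransomware-rewritten or truncated image
    fails. compare_digest avoids a timing side channel on the comparison."""
    path = pathlib.Path(path)
    if not path.is_file():
        return False
    return hmac.compare_digest(sha256_of(path), expected_digest.lower())


def scp_command(path, remote_host, remote_dir):
    """Build (not run) the scp invocation that moves the image to the Linux
    backup host; hand the list to subprocess.run once the image is verified."""
    return ["scp", "-p", str(path), f"{remote_host}:{remote_dir}/"]


def demo(day="2024-01-01"):
    """Write a constructed 'image', verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = pathlib.Path(tmp) / image_name(day)
        image.write_bytes(b"constructed C-drive image payload " * 1000)
        recorded = sha256_of(image)          # would be stored off the USB drive
        intact = verify_image(image, recorded)
        with image.open("r+b") as fh:        # simulate a few encrypted bytes
            fh.seek(10)
            fh.write(b"\xff\x00")
        tampered = verify_image(image, recorded)
    return {
        "set": backup_set_for(day),
        "image": image.name,
        "intact_before": intact,
        "intact_after_tamper": tampered,
        "scp": scp_command(image, "backup-host.example", "/srv/images"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest has to live somewhere the infected PC and its USB drive cannot write to, otherwise a Trojan that rewrites the image can rewrite the digest as well; the Linux backup host the page recommends is the natural place.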

This "backup-based disinfection" is a three-step approach. You can read about it at Softpanorama Malware Defense Strategy. Here are the contents:

Formally, spyware is any software which uses an Internet connection from your computer in the background (as a "backchannel"), operating without user knowledge or explicit permission. That definition actually includes a lot of modern commercial software. The presence of such a backchannel represents a simple way to detect even the most sophisticated spyware, and a TCP/IP sniffer is often an adequate tool for this. For example, you can switch to another computer (and periodic switching between computers is another good practice, as it keeps your "reference image" tested and up-to-date) and see what communications exist on your "old" PC or laptop for a week or so using sniffer logs. That actually greatly helps against "spyware paranoia" (NSA under each bed ;-).
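The sniffer-log comparison described above can be automated. The following is an added example, not code from the original page: it takes a week of connection records from the "old" PC and the same kind of records from the clean reference PC, reports destinations the reference machine never talked to, and separately flags destinations contacted at near-constant intervals, which is what a backchannel "calling home" on a timer looks like. The log line format and both logs are constructed for the example; export your own sniffer's connection list in this shape or adapt LINE_RE.

```python
"""Find backchannel traffic in sniffer connection logs (added example, not
from the original page). Input format is constructed: one line per
connection, '<ISO timestamp> <src>:<port> -> <dst>:<port> <proto>'."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

# Constructed logs. Baseline: the freshly restored reference PC doing the same
# work. Suspect: the "old" PC. 203.0.113.7 is contacted every 10 minutes.
BASELINE_LOG = """\
# reference machine
2024-03-04T09:01:13 192.168.1.10:50001 -> 93.184.216.34:443 tcp
2024-03-04T09:02:00 192.168.1.10:50002 -> 8.8.8.8:53 udp
2024-03-04T09:03:40 192.168.1.10:50003 -> 93.184.216.34:443 tcp
"""

SUSPECT_LOG = """\
2024-03-04T09:00:00 192.168.1.20:51000 -> 203.0.113.7:8080 tcp
2024-03-04T09:01:13 192.168.1.20:51001 -> 93.184.216.34:443 tcp
2024-03-04T09:02:00 192.168.1.20:51002 -> 8.8.8.8:53 udp
2024-03-04T09:03:40 192.168.1.20:51003 -> 93.184.216.34:443 tcp
2024-03-04T09:10:00 192.168.1.20:51004 -> 203.0.113.7:8080 tcp
2024-03-04T09:17:02 192.168.1.20:51005 -> 93.184.216.34:443 tcp
2024-03-04T09:18:55 192.168.1.20:51006 -> 93.184.216.34:443 tcp
2024-03-04T09:20:00 192.168.1.20:51007 -> 203.0.113.7:8080 tcp
2024-03-04T09:25:30 192.168.1.20:51008 -> 198.51.100.9:443 tcp
2024-03-04T09:30:00 192.168.1.20:51009 -> 203.0.113.7:8080 tcp
2024-03-04T09:40:00 192.168.1.20:51010 -> 203.0.113.7:8080 tcp
not a log line at all
"""


def parse_log(text):
    """Return [(timestamp, 'dst:port'), ...]; blank, comment and junk lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), f'{m["dst"]}:{m["port"]}'))
    return events


def periodic_destinations(events, min_hits=4, max_jitter=0.2):
    """Destinations contacted at near-constant intervals (beacon-like).
    Jitter is the coefficient of variation of the gaps between connections;
    a timer-driven backchannel has a CV close to 0, human browsing does not."""
    by_dst = defaultdict(list)
    for ts, dst in sorted(events):
        by_dst[dst].append(ts)
    hits = {}
    for dst, times in by_dst.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits[dst] = round(mean)          # period in seconds
    return hits


def unexpected_destinations(suspect_text, baseline_text):
    """Destinations absent from the reference PC's log, plus beacon-like ones."""
    events = parse_log(suspect_text)
    known = {dst for _, dst in parse_log(baseline_text)}
    new = sorted({dst for _, dst in events} - known)
    return {"new": new, "periodic": periodic_destinations(events)}


if __name__ == "__main__":
    report = unexpected_destinations(SUSPECT_LOG, BASELINE_LOG)
    print("not seen on reference PC:", report["new"])
    print("beacon-like (dst: period s):", report["periodic"])
```

A destination that is both new and periodic is the one to look at first; a new destination with a single connection is usually just the user clicking something the reference machine's owner did not. Run the same comparison again after restoring the image, and the list should be empty.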

Spyware is often connected with some way to get advertising revenue, propagate spam or similar things. In a few cases they try to steal and use your financial information (so-called banking Trojans). And in very rare cases they want to monitor your activities. In any case, spyware has now become mostly a "for profit" criminal business, and this type of criminal has enough money to pay developers and buy exploits. That means that each new generation of spyware is more sophisticated than previous generations of malware. Interest in this type of program from the NSA and other three-letter agencies does not help either: the methods they develop using government funds and highly paid developers are eventually revealed and then flow downhill from spooks to financial criminals. The story of the malware used to damage the Iranian uranium enrichment program is pretty instructive in this respect. See Duqu Trojan, Flame and Stuxnet for more information. Just those three advanced the "state of the art" of spyware development considerably, creating essentially a "new era" in malware (as in "before Stuxnet" and "after Stuxnet").

In any case we can safely assume that these days few spyware/adware programs are primitive and just use one Run key to launch themselves (so that removal of this key disinfects the computer).

Generally any use of an Internet "backchannel" connection should be preceded by a complete and truthful disclosure followed by the receipt of explicit, informed consent for such use. Often spyware is disguised as a useful utility (atomic clock, toolbar, free game or other useful utility). In this case the developer does not disclose that in addition to its openly stated function it is using the PC's Internet connection to send information about your activities, or even your data, to a third party. Typical collected information is the sites you visited (WeatherBug is one classic example).

Often spyware deliberately complicates its removal from the computer, or tries to reinstall itself by downloading missing components if one component is removed.

The spyware problem is not a pure Windows security problem; the situation is more complex. While the insecurity and architectural flaws of the Windows operating system are a problem that aids malware in general, the channel for spreading spyware is usually the Web, and specifically the Google search engine (which for some reason does not mark DNS names that are less than a month old; many "watering hole" spyware distribution sites belong to this category). We really need something for IE that blocks sites whose DNS name was registered less than a month or so ago. OpenDNS is an interesting option in this respect. Checking can be incorporated into DNS prefetching:

The DNS Prefetch addon for Firefox enables DNS Prefetching which is a method of resolving and caching DNS lookups before you actually click on a link. DNS prefetching just resolves domain names before a user tries to navigate, so that there will be no effective user delay due to DNS resolution. One example where prefetching can help is when a user is looking at a page with many links to various other domains, for instance a search results page.

With DNS Prefetching, Firefox automatically scans the content of each page looking for links, extracting the domain name from each link, and resolving each domain to an IP address. All this work is done in parallel with the user's reading of the page. When a user clicks on any of these pre-resolved names to visit a new domain, they save an average of over 250ms in navigation.
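The "block anything registered less than a month ago" idea above, and the advice further down the page to add suspicious sites to the hosts file, fit together in a small script. The following is an added example, not code from the original page or from OpenDNS: given a table of domain registration dates (which you would obtain from WHOIS lookups; here a constructed table), it picks the domains younger than the threshold and merges block entries into hosts-file text without duplicating or overriding entries that are already there. Reading and writing the actual hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) is left to the caller.

```python
"""Block domains younger than N days via hosts-file entries (added example,
not code from the page). Registration dates come from your own WHOIS
lookups; the table below is constructed."""
from datetime import date

BLOCK_ADDR = "0.0.0.0"
MARKER = "# blocked: domain younger than threshold"

SAMPLE_REGISTRATIONS = {            # constructed WHOIS creation dates
    "fresh-deal.example": "2024-03-01",
    "old-site.example": "2019-05-10",
    "Already-Blocked.example": "2024-03-02",
}

SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1 localhost
0.0.0.0 already-blocked.example   # earlier manual entry
"""


def _as_date(day):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def young_domains(registrations, today, min_age_days=30):
    """Lower-cased, sorted domains registered less than min_age_days ago.
    A registration date in the future (clock skew) counts as young too."""
    today = _as_date(today)
    return sorted(
        domain.lower()
        for domain, registered in registrations.items()
        if (today - _as_date(registered)).days < min_age_days
    )


def parse_hosts(text):
    """Map hostname -> address for every active (non-comment) hosts entry.
    The first mapping for a name wins, as resolvers read the file top-down."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        addr, *names = body.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def merge_block_entries(hosts_text, domains):
    """Append a block entry for each domain not already present. Existing
    lines, comments included, are kept verbatim and an existing mapping is
    never overridden, so running this twice changes nothing the second time."""
    existing = parse_hosts(hosts_text)
    lines = hosts_text.rstrip("\n").splitlines()
    added = []
    for domain in domains:
        domain = domain.lower()
        if domain in existing:
            continue
        lines.append(f"{BLOCK_ADDR} {domain} {MARKER}")
        existing[domain] = BLOCK_ADDR
        added.append(domain)
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    young = young_domains(SAMPLE_REGISTRATIONS, "2024-03-10")
    new_text, added = merge_block_entries(SAMPLE_HOSTS, young)
    print("young domains:", young)
    print("entries added:", added)
    print(new_text)
```

Because the merge is idempotent and never touches existing lines, it can run from a scheduled task on the trusted image without the risk of clobbering entries you added by hand; the marker comment makes the automatically added lines easy to find and remove later.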

Spyware is a more serious problem than just a simple annoyance. Your privacy is being invaded. That's why you should never store your tax and banking data on the PC you use for browsing the Internet. Use a separate PC. This additional $300 investment is probably the best investment we can make to protect ourselves from viruses and Trojans stealing our financial data. If you have enough technical knowledge you can use two different virtual machine images on the same computer. I also would not recommend storing copies of your bank account password in the browser. Spyware has the ability to install additional software on your machine without your consent that can download this information and decrypt it. Also, the mere fact that what you are doing on your computer is being watched by an unknown third party right now does not provide any comfort, although you need to understand that browsing the Internet is no longer an anonymous activity unless you use a VPN or similar methods. Now logs of all your visits are stored somewhere, at least temporarily, and usually not only of the sites that you visited. Advertising plugins such as those used by Google also store this information unless you disable JavaScript from running or block them in some other way. And advertising vendors have developed sophisticated methods to track your identity even if you disable or periodically destroy all cookies. Just try to change your browsing session from one computer to another and see that the advertising reflects your previous activity. Email spam and deceptive advertising of sites via Google or other search engines are still the major channels of penetration of spyware into PCs. Google search results are an especially nasty and effective channel. Be careful not to get into a "grey zone" site on the PC that you use for your daily work. If you can't live without browsing grey areas of the Internet, buy a Google Chromebook (such as the Acer C720 11.6" Chromebook) or an Android tablet and browse those areas exclusively from them, or install Ubuntu on one of your old PCs.

Using a different OS than Windows represents an additional layer of protection: most attacks are still directed toward Windows users and PCs with Intel-compatible CPUs and Windows XP, Windows 7 or Windows 10 installed. Using a different OS and/or CPU architecture gives you substantial additional protection via the "security through obscurity" effect. Spyware authors, like virus authors, look for a particular category of gullible and greedy users: despite all this bad experience some people just can't avoid clicking on "Get Kool Mouse Pointerz Here" or "Free Microsoft Office 2013" type links, either in search results or in email ;-). Using an email client that disables all "rich content" and hides attachments, such as Thunderbird, provides you with a free and effective layer of protection against such threats. An ounce of prevention is worth a pound of cure. Here are some potentially useful methods for those who are using the IE Internet browser:

1. Do not upgrade to versions of the Microsoft OS higher than Windows 7. After Windows 7 Microsoft itself went into the spyware business in full force; for example, now they want you to authenticate to your PC using a Hotmail account, which essentially gives them free information about when and how you use your PC. Although you can enhance your privacy using specific Windows 10 privacy settings (see for example "5 Tips to Increase Your Privacy With Windows 10" by Matthew Held, or just search "how to enhance windows 10 privacy" in any search engine you use), it is definitely more intrusive "by design" than Windows 7. Probably by at least a factor.

2. Treat your C drive as disposable. Learn to periodically wipe your Windows C drive and restore it from a "trusted" backup kept on a write-protected hard drive or USB drive. This idea of periodic wiping and reinstallation of a trusted image is a simple and very effective method of fighting complex spyware, including government-sponsored spyware. (As this would destroy the Microsoft brand, Microsoft brass will probably try to avoid allowing Microsoft updates to be used for installing government spyware, unless the case is connected with national security, which is a very broad notion these days; but government agencies, and not only them, can definitely use the update channels of other vendors: a typical Windows installation usually contains at least a dozen commercial programs, each with its own update channel, which can easily be compromised, making such a computer one big security hole no matter which AV program you use.) This method is especially attractive for small companies who do not have dedicated security staff to watch for Windows threats. It eliminates the need to spend money on commercial AV (the free Microsoft Security Essentials is "good enough" in this case). Also in this case you do not need to worry about the unending, stupid and dangerous patches of Adobe Reader and other crapware. Microsoft will reapply its patches, and if you use a drive other than C for your files there is not much to do after the reinstallation. Other patches can be ignored, as the shelf life of this instance is limited; if they are needed, apply them to the trusted image first. The minimal adjustments required can be scripted using PowerShell or whatever tool you are comfortable with.

3. Use two virtual instances of the OS, or at least two browsers, with Microsoft IE set to the high security level and used for browsing unknown sites. The key to protecting your browser against new web threats is disabling JavaScript and ActiveX. There are also some utilities that can enhance the level of security in this area, but I do not follow this area closely. Long ago Trend Micro USA provided Browser Guard, a free utility which used advanced heuristics and emulation technologies to detect JavaScript exploits; the latest version (2011) included detection enhancements for Web Trojans and for tracing infection chains. But it is better to disable JavaScript altogether for "grey areas" browsing, and using a virtual machine is a much better deal.

4. Use a DNS server that protects you from "new and hot" sites: many malware distribution sites are less than 6 months old despite the fact that they rank high in Google searches for certain keywords. Just blocking sites which are "younger" than six months stops a lot of Trojans cold. One possibility is OpenDNS.

5. Install a router-based firewall with an Internet filter, or the free K9 Web Protection. If you know Linux you can use a Linux-based router and tune it to prevent any re-infections.

6. If you have Linux know-how, install and use a squid proxy on a separate PC.

7. Practice a "separation of duties" policy with a cheap Chromebook laptop or a separate instance of the OS launched as a virtual machine. You can use the virtual machine capabilities of Windows 7, install a "disposable" version of Windows XP and do all the browsing in it. It does not prevent you from getting spyware (and encryption malware can still encrypt your data), but the 99% level achieved by wiping your "used" image is a good enough level to make this a worthwhile technique. If you know Linux you can use a Linux instance for browsing instead of XP. Linux has its own exploits, but it stops all Windows exploits dead without any patching. Both the GUI and the browser (Firefox) are quite usable. You can also downgrade your Windows to Windows 2000; modern exploits react badly to such an old version of the OS.

8. Never do "leisure" browsing from an account with admin privileges. Create yet another account and use only it for browsing the Web. When you browse unknown sites, run IE only under some regular user account that can't write to the registry (use the "Switch user" option; it's really fast and convenient, although most users have never tried it). Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run. You can configure UAC on your computer to meet your preferences.

9. Add all sites that you deem suspicious to the Restricted zone in IE. You can do it before clicking on the link in Google by creating a macro with a programmable keyboard such as the Logitech G510s gaming keyboard or the Sidewinder X4. If you detected spyware on your computer, before removal look at the network connections the computer uses and try to "cut off the oxygen" by adding the sites it accesses to the hosts file and to the Restricted zone. That might help to prevent re-infections.

10. If you install a trial version of software, use "Try and Forget" software to eliminate those guests, as they do not always deinstall themselves completely. Avoid "trial" versions, as they can overburden your computer with unnecessary or harmful components and might not de-install cleanly, presenting the same danger as spyware (a hidden channel to the vendor). There are a couple of vendors that provide a "try and forget" environment. One such environment is provided by the Acronis True Image Try&Decide feature: you can run your system in a special try mode with Try&Decide turned on. In this mode you can try out new applications or experiment with the system while being sure that you can always discard the changes made to the system and revert it to the state it was in just before turning on the Try&Decide mode. When you turn on the Try&Decide mode, the product activates a special Acronis driver, which starts reading all requests to the protected partition and forwards them to the storage location you have selected.

11. Install Microsoft Security Essentials, which is free and contains some real-time protection components. While this gives you a minimal level of protection, it is better than nothing and actually not much worse (and probably has fewer harmful components) than the paid versions of McAfee, Symantec and such. Being a mostly signature-based tool, like any signature-based tool it is not very effective and you can be infected with any spyware that is not yet in its database, but it is still better than nothing and in my opinion better than many commercial AV tools. Also, with time even new spyware becomes old and will be detected and hopefully correctly disinfected.

### High level of paranoia about spyware in mainstream press

Unless you are targeted by government agencies, spyware can be eliminated. If you use a separate PC for vital tasks, the chance of getting spyware on this "more secure" PC is really small. Using several virtual machines on an 8GB laptop is a no-brainer and also provides a reasonably high level of protection (many types of advanced spyware detect the presence of VM environments and refuse to run in them, fearing that they are being "watched"/analysed). Still there is a high level of paranoia about spyware in the mainstream press. Sometimes it reaches the really stupid level of "if your computer is infected, discard it and get a new one".
A pretty telling example of this paranoia was a NYT article by MATT RICHTEL and JOHN MARKOFF, "Corrupted PC's Find New Home in the Dumpster" (July 17, 2005). The main hero of this article (who claims to hold a PhD in computer science) demonstrates a simply amazing level of ignorance of the Windows OS (unless this was just a pretext to upgrade his old computer ;-).

SAN FRANCISCO, July 15 - Add personal computers to the list of throwaways in the disposable society. On a recent Sunday morning when Lew Tucker's Dell desktop computer was overrun by spyware and adware - stealth software that delivers intrusive advertising messages and even gathers data from the user's machine - he did not simply get rid of the offending programs. He threw out the whole computer. Mr. Tucker, an Internet industry executive who holds a Ph.D. in computer science, decided that rather than take the time to remove the offending software, he would spend $400 on a new machine.

He is not alone in his surrender in the face of growing legions of digital pests, not only adware and spyware but computer viruses and other Internet-borne infections as well. Many PC owners are simply replacing embattled machines rather than fixing them.

"I was spending time every week trying to keep the machine free of viruses and worms," said Mr. Tucker, a vice president of Salesforce.com, a Web services firm based here. "I was losing the battle. It was cheaper and faster to go to the store and buy a low-end PC."

In the face of a constant stream of pop-up ads, malfunctioning programs and performance slowed to a crawl or a crash - the hallmarks of spyware and adware - throwing out a computer "is a rational response," said Lee Rainie, director of the Pew Internet and American Life Project, a Washington-based research group that studies the Internet's social impact.

While no figures are available on the ranks of those jettisoning their PC's, the scourge of unwanted software is widely felt. This month the Pew group published a study in which 43 percent of the 2,001 adult Internet users polled said they had been confronted with spyware or adware, collectively known as malware. Forty-eight percent said they had stopped visiting Web sites that might deposit unwanted programs on their PC's.

Moreover, 68 percent said they had had computer trouble in the last year consistent with the problems caused by spyware or adware, though 60 percent of those were unsure of the problems' origins. Twenty percent of those who tried to fix the problem said it had not been solved; among those who spent money seeking a remedy, the average outlay was $129. By comparison, it is possible to buy a new computer, including a monitor, for less than $500, though more powerful systems can cost considerably more.

Meantime, the threats from infection continue to rise, and "the arms race seems to have tilted toward the bad guys," Mr. Rainie said.

The number of viruses has more than doubled in just the last six months, while the number of adware and spyware programs has roughly quadrupled during the same period, said Vincent Weafer, a senior director at Symantec, which makes the Norton computer security programs. One reason for the explosion, Symantec executives say, is the growth of high-speed Internet access, which allows people to stay connected to the Internet constantly but creates more opportunity for malicious programs to find their way onto machines.

Mr. Weafer said an area of particular concern was infections adept at burying themselves in a computer system so that the cleansing programs had trouble finding them. The removal of these programs must often be done manually, requiring greater technical expertise.

There are methods of protecting computers from infection through antivirus and spyware-removal software and digital barriers called firewalls, but those tools are far from being completely effective.

"Things are spinning out of control," said David Gelernter, a professor of computer science at Yale.

Mr. Gelernter said his own family's computer became so badly infected that he bought a new one this week. He said his two teenage sons were balking at spending the hours needed to scrub the old one clean of viruses, worms and adware.

Mr. Gelernter blames the software industry for the morass, noting that people are increasingly unwilling to take out their "software tweezers" to clean their machines.

Microsoft executives say they decided to enter the anti-spyware business earlier this year after realizing the extent of the problem.

"We saw that a significant percentage of crashes and other problems were being caused by this," said Paul Bryan, an executive in the company's security business unit. Windows XP Service Pack 2, an upgrade to the latest Windows operating system that has been distributed to more than 200 million computers, includes an automated malware removal program that has been used 800 million times this year, he said.

At least another 10 million copies of a test version of the company's spyware removal program have been downloaded. Yet Microsoft executives acknowledged that they were not providing protection for people who have earlier versions of the company's operating system. And that provides little comfort for those who must navigate the perils of cyberspace.

Terrelea Wong's old computer now sits beside her sofa in the living room, unused, except as a makeshift table that holds a box of tissues.

Ms. Wong, a physician at Kaiser Permanente Medical Center in South San Francisco, started getting a relentless stream of pop-up ads a year ago on her four-year-old Hewlett-Packard desktop computer. Often her entire screen would turn blue and urge her to "hit any key to continue." Sometimes the computer would freeze altogether.

After putting up with the problem for months, Ms. Wong said she decided last November that rather than fix her PC, she would buy a new one. Succumbing to the seduction of all the new bells and whistles, she spent $3,000 on a new Apple laptop.

She is instituting new rules to keep her home computer virus-free. "I've modified my behavior. I'm not letting my friends borrow my computer," she said, after speculating that the indiscriminate use of the Internet by her and her friends had led to the infection problems.

Peter Randol, 45, a stockbroker for Charles Schwab in Denver, is at his wits' end, too. His family's four-year-old Dell computer has not been the same since last year when they got a digital subscriber line for high-speed Internet access. Mr. Randol said the PC's performance has slowed, a result he attributes to dozens of malicious programs he has discovered on the computer. He has eliminated some of the programs, but error messages continue to pop up on his screen, and the computer can be agonizingly slow.

"I may have no choice but to buy a new one," he said, noting that he hopes that by starting over, he can get a computer that will be more impervious to infection.

Buying a new computer is not always an antidote. Bora Ozturk, 33, who manages bank branches in San Francisco, bought a $900 Hewlett-Packard computer last year only to have it nearly paralyzed three months ago with infections that he believes he got from visiting Turkish news sites.

He debated throwing the PC out, but it had pictures of his newborn son and all of his music files. He decided to fix it himself, spending 15 hours learning what to do, then saving all his pictures and music to a disk and then wiping the hard drive clean - the equivalent of starting over.

For his part, Mr. Tucker, the Salesforce.com executive, said the first piece of software he installed on the new machine two weeks ago was antivirus software. He does not want a replay of his frustrations the last month, when the attacks on his old machine became relentless.

"It came down to the simple human fact that maintaining the old computer didn't pay," he said.

If we assume that "Mr. Tucker, an Internet industry executive who holds a Ph.D." holds a Ph.D. in computer science, it is clear that he is either an idiot or a crook. With all due respect to this Ph.D. holder, I think that any holder of an associate or bachelor degree in computer science should be able to reinstall the Windows OS. Moreover, even a bachelor degree in computer science presupposes some interest in and level of understanding of OS internals and TCP/IP networking ;-).

But there is some rationale in this naive and deceptive NYT drivel: having a second computer helps to fight spyware. A used computer of decent quality can be bought for less than $200 on eBay. By having a second computer you can switch to it and continue your work instead of frantically trying to disinfect the current machine. Actually the blunders most damaging to your data are made not by viruses or Trojans but by users who try to fix the computer and do not fully understand the consequences of their actions. In a way the classic scenario of Sysadmin Horror Stories, which is so intimately known to any Unix sysadmin, is replayed here with a different OS and different players.

### Beware too greedy AV vendors

Beware AV vendors that try to create hysteria and profit from it. In my opinion both Symantec and McAfee lost track and use "gray" methods of increasing sales of their, generally speaking, mediocre products. Microsoft Security Essentials and other similar free AV programs, while far from perfect, are good enough for most users, and money spent on McAfee should generally be spent on buying better backup drives and such.

• #### Symantec transgressions

Spreading FUD is a classic method to increase sales. Of course, such behavior perfectly suits the job description of any senior director at Symantec. But this is a slightly skeptical site and we should know better than to believe the stupid FUD of Symantec weasels. The truth is that Symantec's behavior in some cases is very close to the behavior of spam vendors (Symantec employs scareware sales tactics, lawsuit charges - Computerworld):

The lawsuit, which was filed in a California federal court by lawyers representing Washington State resident James Gross, charged Symantec with deceptive business practices, fraud and other violations of state and federal laws. Gross took exception to the way Symantec promotes a trio of tools: PC Tools Registry Mechanic, PC Tools Performance Toolkit and Norton Utilities.

According to Gross, Symantec pitches those programs with a free diagnostic scan that consistently posts menacing warnings that the customer's PC needs maintenance. To fix all the problems, however, the user must pay for the software. Those are the same schemes used by "scareware" makers to con customers into forking over money for essentially worthless security software, said Gross. The paradox wasn't lost on Gross, who cited research on scareware programs from Symantec's own security research arm. "In what can only be described as supreme irony, or a clever attempt by Defendant to persuade customers to choose its own 'legitimate' computer utility software, the results of Symantec's research succinctly capture the fraud at issue in this lawsuit," said Gross' complaint.

They also were sued for automatically renewing subscriptions to Norton Antivirus. The New York Attorney General's office fined Symantec $375,000 for the practice and ordered it to give notice before renewing any subscription. Here is one customer letter (Symantec Corporation Complaint - Be Careful What You Order from Symantec - Norton Antivirus):

I recently ordered Norton Antivirus 2010 as a download from Symantec for 39.95 (or so I thought). A month later, my electronic bank statement revealed that Symantec had debited my account $140 in three separate transactions. Two debits were just double-bills for the 2010 Norton Antivirus and one was for an internet security package at $70, which I never ordered.

I went to a Symantec chatroom to complain, and the staffer immediately agreed to a full refund, no questions asked.

The catch is I won't get my money back for 5-10 business days. And the company removed all its software from my computer. Also, they immediately wanted a statement from me that I was satisfied with their customer support (forget about it!).

I did some research and learned this company has been sued for deceptive business practices in the past and recently paid a fine to the NY State Attorney General for renewing subscriptions without permission and charging debit/credit cards.

• #### McAfee transgressions.

McAfee is not much better than Symantec either. Here is the relevant info from Wikipedia:

In tests by Virus Bulletin and other independent consumer-organizations, McAfee virus scan has not fared well, frequently failing to detect some common viruses.[3]

A review of VirusScan 2006 by CNET criticized the product due to "pronounced performance hits in two of our three real-world performance tests"[4] and some users reviewing the same product reported encountering technical problems.[5]

Some older versions of the VirusScan engine use all available CPU cycles.[6]

As of 2009 McAfee virus-scanning products did not handle false positives well, repeatedly removing or quarantining known clean files even after the user restores them.[7]

Customer Support Criticisms

Reviewers have described customer support for McAfee products as lacking, with support staff slow to respond and unable to answer many questions.[9]

2010 Reboot Problem

On April 21, 2010, beginning approximately at 2 PM GMT, an erroneous virus definition file update from McAfee affected millions of computers worldwide running Windows XP Service Pack 3. The update resulted in the removal of a Windows system file (svchost.exe) on those machines, causing machines to lose network access and, in some cases, to enter a reboot loop. McAfee rectified this by removing and replacing the faulty DAT file, version 5958, with an emergency DAT file (version 5959) and has posted a fix for the affected machines in its consumer "KnowledgeBase".[11]

Generally, there are strange bedfellows in this spyware business. See "Jesse Willms Settles in Court with Google – a Google Win against the Scammers" (Strangely Perfect).

### Factory installed image as a spyware protection tool

Actually, cleaning spyware is not rocket science, as you can always restore the OS from a healthy image, or reinstall Windows and your software and then merge your data with this image.

In all, even the most complex, cases of spyware infection, reinstallation from a "healthy" disk image works perfectly well, and for anybody who is a professional in the field (and not a lazy misfit with a CS degree who has no backups and does not know what is installed on his/her computer) it should take less than an hour. I doubt that anyone can find a plausible case where you cannot clean spyware by reinstallation, but I encourage you to try and to submit such a case in a letter to the editor of Softpanorama.

Most vendors now provide a special partition with an image of the initially installed Windows 7 or Windows 8, as well as the software ordered with the PC, such as Microsoft Office (the factory install image). The manual always has a special chapter about restoring the image, with a description understandable to everybody with an average IQ ;-). If things are too bad, you can always call the vendor; they are quite helpful.

For those who assemble computers themselves the same idea works as well: they should be able to create an additional partition and an "initial image" using the free version of Acronis True Image (for Seagate and Western Digital drives) or any other similar utility.

### Signs that you are infected

Not all spyware produces signs that you are infected. For obvious reasons, banking Trojans do not.

But many other types of spyware do produce signs. If you are seeing new toolbars in your browser, excessive pop-ups, or your home page has been switched, or, more commonly, the PC became very slow or periodically reboots itself or crashes, chances are that you are infected. Other typical symptoms:

• Changed search results
• Changed advertisements on pages that you browse
• IE periodically crashes
• Computer freezes and the keyboard becomes unresponsive
• Loss of Internet connectivity

### Prominent groups of spyware

There are several prominent groups of spyware:

• Fake AV programs such as Antivirus System Pro and XP Antivirus 2012. These programs belong to the category of Trojans called scareware. This type of spyware masks itself as an AV product and is installed on your PC without your permission, usually via rogue Web sites that rank pretty high in certain Google searches (they buy AdWords from Google to achieve that status). After it infects your PC, this type of spyware produces fake reports about multiple infections found, to scare you into registering the product. An early example of this trend was Antivirus System Pro; a more recent example is XP Antivirus 2012. Again, it should be stressed that such a product is essentially an extortion scheme designed to exploit the fear of infection for financial gain. This is a big business, so expect more of the same. See "How Two Scammers Built an Empire Hawking Sketchy Software" by Benjamin Wallace, Wired Magazine (Wired.com).
• Remote access Trojans (RATs) are malware that provides a hidden channel of remote access to your computer's administrator (or equivalent) account, much like VNC (on which many of them are based), ssh or telnet. A computer that has covert remote control installed, about which the owner does not know, is called a zombie. Such Trojans often use rootkit technology to hide their presence. The set of such computers controlled from a single center is called a zombie network. Some publications suggest that there are millions of such computers in the world. This is a popular brand of malware with its own ecosystem that contains open source code which can serve as a template for new strains of malware (All copy and paste makes Jack a bored boy - Microsoft Malware Protection Center):

We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as TrojanSpy:Win32/SSonce.C (the sample also has a message for antivirus researchers, asserting that our job is monotonous and boring.)

Other backdoors that originate from the same source code are currently detected as Backdoor:Win32/Bezigate.A and Backdoor:Win32/Talsab.C, and Backdoor:Win32/Nosrawec.C. What we are seeing here is rampant use of copy/paste in the code. Because of this, all these spying families share common features, such as: reverse-connection to an attacker's server, plugins capable of file transfers, screen capture and anti-virus software disabling. Although the code is publicly available, there are some features, such as mouse/keyboard control, which are only available in private versions, as seen from the Facebook page of one of the authors.

The idea of hijacking somebody else's computer to use it as a storage or computational resource is as old as computing itself. The Morris worm was the first computer worm that propagated from one Unix machine to another by exploiting Unix vulnerabilities known at the time. Later there were several well-publicized cases of overseas hackers trying to get access (and succeeding) to university and research networks. See for example:

• Spyware oriented toward hijacking the results of Web searches and replacing advertisers. This is one of the oldest categories of spyware, distinguishable not so much by the method of installation as by the method they use to create a revenue stream for themselves. The oldest representative of this type of spyware is CWS (CoolWebSearch), a particularly nasty spyware that hijacks Web searches, the home page and Internet Explorer settings. Most of the Web sites that the home page is set to appear to have an affiliate relationship with coolwebsearch.com, in which coolwebsearch pays them for every visitor they refer. See Merijn.org/cwschronicles for a listing of the variants (several dozen). The main source of infections is probably installers located on hard-porn Web sites.

• Banking Trojans. The most common representatives of this category are data-stealing Trojans based on the Zeus toolkit. As a toolkit it can be used to carry out many malicious and criminal tasks, but it is most commonly used by criminal gangs to steal banking information using methods such as browser keystroke logging and form grabbing. It was also used to install the CryptoLocker ransomware.[1] Wikipedia also has an article on this topic: Zeus (Trojan horse).
• Ransomware. The most prominent representative of this category is the CryptoLocker Trojan (Win32/Crilock.A). It changed views on malware, antivirus programs and backup routines, and is one of the few Trojans/viruses that managed to get onto the front pages of major newspapers like the Guardian.
Unlike most Trojans, this one does not need admin access to inflict the most damage. It also targets backups of your data on USB and mapped network drives. If you offload your backups to cloud storage without versioning and the backup has an extension present in the list of extensions used by this Trojan, it destroys (i.e. encrypts) your "cloud" backups too. The key idea is to encrypt the user's data in a way that excludes the possibility of decryption without paying the ransom, so it is very effective in extorting money for the decryption key. Which you may or may not get, as the servers that can transmit it from the command and control center might already be blocked; still, the chances are reasonably high: the server names the Trojan connects to in order to get the public key change (daily?), and so far at least one server the Trojan "pings" is usually operational. So in many cases decryption was possible by paying; if you don't do so within three days the possibility of decrypting files is gone. It was discovered in early September 2013 (around September 9, when the domains used to reach the C&C center were registered, with the first description on September 10; see Trojan:Win32/Crilock.A). At the time most AV programs did not detect it. In other words, as in most cases of game-changing viruses in the past, the AV companies were caught with their pants down. Only in October 2013 were sufficiently robust signatures to detect and block it in memory deployed. The distribution methods of CryptoLocker were pretty traditional for malware: mail attachments, sites propped high in certain searches by buying Google AdWords, etc. See Cryptolocker Trojan (Win32/Crilock.A) for more information. A more general category of such Trojans is called destructive Trojans.
• Government-sponsored spyware. This category is similar to banking Trojans but is used for different purposes. Among the known Trojans belonging to this category are Flame and the Duqu Trojan. See Data Stealing Trojans for more information.

### Scanner based methods of detecting spyware

A free AV scanner such as Microsoft Security Essentials is a useful first layer of defense. It is easily breached and cannot be relied upon, but it is nevertheless unreasonable not to use free scanning software for detection. See Spyware Scanners. This is important because not all spyware has obvious signs or reveals itself by changing the behavior of the computer, of IE, or both. Businesses that want an inexpensive software tool to clean up a spyware infection on a one-time basis should use the free Microsoft Security Essentials, which, Windows-compatibility-wise, is better, not worse, than the expensive (and redundant) solutions from Symantec (junk), McAfee (semi-junk) and other AV vendors. As for spyware detection, they are all at best mediocre. You might be lucky or you might not, but generally it can take three or more months before they include the particular malware that infected your PC in their signature databases.

Microsoft provides a free spyware scanner (actually a 10-day copy of Microsoft Security Essentials) that I recommend trying first.

If a free scan detects suspicious files, or there are files in "C:\Documents and Settings\dell\Local Settings\Temp\" that you can't delete, you can use the free VirusTotal service, which lets you submit a sample and run it through more than two dozen AV engines. It produces useful results and is the best of the breed as of 2012.

AV vendors are just overhead caused by flaws in the design of Microsoft Windows. For example, the Microsoft program loader is junk: signing executables is an option (Authenticode), but it is rarely used (with Security set to High, no potentially dangerous content will be run, signed or unsigned). The ability to tell the source of a program in Windows is almost non-existent. System files are scattered in a really messy fashion and the Windows directory is a big mess. The registry is another mess, which provides a tremendous number of ways to launch rogue programs.

In any case, free spyware scanners are simple and yet effective against all but the most complex spyware. That is why they should be tried first. There are two prominent free spyware scanners (Ad-Aware and Spybot S&D). Spybot S&D usage is discussed on a separate page.

The main problem with spyware scanners is that spyware is repeating the path of file viruses: newer variants are designed with specific mechanisms to avoid detection by scanners (polymorphic spyware). One early example of this trend was the vx2 spyware (SAHAgent, aka Golden Retriever, ShopAtHome and ShopAtHomeSelect). Another early example was CoolWebSearch, or 'CWS' as many refer to it. With more than a hundred known variants, CWS has surpassed most other spyware in sophistication of infection and difficulty of removal.

In any case, it does not make sense to spend money on a commercial spyware scanner. It is better to buy a USB drive and a good backup tool like Acronis.

Please be aware that you need to check the reputation of a product before downloading it. Some spyware masks itself as an AV product and is installed on your PC without your permission. After that it produces fake reports about multiple infections found, to scare you into registering the product. An early example of this trend was Antivirus System Pro; a more recent example is XP Antivirus 2012. Such a product is essentially an extortion scheme designed to exploit the fear of infection for financial gain.

### Non-scanner-based Detection Strategies

While analyzing network traffic is the best way to detect spyware, non-scanner-based strategies for fighting spyware include several additional lines of defense:

1. HijackThis and similar tools, which can provide a useful baseline that includes an integrated list of relevant registry entries and a process map. Currently I do not know how to run it in batch mode (other than via Expect), but it is still the simplest way to create a useful baseline manually. If you are reading this page and do not yet have a problem, please create at least a process baseline; it may turn out to be extremely helpful in the future. You cannot overestimate the value of a baseline in fighting complex spyware beasts.

2. Integrity checkers that provide a snapshot of critical directories on your C drive after each reboot. There are several such directories, such as C:\Windows, C:\Windows\System32, etc.
3. Using an Internet proxy. Those with Linux skills can use the Squid proxy.
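As an added example, not code from Softpanorama or from any tool named above, a small Python integrity checker of the kind item 2 describes: it hashes every file under the given directories, stores the snapshot as JSON and reports what was added, removed or changed since the last run. The demo function works on constructed files in a temporary directory; the default roots are simply the two directories named above.

```python
"""Integrity baseline for critical directories (added example, not Softpanorama code).
Snapshot the SHA-256 of every file under the chosen roots, store it as JSON, and report
what was added, removed or changed since the previous snapshot (e.g. run at each boot)."""
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, Iterable, List

# Directories the page singles out; any other list of roots can be passed instead.
DEFAULT_ROOTS = [r"C:\Windows", r"C:\Windows\System32"]
UNREADABLE = "unreadable"  # marker for files that could not be opened (locked, no rights)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(roots: Iterable[str]) -> Dict[str, str]:
    """Map every regular file below the roots to its SHA-256 (or UNREADABLE)."""
    result: Dict[str, str] = {}
    for root in roots:
        for dirpath, _subdirs, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    continue  # the link target is hashed under its own path
                try:
                    result[full] = sha256_of_file(full)
                except OSError:
                    # Locked files still get an entry so their later change/removal shows.
                    result[full] = UNREADABLE
    return result


def diff(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; 'changed' means the hash differs for a path in both."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and old[p] != new[p]),
    }


def load_snapshot(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_snapshot(snap: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def demo_in_temp_dir() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then modify one file, delete one and drop
    in a new one, as an infection would. Returns the diff with paths relative to root."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed stand-ins for system files; only the names mimic real ones.
        write("kernel32.dll", b"original kernel32 contents")
        write("drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write("svchost.exe", b"original svchost contents")
        baseline = snapshot([root])

        write("drivers/etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        os.remove(os.path.join(root, "svchost.exe"))
        write("Temp/dropper.exe", b"unexpected new binary")
        report = diff(baseline, snapshot([root]))
        return {kind: [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
                for kind, paths in report.items()}


def main(argv: List[str]) -> int:
    """usage: integrity_baseline.py SNAPSHOT.json [ROOT ...]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    store, roots = argv[1], argv[2:] or DEFAULT_ROOTS
    current = snapshot(roots)
    if os.path.exists(store):
        for kind, paths in diff(load_snapshot(store), current).items():
            for p in paths:
                print(f"{kind}: {p}")
    else:
        print(f"baseline written to {store}")
    save_snapshot(current, store)  # the current state becomes the next baseline
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the snapshot file on removable or read-only media so the baseline itself cannot be silently rewritten by whatever you are trying to detect.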


## Old News ;-)

#### [Oct 11, 2017] Elite Hackers Stealing NSA Secrets Is 'Child's Play'

##### Like drone strikes they inflame anti-Americanism and have constrained U.S. foreign policy options in ways that civilian and military planners neither imagined nor anticipated.
###### Oct 11, 2017 | www.msn.com

The NSA's hackers have a problem.

Last week, multiple outlets reported that the NSA's elite Tailored Access Operations unit -- tasked with breaking into foreign networks -- suffered another serious data breach. The theft of computer code and other material by an employee in 2015 allowed the Russian government to more easily detect U.S. cyber operations, according to the Washington Post. It's potentially the fourth large scale incident at the NSA to be revealed in the last five years.

Now, multiple sources with direct knowledge of TAO's security procedures in the recent past tell The Daily Beast just how porous some of the defenses were to keep workers from stealing sensitive information -- either digitally or by simply walking out of the front door with it.

One source described removing data from a TAO facility as "child's play." The Daily Beast granted the sources anonymity to talk candidly about the NSA's security practices.

TAO is not your average band of hackers. Its operations have included digging into China's networks, developing the tools British spies used to break into Belgium's largest telecom, and hacking sections of the Mexican government. While other parts of the NSA may focus on tapping undersea cables or prying data from Silicon Valley giants, TAO is the tip of the NSA's offensive hacking spear, and could have access to much more sensitive information ripped from adversaries' closed networks. The unit deploys and creates sophisticated exploits that rely on vulnerabilities in routers, operating systems, and computer hardware the general population uses -- the sort of tools that could wreak havoc if they fell into the wrong hands.

That doesn't mean those tools are locked down, though. "TAO specifically had a huge amount of latitude to move data between networks," the first source, who worked at the unit after Edward Snowden's mega-leak, said. The former employee said TAO limited the number of USB drives -- which could be used to steal data -- after that 2013 breach, but he still had used several while working at TAO.

"Most operators knew how they could get anything they wanted out of the classified nets and onto the internet if they wanted to, even without the USB drives," the former TAO employee said.

A second source, who also worked at TAO, told The Daily Beast, "most of the security was your co-workers checking to see that you had your badge on you at all times."

The NSA -- and recently TAO in particular -- have suffered a series of catastrophic data breaches. On top of the Snowden incident and this newly-scrutinized 2015 breach, NSA contractor Hal Martin allegedly hoarded a trove of computer code and documents from the NSA and other agencies in the U.S. Intelligence Community. Martin worked with TAO, and he ended up storing the material in his car and residence, according to prosecutors. Like Snowden, Martin was a contractor and not an employee of the NSA, as was Reality Winner, who allegedly leaked a top-secret report about Russian interference in the U.S. election to news site The Intercept.

Then there's the incident now in the news. Israeli operatives broke into the systems of the Russian cybersecurity firm Kaspersky Lab, officials told The Washington Post. On those systems were samples of sophisticated NSA hacking tools; a TAO employee had brought them home and placed them on his home computer. That machine was running Kaspersky software, which allegedly sent the NSA tools back to Moscow.

It's not totally clear how the breach overlaps with any others, but in 2016, a group called The Shadow Brokers started publishing full NSA exploit and tool code. Various hackers went on to incorporate a number of the dumped exploits in their own campaigns, including some designed to break into computers and mine digital currency, as well as the WannaCry ransomware, which crippled tens of thousands of computers around the world. (A handful of other, smaller NSA-related disclosures, including a catalogue of TAO hacking gear from 2007 and 2008, as well as intelligence intercepts, were not attributed to the Snowden documents, and the public details around where that information came from are muddy.)

Although not a data breach per se, in 2015 Kaspersky publicly revealed details on the history and tools of the so-called Equation Group, which is widely believed to be part of the NSA. A third source, who worked directly with TAO, said the fallout from that exposure meant the hacking unit entered a "significant shutdown," and "ran on minimum ops for months."

Nevertheless, a report by the Defense Department's inspector general completed in 2016 found that the NSA's "Secure the Net" project -- which aimed to restrict access to its most sensitive data after the Snowden breach -- fell short of its stated aims. The NSA did introduce some improvements, but it didn't effectively reduce the number of user accounts with 'privileged' access, which provide more avenues into sensitive data than normal users, nor fully implement technology to oversee these accounts' activities, the report reads.

Physical security wasn't much better, at least at one TAO operator's facility. He told The Daily Beast that there were "no bag checks or anything" as employees and contractors left work for the day -- meaning, it was easy to smuggle things home. Metal detectors were present, including before Snowden, but "nobody cared what came out," the second source added. The third source, who visited TAO facilities, said bag checks were random and weak.

"If you have a thumb drive in your pocket, it's going to get out," they said.

Unsurprisingly, workers need to swipe keycards to access certain rooms. But, "in most cases, it's pretty easy to get into those rooms without swipe access if you just knock and say who you're trying to see," the third source added.

To be clear, The Daily Beast's sources described the state of security up to 2015 -- not today. Things may have improved since then. And, of course, the NSA and TAO do of course have an array of security protections in place. TAO operators are screened and people on campus are already going to have a high level clearance, some of the sources stressed. The part of the NSA network that TAO uses, and which contains the unit's tools, can only be accessed by those with a designated account, according to the source who worked with TAO. Two of the sources believed in the NSA's ability to track down where a file came from after a breach.

Indeed, the system TAO members use to download their hacking tools for operations has become more heavily audited over the years too, although the network did have a known security issue, in which users could make their own account and automatically gain access to additional information, the source who worked with TAO said.

"The NSA operates in one of the most complicated IT environments in the world," an NSA spokesperson told The Daily Beast in a statement. "Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies."

"We do not rely on only one initiative. Instead, we have undertaken a comprehensive and layered set of defensive measures to further safeguard operations and advance best practices," the spokesperson added.

The problem of securing this data from the inside is not an easy one to solve. If the NSA was to lock down TAO systems more ferociously, that could hamper TAO's ability to effectively build tools and capabilities in the first place, and two of the sources emphasised that excessive searches would likely create a recruiting problem for the agency. "It's not prison," one of the former TAO employees said.

"The security is all predicated on you having a clearance and being trusted," the source who has worked with TAO said.

"The system is just not set up to protect against someone with a clearance who is determined to go rogue," they added.

#### [Oct 05, 2017] Russian Hackers Stole NSA Data on U.S. Cyber Defense by Gordon Lubold, Shane Harris

##### "... Write to Gordon Lubold at Gordon.Lubold@wsj.com and Shane Harris at shane.harris@wsj.com ..."
###### Oct 05, 2017 | www.msn.com

The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.

The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government. The company, which sells its antivirus products in the U.S., had revenue of more than half a billion dollars in Western Europe and the Americas in 2016, according to International Data Corp. By Kaspersky's own account it has more than 400 million users world-wide.

The revelation comes as concern over Russian infiltration of American computer networks and social media platforms is growing amid a U.S. special counsel's investigation into whether Donald Trump's presidential campaign sought or received assistance from the Russian government. Mr. Trump denies any impropriety and has called the matter a "witch hunt."

Intelligence officials have concluded that a campaign authorized by the highest levels of the Russian government hacked into state election-board systems and the email networks of political organizations to damage the candidacy of Democratic presidential nominee Hillary Clinton.

A spokesman for the NSA didn't comment on the security breach. "Whether the information is credible or not, NSA's policy is never to comment on affiliate or personnel matters," he said. He noted that the Defense Department, of which the NSA is a part, has a contract for antivirus software with another company, not Kaspersky.

In a statement, Kaspersky Lab said it "has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation."

Kremlin spokesman Dmitry Peskov in a statement didn't address whether the Russian government stole materials from the NSA using Kaspersky software. But he criticized the U.S. government's decision to ban the software from use by U.S. agencies as "undermining the competitive positions of Russian companies on the world arena."

The Kaspersky incident is the third publicly known breach at the NSA involving a contractor's access to a huge trove of highly classified materials. It prompted an official letter of reprimand to the agency's director, Adm. Michael Rogers, by his superiors, people familiar with the situation said.

Adm. Rogers came into his post in 2014 promising to staunch leaks after the disclosure that NSA contractor Edward Snowden the year before gave classified documents to journalists that revealed surveillance programs run by the U.S. and allied nations.

The Kaspersky-linked incident predates the arrest last year of another NSA contractor, Harold Martin, who allegedly removed massive amounts of classified information from the agency's headquarters and kept it at his home, but wasn't thought to have shared the data.

Mr. Martin pleaded not guilty to charges that include stealing classified information. His lawyer has said he took the information home only to get better at his job and never intended to reveal secrets.

The name of the NSA contractor in the Kaspersky-related incident and the company he worked for aren't publicly known. People familiar with the matter said he is thought to have purposely taken home numerous documents and other materials from NSA headquarters, possibly to continue working beyond his normal office hours.

The man isn't believed to have wittingly worked for a foreign government, but knew that removing classified information without authorization is a violation of NSA policies and potentially a criminal act, said people with knowledge of the breach.

It is unclear whether he has been dismissed from his job or faces charges. The incident remains under federal investigation, said people familiar with the matter.

Kaspersky software once was authorized for use by nearly two dozen U.S. government agencies, including the Army, Navy and Air Force, and the departments of Defense, State, Homeland Security, Energy, Veterans Affairs, Justice and Treasury.

NSA employees and contractors never had been authorized to use Kaspersky software at work. While there was no prohibition against these employees or contractors using it at home, they were advised not to before the 2015 incident, said people with knowledge of the guidance the agency gave.

For years, U.S. national security officials have suspected that Kaspersky Lab, founded by a computer scientist who was trained at a KGB-sponsored technical school, is a proxy of the Russian government, which under Russian law can compel the company's assistance in intercepting communications as they move through Russian computer networks.

Kaspersky said in its statement: "As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."

Suspicions about the company prompted the Department of Homeland Security last month to take the extraordinary step of banning all U.S. government departments and agencies from using Kaspersky products and services. Officials determined that "malicious cyber actors" could use the company's antivirus software to gain access to a computer's files, said people familiar with the matter.

The government's decision came after months of intensive discussions inside the intelligence community, as well as a study of how the software works and the company's suspected connections to the Russian government, said people familiar with the events. They said intelligence officials also were concerned that given the prevalence of Kaspersky on the commercial market, countless people could be targeted, including family members of senior government officials, or that Russia could use the software to steal information for competitive economic advantage.

"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," the DHS said Sept. 13 in announcing the government ban.

All antivirus software scans computers looking for malicious code, comparing what is on the machine to a master list housed at the software company. But that scanning also gives makers of the software an inventory of what is on the computer, experts say.

"It's basically the equivalent of digital dumpster diving," said Blake Darché, a former NSA employee who worked in the agency's elite hacking group that targets foreign computer systems.

Kaspersky is "aggressive" in its methods of hunting for malware, Mr. Darché said, "in that they will make copies of files on a computer, anything that they think is interesting." He said the product's user license agreement, which few customers probably read, allows this.

"You're basically surrendering your right to privacy by using Kaspersky software," said Mr. Darché, who is chief security officer for Area 1, a computer security company.

"We aggressively detect and mitigate malware infections no matter the source and we have been proudly doing it for 20 years," the company said in its statement. "We make no apologies for being aggressive in the battle against malware and cybercriminals."

U.S. investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky's software provided of what files were suspected on the contractor's computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The breach illustrates the chronic problem the NSA has had with keeping highly classified secrets from spilling out, former intelligence personnel say. They say they were rarely searched while entering or leaving their workplaces to see if they were carrying classified documents or removable storage media, such as a thumb drive.

The incident was considered so serious that it was given a classified code name and set off alarms among top national security officials because it demonstrated how the software could be used for spying. Members of Congress also were informed, said people familiar with the matter.

Then-Defense Secretary Ash Carter and then-Director of National Intelligence James Clapper pushed President Barack Obama to remove Adm. Rogers as NSA head, due in part to the number of data breaches on his watch, according to several officials familiar with the matter.

The NSA director had fallen out of White House favor when he traveled to Bedminster, N.J., last November to meet with president-elect Donald Trump about taking a job in his administration, said people familiar with the matter. Adm. Rogers didn't notify his superiors, an extraordinary step for a senior military officer, U.S. officials said.

Adm. Rogers wasn't fired for a number of reasons, including a pending restructuring of the NSA that would have been further complicated by his departure, according to people with knowledge of internal deliberations. An NSA spokesman didn't comment on efforts to remove Adm. Rogers.

Write to Gordon Lubold at Gordon.Lubold@wsj.com and Shane Harris at shane.harris@wsj.com

#### [Oct 01, 2017] Are you being watched? FinFisher government spy tool found hiding as WhatsApp and Skype

##### "... The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software. ..."
###### Oct 01, 2017 | www.ibtimes.co.uk

Legitimate downloads of popular software including WhatsApp, Skype and VLC Player are allegedly being hacked at an internet service provider (ISP) level to spread an advanced form of surveillance software known as "FinFisher", cybersecurity researchers warn.

FinFisher is sold to global governments and intelligence agencies and can be used to snoop on webcam feeds, keystrokes, microphones and web browsing. Documents, previously published by WikiLeaks, indicate that one tool called "FinFly ISP" may be linked to the case.

The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE). In March this year, the company attended a security conference sponsored by the UK Home Office.

This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – packaging real downloads with spyware.

Companies hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that "virtually any application could be misused in this way."

When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool. The stealthy infection process was described as being "invisible to the naked eye." The seven countries were not named for security reasons, Eset said.

WhatsApp and VLC Player did not respond to request for comment by the time of publication. A Microsoft spokesperson, referencing the Skype infections, told IBTimes UK: "Windows Defender antivirus cloud protection already automatically identifies and blocks the malware." "For non-cloud customers, we've deployed signatures to protect against this in our free antivirus software," the statement added.

An Avast spokesperson said: "Attackers will always focus on the most prominent targets. Wrapping official installers of legitimate apps with malware is not a new concept and we aren't surprised to see the PC apps mentioned in this report. What's new is that this seems to be happening at a higher level. We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."

The latest version of FinFisher was spotted with new customised code which kept it from being discovered, what Eset described as "tactical improvements." Some tricks, it added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools. One such application was Threema, a secure messaging service.

"The geographical dispersion of Eset's detections of FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option," the team said. "One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn't hard to implement from a technical perspective," Filip Kafka, a malware researcher at Eset, told IBTimes UK. "Since we have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilised in the monitoring of citizens in the affected countries."

Breaking encryption has become a major talking point of governments around the world, many of which conduct bulk communications collection. Politicians argue, often without evidence, that software from companies such as WhatsApp has become a burden on terror probes.

One WikiLeaks document on FinFly ISP touted its ability to conduct surveillance at an ISP level. The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software." It added that it "can be installed on an internet service provider's network" and listed one use case when it was previously deployed by an unnamed intelligence agency. Eset found that all affected targets within one of the countries were using the same ISP.
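The defender's counter to an installer being patched on the wire is to verify what arrived against a digest the publisher lists out of band. The following script is an added example written for this page, not code from the IBTimes article, Eset, Gamma Group or any vendor named above; it parses a `sha256sum`-style manifest, hashes the downloaded bytes and compares the two in constant time. The installer bytes, the tampered copy and the manifest text are constructed sample data, and the manifest is derived from the genuine bytes only so that the example runs offline.

```python
"""Verify a downloaded installer against a publisher-provided SHA-256 manifest.

Added example for this page, not code from the article or from any vendor
it names.  A file altered in transit no longer matches the digest the
publisher lists out of band (HTTPS page, signed release note, or a
sha256sum-style manifest).  All inputs below are constructed sample data.
"""
import hashlib
import hmac

# Constructed sample: a "genuine" installer and a copy patched in transit.
# The patch keeps the size identical, so a size check alone would not notice.
GENUINE = b"MZ-sample-installer\x00ORIGINAL-PAYLOAD" * 64
TAMPERED = GENUINE.replace(b"ORIGINAL-PAYLOAD", b"PATCHED!-PAYLOAD")


def sha256_hex(data, chunk=1 << 16):
    """SHA-256 of a byte string, hashed in chunks as a real file would be."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def parse_manifest(text):
    """Parse `<hex digest>  <filename>` lines (sha256sum output) into a dict.

    Blank lines and '#' comments are skipped.  A line without the two-space
    separator or with a digest of the wrong length is rejected, so a
    truncated or garbled manifest cannot silently verify nothing.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError("malformed manifest line: %r" % raw)
        # sha256sum prefixes binary-mode entries with '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(name, data, manifest):
    """Return (ok, reason).  The digest comparison is constant-time."""
    if name not in manifest:
        return False, "no published checksum for %s" % name
    actual = sha256_hex(data)
    if hmac.compare_digest(actual, manifest[name]):
        return True, "sha256 matches published value"
    return False, "sha256 mismatch: got %s, expected %s" % (actual, manifest[name])


# In real use this text is fetched from the publisher, never from the same
# download being checked.  Here it is built from the constructed genuine
# bytes so the example runs offline.
MANIFEST_TEXT = "# constructed manifest\n%s  *installer.exe\n" % sha256_hex(GENUINE)


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    for label, blob in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, verify_download("installer.exe", blob, manifest))
```

The manifest must come over a channel the attacker on the download path does not control; if the checksum page is fetched over the same plain-HTTP path as the installer, both can be rewritten together, which is why signed manifests or HTTPS-only checksum pages matter more than the hash itself.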

#### [Sep 25, 2017] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)

##### "... Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017.[12] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine) ..."
###### Jun 04, 2017 | turcopolier.typepad.com
Gordon Wilson , 31 May 2017 at 09:39 PM
Colonel I have refrained from any posting anywhere for any reason for months, but since the discussion seems to turn to decryption so often I thought you might be interested in knowing about network management systems built into Intel and AMD based machines for years, https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
Hardware-based management does not depend on the presence of an OS or locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems.[6] AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus, the system administrator who uses it) access to the PC down the wire, in order to remotely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.[1][3][7]
...
Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017.[12] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine) .[13][14]
I think our second O in OODA is getting fuzzed if we don't consider some of the observations found in "Powershift" by Toffler as well.

The point is that many Intel and AMD based computers can be and have been owned by various governments and groups for years, and at this level have access to any information on these machines before the encryption software is launched to encrypt any communications.

If this known software management tool is already on board, then extrapolating Toffler's chipping warning to unannounced or unauthorized by various actors, one begins to see where various nation states have gone back to typewriters for highly sensitive information, or are building their own chip foundries, and writing their own operating systems and TCP/IP protocols, and since these things are known knowns, one would not be too far fetched in assuming the nation state level players are communicating over something entirely different than you and I are using. How that impacts the current news cycle, and your interpretation of those events, I leave to your good judgment.

I would urge all of my fellow Americans, especially those with a megaphone, to also take care that we are not the subject of the idiom divide and conquer instead of its master. To that end I think the concept of information overload induced by the internet may in fact be part of the increasing polarization and information bubbles we see forming with liberals and conservatives. This too fuzzes the second O in OODA and warps the D and thus the A, IMHO.

#### [Sep 24, 2017] Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments

###### Sep 24, 2017 | apple.slashdot.org

(macrumors.com) Posted by BeauHD on Friday September 22, 2017 @10:05PM from the remote-control dept.

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.

#### [Sep 24, 2017] Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss

###### Sep 24, 2017 | tech.slashdot.org

(theguardian.com) Posted by msmash on Friday September 22, 2017 @02:41PM from the up-next dept.

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibility for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

#### [Sep 24, 2017] Popular Chrome Extension Embedded A CPU-Draining Cryptocurrency Miner

###### Sep 24, 2017 | slashdot.org

(bleepingcomputer.com) Posted by EditorDavid on Saturday September 23, 2017 @02:34PM from the yours-and-mining dept.

An anonymous reader writes: SafeBrowse, a Chrome extension with more than 140,000 users, contains an embedded JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent. The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use. Looking at the SafeBrowse extension's source code, anyone can easily spot the embedded Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site. The extension's author claims he was "hacked" and the code added without his knowledge.
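The report says the miner is plain to see in the extension's source; the script below automates that reading for an unpacked extension directory. It is an added example written for this page, not the SafeBrowse code, the Bleeping Computer analysis or Coinhive's library. "Coinhive" and "CryptoNight" are the indicators the report names; the other two indicator strings and the sample extension files are assumptions constructed for the example.

```python
"""Scan an unpacked browser extension for an embedded cryptocurrency miner.

Added example for this page, not the SafeBrowse code or Coinhive's library.
Every .js, .html and .json file is searched line by line for indicator
strings; "coinhive" and "cryptonight" come from the report, the rest are
assumed indicators.  The sample extension is constructed data.
"""
import os

# Indicator -> why it matters.  Matching is case-insensitive.
MINER_INDICATORS = {
    "coinhive": "reference to the Coinhive in-browser miner (named in the report)",
    "cryptonight": "CryptoNight hashing used by Monero-style miners (named in the report)",
    "coin-hive.com": "Coinhive service domain (assumed indicator)",
    "miner.start(": "start call of Coinhive-style miner objects (assumed indicator)",
}

SCANNED_SUFFIXES = (".js", ".html", ".json")

# Constructed sample extension: a manifest, a bundled library stub, a
# background script carrying a miner, and an innocent popup script.
SAMPLE_EXTENSION = {
    "manifest.json": '{"name": "SampleBrowse", "version": "1.0",\n'
                     ' "background": {"scripts": ["lib.js", "bg.js"]}}\n',
    "lib.js": "/* placeholder for a bundled library */\n",
    "bg.js": "chrome.runtime.onInstalled.addListener(function () {});\n"
             "var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER');\n"
             "miner.start();\n",
    "popup.js": "document.getElementById('go').onclick = function () {};\n",
}


def scan_files(files):
    """Return a list of (filename, line_number, indicator, reason) hits.

    `files` maps a relative path to the file's text; files are visited in
    sorted order so the report is stable.
    """
    hits = []
    for name in sorted(files):
        if not name.lower().endswith(SCANNED_SUFFIXES):
            continue
        for lineno, line in enumerate(files[name].splitlines(), 1):
            lowered = line.lower()
            for needle, reason in MINER_INDICATORS.items():
                if needle in lowered:
                    hits.append((name, lineno, needle, reason))
    return hits


def load_extension_dir(root):
    """Read an unpacked extension directory into the mapping scan_files expects."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for fname in names:
            if fname.lower().endswith(SCANNED_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return files


def summarize(hits):
    """Sorted list of files that contained at least one indicator."""
    return sorted({name for name, _line, _needle, _reason in hits})


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_EXTENSION):
        print("%s:%d  %-14s %s" % hit)
```

On a real machine, point `load_extension_dir` at the unpacked extension folder under the browser profile and pass the result to `scan_files`; a hit in a background script is the pattern the report describes, since background pages run continuously and can keep the CPU busy without any visible tab.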

#### [Sep 22, 2017] U.S. ban on Russian software may stoke mistrust of cyber firms

##### "... "If you're China, if you're Russia, do you want to run American-built stuff? Probably not," Clark said at a presentation hosted by the Center for Cyber & Homeland Security at The George Washington University. ..."
###### McClatchy Washington Bureau
The Trump administration's ban on the use of a Russian cybersecurity firm's software is heightening suspicion worldwide that private internet firms might be in league with their home governments, an industry leader said Wednesday.

The Trump administration last week told U.S. government agencies to remove Kaspersky Lab products from their networks, citing alleged ties between officials at Moscow-based Kaspersky and Russian intelligence. Non-government entities and individuals may still use Kaspersky products.

But whether Russia retaliates or not, mistrust of the cybersecurity field has risen, and U.S. adversaries are likely to avoid U.S.-built software, believing that U.S. intelligence agencies may have special access, Greg Clark, chief executive of Symantec, said Wednesday.

"If you're China, if you're Russia, do you want to run American-built stuff? Probably not," Clark said at a presentation hosted by the Center for Cyber & Homeland Security at The George Washington University.

#### [Sep 19, 2017] CCleaner hack affects 2.27 million computers! Here's what to do

###### Sep 19, 2017 | www.msn.com

Computer-optimization software is supposed to keep your computer running smoothly. Well, in this case, maybe not so much. Monday, the company that makes CCleaner, Avast's Piriform, announced that their free software was infected with malware. If you use CCleaner, here's what you need to know.

What does the malware do?

It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server. Your credit card numbers, social security number and the like seem to be safe.

"Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done," said the company in the announcement.

Who was infected?

According to Piriform, around 3 percent -- roughly 2.27 million computers -- used the infected software. Specifically, computers running 32-bit Windows 10. If that applies to you, don't panic. The company believes that they were able to disarm the malware before any harm was done.

How do I know if I have the corrupted version?

The versions that were affected are CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 for 32-bit Windows PCs. The Android version for phones doesn't seem to be affected.

If you've updated your software since September 12, you should be okay. This is when the new, uncorrupted version was released. Also, if you have the Cloud version, it should have automatically updated itself by now to the clean version.

I don't use the cloud version. What should I do?

CCleaner v5.33.6162 does not update on its own, so if you use the non-cloud version you may have the corrupted software. Piriform recommends deleting your current version and downloading a clean version from their website.

After you have your new software downloaded, run a check on your system using malware protection software to be sure that CCleaner didn't leave any nasty invader behind.
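For anyone responsible for more than one machine, the questions above become an inventory triage: which installs carry the two affected builds, and what each one needs. The script below is an added example for this page, not Piriform's or Avast's tooling; the affected builds and the remediation steps are exactly those the article states, while the inventory records (hosts, versions, the `x86`/`x64` architecture labels) are constructed sample data that in practice would come from an asset database or endpoint agent.

```python
"""Triage a software inventory for the trojanised CCleaner builds.

Added example for this page, not vendor tooling.  Affected builds and
remediation steps are those stated in the article: CCleaner v5.33.6162
and CCleaner Cloud v1.07.3191 on 32-bit Windows; delete and reinstall the
non-Cloud version, let Cloud self-update, then run a malware scan.
Inventory records are constructed sample data; 'x86' means 32-bit.
"""
import re

# Affected builds as (major, minor, build) tuples, from the article.
AFFECTED = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v5.33.6162' or '1.07.3191' into a comparable integer tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def classify(product, version, arch):
    """Return (status, action) for one installed copy.

    status is 'affected', 'same-build-64bit', 'clean', 'outdated' or
    'unknown-product'.
    """
    if product not in AFFECTED:
        return "unknown-product", "not a CCleaner product; nothing to do"
    installed = parse_version(version)
    bad = AFFECTED[product]
    if installed == bad:
        if arch == "x86":
            if product == "CCleaner Cloud":
                action = "confirm it has self-updated to the clean build, then run a malware scan"
            else:
                action = "delete this copy, download a clean build from the vendor site, then run a malware scan"
            return "affected", action
        return ("same-build-64bit",
                "build number matches but the advisory lists only 32-bit; update and scan anyway")
    if installed > bad:
        return "clean", "newer than the affected build; no action"
    return "outdated", "older than the affected build, not the trojanised release; update as routine"


def triage(inventory):
    """Group inventory records by status.

    Each record is a dict with host, product, version and arch keys; the
    result maps status -> list of (host, action).
    """
    groups = {}
    for rec in inventory:
        status, action = classify(rec["product"], rec["version"], rec["arch"])
        groups.setdefault(status, []).append((rec["host"], action))
    return groups


# Constructed sample inventory (hosts and non-affected version numbers are
# made up for the example).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "CCleaner", "version": "v5.33.6162", "arch": "x86"},
    {"host": "ws-02", "product": "CCleaner", "version": "v5.34.6207", "arch": "x86"},
    {"host": "ws-03", "product": "CCleaner Cloud", "version": "1.07.3191", "arch": "x86"},
    {"host": "ws-04", "product": "CCleaner", "version": "v5.33.6162", "arch": "x64"},
    {"host": "ws-05", "product": "CCleaner", "version": "v5.32.6129", "arch": "x86"},
    {"host": "ws-06", "product": "7-Zip", "version": "16.04", "arch": "x64"},
]


if __name__ == "__main__":
    for status, entries in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status)
        for host, action in entries:
            print("  %-6s %s" % (host, action))
```

Version strings are compared as integer tuples rather than as text so that `5.34.6207` sorts after `5.33.6162` and `1.07.3191` parses as build 3191 of 1.7; a plain string comparison would get the Cloud build wrong.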

#### [Sep 16, 2017] ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines

##### "... The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed. ..."
###### Sep 16, 2017 | yro.slashdot.org

Posted by BeauHD on Monday September 11, 2017

AmiMoJo shares a report from Schneier on Security:

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines:

"Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.

UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device.

The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed."

#### [Sep 16, 2017] BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices

##### "... Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. ..."
###### Sep 16, 2017 | mobile.slashdot.org

(bleepingcomputer.com) BeauHD on Tuesday September 12, 2017

An anonymous reader quotes a report from Bleeping Computer:

Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device.

They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading Bluetooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

Consumers are advised to disable Bluetooth unless they need to use it, and to turn it off again immediately afterwards.

When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).

#### [Sep 16, 2017] Equifax Lobbied For Easier Regulation Before Data Breach

##### "... The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and$1.02 million, respectively, on lobbying activities. ..."
###### Sep 16, 2017 | politics.slashdot.org

(wsj.com) Posted by msmash on Tuesday September 12, 2017

#### [Jul 11, 2017] Author of Original Petya Ransomware Publishes Master Decryption Key

###### Jul 08, 2017 | yro.slashdot.org

An anonymous reader writes: The author of the original Petya ransomware -- a person/group going by the name of Janus Cybercrime Solutions -- has released the master decryption key of all past Petya versions. This key can decrypt all ransomware families part of the Petya family except NotPetya,

Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data. Experts believe that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation to avoid further scrutiny, or being accused of launching NotPetya.

#### [Jul 08, 2017] Russia Behind Cyber-attack, Says Ukraine's Security Service

##### Slashdot has degenerated into a primitive anti-Russian propaganda site
###### Jul 03, 2017 | politics.slashdot.org

tinkerton ( 199273 ) , Monday July 03, 2017 @05:19PM ( #54738011 )

Re:The Russians ate my homework... ( Score: 4 , Insightful)

The article's central message is plausible: Russia running a cyberwar against Ukraine and at the same time trying to build up knowhow. But at the same time the author knows that he can write anything about Russia and it will be believed. At the same time the story is part of a large anti-Russia and anti Trump campaign.

I don't keep track so I don't have a lot of links ready but I know the news about a Russian cyberattack on a US power plant was bogus. Russian hacking of the DNC was bogus. Russian-Trump links are bogus. Russian hacking of the French elections was bogus. But these debunkings only come through very slowly. On the other side there is a barrage of claims that is so overwhelming nobody can begin to debunk them.

And I see good reasons why the Democrats and the military industrial complex prefer to have high tensions with Russia and why they want to blame Russia for the failed elections. And I see why the press goes along with it.

And I think that whatever Russia is doing (a lot less than claimed, but certainly a lot of business as usual nasty stuff) it's a good idea to improve the ties with them rather than deteriorate them. That is my opinion about policy. That it's in the West's interest. I also think they're open for chances for improvement, at least as long as Putin is there.

But look at this thread. It's almost unanimous against Russia. Any outsider looking here without any knowledge of the situation would know, this is bad. It means no good thinking will come out of it (there are more reasons for that though). It also means propaganda is still very effective here and now.

So the article of the topic here may have a good degree of truth, but it's all part of an anti-Russian frenzy which I think is a very bad idea.

Here's a new link about a lot of the hacking stories. It covers quite some ground. I'd have to dig for the rest. The ones I mentioned are some I'm pretty certain of although one can debate how convincing the proof is. https://consortiumnews.com/201... [consortiumnews.com]

I didn't discuss Trump. I'd like to get rid of him but I'm convinced the current campaign to link him to Russia is extremely dishonest. He's right about that. Maybe he'll go down because in his efforts to stop them he'll do something very illegal. Or maybe he'll stay in power because he made the right friends. The Saudis and the weapons manufacturers for instance. Then all that the anti Russia campaign will have achieved is to give us the worst of both worlds. Thanks for cooperating everyone.

bogaboga ( 793279 ) , Monday July 03, 2017 @01:17PM ( #54736005 )
Wow...wait a moment... ( Score: 2 )
Russia Behind Cyber-attack, Says Ukraine's Security Service

I think it's premature to jump to such conclusions since we know that our very own CIA has also been implicated...

Vault 7 [wikileaks.org] and more. [wired.com]

atomlib ( 2618043 ) writes: on Monday July 03, 2017 @01:05PM ( #54735925 ) Homepage
Russian companies were hit by that Petya thing ( Score: 1 , Troll)

Whatever it was, that Petya thing hit a bunch of Russian companies as well. For example, it hit Russia's top oil providers Rosneft and Bashneft. Some of them suffered quite a bit. Invitro, a nationwide network of private medical laboratories, temporarily ceased sample collection due to the cyberattack.

qaz123 ( 2841887 ) writes: on Monday July 03, 2017 @02:42PM ( #54736649 )
Ukraine says... ( Score: 1 )

Of course Ukraine would say that, whether it's true or not. Because that hurts Russia and that's what Ukraine wants now.

Re:The only true security is renewables ( Score: 2 ) by tinkerton ( 199273 ) writes: on Monday July 03, 2017 @05:24PM ( #54738061 )

Because we don't fear the bear.

Exactly. When we're enthusiastically demonizing some party it means we're not scared of them. There have been exceptions, but that's long ago.

#### [Jul 04, 2017] Foisting Blame for Cyber-Hacking on Russia by Gareth Porter

##### "... Russian intelligence certainly has an interest in acquiring intelligence related to the likely outcome of American elections, but it would make no sense for Russia's spies to acquire personal voting information about 90,000 registered voters in Illinois. ..."
###### Jul 04, 2017 | original.antiwar.com
Cyber-criminal efforts to hack into U.S. government databases are epidemic, but this ugly reality is now being exploited to foist blame on Russia and fuel the New Cold War hysteria

Recent hearings by the Senate and House Intelligence Committees reflected the rising tide of Russian-election-hacking hysteria and contributed further to it. Both Democrats and Republicans on the two committees appeared to share the alarmist assumptions about Russian hacking, and the officials who testified did nothing to discourage the politicians.

On June 21, Samuel Liles, acting director of the Intelligence and Analysis Office's Cyber Division at the Department of Homeland Security, and Jeanette Manfra, acting deputy under secretary for cyber-security and communications, provided the main story line for the day in testimony before the Senate committee - that efforts to hack into election databases had been found in 21 states.

Former DHS Secretary Jeh Johnson and FBI counterintelligence chief Bill Priestap also endorsed the narrative of Russian government responsibility for the intrusions on voter registration databases.

But none of those who testified offered any evidence to support this suspicion nor were they pushed to do so. And beneath the seemingly unanimous embrace of that narrative lies a very different story.

The Department of Homeland Security (DHS) has a record of spreading false stories about alleged Russian hacking into US infrastructure, such as the tale of a Russian intrusion into the Burlington, Vermont electrical utility in December 2016 that DHS later admitted was untrue. There was another bogus DHS story about Russia hacking into a Springfield, Illinois water pump in November 2011.

So, there's a pattern here. Plus, investigators, assessing the notion that Russia hacked into state electoral databases, rejected that suspicion as false months ago. Last September, Assistant Secretary of DHS for Cybersecurity Andy Ozment and state officials explained that the intrusions were not carried out by Russian intelligence but by criminal hackers seeking personal information to sell on the Internet.

Both Ozment and state officials responsible for the state databases revealed that those databases have been the object of attempted intrusions for years. The FBI provided information to at least one state official indicating that the culprits in the hacking of the state's voter registration database were cyber-criminals.

Illinois is the one state where hackers succeeded in breaking into a voter registration database last summer. The crucial fact about the Illinois hacking, however, was that the hackers extracted personal information on roughly 90,000 registered voters, and that none of the information was expunged or altered.

The Actions of Cybercriminals

That was an obvious clue to the motive behind the hack. Assistant DHS Secretary Ozment testified before the House Subcommittee on Information Technology on Sept. 28 ( at 01:02.30 of the video ) that the apparent interest of the hackers in copying the data suggested that the hacking was "possibly for the purpose of selling personal information."

Ozment's testimony provides the only credible motive for the large number of states found to have experienced what the intelligence community has called "scanning and probing" of computers to gain access to their electoral databases: the personal information involved – even e-mail addresses – is commercially valuable to the cybercriminal underworld.

That same testimony also explains why so many more states reported evidence of attempts to hack their electoral databases last summer and fall. After hackers had gone after the Illinois and Arizona databases, Ozment said, DHS had provided assistance to many states in detecting attempts to hack their voter registration and other databases.

"Any time you more carefully monitor a system you're going to see more bad guys poking and prodding at it," he observed, " because they're always poking and prodding." [Emphasis added]

State election officials have confirmed Ozment's observation. Ken Menzel, the general counsel for the Illinois Secretary of State, told this writer, "What's new about what happened last year is not that someone tried to get into our system but that they finally succeeded in getting in." Menzel said hackers "have been trying constantly to get into it since 2006."

And it's not just state voter registration databases that cybercriminals are after, according to Menzel. "Every governmental data base – driver's licenses, health care, you name it – has people trying to get into it," he said.

Arizona Secretary of State Michele Reagan told Mother Jones that her I.T. specialists had detected 193,000 distinct attempts to get into the state's website in September 2016 alone and 11,000 appeared to be trying to "do harm."

Reagan further revealed that she had learned from the FBI that hackers had gotten a user name and password for their electoral database, and that it was being sold on the "dark web" – an encrypted network used by cyber criminals to buy and sell their wares. In fact, she said, the FBI told her that the probe of Arizona's database was the work of a "known hacker" who had been closely monitored "frequently."

James Comey's Role

The sequence of events indicates that the main person behind the narrative of Russian hacking state election databases from the beginning was former FBI Director James Comey. In testimony to the House Judiciary Committee on Sept. 28, Comey suggested that the Russian government was behind efforts to penetrate voter databases, but never said so directly.

Comey told the committee that FBI Counterintelligence was working to "understand just what mischief Russia is up to with regard to our elections." Then he referred to "a variety of scanning activities" and "attempted intrusions" into election-related computers "beyond what we knew about in July and August," encouraging the inference that it had been done by Russian agents.

The media then suddenly found unnamed sources ready to accuse Russia of hacking election data even while admitting that they lacked evidence. The day after Comey's testimony ABC headlined, "Russia Hacking Targeted Nearly Half of States' Voter Registration Systems, Successfully Infiltrating 4." The story itself revealed, however, that it was merely a suspicion held by "knowledgeable" sources.

Similarly, an NBC News headline announced, "Russians Hacked Two US Voter Databases, Officials Say." But those who actually read the story closely learned that none of the unnamed sources it cited were actually attributing the hacking to the Russians.

It didn't take long for Democrats to turn the Comey teaser - and these anonymously sourced stories with misleading headlines about Russian database hacking - into an established fact. A few days later, the ranking Democrat on the House Intelligence Committee, Rep. Adam Schiff declared that there was "no doubt" Russia was behind the hacks on state electoral databases.

On Oct. 7, DHS and the Office of the Director of National Intelligence issued a joint statement that they were "not in a position to attribute this activity to the Russian government." But only a few weeks later, DHS participated with the FBI in issuing a "Joint Analysis Report" on "Russian malicious cyber activity" that did not refer directly to scanning and spearphishing aimed at state electoral databases but attributed all hacks related to the election to "actors likely associated with RIS [Russian Intelligence Services]."

Suspect Claims

But that claim of a "likely" link between the hackers and Russia was not only speculative but highly suspect. The authors of the DHS-ODNI report claimed the link was "supported by technical indicators from the US intelligence community, DHS, FBI, the private sector and other entities." They cited a list of hundreds of I.P. addresses and other such "indicators" used by hackers they called "Grizzly Steppe" who were supposedly linked to Russian intelligence.

But as I reported last January, the staff of Dragos Security, whose CEO, Rob Lee, had been the architect of a US government system for defense against cyber attack, pointed out that the vast majority of those indicators would certainly have produced "false positives."

Then, on Jan. 6 came the "intelligence community assessment" – produced by selected analysts from CIA, FBI and National Security Agency and devoted almost entirely to the hacking of e-mail of the Democratic National Committee and Hillary Clinton's campaign chairman John Podesta. But it included a statement that "Russian intelligence obtained and maintained access to elements of multiple state or local election boards." Still, no evidence was offered for this alleged link between the hackers and Russian intelligence.

Over the following months, the narrative of hacked voter registration databases receded into the background as the drumbeat of media accounts about contacts between figures associated with the Trump campaign and Russians built to a crescendo, albeit without any actual evidence of collusion regarding the e-mail disclosures.

But a June 5 story brought the voter-data story back into the headlines. The story, published by The Intercept, accepted at face value an NSA report dated May 5, 2017, that asserted Russia's military intelligence agency, the GRU, had carried out a spear-phishing attack on a US company providing election-related software and had sent e-mails with a malware-carrying Word document to 122 addresses believed to be local government organizations.

But the highly classified NSA report made no reference to any evidence supporting such an attribution. The absence of any hint of signals intelligence supporting its conclusion makes it clear that the NSA report was based on nothing more than the same kind of inconclusive "indicators" that had been used to establish the original narrative of Russians hacking electoral databases.

A Checkered History

So, the history of the US government's claim that Russian intelligence hacked into election databases reveals it to be a clear case of politically motivated analysis by the DHS and the Intelligence Community. Not only was the claim based on nothing more than inherently inconclusive technical indicators but no credible motive for Russian intelligence wanting personal information on registered voters was ever suggested.

Russian intelligence certainly has an interest in acquiring intelligence related to the likely outcome of American elections, but it would make no sense for Russia's spies to acquire personal voting information about 90,000 registered voters in Illinois.

When FBI Counterintelligence chief Priestap was asked at the June 21 hearing how Moscow might use such personal data, his tortured effort at an explanation clearly indicated that he was totally unprepared to answer the question.

"They took the data to understand what it consisted of," said Priestap, "so they can affect better understanding and plan accordingly in regards to possibly impacting future election by knowing what is there and studying it."

In contrast to that befuddled non-explanation, there is highly credible evidence that the FBI was well aware that the actual hackers in the cases of both Illinois and Arizona were motivated by the hope of personal gain.

Gareth Porter, an investigative historian and journalist specializing in US national security policy, received the UK-based Gellhorn Prize for journalism for 2011 for articles on the U.S. war in Afghanistan. His new book is Manufactured Crisis: the Untold Story of the Iran Nuclear Scare. He can be contacted at porter.gareth50@gmail.com. Reprinted from Consortium News with the author's permission.


#### [Jul 01, 2017] Hacks Raise Fear Over N.S.A.'s Hold on Cyberweapons

##### "... "When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have - and the greatest fear is one of miscalculation, that something unintended can happen," Mr. Panetta said. ..."
###### Jul 01, 2017 | www.nytimes.com

Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States - Britain and Ukraine.

The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons.

But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

Though the original targets of Tuesday's attacks appear to have been government agencies and businesses in Ukraine, the attacks inflicted enormous collateral damage, taking down some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state-owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted for FedEx stock.

"When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have - and the greatest fear is one of miscalculation, that something unintended can happen," Mr. Panetta said.

#### [Jun 30, 2017] The world's most reprehensible newspaper, The New York Times, is quick to blame the ransomware attack which crippled computers in Ukraine on Russia.

##### "... Washington Post ..."
###### Jun 30, 2017 | marknesop.wordpress.com
marknesop, June 28, 2017 at 10:57 pm

The world's most reprehensible newspaper, The New York Times, is quick to blame the ransomware attack which crippled computers in Ukraine on Russia. Never mind the evidence; Ukrainians say Russia did it, and Ukrainians never lie. Moreover, they say it was Russia because just a couple of days ago a senior government official was blown up in a car bomb attack, and that was Russia, so they probably did this, too. QED.

Curiously enough, another Times story from just a little over a month ago reported a near-identical attack, which it said was executed using malicious software 'stolen' from the NSA's tickle trunk.

Uh huh. Sure it was. And Cisco Systems is right there in Kiev, 'helping' Ukraine pin down the origin of the attack.

For what it's worth, one of our favouritest authors, Molly McKew – at the Washington Post, the world's second-most-reprehensible newspaper – quickly makes the connection between Shapoval's murder and Russia, which she says is the wide assumption of experts.

#### [Jun 30, 2017] The first target of the attack: M.E.Doc, a Ukrainian company that develops tax accounting software; the malware initially spread through a system updater process

###### Jun 30, 2017 | www.msn.com

While there are still plenty of unknowns regarding Petya, security researchers have pinpointed what they believe to be the first target of the attack: M.E.Doc, a Ukrainian company that develops tax accounting software.

The initial attack took aim at the software supply chain of the tax software M.E.Doc, which then spread through a system updater process that carried malicious code to thousands of machines, including those of companies that do business in Ukraine.

#### [Jun 28, 2017] New computer virus spreads from Ukraine to disrupt world business

##### Small sum of money demanded might suggest Ukrainian origin, as $300 is big money in this country impoverished by the Maydan coup d'état.
###### Jun 28, 2017 | www.msn.com

U.S. delivery firm FedEx Corp said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China's Cofco. The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.

Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.

While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May's WannaCry attack.

Security researchers said Tuesday's virus could leap from computer to computer once unleashed within an organisation but, unlike WannaCry, it could not randomly trawl the internet for its next victims, limiting its scope to infect.

Businesses that installed Microsoft's latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected. A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country. ... ... ...

Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has a logistics unit in Ukraine.

Other large firms affected, such as French construction materials company Saint Gobain and Mondelez International Inc, which owns chocolate brand Cadbury, also have operations in the country.

Maersk was one of the first global firms to be taken down by the cyber attack and its operations at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S. west coast were disrupted.

Other companies to succumb included BNP Paribas Real Estate , a part of the French bank that provides property and investment management services.

"The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack," the bank said on Wednesday.

Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.

Russia's Rosneft, one of the world's biggest crude producers by volume, said on Tuesday its systems had suffered "serious consequences" but oil production had not been affected because it switched to backup systems. (Additional reporting by Helen Reid in London, Teis Jensen in Copenhagen, Maya Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John O'Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv and Noor Zainab Hussain in Bangalore; writing by Eric Auchard and David Clarke; editing by David Clarke)

#### [Jun 28, 2017] Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World

##### "... ( a non-paywalled source ) ..."
###### Jun 28, 2017 | it.slashdot.org

Posted by msmash on Tuesday June 27, 2017

A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world.

From a report:

A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late 2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement.

BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland." According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A.


News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well.


#### [Jun 28, 2017] Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid

(vice.com) Posted by msmash on Tuesday June 27, 2017 @04:41PM

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."

#### [Jun 28, 2017] Petya Ransomware Outbreak Originated In Ukraine Via Tainted Accounting Software

###### Jun 28, 2017 | tech.slashdot.org

An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers.

When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe, causing huge damage, M.E.Doc denied on Facebook that its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.

#### [Jun 28, 2017] Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

###### Jun 28, 2017 | telegraph.co.uk

Ransomware is 2016 programme 'Petya'

Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency has told Reuters. "There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail. It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016. Russia's top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.

3:48PM 'A multi-pronged attack'

"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," said Allan Liska, a security analyst at Recorded Future.

"There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine)."

#### [Jun 28, 2017] Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

###### Jun 28, 2017 | marknesop.wordpress.com

Moscow Exile, June 27, 2017 at 11:42 am

Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

Huge cyber attack cripples firms, airports, banks and government departments in Ukraine
Hack may have spread to Britain, with the advertising firm WPP affected
Danish and Spanish multinationals also paralysed by attack
Michael Fallon warns UK could respond to cyber attacks with military force

The Defence Secretary has said the UK would be prepared to retaliate against future cyber attacks using military force such as missile strikes. He warned cyber attacks against UK systems "could invite a response from any domain – air, land, sea or cyberspace".

Tough guy, huh? What a tosser! Blah, blah, fucking-blah.

And the firm where I was working this afternoon, MSD Pharmaceuticals, has been down all day. That's in Moscow. In Russia. Anyone said "Putin done it!" yet?

Moscow Exile, June 27, 2017 at 11:46 am

Comment to same story in the Independent:

This story was being reported as an attack on Ukraine alone by this a- wipe earlier today (and Russia were being put in the frame for it). The attack was always a global one and indeed many Russian companies have been hit – but of course the 1% want the world to believe it is all down to the Russian government.

Add to that bit of knowledge – the extra bits of knowledge that the 1% are all buying up properties in New Zealand all of a sudden – and the US are suddenly pushing hard against the Syrian government, notwithstanding the fact that Russia are allied to Syria and Iran in their fight against terrorism (i.e. the US). Can you all now see what is going on in the minds of those that would rule the world?

Moscow Exile, June 27, 2017 at 1:52 pm

Kremlin says its computers not affected by hacker attack

Well there you are, then! The Kremlin must have been behind the attacks. Stands to reason, don't it?

marknesop, June 27, 2017 at 3:50 pm

Actually, they blame North Korea for it, although that seems pretty unlikely to me and is more likely just capitalizing on an event to do a little bashing. Why is Fallon only prepared to respond militarily to the next attack? Why not this one? Come on, Mikey, get your finger out! What're they paying you for?

kirill, June 27, 2017 at 6:58 pm

Trash talking chihuahua.

#### [Jun 28, 2017] Huge ransomware outbreak spreads in Ukraine and beyond • The Register

###### tech.slashdot.org

Updated A huge ransomware outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries. Check out our full analysis of the software nasty, here.

Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and hijacks the Master Boot Record to ensure it starts before the operating system on infected Windows PCs. Early reports suggest the malware is spreading by network shares and email, but this remains unconfirmed.

The outbreak is centred on, but not confined to, Ukraine. Victims in Spain, France and Russia have also been reported. Victims include Ukrainian power distribution outfit Ukrenergo, which said the problem is confined to its computer network and is not affecting its power supply operations, Reuters reports.

Other victims include Oschadbank, one of Ukraine's largest state-owned lenders. Global shipping outfit Maersk Group is also under the cosh. Hackers behind the attack are demanding $300 (payable in Bitcoin) to unlock each computer. It's easy to ascribe any computing problem in Ukraine to Russia because of the ongoing conflict between the two countries, but the culprits behind the latest attack are just as likely to be cybercriminals as state-sponsored saboteurs, judging by the evidence that's emerged thus far.

"While ransomware can be (and has been) used to cover other attacks, I think it's wise to consider Ukraine attack cybercriminal for now," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. ®

Updated at 1500 UTC to add: Allan Liska, intelligence architect at Recorded Future, said the attack has multiple components, including an attack to steal login credentials as well as trash compromised computers.

"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," Liska said. "The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older version of Petya are well-known for their viciousness, rather than encrypt select files Petya overwrote the master boot record on the victim machine, making it completely inoperable)."

There is some speculation that, like WannaCrypt, this attack is being spread using the EternalBlue exploit, which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine). "Our threat intelligence also indicated that we are now starting to see US victims of this attack," according to Liska.

There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan that extracts usernames and passwords from compromised computers. This means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion, according to Recorded Future.

Updated at 1509 UTC to add: Reg sources from inside London firms have been notifying us that they've been infected. We were sent this screenshot (cropped to protect the innocent) just minutes ago:

#### [Jun 24, 2017] Obama Ordered Cyberweapons Implanted Into Russia's Infrastructure by Jason Ditz

###### Jun 23, 2017 | news.antiwar.com

Former Official: Implants Designed to 'Cause Them Pain and Discomfort'

A new report from the Washington Post today quoted a series of Obama Administration officials reiterating their official narrative on Russia's accused hacking of the 2016 election. While most of the article is simply rehashes and calls for sanctions, they also revealed a secret order by President Obama in the course of "retaliation" for the alleged hacking.

This previously secret order involved having US intelligence design and implant a series of cyberweapons into Russia's infrastructure systems, with officials saying they are meant to be activated remotely to hit the most important networks in Russia and are designed to "cause them pain and discomfort."

The US has, of course, repeatedly threatened "retaliatory" cyberattacks against Russia, and promised to knock out broad parts of their economy in doing so. These appear to be the first specific plans to actually infiltrate Russian networks and plant such weapons to do so.

Despite the long-standing nature of the threats, by the end of Obama's last term in office this was all still in the "planning" phases. It's not totally clear where this effort has gone from there, but officials say that the intelligence community, once given Obama's permission, did not need further approval from Trump to continue on with it, and he'd have actually had to issue a countermanding order, something they say he hasn't.

The details are actually pretty scant on how far along the effort is, but the goal is said to be for the US to have the ability to retaliate at a moment's notice the next time they have a cyberattack they intend to blame on Russia.

Unspoken in this lengthy report, which quotes unnamed former Obama Administration officials at length advocating the effort, is that in reporting that such a program exists, they have tipped off Russia about the threat.

This is, however, reflective of the priority of the former administration, which is to continue hyping allegations that Russia got President Trump elected, a priority high enough to sacrifice what was supposed to be a highly secretive cyberattack operation.

#### [Jun 17, 2017] Fileless malware targeting US restaurants went undetected by most AV

###### Jun 17, 2017 | arstechnica.com
Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.

FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it's using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file were written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file wasn't visible to any of the 56 most widely used AV programs, according to a VirusTotal query conducted earlier this month.

"FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable," Morphisec Vice President of Research and Development Michael Gorelik wrote. "The analysis of this attack shows, how easy it is for them to bypass static, dynamic and behavior based solutions. These attacks pose a severe risk to enterprises."

Anatomy of an infection

The tallest order of the attack is convincing a target to exit Protected View, since Word provides a prominent notice warning of the risks. In the event that the target is tricked into double-clicking on an icon promising to unlock the document contents, however, obfuscated JavaScript copies malicious code into two separate files stored in two separate directories. Then the malicious code in the first file creates a scheduled Windows task that executes the code in the second file one minute later. By breaking the code into two files and delaying the execution, the attack chain bypasses most behavior-analysis protections because the second stage isn't directly triggered by the first stage.

The process then largely repeats, with second-stage JavaScript triggering a first-stage PowerShell process that then performs a second-stage PowerShell process. The latter process injects shellcode that's derived in part using domain name system queries.

"This shellcode iterates over process environment block and looks immediately for dnsapi.dll name (xor 13) and its DnsQueryA function," Gorelik explained. "Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior based solutions."

The attack isn't the first to generate PowerShell scripts based on DNS requests. Cisco Systems' Talos Threat Research Group saw something similar in March . FIN7's ongoing campaign against restaurants suggests the technique won't be going away anytime soon.
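The chain Morphisec describes above (Office document, JavaScript dropper, scheduled task, a second stage launched a minute later, PowerShell pulling its payload over DNS) defeats detections that only follow parent/child process relationships, because the Task Scheduler, not the dropper, starts stage two. The correlation below is an added example, not Morphisec's or Ars Technica's code: it assumes Sysmon-style process-creation and DNS-query events, re-links the stages through the scheduled task's recorded action, and then measures DNS volume from the launched subtree; every log line, path, task name and domain in it is constructed.

```python
"""Correlate the delayed two-stage chain (Office app -> script host -> scheduled task ->
scheduler launches stage 2 later -> PowerShell -> DNS lookups) in Sysmon-style events."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}  # processes that launch scheduled tasks

# Constructed sample log, one event per line: ts|kind|pid|ppid|image|parent|detail
SAMPLE_LOG = r"""
2017-06-08T14:02:11|proc|4312|3980|C:\Windows\System32\wscript.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|wscript.exe //e:jscript C:\Users\u\AppData\Local\Temp\stage1.txt
2017-06-08T14:02:12|proc|4320|4312|C:\Windows\System32\schtasks.exe|C:\Windows\System32\wscript.exe|schtasks.exe /create /tn "Update-Check" /tr "wscript.exe //e:jscript C:\ProgramData\stage2.txt" /sc once /st 14:03
2017-06-08T14:02:40|proc|4390|2210|C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|wscript.exe C:\Tools\logon.vbs
2017-06-08T14:03:00|proc|4411|1044|C:\Windows\System32\wscript.exe|C:\Windows\System32\svchost.exe|wscript.exe //e:jscript C:\ProgramData\stage2.txt
2017-06-08T14:03:01|proc|4420|4411|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>
2017-06-08T14:03:02|proc|4431|4420|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -c <SCRIPT_PLACEHOLDER>
2017-06-08T14:03:03|dns|4431|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||0001.stage.example-c2.invalid
2017-06-08T14:03:03|dns|4431|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||0002.stage.example-c2.invalid
2017-06-08T14:03:04|dns|4431|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||0003.stage.example-c2.invalid
2017-06-08T14:03:04|dns|4431|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||0004.stage.example-c2.invalid
2017-06-08T14:03:05|dns|4431|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||0005.stage.example-c2.invalid
2017-06-08T14:04:10|dns|2210|0|C:\Windows\explorer.exe||www.example.com
"""

@dataclass
class Event:
    ts: datetime
    kind: str     # "proc" (Sysmon EID 1) or "dns" (Sysmon EID 22)
    pid: int
    ppid: int
    image: str    # lower-cased file name, e.g. "wscript.exe"
    parent: str   # lower-cased parent file name ("" for dns events)
    detail: str   # command line for proc, queried name for dns

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, ppid, image, parent, detail = line.split("|", 6)
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), int(ppid),
                            _basename(image), _basename(parent), detail))
    return sorted(events, key=lambda e: e.ts)

def _descendants(root_pid, procs):
    """All pids in the process subtree rooted at root_pid (root included)."""
    children = {}
    for e in procs:
        children.setdefault(e.ppid, set()).add(e.pid)
    seen, stack = {root_pid}, [root_pid]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def find_delayed_chains(events, max_delay=timedelta(minutes=10), dns_threshold=5):
    """One finding per Office->script->schtasks chain whose task the scheduler later ran."""
    procs = [e for e in events if e.kind == "proc"]
    dns = [e for e in events if e.kind == "dns"]
    findings = []
    for dropper in procs:  # stage 1: a script host spawned by an Office application
        if dropper.image not in SCRIPT_HOSTS or dropper.parent not in OFFICE_APPS:
            continue
        stage1_tree = _descendants(dropper.pid, procs)
        for task in procs:  # stage 1b: schtasks /create issued from inside that subtree
            if task.image != "schtasks.exe" or task.ppid not in stage1_tree:
                continue
            name = re.search(r'/tn\s+"?([^"\s]+)"?', task.detail, re.I)
            action = re.search(r'/tr\s+"([^"]+)"', task.detail, re.I)
            if not (name and action and re.search(r"/create\b", task.detail, re.I)):
                continue
            action_cmd = action.group(1).lower()
            for stage2 in procs:
                # Stage 2 is started by the scheduler, not by stage 1, so a parent/child
                # view never links them; match the task's recorded action instead.
                delay = stage2.ts - task.ts
                if not (stage2.parent in TASK_HOSTS and action_cmd in stage2.detail.lower()
                        and timedelta(0) <= delay <= max_delay):
                    continue
                stage2_tree = _descendants(stage2.pid, procs)
                queries = [d.detail for d in dns if d.pid in stage2_tree]
                zones = {q.split(".", 1)[-1] for q in queries}
                findings.append({
                    "task_name": name.group(1),
                    "dropper_pid": dropper.pid,
                    "stage2_pid": stage2.pid,
                    "delay_seconds": int(delay.total_seconds()),
                    "dns_queries": len(queries),
                    "dns_zones": sorted(zones),
                    # many distinct labels under a single zone: payload staged over DNS
                    "dns_staging_suspected": len(queries) >= dns_threshold and len(zones) == 1,
                })
    return findings
```

Running `find_delayed_chains(parse_log(SAMPLE_LOG))` yields one finding for task `Update-Check` with a 48-second gap between task creation and launch, while the unrelated wscript.exe started from explorer.exe is left alone.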

#### [Jun 17, 2017] Dear AV provider: Do you enable NSA spying? Yours, EFF

###### Jun 17, 2017 | arstechnica.com

Open letter from 25 groups asks AV firms if they cooperate with spy agencies.

The Electronic Frontier Foundation, security expert Bruce Schneier, and 23 others have called on antivirus providers around the world to protect their users against malware spawned by the National Security Agency and other groups that carry out government surveillance.

The move comes amid revelations that the NSA has a wide-ranging menu of software exploits at its disposal that have been used to identify users of the Tor anonymity service, track iPhone users, and monitor the communications of surveillance targets. Schneier has said that the NSA only relies on these methods when analysts have a high degree of confidence that the malware won't be noticed. That means detection by AV programs could make the difference between such attacks succeeding, failing, or being used at all.

"As a manufacturer of antivirus software, your company has a vital position in providing security and maintaining the trust of internet users as they engage in sensitive activities such as electronic banking," the 25 signatories wrote in an open letter sent on Thursday to AV companies . "Consequently, there should be no doubt that your company's software provides the security needed to maintain this trust."

The letter went on to ask each company to reply to a list of questions about their cooperation with spy agencies. The questions included:

1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?
2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?
3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?
4. Could you clarify how you would respond to such a request in the future?

Those drafting the letter appeared to be aware of the case of Lavabit, the encrypted e-mail service that shut down rather than comply with a secret court order that demanded the private encryption key protecting users' communications.

"Please let us know if you feel that you cannot, or cannot fully, answer any of the above questions because of legal constraints imposed upon you by any government," the letter stated. "If you feel you cannot answer any of the questions above, please reply 'no response' to this question."

In recent years, competing AV products have largely been in a dead heat when it comes to their effectiveness at detecting threats. The responses or lack thereof to this letter could provide a key differentiator for consumers about which product is right for them. The letter asked that companies respond by November 15.

Promoted comments:

AndrewZ, Ars Tribunus Angusticlavius:
It would be truly ironic if the USA anti-virus providers were forced to cooperate with the FBI/NSA under laws such as the Patriot Act, whereas non-USA anti-virus providers such as Kaspersky, Panda Security, AVG, etc were not. Thus driving Americans away from otherwise trust-able anti-virus vendors...
ascension2020, Smack-Fu Master, in training:

> Jousle wrote:
>
> > visbis444 wrote:
> >
> > > It has no viruses in the wild.
> >
> > Tell that to the people who maintain the Linux kernel:
>
> Malware yes, but I doubt that viruses are feasible in Unix-like operating systems.

A virus is malware. Malware is a classification that covers rootkits, viruses, trojans, worms, and so on.

Malware (including viruses) is possible with any operating system. It's true that *nix OSes have a different approach to security than Windows. I won't even begin to open a can of worms by arguing about which one is better. Suffice it to say that malware can be developed for any OS if someone has enough skill and motivation.

The reason *nix isn't attacked more is the same reason that Apple products aren't. Right now most malware is based around making money and that makes Windows the prime target for malware developers. The vast majority of their targets are going to be using Windows so it makes sense to focus their resources there.

There is another malware category that isn't talked about as much though, and that's malware that's developed for espionage or other non-money making nefarious purposes. The most well known piece of malware in this category is probably Stuxnet, which was a rootkit that attacked PLCs. Another more recent example is the OSX/Tibet.C malware that's apparently being used by China to spy on certain Tibetans. Stuxnet and OSX/Tibet.C are just two examples of niche malware that's designed to attack a very select group of people. Anyone who thinks that people can't and aren't doing those things is just fooling themselves.

#### [Jun 17, 2017] Cherry Blossom WikiLeaks Latest Dump Exposes CIA Wireless Hacking Tools

##### "... Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks. ..."
###### Jun 17, 2017 | www.hackread.com

The whistleblowing site WikiLeaks is back with yet another Vault 7 series related document. This one is called the "Cherry Blossom" program, which gives a glance at the wireless hacking capabilities of The Central Intelligence Agency (CIA).

The Cherry Blossom project according to the leaked documents was allegedly developed and implemented by the CIA with the help of a nonprofit research institute headquartered in Menlo Park, California for its project "Cherry Bomb."

Cherry Blossom itself is firmware allowing the attackers to exploit vulnerabilities and compromise wireless networking devices such as access points (APs) and wireless routers. Upon compromising the targeted device remotely, Cherry Blossom replaces the existing firmware with its own, allowing the attackers to turn the router or access point into a so-called 'FlyTrap'. The FlyTrap can scan for "email addresses, chat usernames, MAC addresses and VoIP numbers" in passing network traffic – all without any physical access.


According to the WikiLeaks press release:

Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.

Furthermore, WikiLeaks notes that because WiFi devices are common in homes, public places and offices, they are a fitting target for 'Man-In-The-Middle' attacks: the Cherry Blossom program can easily monitor, control and manipulate the Internet traffic of connected users.


Vendors whose devices Cherry Blossom can exploit include 3Com, Aironet/Cisco, Allied Telesis, Ambit, Apple, Asustek Co, Belkin, Breezecom, Cameo, D-Link, Gemtek, Linksys, Orinoco, USRobotics, and Z-Com. The full list, covering hundreds of other vendors, is available here [PDF].

So far, the Vault 7 series has shown how the CIA allegedly hacks TVs, smartphones, trucks and computers. The series also highlights the critical vulnerabilities which the intelligence community discovers in operating systems like Windows and Mac OS but never shares with the manufacturers.

The documents have also shown how the CIA uses malware and other software against unsuspecting users around the world. These include Dark Matter, Marble, Grasshopper, HIVE, Weeping Angel, Scribbles, Archimedes, AfterMidnight or Assassin, Athena and Pandemic.

#### [Jun 17, 2017] Erebus Ransomware Targets Linux Servers by Jahanzaib Hassan

###### Jun 17, 2017 | www.hackread.com
The IT security researchers at Trend Micro recently discovered malware that has the potential to infect Linux-based servers. The malware, called Erebus, has been responsible for hijacking 153 Linux-based networks of a South Korean web-hosting company called NAYANA.

NAYANA's clients affected

Erebus is a ransomware capable of infecting Linux operating systems. As such, around 3,400 of NAYANA's clients were affected due to the attack with databases, websites and other files being encrypted.

The incident took place on 10th June. As of now, NAYANA has not received the keys to decrypt their files despite having paid three parts of the ransom. The fourth one, which is allegedly the last installment, is yet to be paid. However, according to NAYANA, the attackers claimed to provide the key after three payments.

What is Erebus?

According to Trend Micro's report, Erebus was originally found back in September 2016. At the time, the malware was not that harmful and was being distributed through malware-containing advertisements. Once the user clicked on those ads, the ransomware would activate in the usual way.

The initial version of Erebus only affected 423 file types, encrypting them with the RSA-2048 algorithm and appending the .encrypt extension. This variant also used a number of websites in South Korea as its command-and-control (C&C) infrastructure.

Later, in February 2017, the malware had seemingly evolved, as it now had the ability to bypass User Account Control (UAC). For those who may be unfamiliar with UAC, it is a Windows protection mechanism that restricts unauthorized changes to the user's computer.

This later version of Erebus was able to bypass that control and install the ransomware anyway. The campaign in which this version was involved demanded a ransom of 0.085 bitcoins – equivalent to USD 216 at present – and threatened to delete the files in 96 hours if the ransom was not paid.

Now, however, Erebus has reached new heights by having the ability to bypass not only UAC but also affect entire networks that run on Linux. Given that most organizations today use Linux for their networks, it is no surprise to see that the effects of the malware are far-reaching.

How does the latest Erebus work?

According to Trend Micro, the most recent version of Erebus uses the RSA algorithm to alter the AES keys and so changes the encryption key. The attack also installs a Bluetooth service so that the ransomware keeps running even after the computer is rebooted.

This version can affect a total of 433 file types including databases, archives, office documents, email files, web-based files and multimedia files. The ransom demanded in this campaign amounts to 5 bitcoins, which is USD 12,344 currently.

Erebus is not the first of its kind

Although ransomware targeting Linux-based networks is rare, it is not new. Erebus is not the first ransomware to have affected networks running on Linux. In fact, Trend Micro claims that such ransomware was discovered as far back as 2014.

Examples include Linux.Encoder, Encrypter RaaS, KillDisk, KimcilWare and others. All of these were allegedly developed from an open-source code project that was available as part of an educational campaign.

Ransomware for Linux, despite being somewhat inferior to that for Windows, is still potent enough to cause damage on a massive scale. This is because a number of organizations and data centers use Linux, and hijacking such high-end systems can only mean catastrophe.

Safety precautions

To avoid any accidents happening, IT officials and organizations running Linux-based networks need to take some serious precautions. The most obvious one is to simply keep the server updated with the latest firmware and anti-virus software.

Furthermore, it is always a good idea to keep a back-up of your data files in two to three separate locations. It is also repeatedly advised to avoid installing unknown third-party programs as these can act as potential gateways for such ransomware.

Lastly, IT administrators should keep monitoring the traffic that passes through the network and look for anomalies by identifying any inconsistencies in event logs.
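One concrete form the "look for anomalies" advice can take on a Linux file server is a periodic sweep for files that have just been encrypted in place: a known marker extension (the early Erebus variant appended .encrypt, per the article) or content whose byte distribution is near-random. The script below is an added example, not Trend Micro's or NAYANA's tooling. The entropy threshold, the list of compressed-format magic bytes that are skipped to avoid false positives on ZIP/gzip/PNG/JPEG files, and the demo directory it builds are all assumptions and constructed data.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

MARKER_EXTS = {".encrypt"}       # from the article; extend from your own threat intel
ENTROPY_THRESHOLD = 7.5           # bits per byte (assumption: text and office files score lower)
# Legitimately high-entropy formats, recognised by their magic bytes (assumed list).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 4096) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that carries a marker extension or
    whose leading bytes look random.  Files are only read, never modified."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in MARKER_EXTS:
                hits.append((path, "marker extension " + ext))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: leave it for the admin to inspect
            if head.startswith(COMPRESSED_MAGIC):
                continue  # expected to be high-entropy; do not raise a false alarm
            if len(head) >= 256:
                h = shannon_entropy(head)
                if h >= ENTROPY_THRESHOLD:
                    hits.append((path, "high entropy %.2f" % h))
    return hits


def demo() -> Dict[str, str]:
    """Build a constructed tree and return {file name: reason} for what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("quarterly figures\n" * 200)            # ordinary text, low entropy
        with open(os.path.join(root, "db.sql.encrypt"), "wb") as fh:
            fh.write(os.urandom(1024))                        # marker extension
        with open(os.path.join(root, "archive.zip"), "wb") as fh:
            fh.write(b"PK\x03\x04" + os.urandom(1024))        # compressed: skipped
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(os.urandom(2048))                        # encrypted in place, no marker
        return {os.path.basename(p): r for p, r in scan_tree(root)}


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(name, "->", reason)
```

Run it from cron against the document roots of the hosting platform and alert when the hit count rises above the usual background; the entropy rule is what catches variants that keep the original file names, the marker rule is cheap and exact for the ones that do not.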

#### [Jun 17, 2017] Notepad++ Issues Fix After CIA Attack Revealed in Vault7 Documents

##### "... Otherwise, there are a lot of enhancements and bug fixes which improve your Notepad++ experience. For all the detail change log, please check on the Download page." ..."
###### Jun 17, 2017 | www.hackread.com
On 7th March 2017, the whistle-blowing organization WikiLeaks published a series of new documents code-named "Vault 7", allegedly belonging to the U.S. Central Intelligence Agency (CIA). These documents not only revealed the existence of a large-scale cyber espionage campaign but also show how the agency used zero-day security flaws in Windows, macOS, Linux, iPhones, Android devices and several other high-profile software packages and utilities, including Notepad++ and the video player VLC ("VideoLan").

Now, VLC has issued an official statement on the matter while Notepad++ has released patches since its name was on the list of hacking tools used by the CIA to target unsuspecting Windows users.

Notepad++ statement:

In their official blog post Notepad++ said that:

The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.

It doesn't mean that CIA is interested in your coding skill or your sex message content in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.

It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch.

Checking the certificate of the DLL makes it harder to hack. Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents Notepad++ from loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by a modified notepad++.exe while the CIA is controlling your PC.

Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a f**king corrupted world, unfortunately.

Otherwise, there are a lot of enhancements and bug fixes which improve your Notepad++ experience. For all the detail change log, please check on the Download page."

#### [Jun 16, 2017] UK arms firm sold spyware to repressive Middle East states Middle East Eye

##### "... - Former ETI employee ..."
###### Jun 16, 2017 | www.middleeasteye.net
BAE Systems distributed the software which allowed governments to trace the activities, locations and traffic of pro-democracy activists.

[Image: A BAE Systems booth at a trade show for naval and maritime safety in France (AFP)]

MEE staff, Thursday 15 June 2017

A leading British arms company has been selling spy software across the Middle East, potentially risking the security of activists and dissident groups.

The findings come after a year-long investigation by BBC Arabic and a Danish newspaper, which revealed that BAE Systems had been selling a mass surveillance software called Evident, acquired after the purchase of Danish company ETI in 2011, to governments in the Middle East, including those involved in crackdowns on pro-democracy activists.

"You'd be able to intercept any internet traffic," said a former ETI employee speaking anonymously to the BBC.

"If you wanted to do a whole country, you could. You could pin-point people's location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well."

If you wanted to do a whole country, you could. You could follow people around. They were quite far ahead with voice recognition

- Former ETI employee

Among the clients for the software was the government of the former Tunisian president, Zine El Abidine Ben Ali, who used it on opponents before being overthrown in the 2011 Arab Spring demonstrations.

"ETI installed it and engineers came for training sessions," explained a former Tunisian intelligence official, speaking to the BBC.

"[It] works with keywords. You put in an opponent's name and you will see all the sites, blogs, social networks related to that user."

According to Freedom of Information requests made by the BBC and the Dagbladet Information newspaper in Denmark, other clients included Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.

The rise in surveillance technology in the Middle East is thought to have had a serious impact on the activities of pro-democracy campaigners in the region since the beginning of anti-government protests in 2011.

Yahya Assiri, a former Saudi air force officer who fled the country following the posting of pro-democracy comments on social media, told the BBC he "wouldn't be exaggerating if I said more than 90 percent of the most active campaigners in 2011 have now vanished."

Marietje Schaake, a Dutch member of the European Parliament, described the sale of the technology as "unacceptable".

"Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable," she told the BBC.

"The fact that these companies are commercial players, developing these highly sophisticated technologies... requires us to look again at what kind of restrictions maybe be needed, what kind of transparency and accountability is needed in this market before it turns against our own interest and our own principles."

The UK government has, however, been keen to support BAE Systems, a major employer, with regards to its activities in the Middle East.

In particular, Saudi Arabia is a vital market for the company, which employs more than 80,000 staff worldwide and accounts for one percent of UK exports, according to the company.

The UK government has approved more than $4.2bn of arms to Saudi since the start of the conflict in Yemen in 2015, and last month The Times reported that the British government threw its weight behind the company to secure a long-awaited Typhoon jet contract with Saudi Arabia for 48 new aircraft.

Olly Sprague, Amnesty UK's programme director for military, security and police, told MEE that BAE is hiding behind the UK's "warped rules on arms exports".

"BAE Systems acknowledge they have more than 6,000 people working in Saudi Arabia helping to strengthen the country's arms capability – so it is outrageous that they continue to hide behind the UK Government's warped 'rules' on arms exports as a justification for their work," he said.

The UK Department for International Trade issued the following statement: "The government takes its defence export responsibilities very seriously and operates one of the most robust export control regimes in the world.

"All export licence applications are assessed on a case-by-case basis against strict criteria, taking account of all relevant factors at the time of the application, including human rights considerations."

Comments:

MilliMcNaMally: Or check out "Nokia Siemens Networks (NSN)", "Monitoring Centre", Iran, 2009. "Nokia Siemens Network has confirmed it supplied Iran with the technology needed to monitor, control, and read local telephone calls. It told the BBC that it sold a product called the Monitoring Centre to Iran Telecom in the second half of 2008." The traders of money & power for souls know no nation, no borders and no rules.

Pounce: Anybody else find it strange that the very people complaining about countries keeping an eye on their radical elements never seem to complain when these people take control and enforce the most severe bans, usually on the pain of death? But use software in which to check their communications in which to stop them killing people, why, it's a bleeding human rights case.
#### [Jun 09, 2017] Task force tells Congress health IT security is in critical condition by Sean Gallagher

###### Jun 08, 2017 | arstechnica.com

Report warns lack of security talent, glut of legacy hardware pose imminent threat.

A congressionally mandated healthcare industry task force has published the findings of its investigation into the state of health information systems security, and the diagnosis is dire. The Health Care Industry Cybersecurity Task Force report (PDF), published on June 1, warns that all aspects of health IT security are in critical condition and that action is needed both by government and the industry to shore up security.

The recommendations to Congress and the Department of Health and Human Services (HHS) included programs to drive vulnerable hardware and software out of health care organizations. The report also recommends efforts to inject more people with security skills into the healthcare work force, as well as the establishment of a chain of command and procedures for dealing with cyber attacks on the healthcare system.

The problems healthcare organizations face probably cannot be fixed without some form of government intervention. As the report states, "The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."

At the same time, government intervention is part of what got health organizations into this situation, by pushing them to rapidly adopt connected technologies without making security part of the process.

The report, mandated by the 2015 Cybersecurity Act, was supposed to be filed to Congress by May 17. However, just five days before it was due, the WannaCry ransomware worm struck the UK's National Health Service, affecting 65 hospitals.

"The HHS stance is pretty much that we got incredibly lucky in the US [with WannaCry], and our luck is going to run out," Joshua Corman, co-founder of the information security non-profit organization I Am The Cavalry and a member of the task force, told Ars.

The report was delayed by the WannaCry outbreak, Corman said, who observed that the task force members were disappointed that they hadn't gotten the report out sooner: "because if the report had been out a week or two prior to WannaCry, you could have bet that every Congressional staffer would have been reading it during the outbreak."

The task force was co-chaired by Emery Csulak, the chief information security officer for the Centers for Medicare and Medicaid Services, and Theresa Meadows, who is a registered nurse and chief information officer of the Cook Children's Health Care System. The task force also included representatives from the security industry, government and private health care organizations, pharmaceutical firms, medical device manufacturers, insurers, and others from the wider health care industry, as well as healthcare data journalist and patient advocate Fred Trotter.

Corman said that the task force was "probably the hardest thing I've ever done and maybe the most important thing I'll ever do, especially if some of these recommendations are acted upon." But it's not certain that the report will spur any immediate action, given the current debate over healthcare costs in Congress and the stance of the Trump administration on regulation.

Even so, Corman explained:

> When we were working on this, we realized that if it was summarily ignored by the next administration, or if it was ignored for being too costly, the report could still be a backstop, in that when the first crisis happens, this will be the most recently available report that will be the blueprint for what to do next. It's just an indicator of how many minutes to midnight we are on this particular clock. We may be out of time to get in front of it, but we can certainly try to see which of these measures can be put in place in parallel [with a security crisis].

Brace for impact

The ransomware attack on Hollywood Presbyterian Medical Center, which happened just a few weeks after President Obama signed the legislation that established the task force, helped establish the urgency of the work the group was doing (Ars' coverage of the ransomware attack is cited in the task force's final report).

At the task force's first in-person meeting in April, Corman said he brought up the Boston Marathon bombing. "I said, imagine if you combined something like this physical attack with something like the logical attack [at Hollywood Presbyterian]." The impact, disrupting the ability to give urgent medical care during a physical attack, could potentially magnify the loss of life and shatter public confidence, he suggested.

The recommendations generated by the task force amount to a Herculean to-do list:

- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts, as well as intellectual property, from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.

That list is no short order. And it may already be too late to prevent another major incident. In the wake of the Hollywood Presbyterian ransomware attack last year, "the obscurity we've enjoyed is gone," Corman explained. "We've always been prone, we've always been prey. We just lacked predators. Once the Hollywood Presbyterian attack happened, there were a lot more sharks because they smelled blood in the water." As a result, hospitals went from being off attackers' radar to "the number-one attacked industry in less than a year," he said.

The task force's long-term target is to get the health industry to adopt the risk management strategies of NIST's Critical Infrastructure Cybersecurity Framework. But that's a long way off, considering the potential costs associated and the bare-bones nature of many health providers' IT. Many healthcare delivery organizations "are target rich and resource poor, and [they] can't fathom further investment in cyber hygiene, period," said Corman.

The challenges to securing health IT identified by the task force, including some of the problems exposed by the Hollywood Presbyterian attack, are substantial:

- A severe lack of security talent in the industry. As the report points out, "The majority of health delivery organizations lack full-time, qualified security personnel." Small, mid-sized, and rural health providers may not even have full-time IT staff, or they depend on a service provider and have little in the way of resources to attract and retain a skilled information security staff.
- Premature and excessive connectivity. Health providers rapidly embraced networked systems, in many cases without thought to secure design and implementation. As the report states, "Over the next few years, most machinery and technology involved in patient care will connect to the Internet; however, a majority of this equipment was not originally intended to be Internet accessible, nor designed to resist cyber attacks." In some significant ways, this is a problem that Congress helped create with the unintended consequences of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Passed in 2009 as part of the American Recovery and Reinvestment Act, it gave financial incentives for hospitals to rapidly deploy electronic health records and offered billions of dollars in incentives for quickly demonstrating "meaningful use" of EHRs. Combined with the Merit-Based Incentive Payment System used by Medicare and Medicaid, the HITECH Act forced many health providers to quickly adopt technology they didn't fully understand. While EHRs have likely improved patient care, they also introduced technology that care providers couldn't properly secure or support.
- Legacy equipment running on old, unsupported, and vulnerable operating systems. Since a large number of medical systems rely on older versions of Windows (Windows 7, and in many cases, Windows XP), "there's zero learning curve for an ideological adversary," Corman said. "There's nothing new to learn." The systems were never intended to be connected to the Internet in many cases, or to any network at all. Some systems, Corman said, "have such interoperability issues, forget security issues, that they're so brittle, most hospitals will say that, even if you just do a port scan, you'll crash them. You don't even need to hack them." On top of that, some of the legacy medical devices on hospitals' networks now are unpatchable or unsecurable, and they would have to be completely retired and replaced. The task force recommended government incentives to get rid of these devices, following a "cash for clunkers" model. But that may not be effective in luring some health organizations to get rid of them, simply because of the other costs associated with getting new hardware in. And many of the newer systems they would use to replace older ones with are still based on legacy software anyway.
- A wealth of vulnerabilities, and it only takes one to disrupt patient care. The increased connectivity of health providers without proper network segmentation and other security measures exposed other systems that were never meant to touch the network: medical devices powered by embedded operating systems that may never have been patched and have 20-year lifecycles. According to the task force report, one legacy medical technology system they documented had more than 1,400 vulnerabilities on its own. And the exploitation of a single vulnerability on a single system was able to affect patient care during the Hollywood Presbyterian attack. Furthermore, because these legacy systems are often based on older, common technologies, virtually no special set of skills is required to perform such an attack. Basic, common hacking tools could be used to gain access and wreak havoc. This is demonstrated in attacks like the one at MedStar hospitals in Maryland last March, in which an old JBoss vulnerability was exploited (likely with an open source tool) to give attackers access to the medical network's servers.

It was clear to everyone on the task force, Corman noted, that there were no technical barriers to a "sustained denial of patient care like what happened at Hollywood Presbyterian, on purpose" at virtually any healthcare facility in the United States. "I said we all make fun of security through obscurity, but what if that's all we have?" Corman recounted. "Seriously. What if that's all we have?"

Planning for "right of boom"

Given that untargeted and incidental attacks on hospitals have already happened, it seems inevitable that someone will carry out a targeted attack at some point. Corman said that increases the importance of doing disaster planning and simulations now to optimize responses, "so we can see who needs to have control. Is it FEMA, the White House, DHS, HHS, the hospitals? We drill with our kids what you're supposed to do in a fire. Before we have a boom, we need to prioritize simulations, practice, and disaster planning."

Another part of planning for the post-attack scenario, or "right of boom", is to make sure that the right supports are in place to quickly recover. "We need to make sure that we've done enough scaffolding now so that we can have a more elegant response," Corman said, "because if this looks like Deepwater Horizon, and we're on the news every night, every week, gushing into the Gulf, that's going to shatter confidence. If we have a prompt and agile response, maybe we can mitigate the harm."

#### [Jun 09, 2017] Sneaky hackers use Intel management tools to bypass Windows firewall

##### Notable quotes:
##### "... the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. ..."
##### "... Using the AMT serial port, for example, is detectable. ..."
##### "... Do people really admin a machine through AMT through an external firewall? ..."
##### "... Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution. ..."
###### Jun 09, 2017 | arstechnica.com

When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it.
But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files, such as new payloads to run and new versions of their malware, to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system's own IP stack and, as such, is invisible to the operating system's own firewall or other network monitoring software.

The PLATINUM software uses another piece of virtual hardware, an AMT-provided virtual serial port, to provide a link between the network itself and the malware application running on the infected PC. Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM's malware can move files between machines on the network while being largely undetectable to those machines.

AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. This in turn could be used to enable features such as the remote KVM to control systems and run code on them. However, that's not what PLATINUM is doing: the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn't exploiting any flaw in AMT; the malware just uses the AMT as it's designed in order to do something undesirable.

Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT (if the malware has Administrator privileges, it can enable many AMT features from within Windows) or that AMT was already enabled and the malware managed to steal the credentials.

While this novel use of AMT is useful for transferring files while evading firewalls, it's not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity.
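Since the serial-over-LAN channel described above is terminated in firmware and never reaches the host firewall, the practical place to look for it is the wire. The following is an added example (not code from the Ars article or from Microsoft) that scans constructed Zeek-style conn.log records for connections to Intel's documented default AMT ports and flags established redirection sessions from hosts that are not on an assumed allow-list of management consoles.

```python
"""Wire-side detection of Intel AMT traffic in Zeek-style conn.log records.

Added example (not code from the Ars article or from Microsoft). Because the AMT
serial-over-LAN channel is terminated in firmware, the host firewall never sees
it; the only vantage point left is the network (tap, IDS sensor or flow
collector). Assumptions: AMT listens on Intel's documented default ports, and
the allow-list of authorised management consoles below is maintained by admins.
"""
from collections import defaultdict

# Default Intel AMT TCP ports (documented by Intel). 16994/16995 carry the
# redirection service, which is what serial-over-LAN and IDE-R ride on.
AMT_PORTS = {
    16992: "AMT HTTP / WS-Management",
    16993: "AMT HTTPS / WS-Management",
    16994: "AMT redirection (serial-over-LAN, IDE-R)",
    16995: "AMT redirection over TLS (serial-over-LAN, IDE-R)",
}
REDIRECTION_PORTS = {16994, 16995}

# Constructed allow-list: the only host that should ever open AMT sessions.
AUTHORISED_CONSOLES = {"10.0.0.5"}

# Constructed sample records, Zeek conn.log-like, tab-separated:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1496966400.000000\tCx1\t10.0.0.5\t51000\t10.0.1.20\t16992\ttcp\t0.8\t512\t2048
1496966405.000000\tCx2\t10.0.1.33\t51234\t10.0.1.20\t16994\ttcp\t3600.0\t190000\t220000
1496966410.000000\tCx3\t10.0.1.33\t51235\t10.0.1.21\t16995\ttcp\t1800.0\t88000\t91000
1496966420.000000\tCx4\t10.0.1.40\t52000\t10.0.1.20\t443\ttcp\t1.2\t800\t9000
1496966430.000000\tCx5\t10.0.1.33\t51300\t10.0.1.22\t16994\ttcp\t0.1\t0\t0
"""


def parse_conn_line(line):
    """Parse one conn.log-style record; return None for comment or short lines."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 10:
        return None
    return {
        "uid": fields[1],
        "orig_h": fields[2],
        "resp_h": fields[4],
        "resp_p": int(fields[5]),
        "proto": fields[6],
        "duration": float(fields[7]),
        "orig_bytes": int(fields[8]),
        "resp_bytes": int(fields[9]),
    }


def classify_amt_flow(rec, authorised):
    """Return a finding for an AMT flow from an unauthorised origin, else None."""
    service = AMT_PORTS.get(rec["resp_p"])
    if rec["proto"] != "tcp" or service is None or rec["orig_h"] in authorised:
        return None
    on_redirection = rec["resp_p"] in REDIRECTION_PORTS
    # Bytes in both directions on a redirection port means an established
    # serial-over-LAN (or IDE-R) session rather than a probe or refused connect.
    established = rec["orig_bytes"] > 0 and rec["resp_bytes"] > 0
    if on_redirection and established:
        severity = "high"
    elif on_redirection:
        severity = "medium"
    else:
        severity = "low"
    return {
        "uid": rec["uid"],
        "origin": rec["orig_h"],
        "target": rec["resp_h"],
        "port": rec["resp_p"],
        "service": service,
        "duration": rec["duration"],
        "severity": severity,
    }


def find_amt_flows(log_text, authorised=AUTHORISED_CONSOLES):
    """Scan a whole conn.log text and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is not None:
            finding = classify_amt_flow(rec, authorised)
            if finding is not None:
                findings.append(finding)
    return findings


def amt_hosts_by_origin(findings):
    """Map each host that answers AMT to the sorted unauthorised origins seen."""
    targets = defaultdict(set)
    for f in findings:
        targets[f["target"]].add(f["origin"])
    return {host: sorted(origins) for host, origins in targets.items()}


if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_CONN_LOG)
    for h in hits:
        print(f"[{h['severity']}] {h['uid']} {h['origin']} -> {h['target']}:{h['port']} "
              f"{h['service']} ({h['duration']:.0f}s)")
    for host, origins in amt_hosts_by_origin(hits).items():
        print(f"AMT-enabled host {host} reached by: {', '.join(origins)}")
```

The second report (hosts that answer on AMT ports at all) is useful on its own: it tells a fleet owner which machines have AMT enabled, which is the precondition the article names for both the PLATINUM technique and the authentication flaw.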
potato44819, Ars Legatus Legionis, Jun 8, 2017 8:59 PM

> "Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity."

It's worth noting that this is NOT Windows Defender. Windows Defender Advanced Threat Protection is an enterprise product.

aexcorp, Ars Scholae Palatinae, Jun 8, 2017 9:04 PM

This is pretty fascinating and clever TBH. AMT might be convenient for sysadmins, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

> "it's possible that the PLATINUM malware itself enabled AMT (if the malware has Administrator privileges, it can enable many AMT features from within Windows)"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

bothered, Ars Scholae Palatinae, Jun 8, 2017 9:16 PM

Always on and undetectable. What more can you ask for? I have to imagine that an IDS system at the egress point would help here.

faz, Ars Praefectus, Jun 8, 2017 9:18 PM

Using SOL and AMT to bypass the OS sounds like it would work over SOL and IPMI as well. I only have one server that supports AMT; I just double-checked that the webui for AMT does not allow you to enable/disable SOL. It does not, at least on my version. But my IPMI servers do allow someone to enable SOL from the web interface.

xxx, Jun 8, 2017 9:24 PM

But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

zogus, Ars Tribunus Militum, Jun 8, 2017 9:26 PM

fake-name wrote:

> Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

bthylafh, Ars Tribunus Angusticlavius, Jun 8, 2017 9:34 PM

zogus wrote:

> Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

tomca13, Wise, Aged Ars Veteran, Jun 8, 2017 9:53 PM

This PLATINUM group must be pissed about the INTEL-SA-00075 vulnerability being headline news. All those perfectly vulnerable systems having AMT disabled and limiting their hack.

Darkness1231, Ars Tribunus Militum et Subscriptor, Jun 8, 2017 10:41 PM

Causality wrote:

> Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security through obscurity with its "secret" coding, and anybody should know that security through obscurity is no security at all.

Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution. Hopefully, either Intel will start looking into improving this and/or MSFT will make enough noise that businesses might learn to do their update, provisioning in a more secure manner.

Nah, that ain't happening. Who am I kidding?

Darkness1231, Ars Tribunus Militum et Subscriptor, Jun 8, 2017 10:45 PM

meta.x.gdb wrote:

> But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

The interconnect is via W*. We ran this dog into the ground last month. Other OSs (all as far as I know (okay, !MSDOS)) keep them separate. Lan0 and lan1 as it were. However it is possible to access the supposedly closed off Lan0/AMT via W*. Which is probably why this was caught in the first place. Note that MSFT has stepped up to the plate here. This is much better than their traditional silence-until-forced solution. Which is just the same security through plugging your fingers in your ears that Intel is supporting.

rasheverak, Wise, Aged Ars Veteran, Jun 8, 2017 11:05 PM

Hardly surprising: https://blog.invisiblethings.org/papers ... armful.pdf

This is why I adamantly refuse to use any processor with Intel management features on any of my personal systems.

michaelar, Smack-Fu Master, in training, Jun 8, 2017 11:12 PM

Brilliant. Also, manifestly evil. Is there a word for that? Perhaps "bastardly"?

JDinKC, Smack-Fu Master, in training, Jun 8, 2017 11:23 PM

meta.x.gdb wrote:

> But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

The catch would be any machine that leaves your network with AMT enabled. Say perhaps an AMT-managed laptop plugged into a hotel wired network. While still a smaller attack surface, any cabled network an AMT computer is plugged into, and not managed by you, would be a source of concern.

Anonymouspock, Wise, Aged Ars Veteran, Jun 8, 2017 11:42 PM

Serial ports are great. They're so easy to drive that they work really early in the boot process. You can fix issues with machines that are otherwise impossible to debug.

sphigel, Ars Centurion, Jun 9, 2017 12:57 AM

aexcorp wrote:

> This is pretty fascinating and clever TBH. AMT might be convenient for sysadmins, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.
>
> "it's possible that the PLATINUM malware itself enabled AMT (if the malware has Administrator privileges, it can enable many AMT features from within Windows)"
>
> I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

I'm not even sure it's THAT convenient for sys admins. I'm one of a couple hundred sys admins at a large organization and none that I've talked with actually use Intel's AMT feature. We have an enterprise KVM (raritan) that we use to access servers pre OS boot up and if we have a desktop that we can't remote into after sending a WoL packet then it's time to just hunt down the desktop physically. If you're just pushing out a new image to a desktop you can do that remotely via SCCM with no local KVM access necessary. I'm sure there's some sys admins that make use of AMT but I wouldn't be surprised if the numbers were quite small.
gigaplex, Ars Scholae Palatinae, Jun 9, 2017 3:53 AM

zogus wrote:

> fake-name wrote:
>
> > Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".
>
> Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

We just got some new Dell workstations at work recently. They have serial ports. We avoid the consumer machines.

GekkePrutser, Ars Centurion, Jun 9, 2017 4:18 AM

> Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Not that fortunately.. Serial ports are still very useful for management tasks. It's simple and it works when everything else fails. The low speeds impose little restrictions on cables.

Sure, they don't have much security but that is partly mitigated by them usually only using a few metres cable length. So they'd be covered under the same physical security as the server itself. Making this into a LAN protocol without any additional security, that's where the problem was introduced. Wherever long-distance lines were involved (modems) the security was added at the application level.

#### [Jun 08, 2017] NSA Denies Everything About Latest Intercept Leak, Including Denying Something That Was Never Claimed

##### Notable quotes:

##### "... Targeting telco and ISP systems administrators goes well outside the bounds of "national security." These people aren't suspected terrorists. They're just people inconveniently placed between the NSA and its goal of "collecting it all." ..."

##### "... The NSA's own documents say that QUANTUMHAND "exploits the computer of a target that uses Facebook." The man-on-the-side attack impersonates a server, not the site itself. The NSA denies impersonating, but that's not what The Intercept said or what its own documents state. This animated explanation, using the NSA's Powerpoint presentation, shows what the attack does -- it tips the TURBINE servers, which then send the malware payload before the Facebook servers can respond. ..."

##### "... To the end user, it looks as though Facebook is just running slowly. ..."

##### "... When the NSA says it doesn't impersonate sites, it truly doesn't. It injects malware by beating Facebook server response time. It doesn't serve up faux Facebook pages; it simply grabs the files and data from compromised computers. ..."

##### "... The exploit is almost wholly divorced from Facebook itself. The social media site is an opportunity for malware deployment, and the NSA doesn't need to impersonate a site to achieve its aims. This is the NSA maintaining deniability in the face of damning allegations -- claiming something was said that actually wasn't and resorting to (ultimately futile) attempts to portray journalists as somehow less trustworthy than the agency. ..."

##### "... At this point, the mere fact that the NSA denies doing something is almost enough to convince me that they are doing it. I'm trying not to be paranoid. They just make it so difficult. ..."

##### "... considering how much access they seemed to have I think it is entirely possible for them to do that. And the criminal energy to do it is definitely there as well. ..."

##### "... And there is still the question if Facebook and similar sites might be at least funded, if not run by intelligence agencies altogether. If that is the case that would put this denial in an entirely different light. It would read "We don't impersonate companies. We ARE the companies."... ..."

##### "... Max level sophistry. I wonder if anyone at the NSA even remembers what the truth is, it's been coated in so many layers of bullshit. ..."

##### "... As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins." ..."

###### Jun 08, 2017 | www.techdirt.com

The recent leaks published at Glenn Greenwald's new home, The Intercept, detailed the NSA's spread of malware around the world, with a stated goal of sabotaging "millions" of computers. As was noted then, the NSA hadn't issued a comment. The GCHQ, named as a co-conspirator, had already commented, delivering the usual spiel about legality, oversight and directives -- a word salad that has pretty much replaced "no comment" in the intelligence world.

The NSA has now issued a formal statement on the leaks, denying everything -- including something that wasn't even alleged. In what has become the new "no comment" on the NSA side, the words "appropriate," "lawful" and "legitimate" are trotted out, along with the now de rigueur accusations that everything printed (including, apparently, its own internal documents) is false.

> Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.

First off, for the NSA to claim that loading up "millions" of computers with malware is somehow targeted (and not "indiscriminate") is laughable. As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins." Targeting telco and ISP systems administrators goes well outside the bounds of "national security." These people aren't suspected terrorists. They're just people inconveniently placed between the NSA and its goal of "collecting it all."

Last, but not least, the NSA plays semantic games to deny an accusation that was never made, calling to mind Clapper's denial of a conveniently horrendous translation of a French article on its spying efforts there.

> NSA does not use its technical capabilities to impersonate U.S. company websites.

This "denial" refers to this portion of The Intercept's article.

> In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive...
>
> In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target's computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive.

The NSA's own documents say that QUANTUMHAND "exploits the computer of a target that uses Facebook." The man-on-the-side attack impersonates a server, not the site itself. The NSA denies impersonating, but that's not what The Intercept said or what its own documents state. This animated explanation, using the NSA's Powerpoint presentation, shows what the attack does -- it tips the TURBINE servers, which then send the malware payload before the Facebook servers can respond. To the end user, it looks as though Facebook is just running slowly.

When the NSA says it doesn't impersonate sites, it truly doesn't. It injects malware by beating Facebook server response time. It doesn't serve up faux Facebook pages; it simply grabs the files and data from compromised computers. The exploit is almost wholly divorced from Facebook itself. The social media site is an opportunity for malware deployment, and the NSA doesn't need to impersonate a site to achieve its aims. This is the NSA maintaining deniability in the face of damning allegations -- claiming something was said that actually wasn't and resorting to (ultimately futile) attempts to portray journalists as somehow less trustworthy than the agency.

sorrykb (profile), 14 Mar 2014 @ 9:39am

Denial = Confirmation?

> NSA does not use its technical capabilities to impersonate U.S. company websites.

At this point, the mere fact that the NSA denies doing something is almost enough to convince me that they are doing it. I'm trying not to be paranoid. They just make it so difficult.

Anonymous Coward, 14 Mar 2014 @ 9:48am

Re: Denial = Confirmation?

considering how much access they seemed to have I think it is entirely possible for them to do that. And the criminal energy to do it is definitely there as well. By now you have to assume the worst when it comes to them, and once the truth comes out it tends to paint an even worse picture than what you could imagine.

And there is still the question if Facebook and similar sites might be at least funded, if not run by intelligence agencies altogether. If that is the case that would put this denial in an entirely different light. It would read "We don't impersonate companies. We ARE the companies."...

Mark Wing, 14 Mar 2014 @ 10:35am

Max level sophistry. I wonder if anyone at the NSA even remembers what the truth is, it's been coated in so many layers of bullshit.

art guerrilla (profile), 14 Mar 2014 @ 12:06pm

Re: NSA Word-Smithing

I can not stress this poster's sentiment, as well as voiced in the article itself, of the CHILDISH semantic games the alphabet spooks will play... they WILL (metaphorically speaking) look you straight in the eye, piss on your leg, and INSIST it is raining; THEN fabricate evidence to 'prove' it was rain...

In my readings about the evil done in our name, with our money, *supposedly* to 'protect and serve' us, by the boys in black, you can NOT UNDERESTIMATE the most simplistic, and -to repeat myself -- CHILDISH ways they will LIE AND DISSEMBLE... They are scum, they are slime, they are NOT the best and the brightest, they are the worst and most immoral... YOU CAN NOT OVERSTATE THEIR MORAL VACUITY... we do NOT deserve these pieces of shit...

Anonymous Coward, 14 Mar 2014 @ 11:17am

We know that the NSA, with the cooperation of the companies involved, has equipment co-located at major backbones and POPs to achieve the goals for QUANTUMHAND, QUANTUMINSERT, and etc. At what point will we start confronting these companies and pressuring them to discontinue such cooperation? I know it's no easy task, but just as much as the government is reeling from all the public pressure, so too will these companies if we press their hands. Make it affect their bottom line.

Anonymous Coward, 14 Mar 2014 @ 1:49pm

is techdirt a hack target?

this page of your site tries to run scripts from google, amazonaws, twitter, facebook, ajax.googleapis, techdirt and install cookies from techdirt, imgur and request resources from rp-api, vimeo and install/use tracking beacons from facebook connect, google +1, gravatar, nativo, quantcast, reddit, repost.us, scorecard research beacon, twitter button.

...and who knows what else would run if all that was allowed to proceed. (I'm not going to run them to find out the 2nd level stuff)

for all the great reporting techdirt does on spying/tracking/privacy- you need to get your shit together already with this site; it seems like you're part of the problem. Please explain the technical facts as to why these same types of hacks couldn't be done to your readers through this clusterfuck of off site scripts/beacons/cookies/resources you're forcing on people too ignorant to know how to block them.
Matthew Cline (profile), 14 Mar 2014 @ 1:50pm

> As for its "national security directive," it made a mockery of that when it proudly announced in its documents that "we hunt sys admins."

Well, heck, that's easy. Since the computers of the sys admins are just a means to an end, simply define "target" in a way that excludes anyone whose computers are compromised as a means to an end.

Anonymous mouse, 14 Mar 2014 @ 1:56pm

I seem to remember some articles about why people who don't use Facebook are suspect. To wit, are these possible signs that the NSA and GCHQ planted those stories?

Anonymous Coward, 14 Mar 2014 @ 3:49pm

The fun has yet to really begin

On April 8th, this year, Microsoft will stop installing new security patches from Windows XP, leaving computers running it totally vulnerable to such hacks. Anybody want to place bets on the fact that the alphabet soup agencies of our wonderful gummint are going to be first in line to exploit them? Just think what NSA could do with 300,000,000+ computers to play with!

#### [Jun 06, 2017] Trend Micro AV gave any website command-line access to Windows PCs

###### Jun 06, 2017 | theregister.co.uk

So apart from writing fake security software, they also make fake statements and perform fake research.

#### [May 29, 2017] It might make sense to use a separate Linux computer or VM on a laptop for internet browsing; you just can't secure Windows

##### Notable quotes:

##### "... But the point is that no matter where you turn the stuff is plain ass insecure and the probably most secure is Linux, and of all the distros if you remove the services you don't need, printing, etc.. most secure, and if it isn't perfect well you paid nothing! But most importantly you can control what is shared and communicated with very easy controls. ..."

##### "... What the NSA did in respect to recently disclosed leaks and congressional oversight in respect to their spying or collecting data upon Americans was wrong, but to be honest? ..."

##### "... They didn't need to because they could buy better data from Google, Facebook, Microsoft, and the cell companies. ..."

##### "... Using Linux and Firefox correctly with standard addons for privacy protects you pretty damn well. Just saying, and you can update a computer in less than one agonizing "Don't turn off your computer" screen from Microsoft with yet another Net Framework, Browser edge, Microsoft store, Bing.. all that shit we really just don't F0cking need! ..."

##### "... Shit is shit, and it was made with the INTENTION of exploitation. Why I'd say that was its HIGHER purpose, to exploit .. and now of course that sword cuts both ways. The level of bullshit, is equal and proportionate to the level of actual shit. And hell, honesty being at shall we say a premium. folks just can't come out and admit to such things. Why whatever would people think!? So, so many ways, the masses of people, the sea of humanity, has been sold out, and sold down the river. ..."

##### "... Insecurity cuts both ways: For and against the surveillance state. For anonymity for those who know how to use it, against for everyone else. For those with the right tools, there is freedom in the dark spaces of that insecurity. And a base for rebellion. Think Everyman Hacker vs The Deep State. You should really read Thieves Emporium. It's a primer on where the dots are going delivered using technically-accurate fiction to keep you interested to the last page. ..."

###### May 29, 2017 | www.zerohedge.com

I have sat through about 5 hours of MSFT loading up a VM getting ready to run a SQL SERVER 2016 lab/VM. I believe nothing except that all tech with the exception of Linux is pretty f0cked up.

... ... ...

That's just the truth. Most software is such garbage, designed to leak information for corporate greed, you really have to blame Microsoft and Google.

HRH Feant2 - Dilluminati, May 27, 2017 11:19 PM

Damn, dude, I feel your pain!
I have done more than one wipe of my OS and a fresh install. It sucks. I am looking to cut the cord, too. Found a nice handset that uses Bluetooth so I can have a decent convo using my cellphone without actually holding the damned thing up to my skull! Less than $50 on Amazon.

Comcast sucks and costs too much.

Dilluminati - HRH Feant2 , May 27, 2017 11:39 PM

I guess reading over my comments and the responses is that new tech sucks, is insecure, old tech sucks and is insecure, and no matter how much you spend on MSFT it sucks and is insecure. (most people don't know better) Android is improving as a Linux derivative, but the Google store tyranny has me thinking it's getting as bad as MSFT.

But the point is that no matter where you turn the stuff is plain ass insecure and the probably most secure is Linux, and of all the distros if you remove the services you don't need, printing, etc.. most secure, and if it isn't perfect well you paid nothing! But most importantly you can control what is shared and communicated with very easy controls.

What the NSA did in respect to recently disclosed leaks and congressional oversight in respect to their spying or collecting data upon Americans was wrong, but to be honest?

They didn't need to because they could buy better data from Google, Facebook, Microsoft, and the cell companies.

And guess what? Because these systems collect information that is the basis for leaked information.

Using Linux and Firefox correctly with standard addons for privacy protects you pretty damn well. Just saying, and you can update a computer in less than one agonizing "Don't turn off your computer" screen from Microsoft with yet another Net Framework, Browser edge, Microsoft store, Bing.. all that shit we really just don't F0cking need!

It's just F0cking redonkulous, and I'm going to cert 2016 and I look at the courseware and I'm like wtf? Redmond still shilling mobile data from SQL SERVER, as if nobody got the F0cking message at MSFT that their phones are DEAD!

Or R inside Sql Server, yeah daddy.. I'm going to run some R on SQL SERVER just to buy some more damn licenses... anybody smart enough for R not dumb enough to buy lottsa SQL SERVER.. just f0cking saying the dumb shit, additional shit, that adds really very little value except insecure stuff.

But yeah locked down Ubuntu loads up in about 1/10 the time and more secure.. and that is a fact.

Giant Meteor - Dilluminati , May 27, 2017 11:23 PM

Excellent excellent points ... Not as plugged in tech wise as you seem to be, but understand the highlights .. Shit is shit, and it was made with the INTENTION of exploitation. Why I'd say that was its HIGHER purpose, to exploit .. and now of course that sword cuts both ways.

The level of bullshit, is equal and proportionate to the level of actual shit.

And hell, honesty being at shall we say a premium. folks just can't come out and admit to such things. Why whatever would people think!? So, so many ways, the masses of people, the sea of humanity, has been sold out, and sold down the river.

Funny thing is, aside from those on the government dole payroll (which is an extensive list) lots of folks will admit to the case, ie; "we been robbed!" and are starting to wake up to the fact ...

But the ramifications as you have laid out, so simple to see, and understand, and yet ... Well, like I mentioned, they're fightin for THEIR way of life, and THEIR freedumbs ... Well done ..

Sam.Spade - Dilluminati , May 28, 2017 1:22 AM

So project the dots. Insecurity cuts both ways: For and against the surveillance state. For anonymity for those who know how to use it, against for everyone else.

For those with the right tools, there is freedom in the dark spaces of that insecurity. And a base for rebellion.

Think Everyman Hacker vs The Deep State.

You should really read Thieves Emporium. It's a primer on where the dots are going delivered using technically-accurate fiction to keep you interested to the last page. Not nearly as detailed as your post, nor as specific, but explains the broad-brush concepts on both sides of the new internet freedom struggle very well.

The Daily Bell thought it was so good they published it as a serial which you can read for free at http://www.thedailybell.com/editorials/max-hernandez-introducing-thieves... .

Or you can buy a copy on Amazon (rated 4.6 in 120 reviews), Nook (same rating, fewer reviews), Smashwords (ditto), or iBooks.

Please take a look, I think you will like the book.

#### [May 20, 2017] While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February, by Iain Thomson

##### "... However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt. ..."
###### May 16, 2017 | theregister.co.uk
And it took three months to release despite Eternalblue leak

16 May 2017 at 01:44

When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing us Friday's cyber assault, he said.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith.

Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months.

Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

In April, exactly a month later, an NSA toolkit of hacking weapons, including Eternalblue, was dumped online by the Shadow Brokers: a powerful loaded gun was now in the hands of any willing miscreant.

In May, just last week in fact, the WannaCrypt ransomware, equipped with this weapon, spread across networks and infected tens of thousands of machines worldwide, from hospital computers in the UK and Fedex terminals in the US, to railways in Germany and Russia, to cash machines in China.

On Friday night, Microsoft issued emergency patches for unsupported versions of Windows that did not receive the March update – namely WinXP, Server 2003, and Windows 8 RT. Up until this point, these systems – and all other unpatched pre-Windows 10 computers – were being menaced by WannaCrypt, and variants of the software nasty would be going after these systems in the coming weeks, too.

The Redmond tech giant was praised for issuing the fixes for its legacy Windows builds. It stopped supporting Windows XP in April 2014, and Server 2003 in July 2015, for instance, so the updates were welcome.

However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

Here's the dates in the patches:

Windows 8 RT (64-bit x86): Feb 13, 2017
Windows 8 RT (32-bit x86): Feb 13, 2017
Windows Server 2003 (64-bit x86): Feb 11, 2017
Windows Server 2003 (32-bit x86): Feb 11, 2017
Windows XP: Feb 11, 2017
Windows XP Embedded: Feb 17, 2017

The SMBv1 bug is trivial, by the way: it is a miscalculation from a 32-bit integer to a 16-bit integer that can be exploited by an attacker to overflow a buffer, push too much information into the file networking service, and therefore inject malicious code into the system and execute it. Fixing this programming blunder in the Windows codebase would have been easy to back port from Windows 8 to XP.

If you pay Microsoft a wedge of cash, and you're important enough, you can continue to get security fixes for unsupported versions of Windows under a custom support license. It appears enterprises and other organizations with these agreements got the legacy fixes months ago, but us plebs got the free updates when the house was already on fire.

Smith actually alluded to this in his blog post over the weekend: "We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003." [Italics are ours.]

Money talks

Custom support is a big earner: Microsoft charged Britain's National Health Service $200 per desktop for year one, $400 for year two and $800 for a third year as part of its contract.

UK Health Secretary Jeremy Hunt cancelled the contract after a year as a cost-saving measure. The idea was that a year would give NHS trusts time to manage their upgrades and get modern operating systems, but instead it seems some trusts preferred to spend the money not on IT upgrades but on executive remuneration, nicer offices, and occasionally patient care.

Defence Secretary Michael Fallon claimed on Sunday that "less than five per cent of [NHS] trusts" still use Windows XP.

Naturally, Microsoft doesn't want to kill the goose that lays such lovely golden eggs, by handing out patches for old gear for free. And supporting a 16-year-old operating system like Windows XP must be a right pain in the ASCII for its engineers.

And we appreciate that computers still running out-of-date operating systems are probably doing so for a reason – perhaps it's a critical device or an MRI scanner that can't be upgraded – and thus it doesn't matter if a patch landed in February, March or May: while every little helps, the updates are unlikely to be applied anyway.

On the other hand, we're having to live with Microsoft's programming mistakes nearly two decades on, mistakes that Microsoft is seemingly super reluctant to clean up, unless you go the whole hog and upgrade the operating system.

Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor.

We asked Microsoft to comment on the timing of its patching, but its spokespeople uselessly referred us back to Smith's blog.
Meanwhile, here's some more technical analysis of the WannaCrypt worm and how a kill switch for the nasty was found and activated over the weekend.

#### [May 19, 2017] Global Cyberattack: Are Private Interests Using States? The global cyberattack, the NSA and Washington's war propaganda against Russia, by Bill Van Auken

##### Notable quotes:
##### "... Thus, amid the hysterical propaganda campaign over Russian hacking, Washington has been developing an array of cyber-weapons that have the capability of crippling entire countries. Through the carelessness of the NSA, some of these weapons have now been placed in the hands of criminals. US authorities did nothing to warn the public, much less prepare it to protect itself against the inevitable unleashing of the cyber weapons it itself had crafted. ..."
##### "... There was no question then of an investigation taking months to uncover the culprit, much less any mystery going unsolved. Putin and Russia were declared guilty based upon unsubstantiated allegations and innuendo. Ever since, the Times ..."
##### "... Since Trump's inauguration, the Democratic Party has only intensified the anti-Russian propaganda. It serves both as a means of pressuring the Trump administration to abandon any turn toward a less aggressive policy toward Moscow, and of smothering the popular opposition to the right-wing and anti-working class policies of the administration under a reactionary and neo-McCarthyite campaign painting Trump as an agent of the Kremlin. ..."
###### May 16, 2017 | www.defenddemocracy.press
The cyberattack that hit some 200,000 computers around the world last Friday, apparently using malicious software developed by the US National Security Agency, is only expected to escalate and spread with the start of the new workweek. The cyber weapon employed in the attack, known as "WannaCrypt," has proven to be one of the most destructive and far-reaching ever.
Among the targets whose computer systems were hijacked in the attack was Britain's National Health Service, which was unable to access patient records and forced to cancel appointments, treatments and surgeries. Major corporations hit include the Spanish telecom Telefonica, the French automaker Renault, the US-based delivery service Fedex and Germany's federal railway system. Among the worst affected countries were reportedly Russia, Ukraine and Japan. The weaponized software employed in the attacks locks up files in an infected computer by encrypting them, while demanding $300 in Bitcoin (digital currency) to decrypt them and restore access.

Clearly, this kind of attack has the potential for massive social disruption and, through its attack on institutions like Britain's NHS, exacting a toll in human life.

This event, among the worst global cyberattacks in history, also sheds considerable light on issues that have dominated the political life of the United States for the past 10 months, since WikiLeaks began its release of documents obtained from the hacked accounts of the Democratic National Committee and John Podesta, the chairman of Hillary Clinton's presidential campaign.

The content of these leaked documents exposed, on the one hand, the DNC's machinations to sabotage the presidential campaign of Bernie Sanders, and, on the other, the subservience of his rival, Hillary Clinton, to Wall Street through her own previously secret and lavishly paid speeches to financial institutions like Goldman Sachs.

Read also: Obama Warned to Defuse Tensions with Russia

This information, which served to discredit Clinton, the favored candidate of the US military and intelligence apparatus, was drowned out by a massive campaign by the US government and the corporate media to blame Russia for the hacking and for direct interference in the US election, i.e., by allegedly making information available to the American people that was supposed to be kept secret from them.

Ever since then, US intelligence agencies, Democratic Party leaders and the corporate media, led by the New York Times, have endlessly repeated the charge of Russian hacking, involving the personal direction of Vladimir Putin. To this day, none of these agencies or media outlets have provided any probative evidence of Russian responsibility for "hacking the US election."

Among the claims made to support the allegations against Moscow was that the hacking of the Democrats was so sophisticated that it could have been carried out only by a state actor. In a campaign to demonize Russia, Moscow's alleged hacking was cast as a threat to the entire planet.

Western security agencies have acknowledged that the present global cyberattack – among the worst ever of its kind – is the work not of any state agency, but rather of a criminal organization. Moreover, the roots of the attack lie not in Moscow, but in Washington. The "WannaCrypt" malware employed in the attack is based on weaponized software developed by the NSA, code-named Eternal Blue, part of a bundle of documents and computer code stolen from the NSA's server and then leaked by a hacking group known as "Shadow Brokers."

Read also: The End of Freedom? Secret Services developing like a Cancer

Thus, amid the hysterical propaganda campaign over Russian hacking, Washington has been developing an array of cyber-weapons that have the capability of crippling entire countries. Through the carelessness of the NSA, some of these weapons have now been placed in the hands of criminals. US authorities did nothing to warn the public, much less prepare it to protect itself against the inevitable unleashing of the cyber weapons it itself had crafted.

In its report on the global cyberattacks on Saturday, the New York Times stated: "It could take months to find out who was behind the attacks – a mystery that may go unsolved."

The co-author of these lines was the New York Times chief Washington correspondent David E. Sanger, who, in addition to writing for the "newspaper of record," finds time to lecture at Harvard's Kennedy School of Government, a state-connected finishing school for top political and military officials. He also holds membership in both the Council on Foreign Relations and the Aspen Strategy Group, think tanks that bring together capitalist politicians, military and intelligence officials and corporate heads to discuss US imperialist strategy.

All of this makes Sanger one of the favorite media conduits for "leaks" and propaganda that the CIA and the Pentagon want put into the public domain.

It is worth contrasting his treatment of the "WannaCrypt" ransomware attack with the way he and the Times dealt with the allegations of Russian hacking in the run-up to and aftermath of the 2016 US presidential election.

There was no question then of an investigation taking months to uncover the culprit, much less any mystery going unsolved. Putin and Russia were declared guilty based upon unsubstantiated allegations and innuendo. Ever since, the Times, serving as the propaganda outlet of the US intelligence services, has given the lead to the rest of the media by endlessly repeating the allegation of Russian state direction of the hacking of the Democratic Party, without bothering to provide any evidence to back up the charge.

Read also: Political Coverup of Iraq Atrocities

With the entire world now under attack from a weapon forged by Washington's cyberwarfare experts, the hysterical allegations of Russian hacking are placed in perspective.

From the beginning, they have been utilized as war propaganda, a means of attempting to promote popular support for US imperialism's steady escalation of military threats and aggression against Russia, the world's second-largest nuclear power.

Since Trump's inauguration, the Democratic Party has only intensified the anti-Russian propaganda. It serves both as a means of pressuring the Trump administration to abandon any turn toward a less aggressive policy toward Moscow, and of smothering the popular opposition to the right-wing and anti-working class policies of the administration under a reactionary and neo-McCarthyite campaign painting Trump as an agent of the Kremlin.

SOURCE www.wsws.org

#### [May 19, 2017] There are other search engines, browsers, email services besides those operated by the giants. DuckDuckGo, protonmail, and the Opera browser (with free built-in VPN!) work well for me

##### As soon as DuckDuckGo shows ads and you have JavaScript enabled, your privacy evaporates the same way it evaporated with Google, unless you use a VPN. Even then, there are ways to bind your PC to your identity that do not rely on the IP address.
###### May 19, 2017 | www.nakedcapitalism.com

lyman alpha blob , May 19, 2017 at 1:58 pm

There are other search engines, browsers, email services, etc. besides those operated by the giants. DuckDuckGo, protonmail, and the Opera browser (with free built-in VPN!) work well for me.

The problem is, if these other services ever do get popular enough, the tech giants will either block them by getting their stooges appointed to Federal agencies and regulating them out of existence, or buy them.

I've been running from ISP acquisitions for years, as the little guys get bought out I have to find an even littler one.

Luckily I've found a local ISP, GWI, that I've used for years now. They actually came out against the new regulations that would allow them to gather and sell their customers' data. Such anathema will probably wind up with their CEO publicly flayed for going against all that is good and holy according to the Five Horsemen.

#### [May 17, 2017] How to avoid the WannaCrypt virus if you run Windows XP in VM

###### May 17, 2017 | www.techconnect.com
WannaCrypt may be exclusively a problem for Windows users, but the worm/virus combination could hit a Mac user with a Boot Camp partition or Windows virtual machines in VMware Fusion, Parallels, or other software. If you fit that bill and haven't booted your Windows system since mid-March or you didn't receive or install Microsoft's vital security update (MS17-010) released at that time, read on.

It's critical that you don't start up a Windows XP or later installation that's unpatched and let it connect to the Internet unless you're absolutely sure you have the SMB file-sharing service disabled or firewall or network-monitoring software installed that will block any attempt from an outside connection.

Also, if you use Windows XP or a few later releases of Windows that are past Microsoft's end of support since mid-March, you wouldn't have received the security updates that Microsoft was reserving only for corporate subscribers until last Friday. At that point, they made these updates generally available. If you booted any of those systems between mid-March and Friday, you're unprotected as well.

If your Mac is on a network that uses NAT and DHCP to provide private IP addresses, which is most home networks and most small-office ones, and your router isn't set up to connect the SMB file service from outside the local private network to your computer (whether Boot Camp or a VM), then the WannaCrypt worm can only attack your system from other computers on the same network. If they're already patched or there are no other Windows instances of any kind, you can boot up the system, disable SMBv1, and apply the patches.

If you don't want to take that chance or you have a system that can be reached from the greater Internet directly through whatever method (a routable IP or router port mapping to your Mac), you should disable networking on your computer before restarting into Boot Camp or launching a VM. This is easy with ethernet, but if you're using Wi-Fi for your Windows instance, you need to unplug your network from the Internet.

After booting, disable SMBv1. This prevents the worm from reaching your computer, no matter where it is. Microsoft offers instructions for Windows 7 and later at this support note. If you have a Windows XP system, the process requires directly editing the registry, and you will want to install firewall software to prevent incoming connections to SMB (port 445) before proceeding. The firewall approach is a good additional method for any Windows instance.

Once you've either disabled SMBv1 or have a firewall in place, you can enable network access and install all the patches required for your release, including MS17-010.

In some cases, you no longer need SMBv1, already known to be problematic, and can leave it disabled. If for legacy reasons you have to re-enable it, make sure you have both networking monitoring and firewall software (separately or a single app) that prevents unwanted and unexpected SMB access.
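The procedure above (stay offline, disable SMBv1, block inbound port 445, then patch) as an added PowerShell script; it is not part of the TechConnect article. It assumes an elevated prompt inside a Windows 7 or later guest (Windows XP has no PowerShell by default), and the KB identifier in `Test-Ms17010Installed` is a placeholder to be replaced with the MS17-010 update number for the guest's Windows version.

```powershell
# Added example (not from the article): pre-patch hardening for a Windows VM or
# Boot Camp install that has been offline since before MS17-010 shipped.
# Run as Administrator while the guest's network is still disconnected, then
# reconnect and install the pending updates.
$ErrorActionPreference = 'Stop'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # $true if the SMBv1 server side is enabled. Windows 8 / Server 2012 and
    # later expose this through the Smb cmdlets; Windows 7 only via the registry,
    # where an absent SMB1 value means "enabled" (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
        # The registry change only takes effect once the Server service restarts.
        Restart-Service -Name LanmanServer -Force
    }
}

function Block-InboundSmb {
    # Belt and braces: even with SMBv1 off, refuse inbound TCP 445 until the
    # MS17-010 update is confirmed installed. Idempotent: skips an existing rule.
    $name = 'Block inbound SMB (TCP 445) until MS17-010 is installed'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Vista fallback: same rule through netsh.
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

function Test-Ms17010Installed {
    # MS17-010 is delivered as different KB numbers per Windows version; take the
    # right one from the bulletin. 'KBnnnnnnn' is a placeholder, not a real ID.
    param([string[]]$KbIds = @('KBnnnnnnn'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

# Report, harden, verify.
Write-Output ("SMBv1 server enabled before: {0}" -f (Get-Smb1State))
Write-Output ("MS17-010 present:            {0}" -f (Test-Ms17010Installed))
Disable-Smb1Server
Block-InboundSmb
Write-Output ("SMBv1 server enabled after:  {0}" -f (Get-Smb1State))
# Anything still bound to 445 is now shielded by the firewall rule; list it for the record.
netstat -an | Select-String ':445\s'
```

Once `Test-Ms17010Installed` returns True after the update cycle, the blocking rule can be removed if SMB file sharing is actually needed; otherwise leave both the rule and the SMBv1 setting as they are.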

#### [May 16, 2017] Ransomware scum have already unleashed kill-switch-free WannaCrypt variant (The Register)

##### "... Given that the only safe/undetected way of laundering the bitcoins will be to buy drugs or guns or other such illegal goods on the darkweb and then turn that into cash by selling it on then the perps are as you say both greedy and insanely (criminally) stupid. ..."
##### "... If Microsoft had an update channel for security patches only, not unwanted features and M$'s own brand of malware, people would be a lot more inclined to stay up to date. ..."
##### "... Rumors running around that this is Deep State sponsored coming out of various cliques in intelligence agencies in retaliation for the Vault 7 leaks. ..."
###### May 16, 2017 | theregister.co.uk

15 May 2017 at 09:42, John Leyden

Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware. Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, although this is subject to some dispute.

"As far as I know there's only been two variants (one this morn) and none without [a kill]switch," security researcher Dave Kennedy told El Reg. Other researchers, including Kevin Beaumont, are also telling us they haven't yet seen a variant of WannaCrypt without a kill switch.

What isn't in question is that follow-up attacks based on something similar to WannaCrypt are likely and that systems therefore really need protecting. Black hats might well create a worm that attacks the same Windows vulnerability more stealthily to install a backdoor on the many vulnerable systems still out there, for example.

The WannaCrypt ransomware spread to devastating effect last week using worm-like capabilities that relied on a recently patched vulnerability in Microsoft's SMB file-sharing services (MS17-010). WannaCrypt used a purloined EternalBlue exploit originally developed by the US National Security Agency before it was leaked by the Shadow Brokers last month. WannaCrypt's victims included the National Health Service, Spain's Telefónica and numerous other organisations across the world. A techie at Telefónica confirmed that the initial infection vector was a phishing email.

The scale of the attack prompted Microsoft to take the highly unusual step of releasing patches for unsupported operating systems, including Windows XP. ®

Re: Inevitable

Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows. The real issue here is that Microsoft has stopped patching XP and Vista systems in an attempt to force users to upgrade -- that's where the real money is in these vulnerabilities. So who's going to make out like a bandit from WannaCry et al? Expect Microsoft Win 10 share to increase over the next few months - they are the real winners here.

Mage, Re: The real issue here is that Microsoft has stopped patching XP

Actually technically they haven't stopped. (Vista yes). BUT THE PATCHING IS NEARLY IRRELEVANT! Like most other spam borne "attacks" this would be totally mitigated by 1) User training and common sense. 2) Better configured systems. XP use by NHS is a red herring. Even if EVERYONE used Linux* and it was updated daily, it will NOT stop this until the USERs are better trained and use email properly. [*Because all the spam based attacks would be aimed at Linux]

Ken Hagan, Re: Inevitable

"Because the likes of the FSB & PLA must be too stupid to have also discovered these types of vulnerabilities." If they knew about them, they didn't do a very good job of protecting their own gear from them.

M., Re: Inevitable

Your Comment: "Yes, the NSA is criminal for making these immoral and unlawful cyber weapons..." Unlawful? By what law, specifically? (NOTE: Title 10 and Title 50 authorities directly - and legally - trump certain US laws.) As an analogy - It's not "illegal" for a policeman to speed to catch up to a criminal. It's not "illegal" for the NSA to create tools to compromise computers. You can argue all day as to whether it is illegal to DEPLOY tools, once created, against CERTAIN computers, but I don't think you have a leg to stand on calling the fact that NSA *creates* such a tool - if they even did create one themselves - in any way an illegal act.

Michael Habel, Re: Inevitable

Implying that Windows 8, and Windows 10 are better than an unmaintained Windows XP SP3 Installation. Which can still do its job. Probably better than those other Two numbskull OSs. Assuming Microsoft were kind enough to continue supporting it. But, alas that way only madness lay. As XP does not contain Trackers, and (Cr)App Stores to take your Moneyz.

DuncanLarge, Re: Inevitable

"Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows."

It's clear the NSA intended to not inform Microsoft at all as this was part of their arsenal, a secret tool on their version of a Bat Belt. We must blame the NSA as they developed it, hoarded it and then lost control of it when it got out. This should be an example of how such organisations should not be using such methods. The only way Microsoft knew about this and patched this was because the NSA lost control of the code to ShadowBrokers who then reported it to Microsoft giving them enough time to roll out a patch before a public release.

As you correctly say, anyone could have developed code that exploits the flaw. But who detected that flaw first? So who should have the social responsibility to improve the "cyber" defense of at least their own nation by disclosing such a flaw? The NSA found it. Kept it secret, then lost the code due to real humans making mistakes or breaking in who discover a pot of "hacker gold" runnable and mature from the first double click.

For this very reason Apple, correctly, refused to create a version of iOS that could be installed on an iPhone to weaken the pin entry screen to allow the FBI entry. Apple knew they could not simply trust that this hacked version of iOS could be kept under control.

inmypjs, Re: Inevitable

"blaming a commercial company for not patching a 13 year"

I think blaming and criticising a company that sold you buggy vulnerable crap and refuses to fix bugs because someone else didn't find and advise them of them soon enough is entirely justified. I have some compilers from a company with a policy that finding a bug in an obsolete unsupported version of the compiler entitles you to a free upgrade to a current supported version. That would be the policy of a decent company (which Microsoft clearly isn't). Of course Microsoft's current supported version being a piece of shit that no one wants would stymie such a policy.

Wayland, Re: So you're blaming a commercial company for not patching a 13 year old OS?

In my experience with embedded systems there is nothing particularly fancy about the way the PC talks to the special hardware. There is nothing that says it can't be upgraded to say 32 bit Windows 7 or even rewritten for Linux. Much of the code is written in C or Delphi. It would take a bit of work but not impossible. The problem is that like Microsoft the manufacturers have moved on. They are playing with their next big thing and have forgotten about that old stuff. What is needed is a commitment from the manufacturers to either support the gear for 30 years or share the code and the schematics. Obviously a consideration would be required from the buyer, I don't see why they should do that for free. The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.

Dr Who

You could look at an event such as that of the last few days as the Internet's version of a wildfire. In the short run some damage is done but in the long run the fire's job is to clear out dead wood and enable the regrowth of a stronger, healthier ecosystem. Short term pain for long term gain.

Lost all faith...

And in a few years it will all be forgotten. Nachi / Blaster anyone?

katrinab

Not really. "We've installed the MS security patch, we've restored from back-up. Everything's OK now". Papworth NHS Trust has had something like 16 of these ransomware attacks in the last 12 months, and hasn't done anything. It is going to take a lot more than this to change management attitudes.

Mage, Re: Internet's version of a wildfire

No, because very few organisations and users will learn the real lessons. Patching and AV inevitably often is bolting the stable door after horses gone for the first hit. Yet proper user training and proper IT configuration mitigates against almost all zero day exploits. I struggle to think of any since 1991. Firewalls, routers, internal email servers (block anything doubtful), all superfluous services and applications removed, no adhoc sharing, users not administrators, and PROPER training of users.

Anonymous Coward

I wish! The idiots who think it's fine to run XP are paid ten times more than me and they'll still be in the same role this time next year. There'll be no getting rid of dead wood, just more winging it and forcing underpaid Techies to work more weekends after more screw ups.

Stuart 22, Is it just me?

It's surely incredible that a lone pizza stuffed actor could get immediate access to the worm and spend a night before he spotted the 'call home' vector? Is that really that hard? And beat the best resourced detection agencies worldwide? Surely every IT detective agency including GCHQ would have sandboxed it on first sight, thrown their best at it if only to beat their friends across the pond, to save Jeremy Hunt & Mother Theresa's bacon just ahead of a new funding opportunity (aka new government). It all smells not only of pizza but planted news. And if it is genuine what on earth are we paying this organisation and every anti-virus firm for?

Andy Non, Re: Experts all giving advice how to stay secure

Went to the doctor's surgery this morning. All the computers were down. I queried if they'd been hit with the malware, but apparently it was as a preventative measure as their main NHS trust has been badly hit, so couldn't bring up any records or even know what the wife's blood test was supposed to be for. Next I'm expecting the wife's hospital appt to be canceled due to the chaos it is causing. I wonder if we can get a go-fund-me page set up to hire someone to track down this hacker scum and take out a hit on them? A bullet to the brain may give other scumbags something to think about.

Voyna i Mor, Re: Experts all giving advice how to stay secure

The answer is not to avoid Windows. It's for our so-called security agencies to get to understand that they are not supposed to be a dirty tricks department collecting weapons for use against others, but that they are supposed to work on our national security - which includes public and private services and businesses as well as the Civil Service. The fact that May and Rudd seem totally unable to get what could go wrong post-Snowden suggests that when one of them became PM, a school somewhere missed the bullet of a particularly anal retentive geography teacher.

Anonymous Coward, Re: Experts all giving advice how to stay secure

Actually Windows 10 was affected, but because it patches more aggressively the March fix was already applied to most unless they had different WSUS settings in a business/edu environment.

Ferry Michael, Re: Experts all giving advice how to stay secure

Windows 10 STILL has SMBv1 needlessly enabled by default. Should either be disabled by default or removed altogether. Wonder when someone will find another exploitable weakness. Staying secure means turning off protocols you don't need. I have a dual boot laptop that has not booted to Windows since before March - I need to review what services it has enabled to make it a bit more secure before I connect it to the Internet to download latest patches. Patching and anti-virus software take time to apply after a vulnerability has been discovered. That can be too late.

roblightbody, Re: Experts all giving advice how to stay secure

"Customers running Windows 10 were not targeted by the attack today."

Voland's right hand, Re: Experts all giving advice how to stay secure

Some people do not have any choice. When the X-ray machines in the affected hospital trusts were bought using Windows XP (or even 2001) imaging software, that was state of the art. The issue is that the life of a piece of equipment like this vastly exceeds the lifespan of the OS that was used for the control system. On top of that, quite often these cannot be patched as the software is written so badly that it will work only with a specific patch-level of the core OS. That CAN and SHOULD be mitigated by:

0. Considering each and every one of those a Typhoid Mary in potentia
2. Preventing any communication except essential management and authentication/authorization going out
3. Providing a single controlled channel to ship out results to a location which we CAN maintain and keep up to date.

Instead of that, criminally stupid idiots at NHS IT in the affected trusts as well as other enterprises which were hit:

1. Put these unpatchable and unmaintainable machines in the same flat broadcast domain with desktop equipment. There was no attempt at isolation and segmentation whatsoever.
2. In some cases allowed use of unrelated desktop applications (at ridiculously ancient patch-levels) such as Outlook or even Outlook Express.
3. Opened file sharing on the machines in question.

Each of these should be a sackable offense for the IT staff in question.

mcpharm, Re: Experts all giving advice how to stay secure

It's more than incompetent IT people and way worse and virtually impossible to fix. There is a lot of niche or specialist custom software used in the NHS that can only work on XP and IE 6, period. Most of the people who wrote it are dead or retired etc. Systems vendors to the NHS are borderline criminal. In pharmacy, there are only 1 of 4 mandated systems vendors you can choose. The 3 desktop based ones have so much legacy crap etc that they still only work on Windows 7. They also insist on bundling in a machine at just a stupid high cost to a tech illiterate customer base - generally a cut down crappier version of something you could buy in Argos for 300 quid they will charge over a grand for. Their upgrade cycles are a f**king joke and their business model makes their customers very reluctant to do so as they have to fork out silly money for a new shit machine just cos their vendor tells them they have to .. our superdupa crap shit fuck software will only work on a machine we provide. Emis/proscript have a lot to answer for ..

Lots of the staff and their employers are basically proud of being a digital numbskull. "I am healthcare professional, why should i have to know anything about this" and the drones are so poorly paid / bitched at incessantly about everything they just have an "i dunno i just work here, that's not my job" attitude. I have to screenshare to train people how to use our websites .. this means i have to get them to stick a url into their browser, that's it ... you have no idea how many can't do that .. then get all offended when i ask them what browser they are using .. "i don't know, why should i know that, i just use google" is always the response .. when half the NHS work force doesn't know what a f**king browser is and is perversely proud of the fact they can't type a url into a browser address bar, how on earth are we ever going to have any sunnvbnf0ijgogjrnb;vzjnav;kjnnf;kqgfnjv;jnf;jjvn;w

Data Security has turned into one of these tick box things, everyone has dire warning, you will be fined loads of money for doing something wrong that you don't understand and actively don't want to understand so no one gives a f**k as long as they can say they ticked the right boxes.

Anonymous Coward, A dish best served cold

Now, I would *hate* to start an internet rumour... but didn't the USA promise a retaliation? :-)

• https://www.theguardian.com/us-news/2016/dec/16/obama-retaliation-russia-hacking-us-election
• http://www.bbc.com/news/world-39919249

Yupp, there was some collateral damage amongst their allies, but that's the new normal. Anon because I might be right ;-)

Naselus, Re: A dish best served cold

"Anon because I might be right" You aren't. Firstly, a state actor attack would be far better targeted. Stuxnet, for example, actually checked the serial numbers of the centrifuges it targeted to ensure that it only hit ones created in the right date span to impact only those bought by Iran. The vector on this attack, on the other hand, literally just spammed itself out to every available IP address that had port 445 open. Second, US retaliation would almost certainly involve using a few zero-days. If you want to prove that you have vastly more power than your opponent, then you want to do something that literally resembles friggin' magic from his point of view. You want to show him that he can do nothing whatsoever to defend his critical infrastructure from your attacks. This did not; nothing in this hadn't already been discovered and patched.
If the best thing the US can throw at Russia could be taken out by just switching on your WSUS server in the past three months, then there's no point even doing it because it would make them look weak, not strong. Thirdly, and most importantly, most of the original bits of this were actually quite shittily written. Oh sure, there was a genuine bit of high-tech NSA code in there from the shadow broker leak... but there was also a fair load of primitive crap there too. It's a bit like an 16 year old came into possession of an F-16; it was destructive as hell but he didn't really know how to fly it. I've just finished in a webinar on the incident, and there's literally 5 different layers of my SMB's security that blocked this (patching, permissions, firewall, commercial AV, VLANs). And we're not exactly cutting-edge - just running best practice. In short, if this was state-backed, then the state in question would have to be somewhere like Honduras, not one of the big-league infosec powers. Anonymous Coward On the topic of NSA exploits being used by WannaCry, was the DOUBLEPULSAR exploit patched with MS17-010? Commswonk I can't help thinking that announcing the discovery of the kill switch might not have been a good idea. And you should see the number of downvotes I got in another thread for suggesting exactly that. Another commentator stated (if I understood him correctly) that the "public announcement" was more or less irrelevant because security experts' chatter on blogs would have given the game away anyway. In turn that made me think along the lines of " FFS what sort of security experts swap notes on blogs that may be / almost certainly are open to being read by the hackers " I think I despair... if the above is true then there is simply no hope. Norman Nescio Possibly not an intentional kill switch As the Malwaretech blog entry here: points out, it was quite possibly not an intentional kill switch. 
Some malware probes for the existence of a selection of randomly generated domains. Some sandbox VMs respond to all DNS lookups by providing back the IP address of the sandbox VM instance. If the malware sees a positive response to the DNS lookups (which should fail), then the logic is that it is probably running in a sandbox VM, which may well be being used to analyse/investigate the malware, so the malware stops running. The single lookup of the unusual domain name was possibly a poor implementation of this technique. Alternatively, it is an intentional kill switch, used during development, with a local DNS server on the malware developer's LAN, the function of which was to prevent infection of other devices on the same LAN. If anyone keeps records of DNS lookups, it might be interesting to see where the first lookups came from. Bill Gray Re: Possibly not an intentional kill switch @Norman Nescio : "...The single lookup of the unusual domain name was possibly a poor implementation of this [sandbox detection] technique." I read the Malwaretech log (excellent description of why you'd look for a nonexistent domain to determine if you're sandboxed) and thought: OK, so the virus writer should check a randomly generated domain, instead of a fixed one. That way, they can't all be registered, your virus can't be kill-switched the way this one was, and your virus can still tell if it's being run in a sandbox. Except the folks creating sandboxes might take the precaution of checking the domain. Instead of returning a valid result for any garbage domain, check to see if it's been registered first. Suddenly, the virus can no longer tell that it's running in a sandbox. Except then, the virus author checks four or five valid domains; if they all return identical results, you know you're running in a sandbox. (Reading further, I see that this method is actually used in some cases.) 
Except that _then_, the sandbox authors do some revisions so that seemingly accurate results are returned that are actually remapped by the sandbox code. This is all outside my area of expertise. Still, I could see a nearly endless cycle of fix/counter-fix going on here. Blotto Ransome code is not proxy aware, kill switch won't work in most enterprises. the code is not proxy aware and the kill switch would not work in well structured environments where the only access to the net is via a configured non transparent proxy. Enterprises will need to think a bit harder about how they ensure the kill switch is effective this time. The miscreants wont make this same mistake next time. Talking about the kill switch is good, wouldn't have taken the miscreants long to work out something was not right anyway. Anonymous Coward What is the motivation here? Is all it seems to be... <Black Helicopter Icon> Ransomware usually works on a relatively widespread basis but usually SMB, and domestic users. Big organisations and governments, generally are defended (although clearly some well publicised exceptions) The beneficiaries are usually relatively safe as law enforcement cannot usually be bothered to investigate and the cash rolls in for the most desperate victims. In this case, knowing there are a number of nation state backed cyber defence teams looking into this... they either a) have balls big enough to need a wheelbarrow and believe that they wont get caught no matter what and cyber defence is really too hard to deliver effectively, regardless of backers. or b) that they are insanely stupid and greedy and are not following the news... Or is this already a state backed exercise from somewhere and is simply a global experiment at our expense? The fact the original flaw was used by the NSA is not really relevant, it simply got it publicity but was clearly available for a long time. Anonymous Coward Re: What is the motivation here? Is all it seems to be... 
Given that the only safe/undetected way of laundering the bitcoins will be to buy drugs or guns or other such illegal goods on the darkweb and then turn that into cash by selling it on then the perps are as you say both greedy and insanely (criminally) stupid. No doubt they'll have their comeuppance shortly - without being "caught" by any nation state backed cyber defense team - probably up some dark alley being stiffed by gangbangers. Probably just some kid :-( gerritv The warning was there in Sep 2016!! We were told to stop using SMB v1 in Sep 2016. The only reason to keep it enabled is to use it with XP! IanMoore33 MS should hire the NSA hackers maybe they can teach them something about software Anonymous Coward In light of this threat I just got around to patching a somewhat neglected Windows 7 PC. And now it's got a message from Microsoft (falsely) saying it's not genuine. It may not be registered but it's certainly a legitimately purchased copy. So far it's just a tiny message in the corner of the screen but who knows what else it'll do. I don't have time for this. Guess I'll roll back the update and take my chances. This bullshit is what I blame more than anything, even the NSA, for outbreaks like this. If Microsoft had an update channel for security patches only, not unwanted features and M$'s own brand of malware, people would but alot more inclined to stay up to date.

Anonymous Coward

The goal here was 2 fold.

1. Hurt Russia.

2. Hurt NSA credibility.

Everything else is gravy for the attackers. Rumors running around that this is Deep State sponsored coming out of various cliques in intelligence agencies in retaliation for the Vault 7 leaks.

Lion
Peer creds

The scum are obviously in hiding - either on a luxury yacht on the Black Sea or in a basement somewhere. I'd hazard a guess it is the latter. There must be other scum in the same racket who know who the are. I wonder if they have earned any street creds for what they did?

• chaos (not really)
• financial bonanza (nope)
• media attention (big win)
• shit disturbing (yep - mostly stirred the NSA and Microsoft)
• rattle some chains (mostly IT departments)
• peer envy (I doubt it)

Their reward beyond the $30K they collected will be prison (blackmail and extortion are felonies).

John Smith 19
So the haul from this little operation is currently what $60K?

V. Poor criminal work. Extortion technique needs more work. Clean up costs have probably been in the $m.

Jim Birch
Re: So the haul from this little operation is currently what $60K?

This is a fairly typical ratio of realized proceeds of crime to cost of crime and prevention measures. The economic case for crime reduction is overwhelming. But it's easier said than done. People are creative, even (especially?) criminals.

truloxmyth
Its a sign of the times that no government is actually interested in Universal security, for the greater good of human kind. We're at a point where everything is now based online, and everyone in the world is connected.

The internet has removed the idea of 'borders' in the traditional sense!! I don't have to get on a plane to Italy, to see Italy. I can log onto remote cameras and a host of other online services, which mean I can be in the country without having to physically be in the country!

The NSA wasn't even bothered about protecting their own country... They didn't release this data, to allow the problem to be solved. If I were American I would be Pissed that my own government has been complicit in this entire debacle by keeping this quiet, and didn't release the information to the wider security community when they found the holes!!

If your doctor found you had terminal cancer, but they had a product that would guaranteed slowing of the cancer or entire removal of the disease then you would expect them to tell you wouldn't you?! But when the shady NSA finds a potentially life threatening exploit, they keep it to themselves?!... the middle letter of NSA stands for SECURITY for effs sake!!

There is no such thing as trust anymore between so called 'allies' as the NSA has just proved. It has also proved that life is worthless to them. This is clearly due to their inability to see the bigger picture of what they have A. Created, and B. Allowed to be released into the wild!!

Yes someone in their bedroom could have found the exploit, but that's a bedroom hacker/cracker. But you put pretty much unlimited resources and man power behind a department, then they are clearly going to come up with the exploit a billion times faster than a sole agent. Or even a collective of agents separated over the globe.

So all this stupidity that the NSA shouldn't be held accountable should be rethought. Because they CLEARLY are at fault here, for NOT DISCLOSING THE INFORMATION LAST YEAR!!!

#### [May 15, 2017] In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely

##### "... Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners. ..."
###### www.theserverside.com

In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times:

At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware.

In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms.

However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

Microsoft supported Windows XP for over a decade before finally putting it to sleep.

In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?

acoustix ( 123925 ) on Monday May 15, 2017 @01:01PM (#54419597)

Wrong Approach (Score:2)

This attack happened because the US Government didn't do its job. Its primary task is national defense. It kept a vulnerability to itself to attack foreigners instead of protecting its own infrastructure, businesses and individuals. The government had these tools taken and passed around for everyone to use. And crap like this is why governments can never be allowed to have backdoors. The secrets will always get out. Everyone is vulnerable.

WaffleMonster ( 969671 ) on Monday May 15, 2017 @12:09PM (#54419177)

Artificial scarcity (Score:2)

There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned.

I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are entirely preventable classes of software failures. It is a tractable problem to solve. That it may not be in the case of XP isn't the end user's problem.

jrifkin ( 100192 ) on Monday May 15, 2017 @11:55AM (#54419015)

Yes. It's like vaccinations (Score:2)

If the number of older systems is large enough, then Yes, Microsoft should release patches for them.

They should do this for two reasons:

1) Reducing the number of infected systems helps protect others from infections

2) It protects the innocent, like those whose Medical Care was interrupted in the UK, from collateral damage.

Who pays for it? Microsoft. They have benefited from the sale of all those systems, and certainly have enough cash to divert some to supporting old but prevalent systems. Also, the fact that people still use MS systems, even if they're old, benefits MS in some way by helping them maintain market share (and "mindshare"). Odds are that these systems will eventually be replaced by more MS systems, representing future revenue for MS.

Khyber ( 864651 ) <techkitsune@gmail.com> on Monday May 15, 2017 @11:50AM (#54418981) Homepage Journal

Re: Silly idea (Score:2)

"I think there is clearly one party at fault, and it is IT."

Why so? XP was far easier to lock down and fully secure than 8 or 10 with that bullshit telemetry, and it had far fewer hardware restrictions. It is smaller and faster and more capable at most of my tasks than most modern systems (example: I use ManyCam 3.0.80 - 2000/XP-Era multi-cam software. Runs like a champ on XP with 4 webcams, I go 7 [Ultimate] or higher, I can no longer use more than 2 webcams despite the software having the ability to access them and me having more than enough USB bandwidth for the uncompressed video streams.)

Most real IT pros know that XP was far superior to the locked-down and (quite often) over-optimized (as in the optimizations go so far as to make the code more complex and actually runs slower due to shit like cache misses and what not) bullshit that is anything after Windows 7.

swb ( 14022 ) on Monday May 15, 2017 @12:20PM (#54419293)

It's an existential problem (Score:2)

Forever support isn't reasonable, but at the same time vendors using security update channels to push unwanted upgrades for the benefit of the vendor is equally bad.

My guess is that we're going to be getting to the end of the road of the "nasty, brutish and short" state of nature in the software industry and start seeing more regulations.

Vendors will be able to EOL their products, but will also have to supply security updates for N years after the product is officially ended. Vendors will be required to maintain a security update channel which may not be used for pushing upgrades or unrequested new products.

An interesting solution would be to let vendors "expire" a version by inserting a patch that boots the OS at a warning page requiring a firm verbal commitment ("I agree this is obsolete") before booting any further. Vendors would be REQUIRED to do this for operating systems they had obsoleted but only after their N years of post-EOL support had ended.

This way, nobody escapes the product being EOL. Customers can still use it, but must affirmatively acknowledge it is obsolete. Vendors are required to keep supporting it for a really long time after official EOL, but they can kill it more completely but only after the EOL support period.

Anonymous Coward on Monday May 15, 2017 @10:44AM (#54418429)

No (Score:5, Insightful)

No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.

jellomizer ( 103300 ) on Monday May 15, 2017 @10:48AM (#54418451)

Re:No (Score:4, Insightful)

I will need to agree with conditions. If the Tech company is selling service contracts for that product, they will need to update it. However like XP and older, where the company isn't selling support, and had let everyone know that it is off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch as it is still vulnerable to the stoner virus.

AmiMoJo ( 196126 ) <mojo AT world3 DOT net> on Monday May 15, 2017 @12:11PM (#54419217) Homepage Journal

Re:No (Score:4, Insightful)

The people providing support should be the ones making MRI scanners, ATMs and other expensive equipment that only works with XP. Even when XP was brand new, did they really expect those machines to only have a lifetime of around 10 years? Microsoft was clear about how long support was going to be provided for.

It seems that people are only just waking up to the fact that these machines have software and it needs on-going maintenance. The next decade or two will be littered with software bricked but mechanically sound hardware, everything from IoT lightbulbs to multi-million Euro medical equipment.

In fact it's already happening. You can buy DNA sequencers on eBay, less than a decade old and original price $500,000, now barely worth the shipping because the manufacturer abandoned support.

number6x ( 626555 ) on Monday May 15, 2017 @12:18PM (#54419269)

They already exist (Score:4, Insightful)

They already exist. They're called routers. Network routers can be configured to provide a great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports. In this case, a router could be configured to keep the SMB port (445) blocked. A router, with updated software, and a firewall gateway can help protect even older devices with embedded code that may no longer be supported. Of course, it goes without saying that you must keep the router's software updated and not use default credentials on the router.

The NHS decided to not upgrade many old systems because the threat was deemed minimal. Offices were urged to upgrade but funds were not made available and infrastructure budgets were cut again and again. Multiple bad decisions led to this result. Many things could have prevented it. Better funding, better threat assessment, the NSA informing Microsoft of the vulnerability so it could have been patched years ago, and on and on... In the end we are here, and hopefully threats will be re-prioritized and better protections will be put in place in the future (I could not keep a straight face while typing that and finally burst out laughing).

bugs2squash ( 1132591 ) on Monday May 15, 2017 @10:45AM (#54418433)

Don't be silly (Score:2)

this did not need to be fixed with an OS patch, it could have been prevented with better network security policies. I would be surprised if someone hadn't said something about addressing the vulnerability earlier but probably got ignored because of some budgetary issue. It would be more reasonable to call for continued money to be made available to address these vulnerabilities after a system has gone into production and a move to use more open source solutions where users can share patches.

CAOgdin ( 984672 ) on Monday May 15, 2017 @11:07AM (#54418613)

I recommend a Subscription model... (Score:3)

Abandoning Operating Systems is a cruel trick played by vendors who want the new revenue from upgrades...no matter what the cost in lost-business, learning-curves, and incompatibilities with existing practices may be to the customers. Spending money on maintaining the security (even excluding features) of superseded products distracts from development of improved products, and is not in the vendors' self-interest. Given that a new Operating system (retail) is in the $100-$150 range, I'd propose a "Life Extension" service subscription, solely for security updates, in the $30-35/year range...with a required minimum of 10,000 customers to keep maintaining the service. That provides enough revenue ($1,000,000+ per annum) to support a small, dedicated staff. Frankly, there's no reason that M$ couldn't engage in a Joint Venture with a small qualified, independent security firm to provide the service, with special access to proprietary information within the O.S. vendor.

It would be an investment in the rehabilitation of the O.S. vendors' reputation, because M$ has gotten quite high-handed in recent years, dictating (or even forcing) software on unwilling customers who have existing businesses to run.

ToTheStars ( 4807725 ) on Monday May 15, 2017 @11:29AM (#54418801)

What if we tied support to copyright? (Score:5, Interesting)

Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don't support anymore? This could also work for art works, as well -- because copyright exists "To promote the Progress of Science and useful Arts," we could make it a requirement that an author (or company, or whatever) needs to be distributing (or licensing for distribution) a work to have copyright on it. When it's out of print, it enters the public domain.

Hartree ( 191324 ) on Monday May 15, 2017 @11:07AM (#54418625)

Yes, because WinXP was never killed off. (Score:2)

It also lives on in many scientific instruments. An old mass spec that runs XP (or even older. I regularly maintain X Ray diffraction machines that still run DOS) usually can still do the day to day job just fine. The software usually hasn't been supported for many years and won't run on anything newer. But replacing the instrument could cost a large amount of money (250K or up in many cases). Research budgets aren't growing and I work for a university in a state that can't pass a budget. We just don't have the money to throw out older systems that work well just because the software is outdated. We just take them off the network and use other means to get the data transferred off of them.

ganjadude ( 952775 ) on Monday May 15, 2017 @11:37AM (#54418873) Homepage

Yes, because WinXP was never killed off. (Score:2)

do those devices NEED internet connection? serious question as i don't know. if not, no problems

DontBeAMoran ( 4843879 ) on Monday May 15, 2017 @11:22AM (#54418727)

Re:Bitcoin is the problem (Score:2)

Because ransomware did not exist before Bitcoin. :rolleyes:

jellomizer ( 103300 ) on Monday May 15, 2017 @11:12AM (#54418661)

Re:Silly idea (Score:2)

What happens if a still used software isn't owned by anyone any more. The Company is out of business, There is no source code available. There is a point where the end user has some responsibility to update their system. Like the Model-T they may still keep it, and use it for a hobby, but knowing full well if you take it on the Highway and get in an accident you are probably going to get killed.

thegarbz ( 1787294 ) on Monday May 15, 2017 @12:08PM (#54419169)

Re:Silly idea (Score:3)

Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners. Also this isn't hobbies we're talking about. No one gives a crap if someone's Model T toy breaks down, just like no one will cry about the Windows XP virtual machine I play with at home. The only complaints are against critical services, internet connected machines that operate and provide livelihoods for the owners. If the software isn't owned by anyone, ... well I'm sure the owner provided an unbiased risk assessment as to whether they should migrate to something that is supported by someone right? Didn't think so. The end user has 100% of the responsibility, and dollars don't change that.
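Several commenters above (Voland's right hand's list of mitigations for unpatchable X-ray workstations, number6x's point that a router can keep port 445 blocked) describe the same control: put legacy hosts in their own segment and enforce a strict rule set around it. The following is an added example, not code from the thread or from any firewall product, that turns that advice into a testable policy. It models an ordered, first-match rule list (how most packet filters evaluate rules) and checks it against the flows a segmented design must deny or allow; the rule model, segment names and all addresses are constructed for the example.

```python
"""Policy test for isolating unpatchable legacy hosts.

Added example, not code from the thread or from any product.  It models the
controls the commenters describe: legacy imaging hosts in their own segment,
TCP/445 from desktop networks to them blocked at the router, one management
host allowed in, and a single controlled channel out to a results server.
Rule lists are evaluated first-match, as most packet filters do.  The rule
model, segment names and addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "deny") -> str:
    """Action of the first rule that matches the flow, or the default action."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


# Constructed segments (no relation to any real hospital network).
DESKTOPS = "10.1.0.0/16"     # patched desktop estate
LEGACY = "10.9.0.0/24"       # XP-era imaging workstations that cannot be patched
MGMT = "10.2.0.10/32"        # the one administration host allowed to reach them
RESULTS = "10.3.0.20/32"     # maintained server that receives exported results
ANY = "0.0.0.0/0"

# The segmented policy the commenters ask for.
LEGACY_POLICY = [
    Rule("allow", MGMT, LEGACY, "tcp", 445),     # management file copies only
    Rule("allow", MGMT, LEGACY, "tcp", 3389),    # remote administration
    Rule("allow", LEGACY, RESULTS, "tcp", 22),   # the single controlled export channel
    Rule("deny", ANY, LEGACY, "any", None),      # nothing else reaches the segment
    Rule("deny", LEGACY, ANY, "any", None),      # and it cannot reach anything else
]

# The flat network that was actually hit: everything talks to everything.
FLAT_POLICY = [Rule("allow", ANY, ANY, "any", None)]

# What a correct policy must guarantee: (src, dst, proto, dport, expected action).
# A router only sees traffic that crosses segments, so host-to-host traffic inside
# the legacy VLAN is out of scope here and needs host firewalls or private VLANs.
REQUIREMENTS: List[Tuple[str, str, str, int, str]] = [
    ("10.1.5.77", "10.9.0.15", "tcp", 445, "deny"),      # desktop -> legacy SMB blocked
    ("10.1.5.77", "10.9.0.15", "tcp", 139, "deny"),      # and NetBIOS session service
    ("10.9.0.15", "10.1.5.77", "tcp", 445, "deny"),      # legacy cannot spread to desktops
    ("10.9.0.15", "198.51.100.7", "tcp", 80, "deny"),    # no internet from legacy
    ("10.2.0.10", "10.9.0.15", "tcp", 445, "allow"),     # management still works
    ("10.9.0.15", "10.3.0.20", "tcp", 22, "allow"),      # export channel open
]


def check_policy(rules: List[Rule], requirements=REQUIREMENTS):
    """Return the requirements the policy violates as (flow..., expected, got)."""
    failures = []
    for src, dst, proto, dport, expected in requirements:
        got = evaluate(rules, src, dst, proto, dport)
        if got != expected:
            failures.append((src, dst, proto, dport, expected, got))
    return failures


if __name__ == "__main__":
    print("segmented policy:", check_policy(LEGACY_POLICY) or "compliant")
    for failure in check_policy(FLAT_POLICY):
        print("flat policy violates:", failure)
```

The requirements list is the useful part: it states, as data, what "isolated" means for this segment, so a rule change that quietly reopens 445 from the desktop estate fails the check instead of being noticed after the next worm. The default action is deny, so an empty rule list is safe rather than open.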
#### [May 15, 2017] Further Analysis of WannaCry Ransomware McAfee Blogs

###### May 15, 2017 | securingtomorrow.mcafee.com

WannaCry offers free decryption for some random number of files in the folder C:\Intel\<random folder name>\f.wnry. We have seen 10 files decrypted for free. In the first step, the malware checks the header of each encrypted file. Once successful, it calls the decryption routine, and decrypts all the files listed in C:\Intel\<random folder name>\f.wnry.

A code snippet of the header check:

The format of the encrypted file:

To decrypt all the files on an infected machine we need the file 00000000.dky, which contains the decryption keys. The decryption routine for the key and original file follows:

Bitcoin activity

WannaCry uses three Bitcoin wallets to receive payments from its victims. Looking at the payment activity for these wallets gives us an idea of how much money the attackers have made. The current statistics as of May 13 show that not many people have paid to recover their files:

• Wallet 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• Wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• Wallet 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The attackers appear to have earned a little over BTC 15.44 (US$27,724.22). That is not much considering the number of infected machines, but these numbers are increasing and might become much higher in the next few days. It's possible that the sinkholing of two sites may have helped slow things down:

• hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
• hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Multiple organizations across more than 90 countries have been impacted, according to reports.

We will update this blog as we learn more.
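Norman Nescio suggested earlier that resolver logs would show where the first kill-switch lookups came from, Blotto noted that the check is not proxy aware, and McAfee lists the two sinkholed domains above. The following is an added example, not McAfee's or the thread's code, that scans DNS query logs for lookups of those domains and triages each client: a resolved lookup means the kill switch could have fired on that host, a failed one means it could not and the worm would have carried on. The log layout is a simplified, constructed "timestamp client query rcode" format, not any real resolver's; the sample lines are constructed too.

```python
"""Find hosts that looked up the WannaCry kill-switch domains in resolver logs.

Added example, not McAfee's or the thread's code.  A query for either sinkholed
domain from an internal client is a strong sign the worm ran its kill-switch
check on that host, so the host needs triage even if nothing was encrypted.
The log lines below are constructed in a simplified "timestamp client query
rcode" layout rather than a real resolver's format; adapt LOG_LINE to your logs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# The two sinkholed domains listed in the McAfee post, written undefanged so
# they can be matched against log data.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Assumed log layout (constructed): one query per line, rcode optional.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)(?: (?P<rcode>[A-Z]+))?$"
)

# Constructed sample log: one host whose lookup resolved, one whose lookup
# failed, one benign lookalike produced by a DNS search suffix, and junk.
SAMPLE_LOG = """\
15-May-2017 09:12:01.114 client 10.1.5.77#51234: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A NOERROR
15-May-2017 09:12:01.290 client 10.1.5.77#51235: query: update.example.com IN A NOERROR
15-May-2017 09:13:44.002 client 10.9.0.15#49872: query: WWW.IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A NXDOMAIN
15-May-2017 09:14:10.771 client 10.1.7.3#60001: query: mail.example.com IN MX NOERROR
15-May-2017 09:15:02.500 client 10.1.7.3#60002: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.org IN A NOERROR
this line is not a query record and is skipped
"""


def normalise(qname: str) -> str:
    """Lower-case and drop the trailing dot that many resolvers log."""
    return qname.rstrip(".").lower()


def is_kill_switch_lookup(qname: str) -> bool:
    """Exact or subdomain match.  A plain substring test would also flag
    lookalikes such as <domain>.example.org produced by DNS search suffixes."""
    name = normalise(qname)
    return any(name == d or name.endswith("." + d) for d in KILL_SWITCH_DOMAINS)


Hit = Tuple[str, str, str]  # (timestamp, normalised qname, rcode)


def scan_dns_log(lines: Iterable[str]) -> Dict[str, List[Hit]]:
    """Map each client IP to its kill-switch lookups; unparsable lines are skipped."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_kill_switch_lookup(m["qname"]):
            hits[m["client"]].append((m["ts"], normalise(m["qname"]), m["rcode"] or "UNKNOWN"))
    return dict(hits)


def triage(hits: Dict[str, List[Hit]]) -> Dict[str, str]:
    """'halted' when every lookup resolved (the check could succeed), otherwise
    'active': an NXDOMAIN/REFUSED/SERVFAIL answer means the kill switch could
    not fire and the worm would have carried on.  Even 'halted' only holds if
    the following HTTP request got through, which it will not via a
    non-transparent proxy, as Blotto notes."""
    return {
        client: "halted" if all(rcode == "NOERROR" for _, _, rcode in events) else "active"
        for client, events in hits.items()
    }


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG.splitlines())
    for client, verdict in triage(found).items():
        print(client, verdict, found[client])
```

Two points the code makes that the discussion only implies: match on the whole name (the search-suffix line must not fire), and read the response code, because in an environment that blocks the domain at the resolver the lookup itself is the evidence that the kill switch did nothing there.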

#### [May 14, 2017] Cyber-attack could escalate as working week begins, experts warn by Robert Booth

###### May 14, 2017 | www.theguardian.com

"Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice," said Oliver Gower from the National Crime Agency.

A computer security expert credited with stopping the spread of the ransomware on Saturday by activating a digital "kill switch" warned on Sunday that a fresh attack was likely.

The expert, known only as MalwareTech on Twitter, said hackers could upgrade the virus. "Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw," he said on Twitter . "You're only safe if you patch ASAP."

On Sunday, Microsoft issued a security bulletin marked "critical" including security updates that it said "resolves vulnerabilities in Microsoft Windows".

It emerged over the weekend that NHS Digital last month emailed 10,000 individuals in NHS organisations warning them to protect themselves against the specific threat of ransomware and included a software patch to block such hacks on the majority of systems. However, it would not work with outdated Windows XP systems that still run on about 5% of NHS devices.

NHS Digital said it did not yet know how many organisations installed the update and this would be revealed in a later analysis of the incident.

... ... ...

Amber Rudd, the home secretary, who is leading the response to the attack, said the same day: "I don't think it's to do with ... preparedness. There's always more we can all do to make sure we're secure against viruses, but I think there have already been good preparations in place by the NHS to make sure they were ready for this sort of attack."

#### [May 14, 2017] PC repair chap lets tech support scammer log on to his PC. His Linux PC • The Register Forums

###### May 14, 2017 | theregister.co.uk

Why look at that! Friday is upon us, which means it's time for another instalment of On-Call, The Register's weekly column in which readers share memories of being asked to fix odd stuff at unpleasant times of the day. This week, meet "Shane," who used to do a bit of computer repair work on the side, and kept a phone just for

The beauty of virtual machines

At one company I worked for, one of the tech support guys got a call like this. They fired up a virtual machine and let the scammer loose on that. Of course every reboot, all changes were lost ... I don't know how long the charade went on for.

I do know the techie in question seemed to have a lot more patience for remote scammers than they did colleagues in need .....

Re: The beauty of virtual machines

Probably until someone realized it was a VM and tried pulling a hypervisor attack on it, forcing the virtual plug to be pulled.

Re: The beauty of virtual machines

"Of course every reboot, all changes were lost"

That's not how VMs work.

Re: The beauty of virtual machines

"Of course every reboot, all changes were lost"

"That's not how VMs work."

It is if you set them up to not commit changes to the VM disk file on power off.

Re: The beauty of virtual machines

Looks more like a VM with Deep Freeze or a similar software package.

Re: The beauty of virtual machines

It is how some virtual machines work. I know of one company that supplies such a setup to the educational market. The teacher can set up a template computer with the software / files required for the lesson, and it all gets reset at the end of the lesson.

Re: The beauty of virtual machines

"It is if you set them up to not commit changes to the VM disk file on power off"

That's VDI you are talking about, not just a VM...

Re: The beauty of virtual machines

It's called snapshotting. You store a specific state of a virtual machine and simply revert to it each time you finish your session. Even VirtualBox has such a feature.

Re: The beauty of virtual machines

Pretty much every hypervisor/VM host I've used has that option, possibly even "Microsoft Virtual PC". I believe VirtualBox used immutable disks by default when I first used it.

Edit: Virtual PC Undo Disk

Re: The beauty of virtual machines

Sounds like the old Microsoft SteadyState.

User profile is set back to a set standard on every login.

#### [May 14, 2017] More disruptions feared from cyberattack; Microsoft slams US secrecy

###### May 14, 2017 | www.atimes.com

In a blog post late Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the US National Security Agency, that leaked online in April.

He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith wrote. He added that governments around the world should "treat this attack as a wake-up call" and "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

The NSA and White House did not immediately respond to requests for comment about the Microsoft statement.

Photo: the Dharmais hospital in Jakarta, Indonesia, which was targeted by the WannaCry ransomware worm, May 14, 2017. Reuters/Darren Whiteside

US President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an "emergency meeting" to assess the threat posed by the global attack, a senior administration official told Reuters.

Senior US security officials held another meeting in the White House Situation Room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the massive cyber attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.

The investigations into the attack were in the early stages, however, and attribution for cyberattacks is notoriously difficult.

The original attack lost momentum late on Friday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.

Code for exploiting that bug, which is known as "Eternal Blue," was released on the internet last month by a hacking group known as the Shadow Brokers.

The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number would grow when people return to work on Monday.

#### [May 14, 2017] International manhunt to find criminals behind global cyber attack

##### "... French police said there were "more than 75,000 victims" around the globe, but cautioned that the number could increase "significantly". ..."
###### May 14, 2017 | timesofindia.indiatimes.com

International investigators hunted for those behind an unprecedented cyber-attack that affected systems in dozens of countries, including at banks, hospitals and government agencies, as security experts sought to contain the fallout.

The assault, which began on Friday and was being described as the biggest-ever cyber ransom attack, struck state agencies and major companies around the world - from Russian banks and British hospitals to FedEx and European car factories.

"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency. Europol said a special task force at its European Cybercrime Centre was "specially designed to assist in such investigations and will play an important role in supporting the investigation".

The attacks used ransomware that apparently exploited a security flaw in Microsoft operating systems, locking users' files unless they pay the attackers a designated sum in the virtual currency Bitcoin. Images appeared on victims' screens demanding payment of $300 in Bitcoin, saying: "Ooops, your files have been encrypted!" Payment is demanded within three days or the price is doubled, and if none is received within seven days the files will be deleted, according to the screen message.

But experts and governments alike warn against acceding to the hackers' demands. "Paying the ransom does not guarantee the encrypted files will be released," the US Department of Homeland Security's computer emergency response team said.

Mikko Hypponen, chief research officer at the Helsinki-based cyber security company F-Secure, told AFP it was the biggest ransomware outbreak in history, saying that 130,000 systems in more than 100 countries had been affected.

... .... ....

French police said there were "more than 75,000 victims" around the globe, but cautioned that the number could increase "significantly".

#### [May 14, 2017] A global outbreak of a computer extortion virus: Tianjin Cyberspace Affairs Office releases emergency handling procedure for WannaCry worm infections

###### May 14, 2017 | www.aiainews.com

On May 12, ransomware known as WannaCry ("encryption worm" extortion software) began spreading around the world on a large scale. It exploits a vulnerability in the Windows SMB service, applies strong encryption to documents, pictures and other files on the computer, and demands a ransom. Universities, energy companies and other important information systems, as well as many kinds of individual users, have been attacked, and it poses a serious security threat to China's Internet.

1. Emergency isolation of infected hosts

Given the great risk posed by the WannaCry worm, every known infected host must be isolated from its current network. As of 2017/5/14 no effective means of restoring files damaged by the worm has been found. To prevent further spread, no file may be copied from an infected host to any other host or device, and a known infected host must not be allowed to access any network.

2. Emergency handling of important documents

To ensure that important documents are not destroyed by the worm and to minimise loss, all uninfected hosts, and any host whose infection status is uncertain, must not be switched on. Such hosts are handled by physical copying: a professional opens the host, removes every hard disk holding important files, and mounts them through an external device on a host confirmed to be uninfected, from which the files are copied. To prevent secondary infection, the copying must be done in an isolation zone. A possibly infected hard disk must never be attached directly to the copying machine's IDE or SATA motherboard interface, so that the copying machine cannot boot from that disk and become infected itself. Every Windows host that has network access should have its important files backed up in this way. After physical copying, follow section 3 (emergency detection on hosts) to test and treat the host.

If these conditions cannot be met for the time being, or a host must be switched on for some reason, it must be booted with working Internet access outside the office network (for example over a 4G network or ordinary consumer broadband), and must keep that Internet access for the whole time it is running. (The test for working Internet access: the following site can be opened in a browser and shows the content given below: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.) For classified machines that cannot reach the Internet, arrange a web server, the network configuration and domain name resolution so that the domain resolves to an intranet server, whose home page must return the following content:

sinkhole.tech - where the bots party hard and the researchers harder.

When the temporary boot session is finished, shut the host down and carry out the physical copy process.

3. Emergency detection on hosts

For a host that has gone through physical copying, check the Windows directory on the mounted hard disk for the file mssecsvc.exe; if it is present, the host is infected. For any other host that has been booted, check the Windows directory of the system disk for mssecsvc.exe, and check whether a service named mssecsvc2.0 exists in the system (see the procedure at the end of this section). The presence of either proves infection.

Where the network has a firewall or other logging equipment, check the logs for the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; any hit proves that an infected host exists on the network.

For a host found to be infected, format all of its hard disks once the physical copy process is complete. If such a host has a backup made before 2017/4/13, a full restore (system disk and all other disks) can be performed; a backup made after that date may itself be infected and must not be used for restore. On a network known to contain infected hosts, hosts that are switched off must not be switched on, and must go through the physical copy process; hosts that are already on must be shut down immediately and then go through the physical copy process.

Attachment: how to check for the service. Press Windows+R to open the Run window, type services.msc and press Enter to open the Services console, then look through the Name column; if mssecsvc2.0 is listed, the host is infected.

4. Emergency defence for uninfected hosts

There are four emergency defence strategies. Strategy 1 is the most effective, but takes longer. The others are temporary measures for hosts on which strategy 1 cannot be applied at once. Hosts on which strategy 2 or 3 is applied lose access to network shares, so use them with care. If strategy 1 cannot be applied immediately, apply strategy 4 first as a temporary defence. Whichever temporary strategy is used, strategy 1 must still be applied as soon as possible to achieve complete protection. Hosts running versions of Windows older than 10 should be upgraded to Windows 10 and updated to the latest build; where an upgrade is not possible, one of the emergency defence strategies must be used.

Strategy 1: install the MS17-010 patch. Install the MS17-010 patch for the system version in use. On Windows 7 and later all patches can be installed through Automatic Updates; for Windows XP, Windows Server 2003 and Windows Vista, use the out-of-band fixes provided with the following document: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Strategy 2: stop the services related to the vulnerability. A professional runs the following commands from an elevated command prompt to stop and disable them (sc requires the space after "start="):

```bat
sc stop LmHosts
sc stop lanmanworkstation
sc stop LanmanServer
sc config LmHosts start= disabled
sc config lanmanworkstation start= disabled
sc config LanmanServer start= disabled
```

Strategy 3: block the vulnerable port in the firewall. On Windows XP or Windows Server 2003: open the Start menu, open Control Panel, double-click Windows Firewall, switch to the Exceptions tab, untick "File and Printer Sharing" and click OK. On Windows 7 and later: open the Start menu, open Control Panel, go to System and Security, then Windows Firewall; on the firewall configuration page click "Allow a program or feature through Windows Firewall", click "Change settings" at the top, find "File and Printer Sharing" in the list, untick it and click OK.

Strategy 4: use the vulnerability defence tool. The 360 company provides a tool that temporarily immunises a host against the worm; it can be downloaded from the 360 site. Running it directly gives a simple defence, but it must be run again after every restart of the host.

5. Emergency defence for public servers and the network

Most public servers (web sites, public-facing systems and so on) can connect to the Internet. For Windows Server 2008 R2 and later, enable Automatic Updates and install all patches. For Windows Server 2003, choose one of the strategies from section 4 (emergency defence for uninfected hosts), and upgrade to a newer server version (such as Windows Server 2008 R2) as soon as possible.

On the internal network, hosts must be protected against possible infection: where file sharing is not needed, block access to port 445 on firewalls, routers and other equipment. This worm uses the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com as a "switch" and attacks immediately when the domain cannot be reached. Network security devices such as firewalls and IPS must therefore not be configured to block this domain; otherwise the encryption routine on infected hosts will be triggered, causing irreparable damage. Where a private intranet DNS is used, configure resolution of this domain to point at a live intranet web server, whose home page should return the following content:

sinkhole.tech - where the bots party hard and the researchers harder.
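The log check in section 3 of the Tianjin guidance (any query for the kill-switch domain proves an infected host on the network) and the two sinkholed domains listed in the McAfee post above, as an added example written for this page (it is not part of the guidance or the McAfee post). It scans log lines for both domains and, as the complementary signal the guidance's port-445 advice implies, for hosts fanning out to many SMB targets. The log lines are constructed; their format (a DNS-style query line and a firewall-style connection line) is assumed, not any vendor's real format.

```python
"""Added example (editor's code, not from the Tianjin guidance or McAfee): scan
network logs for the WannaCry kill-switch domains and for hosts fanning out to
TCP 445.  SAMPLE_LOG and its line format are constructed for this example."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
SMB_PORT = 445

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
CLIENT_RE = re.compile(rf"\b({IPV4})\b")                       # first IPv4 on the line
CONN_RE = re.compile(rf"\b({IPV4}):\d+\s*->\s*({IPV4}):(\d+)\b")  # src:port -> dst:port

# Constructed sample: two DNS-style query lines hit the kill-switch domains
# (one in upper case), and 10.0.5.17 then touches three SMB targets.
SAMPLE_LOG = """\
2017-05-13 03:12:01 dns client 10.0.5.17 query A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13 03:12:02 dns client 10.0.5.17 query A update.example.com
2017-05-13 03:13:44 dns client 10.0.7.80 query A WWW.IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
2017-05-13 03:14:10 fw allow tcp 10.0.5.17:49211 -> 10.0.5.20:445
2017-05-13 03:14:10 fw allow tcp 10.0.5.17:49212 -> 10.0.5.21:445
2017-05-13 03:14:11 fw deny  tcp 10.0.5.17:49213 -> 10.0.5.22:445
2017-05-13 03:14:12 fw allow tcp 10.0.9.3:50100 -> 10.0.9.4:445
"""


def kill_switch_lookups(lines):
    """Return {client_ip: set(domains)} for every line naming a kill-switch domain.

    Matching is case-insensitive, because DNS names are; the client is taken to
    be the first IPv4 address on the line (an assumption about the log format).
    """
    hits = defaultdict(set)
    for line in lines:
        seen = {d.lower() for d in DOMAIN_RE.findall(line)} & KILL_SWITCH_DOMAINS
        if not seen:
            continue
        m = CLIENT_RE.search(line)
        hits[m.group(1) if m else "?"] |= seen
    return dict(hits)


def smb_fan_out(lines, threshold=3):
    """Return {src_ip: number of distinct 445 targets} for sources at or above threshold."""
    targets = defaultdict(set)
    for line in lines:
        m = CONN_RE.search(line)
        if m and int(m.group(3)) == SMB_PORT:
            targets[m.group(1)].add(m.group(2))
    return {src: len(dst) for src, dst in targets.items() if len(dst) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(kill_switch_lookups(lines))   # two clients, one domain each
    print(smb_fan_out(lines))           # {'10.0.5.17': 3}
```

A kill-switch lookup identifies a host on which the sample has already executed, whether or not it went on to encrypt; the 445 fan-out flags the same host a minute later as it starts scanning, and will also catch variants that carry no kill-switch domain at all, which is why both checks are worth running.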
Cyberspace Affairs Office of the Tianjin Municipal Party Committee, Network Security and Information Technology Evaluation Center. Date: 2017-05-14

#### [May 14, 2017] Along with hospitals some auto manufacturers were hit

###### May 14, 2017 | www.atimes.com

Targets both large and small have been hit. Renault said on Saturday it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems. Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England, hundreds of hospitals and clinics in the British National Health Service, German rail operator Deutsche Bahn and international shipper FedEx Corp.

A Jakarta hospital said on Sunday that the cyber attack had infected 400 computers, disrupting the registration of patients and finding records. The hospital said it expected big queues on Monday when about 500 people were due to register.

'Ransom' payments may rise

Account addresses hard-coded into the malicious WannaCry software code appear to show the attackers had received just under US$32,500 in anonymous bitcoin currency as of 1100 GMT on Sunday, but that amount could rise as more victims rush to pay ransoms of US$300 or more to regain access to their computers, just one day before the threatened deadline expires.

#### [May 14, 2017] Wanna Cry variant without kill switch exists in the wild since May 13

###### May 14, 2017 | motherboard.vice.com

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday.
#### [May 14, 2017] Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide - Slashdot

###### May 14, 2017 | it.slashdot.org

TiggertheMad (556308), Friday May 12, 2017 @07:19PM (#54408293): National Insecurity Agency (Score: 4, Informative)

The NSA (and other ABC agencies that are undoubtedly running the same game plan) are doing what they are tasked with, finding ways to protect America and America's interests. Using hacking as a tool to this end is (relatively) new in the old game of spycraft, so there are going to be a few epic disasters like this before the black ops people start to figure out all the types of blowback they can experience. The US was really big on foreign covert action in the 50's, and it took the Bay of Pigs to make people realize that there were ways that things could go horribly wrong. That didn't stop covert action from being used, but I think it was employed more carefully afterwards. Having all their shiny hacking toys stolen and having this happen is the hacking version of the 'Bay of Pigs'.

Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.

Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.

ancientt (569920), Friday May 12, 2017 @08:07PM (#54408453): Re:National Insecurity Agency (Score: 3)

Remotely exploitable network vulnerabilities shouldn't happen, but there seems no practical hope that they'll stop anytime soon. It would be negligent of legitimate spy agencies to fail to search for them and arguably be able to take advantage of them. Imagine you're trying to find out when an ISIS group is planning a bombing and you discover they're running a messageboard on a Windows machine with an SMB exploit; do you tell Microsoft to patch the exploit? You never know which of the vulnerabilities you'll be able to use, but if you dedicate sufficient resources to finding them and building exploits for them, then there is a good chance you'll be able to spy on whichever bad guy your agency needs to spy on when the need arises. Getting all the vendors to patch the exploits you find does limit your own agency's ability to spy, but you have to assume it doesn't impair your enemies as significantly, since the enemy doubtless will have exploits you don't have.

What's the best solution? I suspect the best thing to do is build force-patch worms for every exploit. If you write an exploit, you should also dedicate resources to the task of writing a version of the exploit which pressures the owner of the exploited system to fix the problem. So in this instance, as soon as the attacks started being seen in the wild, the NSA servers should have launched a MASSIVE attack against any and all systems with the vulnerability which would disable the vulnerable systems in the least painful ways along with alerting the owners of the need to update their systems.

Instead of getting "your files are encrypted and give hackers bitcoin to recover" messages, the people with exploitable systems should be seeing warnings like "Your system has been temporarily patched by the NSA for your own protection, please secure or update your device to protect it from malicious actors."

The Hajime botnet [arstechnica.com] may actually already be just the thing I'm describing. I'd prefer to see the NSA take public responsibility, and I'm doubtful the NSA is actually responsible for that one, but it is an example of how it could be done.

If I have a vulnerable system, I'd much prefer to see it hacked by the NSA instead of some ransomware writer. Do I wish it wasn't hackable? Of course, but I accept that anything plugged into a network might be hackable. I do what I can to protect it from everyone, including the NSA. It's not that I'm worried about the NSA (because they have the resources to gain physical access if they really want it), but if I do my best to build secure systems, then it's less likely I'll wake up to a ransomware message some morning.

mcswell (1102107), Friday May 12, 2017 @11:09PM (#54409045): Re:Say "thanks" to your "security"-agency... (Score: 2)

And why do you think Microsoft was able to patch this *before* the exploit was leaked by Shadow Brokers?

Anonymous Coward, Friday May 12, 2017 @08:56PM (#54408607): Re:Say "thanks" to your "security"-agency... (Score: 1)

Microsoft is partly guilty in this for sure, because A LOT of people have the updates turned off since the Windows 10 debacle, the lies, the telemetry, the diagtrack process, the broken Windows Update service that sits idle consuming 25% of your CPU, etc. But even a monkey like me that hears about the SMB vuln, even if I don't know what it means exactly because I'm just a user and not an engineer, I could tell it was BAD, so I patched the living shit out of my computer. Sorry, but if you've had experiences with Blaster, Conficker, etc., you should know about this kind of thing already. Again, not an engineer at all, but just hearing about it and looking at the ports affected, this thing looked really bad.

Man On Pink Corner (1089867), Friday May 12, 2017 @08:29PM (#54408529): Re:That only happened to idiots. (Score: 3)

Microsoft told lie after lie after lie about their intentions. There was absolutely no reason to believe that setting your update threshold to "Critical Only" would save you from an unsolicited Windows 10 installation. The only rational course of action for those who didn't want Windows 10 was to turn off Windows Update entirely. Deny this all you want, but be prepared for justified accusations of victim-blaming.

Anonymous Coward, Friday May 12, 2017 @06:55PM (#54408177): It hit the NHS hard (Score: 5, Interesting)

I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols, meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.

TroII (4484479), Friday May 12, 2017 @08:28PM (#54408521): Re:It hit the NHS hard (Score: 5, Insightful)

"And you use unpatched computers in a hospital WHY?"

Because patches are often broken. Imagine these hospitals had applied the patch when Microsoft released it, but the patch was faulty in some way, and all of the hospital computers went down as a result. Instead of complaining the hospitals were running unpatched, you and/or many people like you would be bitching and moaning that they were negligent to install the patch too soon.

Updates from Microsoft frequently include at least one broken patch. There was one update last year that broke millions of people's webcams. There have been several updates that interfered with settings and reverted them back to default configurations, and several more updates that seemingly deleted group policy objects that had been configured by the domain administrator. There was a patch around the new year that inadvertently disabled the DHCP service, despite the update itself having nothing to do with DHCP. (Things that make you go hmmm.) This particular fuck-up rendered a lot of machines not only broken, but totally irreparable without manual human intervention, i.e. dispatching someone clueful to each of your premises to clean up the mess.

Patch deployment in any enterprise environment requires extensive testing. You have to coordinate with your software vendors to make sure their applications are compatible with the update. If you install Patch XYZ without first getting approval from Vendor123, you wind up invalidating your support contracts with them. All of this takes time. In 2016, there were several months in a row where Microsoft had to un-issue, repair, supersede, and re-release a broken patch they'd pushed out. Put yourself in the shoes of an admin team who got burned by Windows Update breaking your systems, especially repeatedly. Are you going to be in any hurry to patch? If you were bitten by the DHCP bug, do you trust that the "critical SMB patch" really only touches SMBv1, and isn't going to inexplicably corrupt Office or remove IPv4 connectivity on every computer it touches?

If the PC your kid plays Minecraft on gets hosed by a broken patch, it's not that big of a deal. The business world is a different story.

guruevi (827432), Friday May 12, 2017 @07:03PM (#54408215): What boggles my mind (Score: 4, Informative)

Is that there are still 45k Windows machines that are directly connected to the Internet. Any Windows machine I manage (mostly very specific medical software and medical machines) is either a VM (and thus behind a firewall, with any service proxied to a BSD or Linux host) or airgapped.

cpm99352 (939350), Saturday May 13, 2017 @12:52AM (#54409331): Plenty of blame to spread around (Score: 2)

1. Microsoft has always had a disclosure that their OS is not suitable for life-critical applications.
2. The NSA has a dual mission -- the second (neglected) mission is to ensure the security of domestic computer networks.

#### [May 14, 2017] NHS workers and patients on how cyber-attack has affected them

###### May 14, 2017 | www.theguardian.com

Officials have claimed in the wake of the global ransomware attack that patient care has been unaffected despite 45 NHS sites being hit. But hospitals across England and Scotland were forced to cancel routine procedures and divert emergency cases in the wake of the attack, which has shut down access to computers in almost 100 countries. Here, patients and NHS workers reveal how the crisis has affected them.

Bill, a doctor at a hospital in London

I have been unable to look after patients properly. However much they pretend patient safety is unaffected, it's not true. At my hospital we are literally unable to do any X-rays, which are an essential component of emergency medicine.
I had a patient this evening who we could not do an X-ray for, who absolutely should have had one. He is OK but that is just one example. My hospital is good in many ways but the IT system is appalling. I was shocked when I started in hospital at how bad the systems are. I know the staff will do their very best to keep looking after everyone, but there are no robust systems in place to deal with blackouts like this; information-sharing is hard enough in a clinical environment when everything works. Without the IT systems I suspect test results will be missed, and definitely delayed. Handovers are much more difficult. It will absolutely certainly impact patient safety negatively, even if that impact can't be clearly measured. This is basically all the result of chronic underfunding and crap, short-sighted management.

Theresa, 44, a breast cancer patient from Lincolnshire

I was halfway through my chemotherapy infusion when the attack happened. The treatment finished without a hitch, but I then had to wait for a couple of hours for my medications to take home. That's because all drugs have to be checked against prescriptions, and they are all computerised. The hospital pharmacists worked quickly to produce paper copies, but it still took a while. The horrible side-effects (nausea, exhaustion, dizziness) kicked in while I was stuck in rush-hour traffic coming home. Fortunately, I wasn't driving. There were other patients in the ward waiting to start their chemo whose drugs had been delivered but again couldn't be checked, so administration was delayed. In some cases treatment had to be postponed entirely for another day. The oncology nurses and the hospital staff were brilliant throughout, reassuring patients and doing their best in difficult circumstances. They were also deeply apologetic, frustrated that they couldn't do their job, and angry that such an act had put patients' treatment, and lives, at risk.

Amber, 40, a community nurse from Essex

We have been unable to check patient information and scheduled visits for this afternoon. I am working this weekend and had to write down who we may see tomorrow from my own memory. Our own call centre for community services is in lockdown and unable to receive any information regarding authorisation for drug changes or referrals. We are also unable to look up patient addresses, complete any documentation or check test results.

Alun Phillips, 45, a community pharmacist from Merseyside

Doctors in Liverpool have been advised to isolate their computer systems from the wider NHS network. This has left many of our local surgeries unable to access patient records, which are cloud-based. Surgeries are unable to issue prescriptions from their systems, most of which are now issued electronically via the NHS Spine. Even if they could, we (community pharmacy) are being advised not to connect to the Spine. We have had quite a few requests from local surgeries to tell them what medication patients are on, as although they cannot access patient records we still have our copy of the patients' medication records. We have also made some emergency supplies of medication to patients unable to access GP services while they are down.

Kyle, 42, a patient from Maidstone

I am waiting for test results after a urine infection and pain in my kidneys. I called the doctors this afternoon. They said it looks like I need a further prescription but the doctor will need to call me back. Two hours later I get a call from the doctor advising me that they have had to shut down their systems due to this hack, and that they can't give me any results till Monday. I am now worried that my situation is going to get worse without any treatment.

Ben, 37, in the prescription team at a GP surgery in the north

We were unable to process any prescriptions for patients, including urgent requests. As a result patients could potentially be left without asthma, epilepsy or diabetes medication over the weekend. We also had a medical emergency on-site and waited over 40 minutes for an ambulance to attend.

Ali, a cardiologist from the north

I am a cardiology registrar. At work, on call for a tertiary cardiology centre. Treating patients with heart attacks, attending cardiac arrests, seeing sick patients in resus. We are unable to access old notes, blood results, x-rays or order vital tests. Blood samples are being sent to other hospitals. We have one working x-ray viewer for the entire hospital and emergency results are being rung through already overloaded phone lines. All of which potentially delays vital treatment and could jeopardise patient safety. Those with life-threatening problems are still receiving appropriate care. Though this couldn't have happened at a worse time with the weekend looming, patients are still being looked after safely thanks to the dedication of all the members of staff at work tonight. It's been a stark reminder of the conditions we worked under over 20 years ago, and of how reliant on computers we are even to do things as simple as prescribe basic drugs.

Kaley, 30, a receptionist at a large surgery in the north-west

Friday afternoons are usually one of our busiest times at the surgery. With already full clinics and people ringing for emergency appointments there were five reception staff on duty. There was no warning that there was anything wrong with the computer systems but at around 3pm the screens all went black, indicating that the computers had crashed. We had no access to any patient information for the GPs or nurses. There was no way of checking the patients in. Phones were still ringing. The computers were down for about an hour but then we were able to get back on. We received notification that there was a virus affecting the whole of the NHS. The practice manager received a text from the CCG advising that we should invoke "emergency planning measures". This involves printing lists out of patients due to attend all clinics from Friday afternoon until Monday afternoon. Then we had to print out full medical information for each patient as the system was being taken down to investigate the virus. It's been a difficult afternoon.

Some names and details have been changed.

#### [May 14, 2017] AfterMidnight -- new CIA malware

###### May 14, 2017 | failedevolution.blogspot.gr

WikiLeaks: Today, May 12th 2017, WikiLeaks publishes "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform.

"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via an HTTPS-based Listening Post (LP) system called "Octopus". Once installed on a target machine, AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process.
"Assassin" (just like "AfterMidnight") will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as" The Gibson" and allow operators to perform specific tasks on an infected target.. #### [May 14, 2017] Massive cyber attack hits hospitals, universities and businesses worldwide ###### May 14, 2017 | failedevolution.blogspot.gr ...The Barts Health Group, which helps manage some of the largest hospitals in London, said, " We are experiencing a major IT disruption and there are delays at all of our hospitals. " Patients had to be turned away from surgeries and appointments at medical facilities throughout England, and ambulances had to be rerouted to other hospitals as well. Telefonica, one of the largest telecommunications companies in Spain, was one target, though their services and clients were not affected, as the malicious software only impacted certain computers on an internal network. #### [May 13, 2017] Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch ###### May 13, 2017 | tech.slashdot.org (vice.com) 49 Posted by EditorDavid on Saturday May 13, 2017 @06:57PM from the wanna-cry-more? dept. Remember that "kill switch" which shut down the WannCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. "I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday... 
Another researcher confirmed they have seen samples of the malware without the killswitch. #### [May 13, 2017] What you need to know about the WannaCry Ransomware ##### Notable quotes: ##### "... Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments. ..." ###### May 13, 2017 | www.symantec.com • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments. • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email. • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can't delete them. • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to "roll back" to the unencrypted form. After encryption the Trojan then deletes the shadow copies of the encrypted files. The Trojan drops the following files in every folder where files are encrypted: •!WannaDecryptor!.exe.lnk •!Please Read Me!.txt The contents of the !Please Read Me!.txt is a text version of the ransom note with details of how to pay the ransom. The Trojan downloads Tor and uses it to connect to a server using the Tor network. It then displays a ransom note explaining to the user what has happened and how to pay the ransom. 
WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name: • .123 • .3dm • .3ds • .3g2 • .3gp • .602 • .7z • .ARC • .PAQ • .accdb • .aes • .ai • .asc • .asf • .asm • .asp • .avi • .backup • .bak • .bat • .bmp • .brd • .bz2 • .cgm • .class • .cmd • .cpp • .crt • .cs • .csr • .csv • .db • .dbf • .dch • .der • .dif • .dip • .djvu • .doc • .docb • .docm • .docx • .dot • .dotm • .dotx • .dwg • .edb • .eml • .fla • .flv • .frm • .gif • .gpg • .gz • .hwp • .ibd • .iso • .jar • .java • .jpeg • .jpg • .js • .jsp • .key • .lay • .lay6 • .ldf • .m3u • .m4u • .max • .mdb • .mdf • .mid • .mkv • .mml • .mov • .mp3 • .mp4 • .mpeg • .mpg • .msg • .myd • .myi • .nef • .odb • .odg • .odp • .ods • .odt • .onetoc2 • .ost • .otg • .otp • .ots • .ott • .p12 • .pas • .pdf • .pem • .pfx • .php • .pl • .png • .pot • .potm • .potx • .ppam • .pps • .ppsm • .ppsx • .ppt • .pptm • .pptx • .ps1 • .psd • .pst • .rar • .raw • .rb • .rtf • .sch • .sh • .sldm • .sldx • .slk • .sln • .snt • .sql • .sqlite3 • .sqlitedb • .stc • .std • .sti • .stw • .suo • .svg • .swf • .sxc • .sxd • .sxi • .sxm • .sxw • .tar • .tbk • .tgz • .tif • .tiff • .txt • .uop • .uot • .vb • .vbs • .vcd • .vdi • .vmdk • .vmx • .vob • .vsd • .vsdx • .wav • .wb2 • .wk1 • .wks • .wma • .wmv • .xlc • .xlm • .xls • .xlsb • .xlsm • .xlsx • .xlt • .xltm • .xltx • .xlw • .zip #### [May 13, 2017] WannaCry 2.0 Ransomware by Colin Hardy ##### Probably the best description of the worm on Youtube as of May 13, 2017... ###### support.microsoft.com Andy Beez, 9 hours ago Thanks for the forensic deconstruction - a lot more info than the experts on Sky News! Is it interesting the popup is written in accurate English with the correct use of capitals, commas and full stops? Plus the grammar is correct. I understand the Italian version has the same grammatical exactness. So not script kiddies from Chindia? This writers are well educated. 
Anton, 10 hours ago A kill switch already has been found in the code, which prevents new infections. This has been activated by researchers and should slow the spread.﻿ Colin Hardy, 8 hours ago agree. Firstly, contain your network (block affected ports in/outbound), also look for compromised hosts on your network using the various IOCs from the likes of Virus Total and other analysts blogs. Remediate the machines, and rebuild the network - slowly, carefully and under good supervision!﻿ Colin Hardy, 8 hours ago this was an awesome find as well. see my new video https://youtu.be/d56g3wahBck on how you can see it for yourself. #### [May 13, 2017] Indicators Associated With WannaCry Ransomware ##### Symantec provides a better description of what you need to look at. ###### May 13, 2017 | www.us-cert.gov The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named "t.wry". The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user's files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans. The newly loaded DLL immediately begins encrypting files on the victim's system and encrypts the user's files with 128-bit AES. A random key is generated for the encryption of each file. The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim's account in order to access the IPC$share. This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

References

• Malwarebytes LABS: "WanaCrypt0r ransomware hits it big just before the weekend"
• Malwarebytes LABS: "The worm that spreads WanaCrypt0r"
• Microsoft: "Microsoft Security Bulletin MS17-010"
• Forbes: "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak"
• Reuters: "Factbox: Don't click - What is the 'ransomware' WannaCry worm?"
• GitHubGist: "WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm"

#### [May 13, 2017] WannaCry technical information

##### "... Ensure that port 445 is blocked for firewall communications with all exceptions scrutinized and verified before adding. ..."
###### May 13, 2017 | www.criticalstart.com

WanaCryptor 2.0, WannaCry, WCry or WCryp is currently a world-wide ransomware outbreak. These are all versions of Cryptolocker, encrypting victim files and demanding payment via bitcoin. This vulnerability was patched in the Microsoft March update (MS17-010).

The following links contain information about the exploit that the new malware is using (based on ETERNAL BLUE) and the fix and temporary workaround for servers and local clients, as well as firewall configuration recommendations.

SMB v1 is the current exploit mechanism being used for moving within the enterprise. Movement has been detected from Cloud Sync file-share as well. The link contains information on disabling SMBv1 (which is the only recommended service to disable) via Servers, PowerShell, and local Client Firewall Configuration.

Ensure that port 445 is blocked for firewall communications with all exceptions scrutinized and verified before adding.

#### [May 13, 2017] Wanna Cry ransomware cyber attack 104 countries hit, India among worst affected, US NSA criticised

###### May 13, 2017 | indiatoday.intoday.in

India was among the countries worst affected by the Wanna Cry attack, data shared by Kaspersky, a Russian anti-virus company, showed. According to initial calculations performed soon after the malware struck on Friday night, around five per cent of all computers affected in the attack were in India.

Mikko Hypponen, chief research officer at a Helsinki-based cyber security company called F-Secure, told news agency AFP that it was the biggest ransomware outbreak in history and estimated that 130,000 systems in more than 100 countries had been affected.

Hypponen added that Russia and India were hit particularly hard, largely because Microsoft's Windows XP - one of the operating systems most at risk - was still widely used there.

#### [May 13, 2017] The worm that spreads WanaCrypt0r

###### May 13, 2017 | blog.malwarebytes.com
WanaCrypt0r has been most effective: not only does the ransomware loop through every open RDP session on a system and run the ransomware as that user, but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn't actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that run the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future. UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.

... ... ...

[after kill switch check pass] ...

The first thing the worm does is check the number of arguments it was launched with. If it was run with fewer than two arguments passed, it installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service (where the binary run is itself with two arguments), starts that service, drops the ransomware binary located in the resources of the worm, and runs it.

If it was run with two arguments or more, in other words if it was run as a service, execution eventually falls through to the worm function.
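The two host artifacts the analysis above describes, the mssecsvc2.0 service and the kill-switch connection that ignores proxy settings, can be checked on a suspect machine with the following triage script. It is an added example, not code from the Malwarebytes post; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Resolve-DnsName and Test-NetConnection are available.

```powershell
# Added triage example (not from the Malwarebytes post). Checks for the persistence
# artifact described above and whether this host could even pass the kill-switch test.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

$ServiceName = 'mssecsvc2.0'                                          # from the analysis above
$KillSwitch  = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'   # from the analysis above

# 1. Persistence artifact: the service the worm installs when started with fewer than two arguments.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Warning "Service '$ServiceName' present: DisplayName='$($svc.DisplayName)' State=$($svc.State)"
    Write-Warning "Binary: $($svc.PathName)"     # the worm registers itself here, with two arguments
    Write-Warning "Treat this host as compromised: isolate it and rebuild from a known-good image."
} else {
    Write-Host "No '$ServiceName' service found."
}

# 2. Kill-switch reachability. The worm exits only if a *direct* connection to the domain
#    succeeds (INTERNET_OPEN_TYPE_DIRECT), so a host that reaches the Internet solely through
#    a proxy gets no protection from the sinkhole and must rely on MS17-010 and port-445 blocking.
try {
    $dns = Resolve-DnsName -Name $KillSwitch -Type A -ErrorAction Stop
    Write-Host "Kill-switch domain resolves to: $($dns.IPAddress -join ', ')"
} catch {
    Write-Warning "Kill-switch domain does not resolve from here; the worm's check would fail."
}

$direct = Test-NetConnection -ComputerName $KillSwitch -Port 80 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
if ($direct) {
    Write-Host "Direct TCP connection to ${KillSwitch}:80 succeeds: the kill-switch check would pass here."
} else {
    Write-Warning "No direct route to ${KillSwitch}:80 (proxy-only egress?): the kill switch does not protect this host."
}
```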

#### [May 13, 2017] How to Accidentally Stop a Global Cyber Attacks

##### "... The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to look back to the recent ShadowBroker leak of NSA exploits containing an SMB exploit. ..."
###### May 13, 2017 | www.malwaretech.com

So finally I've found enough time between emails and Skype calls to write up on the crazy events which occurred over Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there's that). You've probably read about the WannaCrypt fiasco on several news sites, but I figured I'd tell my story.

I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant yet. I ended up going out to lunch with a friend; meanwhile the WannaCrypt ransomware campaign had entered full swing.

When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big.

Although ransomware on a public sector system isn't even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don't open phishing emails, which suggested that for something to be this widespread it would have to be propagated using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher.

Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.

Using Cisco Umbrella, we can actually see query volume to the domain prior to my registration of it which shows the campaign started at around 8 AM UTC.

... ... ...

While the domain was propagating, I ran the sample again in my virtual environment to be met with the WannaCrypt ransom page; but more interesting was that after encrypting the fake files I left there as a test, it started connecting out to random IP addresses on port 445 (used by SMB).

The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to look back to the recent ShadowBroker leak of NSA exploits containing an SMB exploit. Obviously I had no evidence yet that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my finding and went to tend to the now propagated domain.

... ... ...

Now one thing that's important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand such domains in the past year.

Our standard model goes something like this.

1. Look for unregistered or expired C2 domains belonging to active botnets and point them to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
2. Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they're infected and assist law enforcement.
3. Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.

In the case of WannaCrypt, steps 1, 2 and 3 were all one and the same, I just didn't know it yet.

A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB hosts, which I provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all. As curious as this was, I was pressed for time and wasn't able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.

I set about making sure our sinkhole servers were stable and getting the expected data from the domain we had registered (at this point we still didn't know much about what the domain I registered was for, just that anyone infected with this malware would connect to the domain we now own, allowing us to track the spread of the infection). Sorting out the sinkholes took longer than expected due to a very large botnet we had sinkholed the previous week eating up all the bandwidth, but soon enough I was able to set up a live tracking map and push it out via twitter (you can still see it here).
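Step 2 of the model above (turn sinkhole traffic into a timeline and a victim list) can be illustrated on constructed data. The following PowerShell is an added example and not code from the MalwareTech post; the log format, IP addresses and timestamps are invented for it, and Get-SinkholeHits is a helper name chosen here.

```powershell
# Added example (not from the MalwareTech post): summarise sinkhole hits for the
# kill-switch domain into (a) hits per UTC hour, which dates the campaign start the way
# the Umbrella query volume did, and (b) one row per source IP for victim notification.

$KillSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'   # domain from the post

# Constructed sample log: "<client-ip> <UTC timestamp> <host> <method> <path>" per connection.
# Addresses are documentation ranges and the times are invented for this example.
$LogLines = @'
203.0.113.10 2017-05-12T07:58:12Z www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com GET /
198.51.100.7 2017-05-12T08:01:40Z www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com GET /
203.0.113.10 2017-05-12T08:03:05Z www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com GET /
192.0.2.44 2017-05-12T08:40:19Z example.net GET /robots.txt
198.51.100.7 2017-05-12T09:12:00Z www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com GET /
203.0.113.77 2017-05-12T09:15:33Z www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com GET /
'@ -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

function Get-SinkholeHits {
    # Parse log lines and keep only connections to the sinkholed domain (other hosts are noise).
    param([string[]]$Lines, [string]$Domain)
    foreach ($line in $Lines) {
        $f = -split $line                                    # whitespace-separated fields
        if ($f.Count -lt 4 -or $f[2] -ne $Domain) { continue }
        [pscustomobject]@{
            Ip   = $f[0]
            Time = [datetime]::Parse($f[1], [cultureinfo]::InvariantCulture,
                       [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        }
    }
}

$hits = @(Get-SinkholeHits -Lines $LogLines -Domain $KillSwitch)

# (a) Timeline: connections per UTC hour; the first non-empty bucket is the earliest evidence.
"Hits per hour (UTC):"
$hits | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | ForEach-Object { "  {0}  {1,4}" -f $_.Name, $_.Count }

# (b) Victim list: one row per source IP with first/last seen, the data handed to CERTs and ISPs.
$victims = $hits | Group-Object Ip | ForEach-Object {
    $t = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{ Ip = $_.Name; FirstSeen = $t[0]; LastSeen = $t[-1]; Hits = $_.Count }
} | Sort-Object FirstSeen

"Unique infected hosts: $($victims.Count)"
$victims | Format-Table -AutoSize
# $victims | Export-Csv -NoTypeInformation victims.csv    # feed for a notification workflow
```

With the constructed lines above the script reports three unique hosts and two hits in the 08:00 bucket; on real sinkhole logs the same grouping is what separates repeat beacons from new infections.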

Aris Adamantiadis > greggreen29 • 12 hours ago

To be fair, he said himself he thought at some point that registering the domain name triggered the ransomware instead of disabling it. The story headline would have mentioned "Security research accidentally armed a ransomware" in that case. His experience told him it was a good thing to own domains used by C&C, his luck made it that it was a kill switch. I don't think "accidental" is undeserved in this case.

Whatever, it's a good job!

Dave > greggreen29 • 13 hours ago

The media is filled with people who don't do their research. This is true both in the IT world and in the firearms world, me being involved in both. Media however LOVES buzzwords without even knowing what that word means or using it in context correctly.

They make conclusions about things they don't even understand, or don't refer to a real expert in the field, or multiple ones, to get out of single-sourced subjective analysis problems.

I am no total expert in either though I do know a lot, but I do my due diligence if I do write about a subject; I do RESEARCH vs WEBSEARCH on it to draw conclusions. I also then employ logic and personal experiences for supplementing those conclusions if I have the experiences to draw upon.

This is why I follow people I would deem as experts in the field, to learn more about what we come across, to ask questions, and to constantly learn.

This is why I follow the Malwaretech crew and others like them in security and forensics.

Malwaretech, thank you for your service, not only for this incident, but all the research you do.

Susan O'neill > Dave • 10 hours ago

Well said Dave. Whilst I struggled to follow the report on his progress, it would seem that he is connected to people who can offer a service and, using his own expertise and by a process of elimination, finds the answers; but had he not caught on to something very quickly (which he might easily have missed, had he not been so thorough and alert) the worm would have been allowed to continue its travels. I think a lot of people should be very thankful to MalwareTech and his expertise - even if it does generate more business for him, it's probably well deserved.

#### [May 13, 2017] How to enable and disable SMBv1 in Windows and Windows Server

###### May 13, 2017 | support.microsoft.com
How to enable or disable SMB protocols on the SMB server -- Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Notes: When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

• To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
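The criticalstart recommendations earlier on this page (disable SMBv1 only, block port 445, scrutinise every firewall exception) and the Microsoft cmdlet above can be combined into one audit-and-enforce script. This is an added example, not Microsoft's or criticalstart's code; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later with the built-in SmbShare and NetSecurity modules, and the -Enforce switch and rule name are choices made here.

```powershell
# Added example (not Microsoft's or criticalstart's code). Run without arguments to audit;
# run with -Enforce to disable SMBv1 on the server component and add a block rule for TCP 445.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
param([switch]$Enforce)

# --- SMBv1 on the server component (the stack the ETERNALBLUE exploit targets) ---
$cfg = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
"SMB1 enabled: $($cfg.EnableSMB1Protocol)   SMB2/3 enabled: $($cfg.EnableSMB2Protocol)"

if ($cfg.EnableSMB1Protocol -and $Enforce) {
    # Disable SMBv1 only. SMBv2 and SMBv3 share a stack and stay on for normal file sharing.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMB1 disabled on the server component (no restart required)."
}

# --- Inbound firewall exceptions that expose TCP 445 ---
# Every enabled inbound Allow rule whose port filter is 445 or Any is an exception to review.
# (Port ranges such as 135-445 are not parsed here; check those by hand.)
$exceptions = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 'Any' -or $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

"Enabled inbound Allow rules reaching TCP 445: $(@($exceptions).Count)"
$exceptions | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

if ($Enforce) {
    # An explicit Block rule takes precedence over Allow rules in Windows Firewall, so one rule
    # closes 445 on the chosen profiles regardless of the exceptions listed above. The Domain
    # profile is left alone here because SMB is usually required inside the enterprise.
    $ruleName = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
        "Block rule '$ruleName' added on the Public and Private profiles."
    }
}
```

Re-run without -Enforce afterwards: the first line should show SMB1 enabled: False, and the block rule should appear when you list rules for port 445 the same way.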

At this point, one's computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left). Ransomware is not new; for victims, such an attack is normally a colossal headache. But today's vicious outbreak has spread ransomware on a massive scale, hitting not just home computers but reportedly health care, communications infrastructure, logistics, and government entities.

#### [May 12, 2017] Worst-Ever Recorded Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

##### Cyber attacks on a global scale took place on Friday, May 12, 2017. The notable hits include computers in 16 UK hospitals, Telefonica Telecom in Spain, Gas Natural, Iberdrola. Several thousand computers were infected in 99 countries.

WannaCry ransomware attack - Wikipedia

##### WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency to attack computers running Microsoft Windows operating systems. Once it invades a network, it is self-replicated and transmitted to other computers.

##### Initial infection vector is either via LAN, an email attachment, or drive-by download.

##### A kill switch has been found in the code, which since May 13 helps to prevent new infections. This switch was accidentally activated by an anti-virus researcher from GB. However, different versions of the attack may be released and all vulnerable systems still have an urgent need to be patched.

##### Notable quotes:

##### "... Hollywood Overwhelmed With Hack Attacks; FBI Advises 'Pay Ransom'... ..."

###### May 12, 2017 | www.zerohedge.com

The ransomware has been identified as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept "I've never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker." Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today's WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency's hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there's been no such assurance. Today shows exactly what's at stake when government hackers can't keep their virtual weapons locked up.

As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, "I am actually surprised that a weaponized malware of this nature didn't spread sooner."

Update 3: Microsoft has issued a statement, confirming the status of the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours

Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

57,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry ) #ransomware by Avast today. More details in blog post: https://t.co/PWxbs8LZkk

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying " Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

* * *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as "eternal blue", developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA's eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

NHS hack: So NSA had secret backdoor into Windows. Details leaked few weeks ago. Now backdoor being exploited by random criminals. Nightmare

- Sam Coates Times (@SamCoatesTimes) May 12, 2017

* * *

We earlier reported on the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.

The UK National Health Service said: "We're aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware." It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.

At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.

NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

Hospitals say backlog will go on for some weeks after today's cyber attack #NHScyberattack pic.twitter.com/BGV5jV7KZ1

- Sky News Tonight (@SkyNewsTonight) May 12, 2017

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.

Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

Manthong macholatte May 12, 2017 2:19 PM

"Ransomware"?

The FBI has the solution and comes to the rescue .

Hollywood Overwhelmed With Hack Attacks; FBI Advises 'Pay Ransom'...

Manthong Manthong May 12, 2017 2:22 PM

It's just a damn good thing the US spent all that time and money developing all that stuff.

Now that it's out, just pay the ransom to the Cyber-Barbary Pirates so that the government can return to its main 1984 mass surveillance and control mission.

stormsailor pods May 12, 2017 4:52 PM
My son is an IT professional and has been inundated with new clients calling to rid their complex systems of this plague. For his clients he has devised protection from it, but most of the calls he gets are from large hospitals, corporations, etc. that have their own IT staff.

He can fix it and prevent/firewall it so it doesn't happen but some of the systems are so complex with so many open ends, his bill is sometimes as much as the hackers are asking for. He told me that in some cases he is tempted to tell them to just pay it, however, he said all of the payoffs have to be made with bitcoin on the "dark-web" and since you are dealing with known criminals he has heard that more than half the time they do not fix it.

He was in New Orleans about a month ago, Thursday through Sunday, clearing up a large company's servers and systems, worked 70 hours and billed them 24k plus expenses.

virgule Arnold May 12, 2017 3:21 PM
First thing I suggest to do if this happens to you is to shut down your computer, take out the HD, and boot it into a Linux system, so at least you can make a copy in a safe environment, before things get worse.

#### [May 12, 2017] What is WanaCrypt0r 2.0 ransomware and why is it attacking the NHS? by Alex Hern

##### The article was published at 12:16 EDT so the worm probably was unleashed at least 24 hours before that
###### May 12, 2017 | www.theguardian.com

The ransomware uses a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents in order to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt files.

How does it spread?

Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.

MalwareHunterTeam (@malwrhunterteam)

There is a new version of WCry/WannaCry ransomware: "WanaCrypt0r 2.0".
Extension: .WNCRY
Note: @Please_Read_Me@.txt @BleepinComputer pic.twitter.com/tdq0OBScz4

May 12, 2017
What is WanaCrypt0r 2.0?

The malware that has affected Telefónica in Spain and the NHS in Britain is the same software: a piece of ransomware first spotted in the wild by security researchers MalwareHunterTeam, at 9:45am on 12 May.

Less than four hours later, the ransomware had infected NHS computers, albeit originally only in Lancashire, and spread laterally throughout the NHS's internal network. It is also being called Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.

How much are they asking for?

WanaCrypt0r 2.0 is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.

Myles Longfield (@myleslongfield)

Shocking that our @NHS is under attack and being held to ransom. #nhscyberattack pic.twitter.com/1bcrqD9vEz

May 12, 2017

Who are they?

The creators of this piece of ransomware are still unknown, but WanaCrypt0r 2.0 is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177, but with a fluctuating value) to unlock files and programs.

How is the NSA tied in to this attack?

Once one user has unwittingly installed this particular flavour of ransomware on their own PC, it tries to spread to other computers in the same network. In order to do so, WanaCrypt0r uses a known vulnerability in the Windows operating system, jumping between PC and PC. This weakness was first revealed to the world as part of a huge leak of NSA hacking tools and known weaknesses by an anonymous group calling itself "Shadow Brokers" in April.

Was there any defence?

Yes. Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn't be used to spread malware between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale.

Who are the Shadow Brokers? Were they behind this attack?

In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. But it seems unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.

Will paying the ransom really unlock the files?

Sometimes paying the ransom will work, but sometimes it won't. For the Cryptolocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there's no guarantee paying will work, because cybercriminals aren't exactly the most trustworthy group of people.

There are also a collection of viruses that go out of their way to look like ransomware such as Cryptolocker, but which won't hand back the data if victims pay. Plus, there's the ethical issue: paying the ransom funds more crime.

What else can I do?

Once ransomware has encrypted your files there's not a lot you can do. If you have a backup of the files you should be able to restore them after cleaning the computer, but if not your files could be gone for good.

Some badly designed ransomware, however, has been itself hacked by security researchers, allowing recovery of data. But such situations are rare, and tend not to apply in the case of widescale professional hits like the WanaCrypt0r attack.

How long will this attack last?

Ransomware often has a short shelf life. As anti-virus vendors cotton on to new versions of the malware, they are able to prevent infections originating and spreading, leading to developers attempting "Big Bang" introductions like the one currently underway.

Will they get away with it?

Bitcoin, the payment medium through which the hackers are demanding payment, is difficult to trace, but not impossible, and the sheer scale of the attack means that law enforcement in multiple countries will be looking to see if they can follow the money back to the culprits.

Why is the NHS being targeted?

The NHS does not seem to have been specifically targeted, but the service is not helped by its reliance on old, unsupported software. Many NHS trusts still use Windows XP, a version of Microsoft's operating system that has not received publicly available security updates for half a decade, and even those which are running on newer operating systems are often sporadically maintained. For an attack which relies on using a hole fixed less than three months ago, just a slight oversight can be catastrophic.

Attacks on healthcare providers across the world are at an all-time high as they contain valuable private information, including healthcare records.

Ransomware threat on the rise as 'almost 40% of businesses attacked'

#### [May 10, 2017] Link shorteners are really awful and easily allow drive-by installation of malware.

##### "... All in all: never click a shortened URL and if a title is present and you deem it actually useful, copy-paste the title in a search engine and it will probably land you on the proclaimed web page. ..."
###### May 10, 2017 | www.moonofalabama.org
Link shorteners are really awful and easily allow drive-by installation of malware.

Sorry, should have been more precise. When you paste the actual link shortener into a query with a search engine such as duckduckgo, it will usually return the actual link location as well as a warning should it be dubious. Not bulletproof, but then what is.

xor | May 8, 2017 10:23:47 AM | 30
(on the link shorteners)

Link shorteners are really awful and easily allow drive-by installation of malware. You could easily create a shortened link that directs the browser to your malicious webserver; this server checks your browser/OS to see if it can install something or not and when it's done does a redirect to the intended website. All this is done within seconds so you'd never have noticed unless you scanned the incoming and outgoing traffic, but it would already be too late then. There is no rocket science involved so any script kiddy could do this.

All in all: never click a shortened URL and if a title is present and you deem it actually useful, copy-paste the title in a search engine and it will probably land you on the proclaimed web page.

runaway robot | May 8, 2017 10:57:45 AM | 31
Thanks for the good advice, exclusive or!

#### [May 01, 2017] Several steps that are implementable to make your Web browser less of a gateway for malware

##### "... You click, and if you have anything other than IE high security mode for Internet sites (which prevents running any third-party ActiveX or Java) you are hosed. ..."
###### www.softpanorama.org
1. Use a primitive browser like Links. In many cases it is adequate. Experimental/Enhanced Links (ELinks) is a fork of Links led by Petr Baudis; the latest stable version is 0.11.7, released on 2009-08-22. It has a more open development and incorporates patches from other Links versions (such as additional extension scripting in Lua) and from Internet users. You can also use Browser Link, a feature in Visual Studio 2013 that creates a communication channel between the development environment and one or more web browsers.

2. Use a special application that sandboxes your browser, such as Sandboxie (runs on your desktop/laptop) or AirGap (runs in the cloud).

3. Use an external "browser hosting" site like Browser Sandbox, Cross Browser Testing Tool or Spoon.net. Spoon.net is an excellent subscription service that allows users with a basic free subscription to run any of the latest browsers in a virtual machine. Sandboxing on your own desktop has problems: see "Does sandbox security really protect your desktop?" (InfoWorld): "The problem, then and now, is the sandbox wall remained permeable, so Trojans and other forms of malware can slip through the virtual sandbox into your desktop."

4. Use a DNS provider that protects you from malicious sites that Google propagates to the top of some "exotic" searches (for a small amount of money ;-). For example, OpenDNS can be used as your DNS provider (this is actually helpful for any browser). This might help to prevent you from visiting sites that are systematically spreading malware as well as sites that were just created to do so (sites less than 30 days old). The period of existence of malware sites is pretty short before they get into a blacklist and are abandoned, so by limiting your ability to browse sites that are less than, say, 30 or 90 days old you can improve the security of your browsing. Google sucks badly in this area (serving as a powerful advertising channel for spyware), as they are way too greedy.

5. For IE, set high security mode for the Internet Zone. The key idea is simple: use IE with high security mode for the Internet Zone and medium in the Trusted zone, where you should put all your regularly visited sites. The typical way malware authors get into your computer is that they buy Google AdWords and position their site high in some Web searches. You click, and if you have anything other than IE high security mode for Internet sites (which prevents running any third-party ActiveX or Java) you are hosed. At the same time the most important sites (Amazon, your webmail, etc.) that are crippled if the Internet zone is assigned high security mode can still be accessed if you put them in the Trusted zone. This probably can be done automatically (Microsoft sucks big time by not providing more granular security modes and relevant automation), but even manually this maintenance step is not a big burden. The rule is simple: each time you add a favorite you also need to add it to the Trusted zone. This probably should be done automatically.

• You can use a different browser for trusted sites -- I personally use Firefox for such sites. But this requires strict discipline and is not for every user (most users will follow this routine after spending six or more hours recovering from a malware infection (and losing some money in the process), but after a couple of months this experience is forgotten and users return to their old, bad ways).

• You can check when the domain was created using a simple Perl script running from a Cygwin session which launches the browser only if the site passes this check. That can probably be automated further and represents the most simple and effective security measure -- again, malware distribution sites usually do not last that long. Most last less than a year; 30 days is probably the half-life for the majority of them. So by avoiding sites that were created less than 90 days ago you can somewhat diminish the level of your risk.

6. Use a private VPN provider which also provides some defense from malware.

7. Run your Web browser in a VM, which is possible with Windows 7 Professional and above by using the Windows XP compatibility box (XP Mode).

8. Use Linux bootable from DVD on a separate ("disposable") computer (an old Dell laptop or a Windows smartphone is OK) and connect to it using XRDP. That guarantees that the computer will be reimaged on each reboot. Also this is not a standard configuration, which somewhat complicates hacking, as the amount of free space is very limited; you can also automatically kill all processes outside your standard set.
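The domain-age check in the bullet under step 5 and the shortened-link warning from the May 10 comments above, worked through as an added example (in Python rather than the site author's Perl/Cygwin script, which is not on this page): a short link is expanded one HEAD request at a time without following redirects or fetching any page, and then the destination domain's WHOIS creation date decides whether a browser gets to open it. The redirect chain and WHOIS record below are constructed samples, `fetch` and `whois_lookup` are hypothetical injection points, and `live_fetch`/`live_whois` are the urllib and whois(1) versions for real use.

```python
"""Added example, not the site author's script: expand a shortened link without
visiting it, then let the destination domain's registration age decide whether
a browser may open it."""
import re
import subprocess
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5        # a longer redirect chain is itself a warning sign
MIN_AGE_DAYS = 90   # the page suggests 30-90 days as the cut-off
REDIRECTS = (301, 302, 303, 307, 308)
# Creation line as printed by common WHOIS servers ("Creation Date: ...", "Created On: ...").
_CREATED_RE = re.compile(r"^\s*(?:creation date|created(?: on)?|registered(?: on)?)\s*:\s*(\S+)",
                         re.IGNORECASE | re.MULTILINE)
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

def registrable_domain(url):
    """Last two labels of the host (no public suffix list: 'bbc.co.uk' -> 'co.uk')."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return ".".join(host.lower().split(".")[-2:])

def expand_short_url(url, fetch, max_hops=MAX_HOPS):
    """Walk Location headers one HEAD request at a time and return the final URL.
    fetch(url) -> (status, location_or_None); no body is fetched or rendered."""
    seen, current = [], url
    for _ in range(max_hops):
        seen.append(current)
        status, location = fetch(current)
        if status not in REDIRECTS or not location:
            return current
        current = urljoin(current, location)   # Location may be relative
        if current in seen:
            raise RuntimeError("redirect loop at %s" % current)
    raise RuntimeError("more than %d redirects, refusing to continue" % max_hops)

def domain_age_days(whois_text, now):
    """Days since registration according to raw WHOIS output, or None if unreadable."""
    m = _CREATED_RE.search(whois_text)
    for fmt in (_DATE_FORMATS if m else ()):
        try:
            created = datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)
            return (now - created).days
        except ValueError:
            continue
    return None

def decide(short_url, fetch, whois_lookup, now, min_age_days=MIN_AGE_DAYS):
    """Return (final_url, age_days, verdict); verdict is 'open', 'block' or 'unknown'."""
    final_url = expand_short_url(short_url, fetch)
    age = domain_age_days(whois_lookup(registrable_domain(final_url)), now)
    if age is None:
        verdict = "unknown"       # WHOIS hidden or unparseable: user decides
    elif age < min_age_days:
        verdict = "block"
    else:
        verdict = "open"
    return final_url, age, verdict

# Live helpers, used only when a URL is given on the command line.
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None               # make urllib raise instead of following

def live_fetch(url):
    """HEAD request that reports the redirect target without following it."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def live_whois(domain):
    return subprocess.run(["whois", domain], capture_output=True, text=True).stdout

# Constructed sample data so the example runs offline: a two-hop shortener
# chain ending on a domain registered two days before the check is made.
SAMPLE_CHAIN = {
    "https://sho.rt/abc": (301, "https://t.co/xyz"),
    "https://t.co/xyz": (302, "https://cdn.freshly-registered.example/setup.exe"),
    "https://cdn.freshly-registered.example/setup.exe": (200, None),
}
SAMPLE_WHOIS = {"freshly-registered.example": "Domain Name: FRESHLY-REGISTERED.EXAMPLE\n"
                                              "Creation Date: 2017-05-10T11:23:05Z\n"}
SAMPLE_NOW = datetime(2017, 5, 12, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    if len(sys.argv) > 1:     # real link: live HEAD requests plus the whois(1) command
        result = decide(sys.argv[1], live_fetch, live_whois, datetime.now(timezone.utc))
    else:                     # no argument: run against the constructed sample
        result = decide("https://sho.rt/abc", SAMPLE_CHAIN.__getitem__,
                        SAMPLE_WHOIS.__getitem__, SAMPLE_NOW)
    print("%s  age=%s  verdict=%s" % result)   # launch a browser only on 'open'
```

Without an argument the script walks the constructed chain and reports "block" for the two-day-old domain; with a URL argument it does the same against the live network, and a "unknown" verdict (redacted WHOIS) is left for the user to judge.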

#### [May 01, 2017] A free, almost foolproof way to check for malware

##### "... Neither the Sysinternals Process Explorer software nor the VirusTotal service cost anything at all. The whole setup process will take you about five minutes and the scan, which you can execute any time you like, takes less than a minute. Only malware in memory will be detected, but if you're infected, very likely that malicious process will be running -- and this easy method will sniff it out. Watch and learn. ..."
###### May 01, 2017 | www.infoworld.com
In this video, you'll learn how to download and run Windows Sysinternals Process Explorer to test all currently running executables on your Windows system against VirusTotal's 57 antivirus engines, which together offer the best accuracy you can ever get (with a small percentage of false positives that are pretty easy to spot).

Neither the Sysinternals Process Explorer software nor the VirusTotal service cost anything at all. The whole setup process will take you about five minutes and the scan, which you can execute any time you like, takes less than a minute. Only malware in memory will be detected, but if you're infected, very likely that malicious process will be running -- and this easy method will sniff it out. Watch and learn.

#### [Apr 25, 2017] New leak exposes shady world of 'Stalkerware' surveillance software - RT Viral

###### Apr 25, 2017 | www.rt.com
New leak exposes shady world of 'Stalkerware' surveillance software

Published time: 22 Apr, 2017 16:53

The software even allows for monitoring of Tinder use.

#### [Apr 17, 2017] Microsoft says users are protected from alleged NSA malware

##### "... The post knocked back warnings from some researchers that the digital espionage toolkit made public by TheShadowBrokers took advantage of undisclosed vulnerabilities in Microsoft's code. That would have been a potentially damaging development because such tools could swiftly be repurposed to strike across the company's massive customer base. ..."
###### Apr 17, 2017 | economistsview.typepad.com
im1dc, April 16, 2017 at 09:52 AM
Good to Know & Need to Know Data Security Information

"Microsoft says users are protected from alleged NSA malware"

By Raphael Satter, AP Cybersecurity writer...PARIS...Apr 15, 2017

"Up-to-date Microsoft customers are safe from the purported National Security Agency spying tools dumped online, the software company said Saturday, tamping down fears that the digital arsenal was poised to wreak havoc across the internet.

In a blog post, Microsoft Corp. security manager Phillip Misner said that the software giant had already built defenses against nine of the 12 tools disclosed by TheShadowBrokers, a mysterious group that has repeatedly published NSA code. The three others affected old, unsupported products.

"Most of the exploits are already patched," Misner said.

The post knocked back warnings from some researchers that the digital espionage toolkit made public by TheShadowBrokers took advantage of undisclosed vulnerabilities in Microsoft's code. That would have been a potentially damaging development because such tools could swiftly be repurposed to strike across the company's massive customer base.

Those fears appear to have been prompted by experts using even slightly out-of-date versions of Windows in their labs. One of Microsoft's fixes, also called a patch, was only released last month.

"I missed the patch," said British security architect Kevin Beaumont, jokingly adding, "I'm thinking about going to live in the woods now."

Beaumont wasn't alone. Matthew Hickey, of cybersecurity firm Hacker House, also ran the code against earlier versions of Windows on Friday. But he noted that many organizations put patches off, meaning "many servers will still be affected by these flaws."

Everyone involved recommended keeping up with software updates.

"We encourage customers to ensure their computers are up-to-date," Misner said."

---

"Online:

Raphael Satter is reachable on: http://raphaelsatter.com"

#### [Apr 14, 2017] Top secret CIA virus control system WikiLeaks releases Hive from Vault7 series

##### "... The CIA's Hive project was created by its Embedded Development Branch (EDB). This branch was also responsible for projects detailed in WikiLeaks' 'Dark Matter' leak, revealing the CIA's attacks on Apple firmware. ..."
###### Apr 14, 2017 | www.rt.com
Hive, the latest batch of WikiLeaks documents exposing alleged CIA hacking techniques from 'Vault 7', details how the agency can monitor its targets through the use of malware and carry out specific tasks on targeted machines.

Described as a multi-platform malware suite, Hive provides "customisable implants" for Windows, Solaris, MikroTik (used in Internet routers), Linux platforms, and AVTech Network Video Recorders, used for CCTV recording. Such implants allow the CIA to communicate specific commands.

RELEASE: Inside the top secret CIA virus control system HIVE https://t.co/Bs6LmsVALz pic.twitter.com/y79IVSukK0

- WikiLeaks (@wikileaks) April 14, 2017

A 2015 User Guide reveals the initial release of Hive came in 2010, and describes the software implant as having two primary functions – a beacon and interactive shell. Both are designed to provide an initial foothold to deploy other "full featured tools."

The implants communicate via HTTPS with the webserver of a cover domain. Each cover domain is connected to an IP address at a commercial Virtual Private Server (VPS) provider. This forwards all incoming traffic to what's called a 'Blot' server.

The redirected traffic is examined to see if it contains a valid beacon. If it does, it's sent to a tool handler, known as Honeycomb, where the CIA can initiate other actions on the target computer.

The user guide details the commands that are available, including uploading and deleting files and executing applications on the computer.

'Brought to you by agency which produced Al-Qaeda & ISIS' - #Assange trolls CIA chief https://t.co/xgbZF7U68H

- RT (@RT_com) April 14, 2017

To hide the presence of such malware, WikiLeaks notes that the public HTTPS interface (a protocol for secure communication over a computer network within an encrypted connection) "utilizes unsuspicious-looking cover domains," meaning those targeted would be unaware of the CIA's interference.

A 'self-delete' function is described in documentation accompanying Hive, revealing that the implant destroys itself if it's not signalled for a predetermined amount of time. Binary information regarding Hive is deleted from the host, leaving a log and configuration file containing only a timestamp.

The self-delete was known to cause issues for the developers after running into complications caused by disparities in system clocks.

40 targets in 16 countries: Scale of CIA-linked #Vault7 hacking tools revealed by Symantec https://t.co/2IuixxyIhR pic.twitter.com/528zlN0eae

- RT (@RT_com) April 10, 2017

WikiLeaks says anti-virus companies and forensic experts have noticed "possible state-actor" malware using similar back-end infrastructure, but were unable to connect the back-end to CIA operations.

The Hive documents released Friday may allow experts to examine this kind of communication between malware implants and backend servers, WikiLeaks says.

The CIA's Hive project was created by its Embedded Development Branch (EDB). This branch was also responsible for projects detailed in WikiLeaks' 'Dark Matter' leak, revealing the CIA's attacks on Apple firmware.


#### [Apr 12, 2017] Spy Merchants reveals for the first time how highly-invasive spyware, which can capture the electronic communications of a town, can be purchased in a 'grey market'

###### Apr 12, 2017 | marknesop.wordpress.com
Warren , April 10, 2017 at 4:17 am

Published on 10 Apr 2017
Al Jazeera's Investigative Unit enters the secretive world of the surveillance industry. Spy Merchants reveals for the first time how highly-invasive spyware, which can capture the electronic communications of a town, can be purchased in a 'grey market' where regulations are ignored or bypassed. Mass surveillance equipment can then be sold onto authoritarian governments, criminals or even terrorists.

During a four-month undercover operation, an industry insider working for Al Jazeera filmed the negotiation of several illegal, multi-million dollar deals that breach international sanctions. The proposed deals include the supply of highly restricted surveillance equipment to Iran. The undercover operative also secured an extraordinary agreement to purchase powerful spyware with a company who said they didn't care who was the end-user.

#### [Apr 12, 2017] Symantec Links CIA Leaks to Cyberattacks in 16 Countries

###### Apr 12, 2017 | marknesop.wordpress.com
Antiwar.com: Symantec Links CIA Leaks to Cyberattacks in 16 Countries
http://news.antiwar.com/2017/04/10/symantec-links-cia-leaks-to-cyberattacks-in-16-countries/

Says Methods Described in Leaks Linked to 'Longhorn' Operations

Internet and computer security company Symantec has issued a statement today related to the Vault 7 WikiLeaks documents leaked from the CIA, saying that the methods and protocols described in the documents are consistent with cyberattacks they'd been tracking for years.

Symantec says they now believe that the CIA hacking tool Fluxwire is a malware that had been known as Corentry, which Symantec had previously attributed to an unknown cyberespionage group called Longhorn, which apparently was the CIA.

They described Longhorn as having been active since at least 2011, and responsible for attacks in at least 16 countries across the world, targeting governments and NGOs, as well as financial, energy, and natural resource companies, things that would generally be of interest to a nation-state.

marknesop , April 11, 2017 at 5:13 pm
Sure sounds like state-sponsored hacking to me.

#### [Apr 10, 2017] WikiLeaks New files show how CIA hides malware on Windows computers

Eric Geller

##### It is unclear how, other than using boot virus technology, you can secure preservation of malware after reinstallation from a clean source. For small drivers there might be a possibility to find them and then patch them directly on disk, bypassing the filesystem layer. But UEFI boot protects the computer from boot viruses, so those guys probably need help from Microsoft by installing "poisoned" updates. Booting from an infected USB is another obvious path.

04/07/17

... The new batch of 27 documents includes alleged manuals for the spy agency's Grasshopper program, which WikiLeaks says the CIA uses to build Windows malware.

... Most of the documents describe how the CIA builds "persistence modules," software that lets malware survive on a target machine despite reboots, reinstallations and other attempts to wipe the system clean.

One alleged persistence module, "Stolen Goods," uses code from the Carberp malware tool, which is believed to come from Russia's criminal hacker underground.

Some of the other modules - with code names like "Wheat," "Crab" and "Buffalo" - smuggle malware onto a system and preserve it using Windows components like drivers and executable files. Another module, "Netman," piggybacks on Windows' network connection system.

WikiLeaks said its release of the files offered "directions for those seeking to defend their systems to identify any existing compromise."

#### [Apr 09, 2017] WikiLeaks New files show how CIA hides malware on Windows computers

###### Apr 09, 2017 | www.politico.com
Eric Geller

04/07/17 11:40 AM EDT

WikiLeaks on Friday released more files that it says reveal the CIA's efforts to hack consumer electronics - this time focusing on flaws in Microsoft's Windows operating system.

The new batch of 27 documents includes alleged manuals for the spy agency's Grasshopper program, which WikiLeaks says the CIA uses to build Windows malware. The online activist group had previously released files March 23 on the CIA's hacking of Apple Macs and iPhones, and March 31 on the agency's tools for thwarting investigators and antivirus programs.


#### [Mar 16, 2017] Is Trump administration under survellance from its own intelligence agencies?

###### Mar 16, 2017 | economistsview.typepad.com
rjs -> pgl... March 14, 2017 at 02:16 PM
it's obvious that Conway was reading about the wikileaks release of the CIA's Vault 7, which shows they have the capability of remotely turning over the counter smart phones and TVs into spying devices...the release was widely covered in the foreign press, not so much here..

1) The CIA has the ability to break into Android and iPhone handsets, and all kinds of computers. The US intelligence agency has been involved in a concerted effort to write various kinds of malware to spy on just about every piece of electronic equipment that people use. That includes iPhones, Androids and computers running Windows, macOS and Linux.
2) Doing so would make apps like Signal, Telegram and WhatsApp entirely insecure. Encrypted messaging apps are only as secure as the device they are used on – if an operating system is compromised, then the messages can be read before they are encrypted and sent to the other user. WikiLeaks claims that has happened, potentially meaning that messages have been compromised even if all of the usual precautions had been taken.

3) The CIA could use smart TVs to listen in on conversations that happened around them. One of the most eye-catching programmes detailed in the documents is "Weeping Angel". That allows intelligence agencies to install special software that allows TVs to be turned into listening devices – so that even when they appear to be switched off, they're actually on.

4) The agency explored hacking into cars and crashing them, allowing 'nearly undetectable assassinations'

5) The CIA hid vulnerabilities that could be used by hackers from other countries or governments. Such bugs were found in the biggest consumer electronics in the world, including phones and computers made by Apple, Google and Microsoft. But those companies didn't get the chance to fix those exploits because the agency kept them secret in order to keep using them, the documents suggest.

6) More information is coming. The documents have still not been looked through entirely. There are 8,378 pages of files, some of which have already been analyzed but many of which haven't. When taken together, those "Vault 7" leaks will make up the biggest intelligence publication in history, WikiLeaks claimed.

#### [Mar 13, 2017] Boris and Natasha version of hacking might well be a false flag operation. How about developing Russian-looking hacking tools in CIA? To plant fingerprints and get the warrant for monitoring Trump communications

##### "... Tell me who stole the whole arsenal of CIA hacking tools with all the manuals? Were those people Russians? ..."
###### Mar 13, 2017 | economistsview.typepad.com

Am I alone in thinking that Preet Bharara, the just fired US Attorney for the Southern District of New York, would be the ideal Special Prosecutor of the Trump - Russia investigation?

Tom aka Rusty -> im1dc... Sunday, March 12, 2017 at 11:41 AM
Bharara did not push back against "too big to prosecute" and sat out the biggest white collar crime wave in the history of the world, so why is he such a saint?

Lots of easy insider trading cases.

im1dc -> Tom aka Rusty... Sunday, March 12, 2017 at 05:01 PM
I don't think you considered the bigger picture here, which includes in Bharara's case his bosses, to whom he would have had to run any cases up the flagpole for approval, and Obama and Company were not at the time into frying Wall Street for their crimes b/c they were into restarting the Bush/Cheney damaged, almost ruined, US and global economy.
libezkova -> im1dc... Sunday, March 12, 2017 at 09:11 PM
If you have not noticed, the Vault 7 scandal has completely overtaken everything else now. This is a real game changer.

Just think how many million, if not billion, dollars this exercise in removing the last traces of democracy from the USA and converting us into a new Democratic Republic of Germany, where everybody was controlled by the Stasi, cost. And that money was spent for what?

BTW the Stasi was one of the most hated and feared institutions of the East German government.

If this is not the demonstration of huge and out of civil control raw power of "deep state" I do not know what is.

If you are not completely detached from reality you should talk about Vault 7. This is a huge, Snowden-size scandal that is an order of magnitude more important for the country than all those mostly fake hints of connections between Trump and, especially, "Russian hacking".

Tell me who stole the whole arsenal of CIA hacking tools with all the manuals? Were those people Russians?

If not, you should print your last post, shred it and eat it with borsch ;-).

libezkova -> libezkova... Sunday, March 12, 2017 at 10:01 PM

From this video it looks like CIA adapted some Russian hacking tools for their own purposes.

https://www.youtube.com/watch?v=8Z6XGl_hLnw

In the world of intelligence, false flag operations are a standard tactic. Now what? Difficult situation for a Midwesterner...

libezkova -> libezkova...
Another difficult to stomach hypothesis:

"Boris and Natasha" version of hacking might well be a false flag operation. How about developing Russian-looking hacking tools in CIA? To plant fingerprints and get the warrant for monitoring Trump communications.

VAULT 7: CIA Staged Fake Russian Hacking to Set Up Trump - Russian Cyber-Attack M.O. As False Flag

https://www.youtube.com/watch?v=B4CHcdCbyYs

== quote ==

Published on Mar 7, 2017

"The United States must not adopt the tactics of the enemy. Means are important, as ends. Crisis makes it tempting to ignore the wise restraints that make men free. But each time we do so, each time the means we use are wrong, our inner strength, the strength which makes us free, is lessened." - Sen. Frank Church

WikiLeaks Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force - its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

#### [Mar 11, 2017] US spies still won't tell Congress the number of Americans caught in dragnet

##### "... By our definition, which says if you put the data in your database and use it when running searches, that data has been collected, there's no doubt the number is nearly the same as the US population, discounting only people with no online presence (e.g. infants). ..."
###### Mar 11, 2017 | arstechnica.com
In 2013, a National Security Agency contractor named Edward Snowden revealed US surveillance programs that involved the massive and warrantless gathering of Americans' electronic communications. Two of the programs, called Upstream and Prism , are allowed under Section 702 of the Foreign Intelligence Surveillance Act. That section expires at year's end, and President Donald Trump's administration, like his predecessor's administration, wants the law renewed so those snooping programs can continue.

That said, even as the administration seeks renewal of the programs , Congress and the public have been left in the dark regarding questions surrounding how many Americans' electronic communications have been ensnared under the programs. Congress won't be told in a classified setting either, despite repeated requests.

mod50ack , Smack-Fu Master, in training Mar 10, 2017 6:38 AM
Yeah, you're not going to see anybody in the Federal Government really stopping this, no matter their party.
gmerrick , Ars Praefectus Mar 10, 2017 6:40 AM
If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?
Ziontrain , Ars Praefectus Mar 10, 2017 6:40 AM
Thing is, we all know two things:
1) the number is 300 million +
2) the "esteemed" members of congress are singled out for special surveillance

As a result, the only possible outcome is the same procedure as all the previous times: congress rolls over. As should everyone's eyes who is watching this elaborate kabuki performance...

d4Njv , Ars Scholae Palatinae Mar 10, 2017 7:23 AM
mod50ack wrote:
Yeah, you're not going to see anybody in the Federal Government really stopping this, no matter their party.
Trump at least seems to have a problem with him or his associates being spied on lately. Not sure how he feels about ordinary Americans /s.
close , Wise, Aged Ars Veteran Mar 10, 2017 7:25 AM
gmerrick wrote:
If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?
Nothing can be done because the intelligence services are in the privileged position of being able to sabotage anybody's political career. So everyone keeps going through the motions of simulating free will while actually only doing as they're told. And it will only get worse so brace for it.
arcite , Ars Legatus Legionis Mar 10, 2017 7:35 AM
mod50ack wrote:
Yeah, you're not going to see anybody in the Federal Government really stopping this, no matter their party.
Ostensibly, they have the power to bring down the Trump admin...odds are he will increase their funding.
AHuxley , Wise, Aged Ars Veteran Mar 10, 2017 7:45 AM
gmerrick wrote:
If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?
The lack of oversight issue was attempted in the 1970's with the Church Committee.

https://en.wikipedia.org/wiki/Church_Committee

All that domestic US spying should have been stopped.

Operation CHAOS https://en.wikipedia.org/wiki/Operation_CHAOS showed domestic legal protections did not work.

boondox , Ars Centurion Mar 10, 2017 8:04 AM
Reisner wrote:
The American people don't know and don't care to know. John Conyers really needs to focus on the things that matter, like stopping Detroit from sinking into the abyss; getting jobs for his constituents; lowering the amount of kids being born out of wedlock and preventing them from killing each other over trivial things like clothes and being disrespected.
I agree with you on the underlined. America seems more interested in amusing itself to death more than anything.

The representatives of the people have their work cut out for them.

Personne , Ars Scholae Palatinae Mar 10, 2017 8:28 AM
So essentially, the 3 letter agencies are not accountable to the US government. They can lie, cheat and hide information at will without any kind of consequence. They are running the show.

The US people have completely lost control over their governance. The constitution is a totally empty shell.

AHuxley , Wise, Aged Ars Veteran Mar 10, 2017 8:37 AM
Personne wrote:
So essentially, the 3 letter agencies are not accountable to the US government.

The US people have completely lost control over their governance. The constitution is a totally empty shell.

It's more that staff feel Congress has no oversight, since who they work for was not established by Congress. The question of oversight authority was used to avoid questions until the 1970's.
AutisticGramma , Ars Scholae Palatinae Mar 10, 2017 8:45 AM
AHvivere wrote:
Small nitpick to the author. You do know that having that particular picture on there constitutes a spillage for every single DoD and Federal employee that clicks on the article to read it right?
And this is exactly why it should stay up. These agencies' behavior is creating this for themselves. No oversight, no funding; whoever signs the check is on the hook. The fed budget needs to reflect this. Someone signed off on authority to operate.
SewerRanger , Ars Centurion et Subscriptor Mar 10, 2017 8:50 AM
Hookgrip wrote:
I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?
You would need more than just IPs to make that determination - anyone with a VPN can have an American IP address, same with TOR exit nodes.

This number would be completely useless. You'd have to cross reference the IP with a bunch of other data and that leads to a catch-22: you'd have to maintain a database of American data to be able to detect when you have American data so you can not keep it except what you have in your database of American data that you use to detect American data so you can not keep it.

arcite , Ars Legatus Legionis Mar 10, 2017 8:54 AM
Personne wrote:
So essentially, the 3 letter agencies are not accountable to the US government. They can lie, cheat and hide information at will without any kind of consequence. They are running the show.

The US people have completely lost control over their governance. The constitution is a totally empty shell.

Vast bureaucracies have a life of their own, detached from the earthly proclivities of democratic transitions.
Buchliebhaber , Wise, Aged Ars Veteran et Subscriptor Mar 10, 2017 9:18 AM
Quote:
Still, US spies say they don't track the number of Americans caught in this dragnet, in part to protect Americans' privacy. Performing this task would require spies to de-anonymize phone numbers and IP addresses to determine whether they're American, according to April Doss, a former NSA lawyer who testified (PDF) before the House Judiciary Committee on March 1.
This seems to imply that they're reading the request to "get the count of Americans monitored" extremely literally, interpreting it as "get the exact number of Americans".

The NSA has some very good mathematicians - they should easily be able to give a pretty highly accurate estimate using the sample data they already have from when they've de-anonymized targeted persons.

Bodacious , Smack-Fu Master, in training Mar 10, 2017 9:21 AM
AHvivere wrote:
You are literally saying that 5 million people are bad. You sound retarded.
I think he literally said the agencies' behavior is bad, which is literally not the same thing as saying everyone who works for them is. Are you a DoD or Federal employee?
AutisticGramma , Ars Scholae Palatinae Mar 10, 2017 9:29 AM
Buchliebhaber wrote:

Still, US spies say they don't track the number of Americans caught in this dragnet, in part to protect Americans' privacy. Performing this task would require spies to de-anonymize phone numbers and IP addresses to determine whether they're American, according to April Doss, a former NSA lawyer who testified (PDF) before the House Judiciary Committee on March 1.

This seems to imply that they're reading the request to "get the count of Americans monitored" extremely literally, interpreting it as "get the exact number of Americans".

The NSA has some very good mathematicians - they should easily be able to give a pretty highly accurate estimate using the sample data they already have from when they've de-anonymized targeted persons, +/-10%.

This estimate I'm sure was rolling around in the head of someone at the table.

The whole point of the system is to provide information that they're requesting, literally how computers work.

Stonewalling Congress needs to be a good way to find an agency without funding or mandate.

Instead it's more like Kanye stealing the mic at the Grammys, but with more chest medals.

AHuxley , Wise, Aged Ars Veteran Mar 10, 2017 9:31 AM
AutisticGramma wrote:
Do you have some context for 5 million people, this comment is an island not found on any map.
The 5.1 million people number? It's the number of people who held some US government security clearance as of around 2013. Confidential, Secret, Top Secret, Gov staff, Contractors as a total.
TheFu , Ars Scholae Palatinae Mar 10, 2017 9:32 AM
We should send them to Guantanamo Bay until they talk and cut their funding 50%. The US Govt is supposed to work FOR US citizens. Something has gone wrong. People need to be held accountable. Spying on everyone is NOT ok without an individual, specific, tied-to-location, warrant signed by a judge outside some secret court.

PERIOD.

The heads of these agencies know that if they ever say any number, that will be the end due to outrage. There is little to be gained, unless they are sent to prison. If I were a senator, I'd give immunity to some of the whistleblowers to find the truth. Give them a chance to testify about their bosses.

AnchorClanker , Wise, Aged Ars Veteran et Subscriptor Mar 10, 2017 9:40 AM
Seems like it would be a minor exercise to analyze a valid sample of their intercepts and to project with enough accuracy to answer the question.

A cynic might suspect that the answer to, "How many Americans' electronic communications have been ensnared under the programs?" may well be, "All of them."

waasoo , Wise, Aged Ars Veteran Mar 10, 2017 9:41 AM
Reisner wrote:
The American people don't know and don't care to know. John Conyers really needs to focus on the things that matter, like stopping Detroit from sinking into the abyss; getting jobs for his constituents; lowering the amount of kids being born out of wedlock and preventing them from killing each other over trivial things like clothes and being disrespected.
I agree with a part of your sentiment but feel, maybe wrongly, that you are also hiding racism behind those words.

The part that I agree with - most people don't care enough about spying programs or which 3 letter agency is scanning their ass. You can probably get 100 million Americans to sign a petition on facebook or twitter or your neighborhood supermarket, and only because those are low investment options. There is nothing wrong with such an existential position; I am guilty of that for most of the day. If the scanning keeps me "safe" and I have nothing to hide, why bother?

Now, you will get a lot more people involved if such scanning led to prosecution for the little technical crimes we do every day of our life; until then this will continue if only with another name.

yankinwaoz , Ars Centurion Mar 10, 2017 9:50 AM
I'm sure Feinstein has her rubber stamp out. There is no request from NSA/CIA that she doesn't love.

Grrrrrr...

Jacee , Smack-Fu Master, in training Mar 10, 2017 9:56 AM
Hookgrip wrote:
I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?
"Another way to generate a good estimate?" Certainly. Go to the US Census Bureau. They can get you real close. Or just google it. As of 2014, it was 318.4 million.

If they're scanning the backbone, AND checking the main sites people go to, that's pretty danged close to everybody.

bothered , Ars Scholae Palatinae Mar 10, 2017 10:13 AM
yankinwaoz wrote:
I'm sure Feinstein has her rubber stamp out. There is no request from NSA/CIA that she doesn't love.

Grrrrrr...

Don't vote for her again, I know I won't. Just got an email from Feinstein's office today with a laundry list of ways she is opposing Trump and his picks, no mention of national security issues. I'm sure that Feinstein and the current Administration will come together on National Security - in their view it's about "protecting Americans", which I read as "covering my ass on my watch".
ars diavoli , Ars Centurion Mar 10, 2017 10:46 AM
gmerrick wrote:
If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?

They could start cutting budgets, but that won't happen.

carcharoth , Ars Scholae Palatinae Mar 10, 2017 10:56 AM
"Congress and the public have been left in the dark regarding questions surrounding how many Americans' electronic communications have been ensnared under the programs."

How is this acceptable? How are these programs still running, period? Where is the outcry?

Why won't they tell? Because it's not about "dragnet casualties," they're not accidentally spying on Americans, they've got a system they use to spy on who they want when they want to.

It's insane that these organizations can lie to the people, to their own gov't, and not get torn down.

AutisticGramma , Ars Scholae Palatinae Mar 10, 2017 11:03 AM

The 5.1 million people number?

It's the number of people who held some US government security clearance as of around 2013. Confidential, Secret, Top Secret, Gov staff, Contractors as a total. And how many of them are responsible for signing off on carte blanche spying on Americans with 0 oversight? Since clearance is on a need to know basis, did that many people need to know? I see you looking to divide and conquer here; you just end up sounding guilty. 5.1 million people wanted a paycheck while serving their country and deserve one. Around 500 elected officials are letting a select few ruin all of this for the rest of us because rules are 'unamerican.'

This is what happens 20 years after 'rules kill jobs' the same business leaders who didn't need rules 'cause jobs' now don't need rules as government appointees.

NotJustAnotherRandmGuy , Wise, Aged Ars Veteran Mar 10, 2017 11:08 AM
Hookgrip wrote:
I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?
All of it... the answer is all of it. Everything. Everybody. All. https://en.wikipedia.org/wiki/Mark_Klein
BobsYourUncleBob , Ars Tribunus Militum Mar 10, 2017 11:22 AM
We cannot provide an answer to your request, Senator, simply because we don't know the answer. Should we ever embark upon data analysis that would provide the answer you're seeking, such action would constitute an unnecessary and unwarranted intrusion on the privacy of U.S. persons; without specific statutory authorization, it would likely also be unlawful, since it would be both intrusive and unrelated to any need for foreign intelligence gathering.

And we don't want to act in any manner that may be regarded as unlawful ... unless Congress were to provide authorization for us to do so ...

Then there is the matter of resource allocation: current budgets constrain us from embarking upon such a program of data analysis, in terms of both the hardware and human resources that such a program would require.

Estimates on the additional funding that such a program would require have been developed, however these budgetary requirements cannot be released to Congress, as they are classified. Should Congress decide to provide both authorization and funding for such a program, we can advise on the number of zeros ( "0" ) that the funding authorization should include.

In summary, Senator, it would appear that "the ball is entirely in your court" so to speak ...

jdale , Ars Tribunus Militum Mar 10, 2017 11:26 AM
The evasiveness is deceptive in and of itself. When the NSA says it "would require the Intelligence Community to conduct exhaustive analysis of every unknown identifier in order to determine whether they are being used inside or outside the U.S." that's because they don't even count the data as "collected" unless an analyst looked at it. Recorded? Doesn't count. Searched by computer programs for keywords or pattern matching? Doesn't count. A human looked at it? Ok, that counts.

By this definition, they should be able to produce a deceptively low number, perhaps thousands to tens of thousands per year.

By our definition, which says if you put the data in your database and use it when running searches, that data has been collected, there's no doubt the number is nearly the same as the US population, discounting only people with no online presence (e.g. infants).

In any case, the fact that they have prevaricated about this for the past 6 years makes pretty clear that the answer will not look good. It's time to end these programs. If they want them renewed, the replacements will need real oversight.

#### [Mar 11, 2017] Snowden What The Wikileaks Revelations Show Is Reckless Beyond Words

##### "... Now if IBM Mainframes are compromised it means, Banks, Insurance, and other behemoths (they mostly use IBM Main Frames for their back-end functions) may be ticking time bombs. Scary shit. ..."
###### Mar 07, 2017 | www.zerohedge.com
While it has been superficially covered by much of the press - and one can make the argument that what Julian Assange has revealed is more relevant to the US population, than constant and so far unconfirmed speculation that Trump is a puppet of Putin - the fallout from the Wikileaks' "Vault 7" release this morning of thousands of documents demonstrating the extent to which the CIA uses backdoors to hack smartphones, computer operating systems, messenger applications and internet-connected televisions, will be profound.

As evidence of this, the WSJ cites an intelligence source who said that "the revelations were far more significant than the leaks of Edward Snowden."

Mr. Snowden's leaks revealed names of programs, companies that assist the NSA in surveillance and in some cases the targets of American spying. But the recent leak purports to contain highly technical details about how surveillance is carried out. That would make them far more revealing and useful to an adversary, this person said. In one sense, Mr. Snowden provided a briefing book on U.S. surveillance, but the CIA leaks could provide the blueprints.

Speaking of Snowden, the former NSA contractor-turned-whistleblower, who now appears to have a "parallel whistleblower" deep inside the "Deep State", i.e., the source of the Wikileaks data - also had some thoughts on today's CIA dump.

In a series of tweets, Snowden notes that "what @Wikileaks has here is genuinely a big deal", and makes the following key observations: "If you're writing about the CIA/@Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe" and adds that "the CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words."

He then asks rhetorically "Why is this dangerous?" and explains "Because until closed, any hacker can use the security hole the CIA left open to break into any iPhone in the world."

His conclusion, one which many of the so-called conspiratorial bent would say was well-known long ago: "Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open -- to spy."

To which the increasingly prevalent response has become: "obviously."

Still working through the publication, but what @Wikileaks has here is genuinely a big deal. Looks authentic.

- Edward Snowden (@Snowden) March 7, 2017

If you're writing about the CIA/ @Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe. pic.twitter.com/kYi0NC2mOp

- Edward Snowden (@Snowden) March 7, 2017

The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words.

- Edward Snowden (@Snowden) March 7, 2017

Why is this dangerous? Because until closed, any hacker can use the security hole the CIA left open to break into any iPhone in the world. https://t.co/xK0aILAdFI

- Edward Snowden (@Snowden) March 7, 2017

Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open -- to spy. https://t.co/mDyVred3H8

- Edward Snowden (@Snowden) March 7, 2017

Looney -> PoasterToaster , Mar 7, 2017 2:33 PM

The "Pandora's Box" cliché doesn't quite fit the use of Cyber Weapons, but another metaphor does – "Pinocchio's Screw".

When Pinocchio discovered a screw inside of his belly button, he grabbed a screwdriver and two seconds later, his ass fell off. ;-)

Looney

froze25 -> nuubee , Mar 7, 2017 2:44 PM

So the CIA was doing the NSA's job, dropped the ball and let the weapons out to the world. I wonder if they were using these "tools" domestically outside of their mandate? As an agency you couldn't be more incompetent. Does anyone understand how much security they (CIA) have just compromised? This is so serious it's insane.

WordSmith2013 -> froze25 , Mar 7, 2017 2:56 PM

"It doesn't get any bigger than Vault 7!"

Vault 7 Opened Up: The Biggest Megillah of Them All
CPL -> froze25 , Mar 7, 2017 3:06 PM

Why do you think the geek community decided to go develop their own tools in parallel (Linux, BitCoin, DevOps platforms, etc)? We knew, we complained, we got shut down. The issue is now all that software is running on nearly every computer out there. Every computer in the current paradigm is considered a security risk.

It also means the insurance industry now has to pull out of all insurance guarantees on engineered systems with an ISO certification for every industry. It's a fucked up mess that's going to cost tens of trillions of dollars to migrate and patch every existing system on the planet.

froze25 -> CPL , Mar 7, 2017 3:22 PM

Android is Linux based, and the routers that have reportedly been compromised use Linux as an operating system. Nothing has been spared. I believe iOS is Unix based (or iOS is just iOS) so that one is compromised as well. Now if UNIX is compromised that means (potentially) that IBM mainframes are compromised.

Now if IBM Mainframes are compromised it means, Banks, Insurance, and other behemoths (they mostly use IBM Main Frames for their back-end functions) may be ticking time bombs. Scary shit.

#### [Mar 11, 2017] CIA faces huge problem over malware claims

###### Mar 11, 2017 | www.bbc.com
BBC
• WikiLeaks, the CIA and your devices: what the documents reveal FT
• CIA contractors likely source of latest WikiLeaks release: U.S. officials Reuters. Neoliberalism's "market state" puts government functions up for sale. So it's not surprising that people sell them.
• CIA Leak: "Russian Election Hackers" May Work In Langley Moon of Alabama. Watch for the "attribution problem" when CrowdStrike testifies at the upcoming Russki hearings. As I've said, "Internet evidence is not evidence."
• WikiLeaks strikes again. Here are 4 big questions about Vault 7. WaPo. "In cyberspace, we mainly have a reasonability problem, not an attribution problem." Oh. OK.
• CIA Did Not Have Multi-Factor Authentication Controls for All Users as Recently as August 2016 emptywheel
• Oh, that traitorous WikiTrump Pepe Escobar, Asia Times (Re Silc).
• Spicer says 'massive difference' between CIA WikiLeaks leak and Podesta email leak ABC

#### [Mar 10, 2017] CIA Leak Shows Sliding Down the Slippery Slope Toward Totalitarianism, Where Private Lives Do Not Exist

##### "... And Clinton never feared anything, probably because the CIA was in her pocket and could get the goods on anybody even Loretta Lynch. ..."
###### Mar 10, 2017 | www.zerohedge.com

That the CIA has reached into the lives of all Americans through its wholesale gathering of the nation's "haystack" of information has already been reported.

It is bad enough that the government spies on its own people. It is equally bad that the CIA, through its incompetence, has opened the cyberdoor to anyone with the technological skills and connections to spy on anyone else.

The constant erosion of privacy at the hands of the government and corporations has annihilated the concept of a "right to privacy," which is embedded in the rationale of the First, Third, Fourth, Ninth and Fourteenth Amendments to the U.S. Constitution.

It is becoming increasingly clear that we are sliding down the slippery slope toward totalitarianism, where private lives do not exist.

We have entered a condition of constitutional crisis that requires a full-throated response from the American people.

Before you label Kucinich as being overly dramatic, you may want to note that Bill Binney – the high-level NSA executive who created the agency's mass surveillance program for digital information, the 36-year NSA veteran who was the senior technical director within the agency and managed thousands of NSA employees – told Washington's Blog that America has already become a police state.

And Thomas Drake – one of the top NSA executives, and Senior Change Leader within the NSA – told us the same thing.

And Kirk Wiebe – a 32-year NSA veteran who received the Director CIA's Meritorious Unit Award and the NSA's Meritorious Civilian Service Award – agrees (tweet via Jesselyn Radack, attorney for many national security whistleblowers, herself a Department of Justice whistleblower):

It's not just NSA officials. Two former U.S. Supreme Court Justices have warned that America is sliding into tyranny.

A former U.S. President , and many other high-level American officials agree.

#1 problem all other unconstitutional problems stem from FRB

Wild E Coyote , Mar 9, 2017 8:58 PM

The elephant in the room is not privacy problems. It is blackmail for various purposes.

We have many indications that politicians, judges, officials and even other intel organizations are being blackmailed, and destroyed using lucid information from their private life.

This makes the US Government totally dysfunctional. The spread of such spy techniques has created chaos. Latest news is that Democrats paid some hackers for not revealing their server information.

I don't think this can be stopped. But we need more open discussion about blackmailing and thus protection from such methods. An elected President or Official should not have their private life discussed by the Media. It should be banned.

GRDguy , Mar 9, 2017 8:56 PM

All we're really seeing is the wet dreams of banksters' efforts of over 400 years "to own the earth in fee-simple."

Our real problem is that their efforts make them richer while making everyone else poorer.

The only way to stop the Money Kings is not to do business with them; an extremely difficult task.

Sometimes The Dragon Wins

JailBanksters , Mar 9, 2017 8:51 PM

The old adage about, if you've got nothing to hide, you've got nothing to fear ....

I don't think a lot of people realize the scope of this, because it's not about you.

If Trump was hacked, that information could be used against him, like blackmail in order to change his action or direction on certain things.

Clinton: You should be in Jail, they're GOOD People, so I won't be appointing a special prosecutor.

And Clinton never feared anything, probably because the CIA was in her pocket and could get the goods on anybody even Loretta Lynch.

That's what this is about. And that's why Trump can't win.

#### [Mar 10, 2017] Democratic Party as the defenders of the surveillance state

###### Mar 10, 2017 | economistsview.typepad.com
Peter K. : March 09, 2017 at 01:37 AM

Democrats like PGL are big defenders of the surveillance state and hate on Wikileaks. Why is that? B/c they're anti-democratic and authoritarian. The NSA tapped Angela Merkel's phone. Way to alienate our allies.

https://www.nytimes.com/2017/03/08/us/wikileaks-cia.html

C.I.A. Scrambles to Contain Damage From WikiLeaks Documents

By MATTHEW ROSENBERG, SCOTT SHANE and ADAM GOLDMAN

MARCH 8, 2017

WASHINGTON - The C.I.A. scrambled on Wednesday to assess and contain the damage from the release by WikiLeaks of thousands of documents that cataloged the agency's cyberspying capabilities, temporarily halting work on some projects while the F.B.I. turned to finding who was responsible for the leak.

Investigators say that the leak was the work not of a hostile foreign power like Russia but of a disaffected insider, as WikiLeaks suggested when it released the documents Tuesday. The F.B.I. was preparing to interview anyone who had access to the information, a group likely to include at least a few hundred people, and possibly more than a thousand.

An intelligence official said the information, much of which appeared to be technical documents, may have come from a server outside the C.I.A. managed by a contractor. But neither he nor a former senior intelligence official ruled out the possibility that the leaker was a C.I.A. employee.

The officials spoke on the condition of anonymity to discuss an ongoing investigation into classified information. The C.I.A. has refused to explicitly confirm the authenticity of the documents, but it all but said they were genuine Wednesday when it took the unusual step of putting out a statement to defend its work and chastise WikiLeaks.

The disclosures "equip our adversaries with tools and information to do us harm," said Ryan Trapani, a spokesman for the C.I.A. He added that the C.I.A. is legally prohibited from spying on individuals in the United States and "does not do so."

The leak was perhaps most awkward for the White House, which found itself criticizing WikiLeaks less than six months after the group published embarrassing emails from John D. Podesta, the campaign chairman for Hillary Clinton, prompting President Trump to declare at the time, "I love WikiLeaks."

Sean Spicer, the White House spokesman, said the release of documents "should be something that everybody is outraged about in this country."

There was, he added, a "massive, massive difference" between the leak of classified C.I.A. cyberspying tools and personal emails of political figures.

The documents, taken at face value, suggest that American spies had designed hacking tools that could breach almost anything connected to the internet - smartphones, computers, televisions - and had even found a way to compromise Apple and Android devices. But whether the C.I.A. had successfully built and employed them to conduct espionage remained unclear on Wednesday.

A number of cybersecurity experts and hackers expressed skepticism at the level of technical wizardry that WikiLeaks claimed to uncover, and pointed out that much of what was described in the documents was aimed at older devices that have known security flaws. One document, for instance, discussed ways to quickly copy 3.5-inch floppy disks, a storage device so out of date that few people younger than 35 have probably used one.

One indication that the documents did not contain information on the most highly sensitive C.I.A. cyberespionage programs was that none of them appeared to be classified above the level of "secret/noforn," which is a relatively low-level of classification.

On Feb. 16, WikiLeaks released what appeared to be a C.I.A. document laying out intelligence questions about the coming French elections that agency analysts wanted answers to, either from human spies or eavesdropping. When WikiLeaks released the cyberspying documents on Tuesday, it described the earlier document as "an introductory disclosure."

Peter K. -> Peter K.... March 09, 2017 at 01:52 AM

"He added that the C.I.A. is legally prohibited from spying on individuals in the United States and "does not do so.""

Well that's good to know given the CIA's history.

Anachronism -> Peter K.... , March 09, 2017 at 05:12 AM
Maybe, but the FBI is not prohibited and I'm sure they have access to the same tools the CIA has.

Peter K. - Are you comfortable with Wikileaks telling the world (and therefore the "bad guys") exactly what we've been using to gather information and showing them how they can use the same tools? Do you think that hurts America's security?

I'll grant you that there have been times I've been for some of the Wikileaks disclosures, but on the whole (and especially this), it harms our security.

RC AKA Darryl, Ron -> Anachronism ... , March 09, 2017 at 06:31 AM
I used to be disgusted but now I am just amused.

The surveillance state is a deep subject. Without the military hegemony for which it is emblematic would we then even have a threat of terrorism? The domestic surveillance state does little else save maybe some counter-espionage against the other nuclear powers.

OTOH, it gave us the recently ended TV series "Person of Interest," which almost makes up for the violations of our Bill of Rights (illegal search and potentially seizure). I kind of like people knowing how automobile technology can be hacked to remotely control the family car. If not for the competition to develop self-driving cars then I doubt most of the Wi-Fi enabled interfaces would facilitate remote control, but rather just monitoring. It sounds like the game of grand theft auto is about to be profoundly revised.

Anachronism -> RC AKA Darryl, Ron... , March 09, 2017 at 07:01 AM
"The surveillance state is a deep subject. Without the military hegemony for which it is emblematic would we then even have a threat of terrorism? The domestic surveillance state does little else save maybe some counter-espionage against the other nuclear powers."

Agreed. We've interfered with impudence in the affairs of Central/South America and the Middle East. We've assassinated leaders of other countries and propped up our little puppets in their places. We staged a revolution to create the country of Panama, simply because we wanted to dig a canal.

However, You're arguing the past. The question is, now that we're where we are, how do we proceed? All of these people who now hate us, because of the evils we've done aren't simply going to stop if we say "we're not going to spy on you anymore".

Paraphrasing Shakespeare - "The evil countries do lives after them. The good is oft interr'd within their bones. Thus let it be with the U.S.A" won't make terrorists think about our foreign aid programs, or disaster relief for places like Haiti".

The primary function of the federal government should be to protect the welfare of its people, and ostensibly tools like the ones the CIA developed (and subsequently leaked) were there to find out what the bad guys were doing. We are now less safe as a direct result of the leak.

RC AKA Darryl, Ron -> Anachronism ... , March 09, 2017 at 07:37 AM
"...The question is, now that we're where we are, how do we proceed?..."

[Your point there is well taken. However, it is still a question with no implicit answer that cannot be alternatively argued. So, the other way to say this is that we have as a nation done very bad things. There will be a price to pay for it. How do we want to pay for it? How long do we want to keep paying for it? Stated another way then there is still no implicit answer that cannot be alternatively argued. It is why I usually avoid such matters. Without a crystal ball then we answer correctly. I just was inquiring to see how far that you were considering. I have no argument against you since you seem to understand the quagmire well enough. I will stick with easier topics such as constitutional reform of the political system, a piece of cake in comparison.]

RC AKA Darryl, Ron -> RC AKA Darryl, Ron... , March 09, 2017 at 07:38 AM
"...Without a crystal ball then we CANNOT answer correctly..."

[First EDIT, then POST.]

Anachronism -> RC AKA Darryl, Ron... , March 09, 2017 at 07:46 AM
So, to paraphrase you; we're screwed. It's simply a question of how badly we're screwed and when.

I agree. Which is why I'm no fun at parties anymore. I would argue that people who don't understand how screwed we are, are much happier than those who do understand.

Such is our lot in life.

RC AKA Darryl, Ron -> Anachronism ... , March 09, 2017 at 08:09 AM
Totally agreed. Yet I cling to hope. Donald Trump has achieved more in organizing progressives in just four months than I have seen done over the collective period since 1968.
RC AKA Darryl, Ron -> RC AKA Darryl, Ron... , March 09, 2017 at 08:12 AM
Nothing unites people better than a common enemy which they unequivocally despise.
ilsm -> RC AKA Darryl, Ron... , March 09, 2017 at 02:30 PM
the oceans mean no one without a huge navy* or ICBM's (why sputnik was a problem) can affect the US. Military spending outside of nuclear warning and MAD is low payback.

The terrorists know we won't nuke Mecca, hell we are paying Mecca's defenders to keep terrorists in Syria.

* occupying the US would be dealing with 120M guns in hands of angered civilians....... the Japanese general staff thought they would find 80M behind blades of grass...........

Peter K. -> Anachronism ... , March 09, 2017 at 08:54 AM
The NSA chief told Congress that they don't spy on private US citizens, but Edward Snowden showed that to be a lie.

Are you comfortable with that? Are you comfortable with handing the surveillance state over to a lunatic like Trump?

Anachronism -> Peter K.... , March 09, 2017 at 09:45 AM
As I said above, maybe the CIA doesn't spy on US citizens, but the FBI can and does.

I don't think Trump would care about me nearly as much as he would Bill Maher or Hillary Clinton, public people who mock him.

Peter K. -> Anachronism ... , March 09, 2017 at 10:08 AM
It would affect you personally for Trump to neutralize all of his political opponents?
Anachronism -> Peter K.... , March 09, 2017 at 11:09 AM
I don't think republicans would like the idea of a liberal spying on them any more than we would with a conservative spying on us. Trump is at a whole new level because of his Nixonian paranoia plus his need for revenge plus his penchant for "punching down".

Having said that, there are safeguards in place to ensure that the FBI can't spy on just anyone. You need a FISA warrant which needs to be approved by a FISA judge. President Cheeto can't just order it to be done. Well, he could, but the FBI should refuse.

Anachronism -> Anachronism ... , March 09, 2017 at 11:11 AM
This is the same reason Obama could not order Cheeto's "wires tapped".
ilsm -> Peter K.... , March 09, 2017 at 02:32 PM
Trump is more concerned with the Bill of rights than the con artist with the peace prize.

#### [Mar 10, 2017] Latest WikiLeaks dump reveals CIA can hack computers, smartphones, even TVs

##### "... And if you think you only need to worry about your computers, phones, and TVs being full of Mama Gubmint's lackeys consider your car. It has its own ID and the roads are bristling with detectors too. License plate scanners, facial recognition, chem/radiation detectors, etc. 1984 has long been with us. ..."
###### Mar 10, 2017 | www.salon.com
...The disclosure revealed that the CIA has its own division dedicated solely to computer hacking that rivals the National Security Agency's online espionage operation. According to WikiLeaks, the code tracking system of the CIA's Center for Cyber Intelligence has more than 5,000 registered users.

"Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook," WikiLeaks said in an introductory statement accompanying the documents. "The CIA had created, in effect, its 'own NSA' with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified."

Tuesday's disclosure is only the first part of what WikiLeaks is calling its "Vault 7" series of documents obtained from what it said was an "isolated, high-security network" located within the CIA's headquarters in Langley, Virginia. The documents, which appear to have been acquired at least several months ago, detail exploits (or techniques to expose vulnerabilities) for a wide variety of desktop and mobile operating systems, including Android, iOS, Windows, Linux and the server operating system Solaris.

The CIA also appears to have developed methods to hijack internet-enabled televisions from Samsung to use them to record audio such as conversations, through the use of a "Fake Off" mode so that the TV appears to be powered down but actually is not.

The stolen information indicates that the intelligence agency also appears to have the ability to gain access to messaging programs like Telegram, WhatsApp, Signal and iMessage that have been billed as secure because they encrypt all messages between participants. Instead of intercepting messages en route, however, the exploits work at a more basic level to intercept and capture audio and text before they are encrypted and transmitted.

The documents appear to have been extracted from an internal CIA wiki website that was established to provide authorized users download access to the malware programs and also to instruct users on how to deploy them.

WikiLeaks did not release any of the code behind the so-called cyber-weapons, but said that an archive of the software and its documentation had been circulating among former U.S. government hackers and contractors in an unauthorized manner for some time.

The site's editor, Julian Assange, said there was an "extreme proliferation risk" in the development of malicious software by governments, which he compared to the global arms trade.

The Vault 7 documents also disclose that the CIA purchases software exploits from other intelligence agencies, including Britain's MI5. The documents also indicate that the CIA has purchased exploits from shadowy private companies going by such names as Fangtooth, Anglerfish and SurfsUp. Instead of reporting security holes to software companies like Microsoft or Google, these companies peddle the vulnerability to the highest bidder.

If this information is accurate, the agency may be in violation of a policy put into place by former President Barack Obama in 2013 that was intended to prohibit the government from exploiting vulnerabilities that were unknown to software makers.

Besides speeding up the development time for malware for the CIA's use, the agency's use of outside-sourced malware also enables the CIA to make digital forensic investigators believe that an unknown outside party may have been behind an infiltration, rather than a government agency.

... ... ...

A veteran writer, tv producer, and web developer, Matthew Sheffield writes about politics, media, and technology for Salon. You can email him via m.sheffield@salon.com or follow him on Twitter.

zackeryzackery , 2017-03-10T03:32:31

Anyone interested in the Russian Bank / Trump Server connection:

Looks like the libtards will twist any facts to fit their narrative.

DirtyDan23 , 2017-03-09T19:30:29
But ... but .... RUSSIA!!!!!. Look guys, RUSSIA! The Obama administration repeatedly broke federal laws, lied about breaking those laws, got caught lying about breaking those laws (thank you "whistle blowers") then said it stopped breaking said laws. Then it got caught lying about saying it stopped breaking laws.
A Real American , 2017-03-09T16:55:26
Who cares. But what we also know is that The "President" is Putin's puppet. When is Assange going to leak that? And Don the Con has already paid Putin back by destroying the State Department. Sad.
Captain America , 2017-03-09T17:05:13

Okay, so "who cares" that we have a CIA with unchecked powers and no publicly discernible agenda, but RUSSIA!!

You sound like McCarthy. Is that the New Democratic Party?

Fester N Boyle , 2017-03-09T11:16:11

How many agencies do we need to do the same things and replicate each other's work? 16 intelligence agencies? There's 500+ govt. agencies, the system needs a reorg. Make new agencies to combine the old ones' critical functions, fire all the worthless govt. employees and move the good ones into the new agency.

And if you think you only need to worry about your computers, phones, and TVs being full of Mama Gubmint's lackeys consider your car. It has its own ID and the roads are bristling with detectors too. License plate scanners, facial recognition, chem/radiation detectors, etc. 1984 has long been with us.

#### [Mar 10, 2017] When Whistleblowers Tell The Truth They're Traitors. When Government Lies It's Politics

##### "... Immediately after Wikileaks released thousands of documents revealing the extent of CIA surveillance and hacking practices, the government was calling for an investigation - not into why the CIA has amassed so much power, but rather, into who exposed their invasive policies. ..."
###### Mar 09, 2017 | www.zerohedge.com
Mar 9, 2017 6:05 PM Via Carey Wedler via TheAntiMedia.org,

Immediately after Wikileaks released thousands of documents revealing the extent of CIA surveillance and hacking practices, the government was calling for an investigation - not into why the CIA has amassed so much power, but rather, into who exposed their invasive policies.

"A federal criminal investigation is being opened into WikiLeaks' publication of documents detailing alleged CIA hacking operations," several US officials reportedly told CNN.

According to USA Today:

"The inquiry, the official said, will seek to determine whether the disclosure represented a breach from the outside or a leak from inside the organization. A separate review will attempt to assess the damage caused by such a disclosure, the official said."

Even Democratic representative Ted Lieu, who has been urging whistleblowers to come forward to expose wrongdoing within the Trump administration, has turned his focus away from what the documents exposed and toward determining how it could have possibly happened.

"I am deeply disturbed by the allegation that the CIA lost its arsenal of hacking tools," he said while calling for an investigation. "The ramifications could be devastating. I am calling for an immediate congressional investigation. We need to know if the CIA lost control of its hacking tools, who may have those tools, and how do we now protect the privacy of Americans."

According to Lieu's statements, the problem isn't necessarily that the CIA is spying on Americans and invading innocent people's technology without consent. It's that the CIA mishandled their spying tools, and in doing so, endangered Americans' privacy by exposing the tools to presumably 'bad actors.' The problem isn't the corrupt agency violating basic privacy rights, but that they weren't skillful enough to keep their corruption under wraps.

So goes the familiar whistleblower narrative in the United States. Whistleblowers step forward to expose wrongdoing on the part of government - something the government claims to support - and immediately, establishment institutions and the media bend the conversation away from the wrongdoing in order to focus on the unlawful release of secrets.

Putting aside the fact that, according to popular American mythology breaking the law is a patriotic duty, the government and politicians' reactions are both hypocritical and habitual.

When Chelsea Manning revealed damning evidence of U.S. war crimes in Iraq, including soldiers directly targeting Reuters news staff, the response was not to investigate who allowed those crimes (in fact, a later Pentagon manual went on to describe instances in which it's permissible to kill journalists; that version was later retracted after outcry from reporters). Rather, Manning was subject to a military tribunal and issued multiple life sentences, a cruel and unusual punishment reversed only in President Obama's last days in office amid his attempts to salvage his abysmal human rights, transparency, and whistleblower record.

When Edward Snowden revealed the extent of the NSA's warrantless mass surveillance of American citizens and millions of others around the world, the government's response was not to investigate why those programs existed in the first place. Rather, they thrashed and flailed around the world, ordering the plane of Bolivian President Evo Morales to be grounded in the hopes of catching the whistleblower. Congress later passed the deceptive "USA Freedom Act," which codified continued surveillance.

Edward Snowden remains in exile, and establishment politicians repeatedly call him a traitor for exposing the crimes of his government. Some, including Trump's CIA Director Mike Pompeo, have called for his execution. Mass surveillance continues, and the president himself is seeking to retain those powers as he condemns former President Obama for allegedly spying on him.

And so on and so forth. The same was true for John Kiriakou, Thomas Drake, William Binney, and Jeffrey Sterling. The government is exposed for wrongdoing, and rather than prove themselves to be representatives of the people by remedying those transgressions, they point fingers and divert, all the while refusing to relinquish the unjust power any given agency is exposed for having.

Many people are already aware that the government does little to actually serve them (Americans' trust in political leaders and government, in general, is abysmally low). Rather, government agents and agencies operate to advance and concentrate their own interests and power. This is why penalties against killing government employees are more stringent than killing civilians. It is why stealing from the government is perceived as more outrageous to the State than stealing from a civilian. The government considers "crimes" committed against itself to carry the utmost offense, yet often fails to deliver justice to the people who provide their financial foundation.

As a result, the State does not even try to show remorse for its volatile policies, even when they are exposed and splattered across social media for the world to see. Instead, with the help of corporate media, the debate is shifted to whether or not WikiLeaks is a criminal organization, or whether or not Edward Snowden is a traitor.

As White House Press Secretary Sean Spicer said of the leaks:

"This is the kind of disclosure that undermines our country, our security. This alleged leak should concern every American for its impact on national security. Anybody who leaks classified information will be held accountable to the maximum extent of the law."

Meanwhile, we're supposed to accept the government's investigation of itself, which (surprise!) usually finds little or no wrongdoing on their own behalf and often consolidates and extends the very same power whistleblowers exposed in the first place.

Yes. The truth is always treason in an empire of lies.

All by design motherfuckers.

indygo55 , Mar 9, 2017 6:23 PM

Binney said the NSA has everything. Every phone call, text, website visited, everything. The FISA court is theater. Window dressing. The FISA court allows prosecutors to recreate fake parallel sources to make it look like they got permission to create the illusion they didn't break the 4th amendment. THEY ALREADY BROKE THE 4TH AMENDMENT!!!

It's all theater. That's what Binney said. It was written here on ZH. These talking heads keep referring to warrants. They don't need a fucking warrant. They already have it. EVERYTHING.

Brazen Heist -> indygo55 , Mar 9, 2017 6:31 PM

In theory they could have A LOT of data with their backdoors and dragnets.

But in reality, they have finite manpower to sift through all that data, and make sense of it. The more of us that rebel, encrypt and become defiant, the more taxing it is on their resources.

Like I enjoy saying. They can have my data. But I'm going to make the fuckers work for it, and waste their finite resources in getting it.

Ms No -> Brazen Heist , Mar 9, 2017 6:43 PM

They might not need people to sift through some of the data. They could probably have a computer program sift through terms: guns, the Constitution, the Federal Reserve, Jews, drugs, gold... etc. Then you could be categorized as to whether or not you were a proper sheep or a target.

Brazen Heist -> Ms No , Mar 9, 2017 7:18 PM

You're probably right. The algos will be hard at work.

Thing is. I don't give a shit. I can already see the limits to their powers.

quax -> indygo55 , Mar 9, 2017 6:37 PM

And if you'd bother to add the amount of storage that'll require you'd know this is BS.

They may have the metadata on pretty much everything but not the actual transcripts.

DuneCreature -> quax , Mar 9, 2017 6:58 PM

Nonsense. ..... They have all the content that is meaningful to them and save EVERYTHING to parse through it. ....... Your mom's phone calls to the hairdresser timeout and get discarded after they sniff it good.

My guess is, anyone posting here at ZH gets their stuff tagged for archiving. ..... As do a bunch of other categories of 'interesting people'.

Live Hard, You Do The Math On What A Terabyte Will Store, Die Free

~ DC v5.0

IndyPat -> quax , Mar 9, 2017 7:02 PM

If you'd bother to read up on Binney, you'd know to not talk shit about that which you have no idea of.

Storage is dirt cheap.

Not that money is an issue. At all.

TeethVillage88s -> indygo55 , Mar 9, 2017 7:01 PM

***- Right to freedom from quartering of govt in our house without our consent (Americans don't want NSA, CIA, DHS, TSA, or border control inside our devices, smart phones, PDAs, PCs, TVs, Refrigerators) (And Trump E.O Today: Our Kids are Precious they have Cell Phones and Devices, this is Tyranny, Protect our kids from Pedos!!!)

E.O. Today, President Donald J. Trump, Please! - Call it the CIA, NSA, Govt in our Homes, Anti-Pedo Act

Chupacabra-322 -> indygo55 , Mar 9, 2017 7:06 PM

The "Spoofing" or Digital Finger Print & Parallel Construction tools that can be used against Governments, Individuals, enemies & adversaries are Chilling.

Effective immediately defund, Eliminate & Subpoena its Agents, Officials & Dept. Heads in regard to the Mass Surveillance, Global Espionage Spying network & monitoring of a President Elect by aforementioned Agencies & former President Obama, AG Lynch & DIA James Clapper.

The CIA can not only hack into anything -- they can download any "evidence" they want onto your phone or computer. Child pornography, national secrets, you name it. Then they can blackmail you, threatening prosecution for whatever crap they have planted, then "found" on your computer. They can also "spoof" the source of such downloads -- for instance, if they want to "prove" that something on your computer (or Donald Trump's computer) came from a "Russian source" -- they can spoof the IP address of a Russian source.

The take-away: no digital evidence the CIA or NSA produces on any subject whatsoever can be trusted. No digital evidence should be acceptable in any case where the government has an interest, because they have the complete ability to fabricate and implant any evidence on any iphone or computer. And worse: they have intentionally created these digital vulnerabilities and pushed them onto the whole world via Microsoft and Google. Government has long been at war with liberty, claiming that we need to give up liberty to be secure. Now we learn that they have been deliberately sabotaging our security, in order to augment their own power. Time to shut down the CIA and all the other spy agencies. They're not keeping us free OR secure, and they're doing it deliberately. Their main function nowadays seems to be lying us into wars against countries that never attacked us, and had no plans to do so.

TePikoElPozo , Mar 9, 2017 6:50 PM

"There are a few rules that I live by. Number 1: I don't believe anything that the government says"

-GEORGE CARLIN

#### [Mar 09, 2017] Gaius Publius: Explosive WikiLeaks Release Exposes Massive, Aggressive CIA Cyber Spying, Hacking Capability

##### "... "These CIA revelations in conjunction with those of the NSA paints a pretty dark future for privacy and freedom. Edward Snowden made us aware of the NSA's program XKEYSCORE and PRISM which are utilized to monitor and bulk collect information from virtually any electronic device on the planet and put it into a searchable database. Now Wikileaks has published what appears to be additional Big Brother techniques used by a competing agency. Say what you want about the method of discovery, but Pandora's box has been opened." ..."
###### Mar 09, 2017 | www.nakedcapitalism.com
March 9, 2017 by Yves Smith

Yves here. The first release of the Wikileaks Vault 7 trove has curiously gone from being a MSM lead story yesterday to a handwave today. On the one hand, anyone who was half awake during the Edward Snowden revelations knows that the NSA is in full spectrum surveillance and data storage mode, and members of the Five Eyes back-scratch each other to evade pesky domestic curbs on snooping. So the idea that the CIA (and presumably the NSA) found a way to circumvent encryption tools on smartphones, or are trying to figure out how to control cars remotely, should hardly come as a surprise.

However, at a minimum, reminding the generally complacent public that they are being spied on any time they use the Web, and increasingly the times in between, makes the officialdom Not Happy.

And if this Wikileaks claim is even halfway true, its Vault 7 publication is a big deal:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

This is an indictment of the model of having the intelligence services rely heavily on outside contractors. It is far more difficult to control information when you have multiple organizations involved. In addition, neoliberalism posits that workers are free agents who have no loyalties save to their own bottom lines (or for oddballs, their own sense of ethics). Let us not forget that Snowden planned his career job moves, which included a stint at NSA contractor Dell, before executing his information haul at a Booz Allen site that he had targeted.

Admittedly, there are no doubt many individuals who are very dedicated to the agencies for which they work and aspire to spend most if not all of their working lives there. But I would assume that they are a minority.

The reason outsiders can attempt to pooh-pooh the Wikileaks release is that the organization redacted sensitive information like the names of targets and attack machines. The CIA staffers who have access to the full versions of these documents as well as other major components in the hacking toolkit will be the ones who can judge how large and serious the breach really is. 1 And their incentives are to minimize it no matter what.

By Gaius Publius, a professional writer living on the West Coast of the United States and frequent contributor to DownWithTyranny, digby, Truthout, and Naked Capitalism. Follow him on Twitter @Gaius_Publius, Tumblr and Facebook. GP article archive here. Originally published at DownWithTyranny

CIA org chart from the WikiLeaks cache. "The organizational chart corresponds to the material published by WikiLeaks so far. Since the organizational structure of the CIA below the level of Directorates is not public, the placement of the EDG [Engineering Development Group] and its branches is reconstructed from information contained in the documents released so far. It is intended to be used as a rough outline of the internal organization; please be aware that the reconstructed org chart is incomplete and that internal reorganizations occur frequently."

* * *

"O brave new world, that has such people in it."

Bottom line first. As you read what's below, consider:

- That the CIA is capable of doing all of the things described, and has been for years, is not in doubt.
- That unnameable many others have stolen ("exfiltrated") these tools and capabilities is, according to the Wikileaks leaker, also certain. Consider this an especially dangerous form of proliferation, with cyber warfare tools in the hands of anyone with money and intent. As WikiLeaks notes, "Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike."
- That the CIA is itself using these tools, and if so, to what degree, are the only unknowns. But can anyone doubt, in this aggressively militarized environment, that only the degree of use is in question?

Now the story.

WikiLeaks just dropped a huge cache of documents (the first of several promised releases), leaked from a person or people associated with the CIA in one or more capacities (examples, employee, contractor), which shows an agency out-of-control in its spying and hacking overreach. Read through to the end. If you're like me, you'll be stunned, not just about what they can do, but that they would want to do it, in some cases in direct violation of President Obama's orders. This story is bigger than anything you can imagine.

Consider this piece just an introduction, to make sure the story stays on your radar as it unfolds - and to help you identify those media figures who will try to minimize or bury it. (Unless I missed it, on MSNBC last night, for example, the first mention of this story was not Chris Hayes, not Maddow, but the Lawrence O'Donnell show, and then only to support his guest's "Russia gave us Trump" narrative. If anything, this leak suggests a much muddier picture, which I'll explore in a later piece.)

So I'll start with just a taste, a few of its many revelations, to give you, without too much time spent, the scope of the problem. Then I'll add some longer bullet-point detail, to indicate just how much of American life this revelation touches.

While the cache of documents has been vetted and redacted, it hasn't been fully explored for implications. I'll follow this story as bits and pieces are added from the crowd-sourced research done on the cache of information. If you wish to play along at home, the WikiLeaks torrent file is here. The torrent's passphrase is here. WikiLeaks press release is here (also reproduced below). Their FAQ is here.

Note that this release covers the years 2013–2016. As WikiLeaks says in its FAQ, "The series is the largest intelligence publication in history."

Preface - Trump and Our "Brave New World"

But first, this preface, consisting of one idea only. Donald Trump is deep in the world of spooks now, the world of spies, agents and operatives. He and his inner circle have a nest of friends, but an even larger, more varied nest of enemies. As John Sevigny writes below, his enemies include not only the intel and counter-intel people, but also "Republican lawmakers, journalists, the Clintons, the Bush family, Barack Obama, the ACLU, every living Democrat and even Rand Paul." Plus Vladimir Putin, whose relationship with Trump is just "business," an alliance of convenience, if you will.

I have zero sympathy for Donald Trump. But his world is now our world, and with both of his feet firmly planted in spook world, ours are too. He's in it to his neck, in fact, and what happens in that world will affect every one of us. He's so impossibly erratic, so impossibly unfit for his office, that everyone on the list above wants to remove him. Many of them are allied, but if they are, it's also only for convenience.

How do spooks remove the inconvenient and unfit? I leave that to your imagination; they have their ways. Whatever method they choose, however, it must be one without fingerprints - or more accurately, without their fingerprints - on it.

Which suggests two more questions. One, who will help them do it, take him down? Clearly, anyone and everyone on the list. Second, how do you bring down the president, using extra-electoral, extra-constitutional means, without bringing down the Republic? I have no answer for that.

Here's a brief look at "spook world" (my phrase, not the author's) from " The Fox Hunt " by John Sevigny:

Several times in my life – as a journalist and rambling, independent photographer - I've ended up rubbing shoulders with spooks. Long before that was a racist term, it was a catch-all to describe intelligence community people, counter intel types, and everyone working for or against them. I don't have any special insight into the current situation with Donald Trump and his battle with the IC as the intelligence community calls itself, but I can offer a few first hand observations about the labyrinth of shadows, light, reflections, paranoia, perceptions and misperceptions through which he finds himself wandering, blindly. More baffling and scary is the thought he may have no idea his ankles are already bound together in a cluster of quadruple gordian knots, the likes of which very few people ever escape.

Criminal underworlds, of which the Trump administration is just one, are terrifying and confusing places. They become far more complicated once they've been penetrated by authorities and faux-authorities who often represent competing interests, but are nearly always in it for themselves.

One big complication - and I've written about this before - is that you never know who's working for whom . Another problem is that the hierarchy of handlers, informants, assets and sources is never defined. People who believe, for example, they are CIA assets are really just being used by people who are perhaps not in the CIA at all but depend on controlling the dupe in question. It is very simple - and I have seen this happen - for the subject of an international investigation to claim that he is part of that operation. [emphasis added]

Which leads Sevigny to this observation about Trump, which I partially quoted above: "Donald Trump may be crazy, stupid, evil or all three but he knows the knives are being sharpened and there are now too many blades for him to count. The intel people are against him, as are the counter intel people. His phone conversations were almost certainly recorded by one organization or another, legal or quasi legal. His enemies include Republican lawmakers, journalists, the Clintons, the Bush family, Barack Obama, the ACLU, every living Democrat and even Rand Paul. Putin is not on his side - that's a business matter and not an alliance."

Again, this is not to defend Trump, or even to generate sympathy for him - I personally have none. It's to characterize where he is, and we are, at in this pivotal moment. Pivotal not for what they're doing, the broad intelligence community. But pivotal for what we're finding out, the extent and blatancy of the violations.

All of this creates an incredibly complex story, with only a tenth or less being covered by anything like the mainstream press. For example, the Trump-Putin tale is much more likely to be part of a much broader "international mobster" story, whose participants include not only Trump and Putin, but Wall Street (think HSBC) and major international banks, sovereign wealth funds, major hedge funds, venture capital (vulture capital) firms, international drug and other trafficking cartels, corrupt dictators and presidents around the world and much of the highest reaches of the "Davos crowd."

Much of the highest reaches of the .01 percent, in other words, all served, supported and "curated" by the various, often competing elements of the first-world military and intelligence communities. What a stew of competing and aligned interests, of marriages and divorces of convenience, all for the common currencies of money and power, all of them dealing in death .

What this new WikiLeaks revelation shows us is what just one arm of that community, the CIA, has been up to. Again, the breadth of the spying and hacking capability is beyond imagination. This is where we've come to as a nation.

What the CIA Is Up To - A Brief Sample

Now about those CIA spooks and their surprising capabilities. A number of other outlets have written up the story, but this from Zero Hedge has managed to capture the essence as well as the breadth in not too many words (emphasis mine throughout):

WikiLeaks has published what it claims is the largest ever release of confidential documents on the CIA. It includes more than 8,000 documents as part of 'Vault 7', a series of leaks on the agency, which have allegedly emerged from the CIA's Center For Cyber Intelligence in Langley , and which can be seen on the org chart below, which Wikileaks also released : [org chart reproduced above]

A total of 8,761 documents have been published as part of 'Year Zero', the first in a series of leaks the whistleblower organization has dubbed 'Vault 7.' WikiLeaks said that 'Year Zero' revealed details of the CIA's "global covert hacking program," including "weaponized exploits" used against company products including " Apple's iPhone , Google's Android and Microsoft's Windows and even Samsung TVs , which are turned into covert microphones."

WikiLeaks tweeted the leak, which it claims came from a network inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

Among the more notable disclosures which, if confirmed, " would rock the technology world ", the CIA had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect "audio and message traffic before encryption is applied."

With respect to hacked devices like your smart phone, smart TV and computer, consider the concept of putting these devices in "fake-off" mode:

Among the various techniques profiled by WikiLeaks is "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs , transforming them into covert microphones. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As Kim Dotcom chimed in on Twitter, "CIA turns Smart TVs, iPhones, gaming consoles and many other consumer gadgets into open microphones" and added "CIA turned every Microsoft Windows PC in the world into spyware. Can activate backdoors on demand, including via Windows update "[.]

Do you still trust Windows Update?

About "Russia did it"

Adding to the "Russia did it" story, note this:

Another profound revelation is that the CIA can engage in "false flag" cyberattacks which portray Russia as the assailant . Discussing the CIA's Remote Devices Branch's UMBRAGE group, Wikileaks' source notes that it "collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.["]

As Kim Dotcom summarizes this finding, " CIA uses techniques to make cyber attacks look like they originated from enemy state ."

This doesn't prove that Russia didn't do it ("it" meaning actually hacking the presidency for Trump, as opposed to providing much influence in that direction), but again, we're in spook world, with all the phrase implies. The CIA can clearly put anyone's fingerprints on any weapon they wish, and I can't imagine they're alone in that capability.

Hacking Presidential Devices?

If I were a president, I'd be concerned about this, from the WikiLeaks " Analysis " portion of the Press Release (emphasis added):

"Year Zero" documents show that the CIA breached the Obama administration's commitments [that the intelligence community would reveal to device manufacturers whatever vulnerabilities it discovered]. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive [across devices and device types] and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in "Year Zero" [that it] is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA[,] but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

Does or did the CIA do this (hack presidential devices), or is it just capable of it? The second paragraph implies the latter. That's a discussion for another day, but I can say now that both Lawrence Wilkerson, aide to Colin Powell and a non-partisan (though an admitted Republican) expert in these matters, and William Binney, one of the triumvirate of major pre-Snowden leakers, think emphatically yes. (See Wilkerson's comments here . See Binney's comments here .)

Whether or not you believe Wilkerson and Binney, do you doubt that if our intelligence people can do something, they would balk at the deed itself, in this world of "collect it all"? If nothing else, imagine the power this kind of bugging would confer on those who do it.

The Breadth of the CIA Cyber-Hacking Scheme

But there is so much more in this Wikileaks release than suggested by the brief summary above. Here's a bullet-point overview of what we've learned so far, again via Zero Hedge:

Key Highlights from the Vault 7 release so far:

- "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
- Wikileaks claims that the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
- By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook.
- The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
- Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Also this scary possibility:

- As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks.
- The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

Journalist Michael Hastings, who in 2010 destroyed the career of General Stanley McChrystal and was hated by the military for it, was killed in 2013 in an inexplicably out-of-control car. This isn't to suggest the CIA, specifically, caused his death. It's to ask: if these capabilities existed in 2013, what would prevent their use by elements of the military, which is, after all, a death-delivery organization?

And lest you consider this last speculation just crazy talk, Richard Clarke (that Richard Clarke) agrees: "Richard Clarke, the counterterrorism chief under both Bill Clinton and George W. Bush, told the Huffington Post that Hastings's crash looked consistent with a car cyber attack." Full and fascinating article here.

WikiLeaks Press Release

Here's what WikiLeaks itself says about this first document cache (again, emphasis mine):

Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force - its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public , including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor stated that "There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in "Year Zero" for in depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Be sure to click through for the Analysis, Examples and FAQ sections as well.

"O brave new world," someone once wrote . Indeed. Brave new world, that only the brave can live in.

____

1 Mind you, the leakers may have had a comprehensive enough view to be making an accurate call. But the real point is there are no actors who will be allowed to make an independent assessment.

This entry was posted in Banana republic, Guest Post, Legal, Politics, Surveillance state, Technology and innovation on March 9, 2017 by Yves Smith.

Code Name D , March 9, 2017 at 2:38 am

Senator John McCain passed documents to the FBI director, James Comey, last month alleging secret contacts between the Trump campaign and Moscow and that Russian intelligence had personally compromising material on the president-elect himself.

The material, which has been seen by the Guardian, is a series of reports on Trump's relationship with Moscow. They were drawn up by a former western counter-intelligence official, now working as a private consultant. BuzzFeed on Tuesday published the documents, which it said were "unverified and potentially unverifiable".

The Guardian has not been able to confirm the veracity of the documents' contents,

Emphases mine. I had been sitting on this link trying to make sense of this part. Clearly, the Trump White House has some major leaks, which the MSM is exploiting. But the start of this article suggests that para-intelligence (is that a word? Eh, it is now) was the source of the allegedly damaging info.

This is no longer about the deep state, but a rogue state, possibly guns for hire, each having fealty to specific political interests. The CIA arsenal wasn't leaked. It was delivered.

salvo , March 9, 2017 at 3:13 am

hmm.. as far as I can see, no one seems to care here in Germany anymore about being spied on by our US friends, apart from a few alternative sources which are being accused of spreading fake news, of being anti-American, Russian trolls; the matter is widely ignored

visitor , March 9, 2017 at 3:40 am

I have read a few articles about the Vault 7 leak that typically raise a few alarms I would like to comment on.

1) The fact that the

CIA had managed to bypass encryption on popular phone and messaging services

does not mean that it has broken encryption, just that it has a way to install a program at a lower level, close to the operating system, that will read messages before they are encrypted and sent by the messaging app, or just after they have been decrypted by it.

As a side note: banks have now largely introduced two-factor authentication when accessing online services. One enters username (or account number) and password; the bank site returns a code; the user must then enter this code into a smartphone app or a tiny specialized device, which computes and returns a value out of it; the user enters this last value into the entry form as a throw-away additional password, and gains access to the bank website.

I have always refused to use such methods on a smartphone and insist on getting the specialized "single-use password computer", precisely because the smartphone platform can be subverted.

2) The fact that

"Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), [...] infests smart TVs, transforming them into covert microphones.

is possible largely because smart TVs are designed by their manufacturers to serve as spying devices. "Weeping Angel" is not some kind of virus that turns normal devices into zombies, but a tool to take control of existing zombie devices.

The fact that smart TVs from Vizio , Samsung or LG constitute an outrageous intrusion into the privacy of their owners has been a known topic for years already.

3) The

CIA [...] also looking at infecting the vehicle control systems used by modern cars and trucks

is not a "scary possibility" either; various demonstrations of such feats on Tesla , Nissan , or Chrysler vehicles have been demonstrated in the past few years.

And the consequences have already been suggested (killing people by disabling their car controls on the highway for instance).

My take on this is that we should seriously look askance not just at the shenanigans of the CIA, but at the entire "innovative technology" that is imposed upon (computerized cars) or joyfully adopted by (smartphones) consumers. Of course, most NC readers are aware of the pitfalls already, but alas not the majority of the population.

4) Finally this:

He's so impossibly erratic, so impossibly unfit for his office,

Trump is arguably unfit for office, does not have a clue about many things (such as foreign relations), but by taxing him of being "erratic" Gaius Publius shows that he still does not "get" the Donald.

Trump has a completely different modus operandi than career politicians, formed by his experience as a real-estate mogul and media star. His world has been one where one makes outrageous offers to try anchoring the negotiation before reducing one's claims - even significantly, or abruptly exiting just before an agreement to strike a deal with another party that has been lured to concessions through negotiations with the first one. NC once included a video of Trump doing an interactive A/B testing of his slogans during a campaign meeting; while changing one's slogans on the spot might seem "erratic", it is actually a very systematic market probing technique.

So stop asserting that Trump is "unpredictable" or "irrational"; this is underestimating him (a dangerous fault), as he is very consistent, though in an uncommon fashion amongst political pundits.
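The bank login flow described in point 1 above (site returns a code, a non-connected token computes a value from it, the user types that value back) as an added example, not code from the comment or from any bank: both sides of the exchange in Python, with the token's computation kept in a separate function to show that the shared secret never has to live on the phone or PC. The HMAC-plus-dynamic-truncation scheme is an assumption borrowed from RFC 4226 (HOTP), applied to a challenge instead of a counter, and the account name, secret and timeouts are constructed values.

```python
"""Challenge-response one-time password between a bank site and a dedicated,
non-connected token.  Assumed scheme (not any real bank's protocol):
    response = DynamicTruncate(HMAC-SHA256(shared_secret, challenge))
The shared secret is provisioned into the token at enrolment; the phone or PC
that is typing the response into the web form never holds it, which is the
point the comment above makes about subverted smartphone platforms."""
import hashlib
import hmac
import secrets
import time

DIGITS = 8          # constructed: length of the code the user types back
CHALLENGE_TTL = 60  # constructed: seconds a challenge stays valid


def dynamic_truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 section 5.3 truncation: pick a 4-byte window from the MAC,
    clear the top bit, reduce modulo 10**digits and zero-pad."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def token_response(shared_secret: bytes, challenge: str) -> str:
    """What the dedicated device computes when the user keys in the challenge.
    Nothing here touches the network; the only inputs are the secret stored
    in the device and the digits the user typed."""
    mac = hmac.new(shared_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return dynamic_truncate(mac)


class BankServer:
    """Server side: issues a fresh challenge per login attempt and verifies
    the response exactly once."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}                 # account -> shared secret
        self._pending: dict[str, tuple[str, float]] = {}     # account -> (challenge, expiry)

    def enrol(self, account: str, shared_secret: bytes) -> None:
        self._secrets[account] = shared_secret

    def issue_challenge(self, account: str) -> str:
        """Called after username/password succeed; returns the code the site
        shows to the user.  A new challenge replaces any unanswered one."""
        challenge = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self._pending[account] = (challenge, time.monotonic() + CHALLENGE_TTL)
        return challenge

    def verify(self, account: str, response: str) -> bool:
        """Accept the response only if a challenge is outstanding, unexpired,
        and the response matches.  The challenge is consumed whether or not
        the check succeeds, so a captured response cannot be replayed."""
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        challenge, expiry = entry
        if time.monotonic() > expiry:
            return False
        expected = token_response(self._secrets[account], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    bank = BankServer()
    secret = secrets.token_bytes(32)      # constructed: provisioned at enrolment
    bank.enrol("alice", secret)
    code = bank.issue_challenge("alice")  # shown on the web page
    otp = token_response(secret, code)    # computed on the separate device
    print("login accepted:", bank.verify("alice", otp))
    print("replay accepted:", bank.verify("alice", otp))
```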

Yves Smith Post author , March 9, 2017 at 5:53 am

While I agree that it's worth pointing out that the CIA has not broken any of the major encryption tools, even Snowden regards being able to circumvent them as worse, since people using encryption are presumably those who feel particularly at risk and will get a false sense of security and say things or keep data on their devices that they never never would if they thought they were insecure.

Re Gaius on Trump, I agree the lady doth protest too much. But I said repeatedly that Trump would not want to be President if he understood the job. It is not like being the CEO of a private company. Trump has vastly more control over his smaller terrain in his past life than he does as President.

And Trump is no longer campaigning. No more a/b testing.

The fact is that he still does not have effective control of the Executive branch. He has lots of open positions in the political appointee slots (largely due to not having even submitted candidates!) plus has rebellion in some organizations (like folks in the EPA storing data outside the agency to prevent its destruction).

You cannot pretend that Trump's former MO is working at all well for him. And he isn't showing an ability to adapt or learn (not surprising at his age). For instance, he should have figured out by now that DC is run by lawyers, yet his team has hardly any on it. This is continuing to be a source of major self inflicted wounds.

His erraticness may be keeping his opponents off base, but it is also keeping him from advancing any of his goals.

visitor , March 9, 2017 at 6:59 am

I believe we are in agreement.

Yes, not breaking encryption is devious, as it gives a false sense of security - this is precisely why I refuse to use those supposedly secure e-banking login apps on smartphones whose system software can be subverted, and prefer those non-connected, non-reprogrammable, special-purpose password generating devices.

As for Trump being incompetent for his job, and his skills in wheeling-dealing not carrying over usefully to conducting high political offices, that much is clear. But he is not "erratic", rather he is out of place and out of his depth.

RBHoughton , March 9, 2017 at 9:00 pm

I am writing this in the shower with a paper bag over my head and my iPhone in the microwave.

I have for years had a password-protected document on computer with all my important numbers and passwords. I have today deleted that document and reverted to a paper record.

Ivy , March 9, 2017 at 10:09 am

Please tell readers more about the following for our benefit:

"single-use password computer"

visitor , March 9, 2017 at 11:34 am

That is an example of the sort of thing I am talking about.

PhilM , March 9, 2017 at 11:35 am

I think he means a machine dedicated to high-security operations like anything financial or bill-pay. Something that is not exposed to email or web-browsing operations that happen on a casual-use computer that can easily be compromised. That's not a bad way to go; it's cheaper in terms of time than the labor-intensive approaches I use, but those are a hobby more than anything else. It depends on how much you have at stake if they get your bank account or brokerage service password.

I take a few basic security measures, which would not impress the IT crowd I hang out with elsewhere, but at least would not make me a laughingstock. I run Linux and use only open-source software; run ad-blockers and script blockers; confine risky operations, which means any non-corporate or non-mainstream website to a virtual machine that is reset after each use; use separate browsers with different cookie storage policies and different accounts for different purposes. I keep a well-maintained pfSense router with a proxy server and an intrusion detection system, allowing me to segregate my secure network, home servers, guest networks, audiovisual streaming and entertainment devices, and IoT devices each on their own VLANs with appropriate ACLs between them. No device on the more-secured network is allowed out to any port without permission, and similar rules are there for the IoT devices, and the VoIP tools.
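The segmentation PhilM describes (separate VLANs with a default-deny policy and a short allow list between them) can be modelled as a first-match rule set. The following is an added example, not code from the commenter or from pfSense; the zone names, ports and sample flows are constructed assumptions for illustration.

```python
# Added example: first-match, default-deny inter-VLAN policy with the zones
# described in the comment. Zones, ports and flows are constructed assumptions.
from dataclasses import dataclass

ZONES = {"secure", "servers", "guest", "av", "iot", "voip", "wan"}


@dataclass(frozen=True)
class Rule:
    src: str          # source zone or "*" for any
    dst: str          # destination zone or "*" for any
    proto: str        # "tcp", "udp" or "*"
    ports: frozenset  # allowed destination ports; empty means any port
    action: str       # "pass" or "block"


# Explicit allow list; anything not matched falls through to the final block.
POLICY = [
    Rule("secure", "wan", "tcp", frozenset({443, 22}), "pass"),    # banking, ssh
    Rule("secure", "servers", "tcp", frozenset({22, 445}), "pass"),
    Rule("iot", "wan", "tcp", frozenset({443}), "pass"),           # vendor cloud only
    Rule("iot", "*", "*", frozenset(), "block"),                   # IoT never reaches the LAN
    Rule("voip", "wan", "udp", frozenset({5060}), "pass"),
    Rule("av", "wan", "tcp", frozenset({443}), "pass"),
    Rule("guest", "wan", "*", frozenset(), "pass"),
    Rule("*", "*", "*", frozenset(), "block"),                     # default deny
]


def decide(src, dst, proto, port):
    """Return (action, rule_index) for the first rule matching the flow."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    for i, r in enumerate(POLICY):
        if r.src not in ("*", src) or r.dst not in ("*", dst):
            continue
        if r.proto not in ("*", proto):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action, i
    return "block", len(POLICY)  # unreachable with the catch-all; kept as a guard


def audit(flows):
    """Return the flows that were blocked, the events an IDS or firewall log would show."""
    return [f for f in flows if decide(*f)[0] == "block"]


# Constructed flows: a camera probing the secure LAN, a laptop doing its banking,
# a thermostat phoning home, a guest trying SMB on the home servers, a VoIP register.
SAMPLE_FLOWS = [("iot", "secure", "tcp", 22), ("secure", "wan", "tcp", 443),
                ("iot", "wan", "tcp", 443), ("guest", "servers", "tcp", 445),
                ("voip", "wan", "udp", 5060)]
```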

#### [Dec 26, 2016] International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains

###### Dec 26, 2016 | it.slashdot.org (arstechnica.com)

Posted by BeauHD on Thursday December 01, 2016 @10:30PM from the largest-ever dept.

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked."

Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

#### [Dec 26, 2016] Watchdog Group Claims Smart Toys Are Spying On Kids

###### Dec 26, 2016 | yro.slashdot.org (mashable.com)

Posted by BeauHD on Thursday December 08, 2016 @07:05PM from the always-listening dept.

The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in a conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways. Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information.

The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.

#### [Dec 26, 2016] Ransomware Compromises San Francisco's Mass Transit System

###### Dec 26, 2016 | news.slashdot.org (cbslocal.com)

Posted by EditorDavid on Sunday November 27, 2016 @01:34PM

Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC :

Inside sources say the system has been hacked for days . The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems.
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."

One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."

#### [Dec 26, 2016] Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016

###### Dec 26, 2016 | it.slashdot.org (onthewire.io)

Posted by BeauHD on Wednesday December 07, 2016 @09:05PM from the majority-rules dept.

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most-frequently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed in October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.

#### [Nov 24, 2016] Dutch media company VPRO and Amsterdam based interactive design company Studio Moniker have created the site to remind online users about the big data and privacy

###### Nov 24, 2016 | yro.slashdot.org (news.com.au)

Posted by BeauHD on Tuesday November 22, 2016 @05:00AM from the creepy-websites dept.

mi writes:

The site called ClickClickClick annotates your every move on its one and only page. Turn on the sound to listen to verbal annotations in addition to reading them. The same is possible for, and therefore done by, the regular sites as they attempt to study visitors looking for various trends -- the better to gauge our opinions and sell us things. While not a surprise to regular Slashdotters, it is certainly a good illustration...

Dutch media company VPRO and Amsterdam-based interactive design company Studio Moniker have created the site to remind online users about the "serious themes of big data and privacy." Studio Moniker designer Roel Wouters said, "It seemed fun to thematize this in a simple and lighthearted way."

#### [Oct 22, 2016] Botnets can use internet-enabled devices other than PCs, tablets and phones

###### Oct 22, 2016 | www.nakedcapitalism.com

Not mentioned in the News of the Wired snips: the Dyn DDOS was the latest using a megascale IOT botnet. Coming soon to a Smart Toaster|Thermostat|Fridge|WasherDryer|EggTimer|PencilSharpener|Dishwasher|GarbageCompacter|BabyMonitor near you!

hunkerdown October 21, 2016 at 7:36 pm

I suspect various enforcement agencies are using those cameras for something else, like mass video surveillance, and having just lost a lot of TLS vulnerabilities, are motivated to keep their sources' name out of the news (as befits TS/SI NOFORN projects), though steering the industry's and the commercial market economy's Confidence Fairy out of an imminent uncontrolled landing would suffice to explain the quiet.

OpenThePodBayDoorsHAL October 21, 2016 at 7:38 pm

For people who understand what that means it is mind-blowing, the processors in your parking garage gate or your nursery's NannyCam being used in a giant global concerto of digital disruption. Smells like the NSA in a desperate attempt to disrupt the flows from Wiki, they already gave