What I find sort of (a little) comforting is that the NSA seems to be relying on zero days. All these leaks have not really revealed any structural backdoor in any of the major operating systems.
That's my feeling too. Likewise for hardware backdoors. Yes: it's certainly possible that these things exist. But if they do they're exotic and closely held. They aren't part of the routine hacking toolkits in use in the intelligence community. Routine surveillance happens via routine means that we've already baked into threat models.
In this case, it seems (though I can't find confirmation) like standard firewalling of SMB (what you get if you click the "untrusted network" category on connecting to the cafe wifi or whatever) would be enough to protect a user.
It could be necessary for NSA to rely on zero days or implanted bugs. Any entry point must be possible to close quickly, as soon as the enemy discovers it. Creating what you call structural back doors would make it possible for the enemy to use the same structural back door.
Along these lines, I would expect the NSA to encourage the use of cryptography and encrypted software/Secure Boot/secure communications while they ensure the NSA has a set of extra keys and can sign software at will.
Public key crypto can be broken if the certificate isn't securely pinned on the client. In other words, the adversary could insert their own cert and replicate the exploit.
Most seasoned security folks know that the way to backdoor something is to leave an innocent bug in it. Plausible deniability, impossible to prove it was a backdoor because it looks just like any other exploitable bug.
Not that I'm suggesting that the NSA did leave these as backdoors. I don't believe that to be the case. But if you want one, that is how you do it.
If you ever find a blatant backdoor in some software, you're either dealing with an amateur, or someone who wanted to be found in order to send a message/misdirect you.
They did have a backdoor in the Dual_EC_DRBG PRNG algorithm that was widely used. It's not a major operating system, but it was used in a lot of products.
A backdoor is far too obvious for widespread use, which is needed anyway. The NSA (and FVEY in general) instead spends a lot of money on programs like BULLRUN (Edgehill at GCHQ) that try to bypass the need for backdoors and weaken encryption. PSYOPS for nerds[1] is much cheaper and easier than direct backdoors or other technical methods.
Instead of a backdoor we have IPsec standards that are overly complicated, hard to implement, and mandated "null" encryption support[2]. Most communication channels remain in plaintext or encrypted with keys that are recoverable, too short, or easily MitMed.
1. I imagine they'd be more or less the same thing. Any mandated/deliberate backdoor is probably going to look very similar to an accidental bug - it lets you deny it exists, gives a valid explanation for if/when it is found, and potentially lets an NSA/software company "double-employee" add it without the company knowing.
2. It'd probably be a method of last resort, so the NSA et al. would gather and use zero days anyway. Any use of the backdoor risks it being noticed, so using other entry points makes sense if possible.
A less comforting interpretation would be that relying on zero days suggests they are confident in their ongoing ability to find them and/or have a sizeable cache of unknown exploits already, so adding a deliberate backdoor wouldn't provide any additional access.
> lets an NSA/software company "double-employee" add it without the company knowing.
I always wondered how that works. I am a full time employee at a software company. Cannot imagine having extra time to report to another employer (NSA) and deal with their red tape and crap as well.
Or does NSA show up at their doorstep with a bag full of cash - "Here you go, have this, and install a backdoor in your company's software. And we never met <wink>, <wink>"
That sounds good on paper so to speak, I just have a hard time imagining a realistic scenario.
Now finding 0-days and hoarding them, I can see that.
You assume the mole is an MS employee first and an NSA op second. Traditionally, the opposite is true: if you want to infiltrate a somewhat friendly entity, you do it by engineering the hire of trusted individuals. This is more secure, since there is no risk that one of the guys will get cold feet and blow the whistle.
So you monitor universities and you make contact with some of the brightest sparks. You promise them a good job in exchange for the possibility that, one day, they might have to act For The Good of The Country; and in the meantime they'll even be In The Know, which will place them above their peers - excitement! Ambition! Then you lobby a few higher-ups you're friends with, to hire these guys in this or that group. They are top-notch talent, immaculate credentials, so the hire is a slam dunk. They go about their business, being good kernel devs or whatnot, and every few months you give them a quick call to catch up - there is no need for extensive briefing, nobody really cares about the goings-on of Team Kernel A356. When "the favour" is required, the guy is comfortable in his position and doesn't want to leave it, so there is no chance he'll say no.
Looking at this list it seems to affect mostly older versions of Windows servers and servers with SMB running. I'd say it would mostly be a problem on intranets rather than on Windows-based web servers.
Which is going to be Domain Controllers, the most highly privileged servers on most corporate networks. And accessible to the "entire" network too. Group Policy is distributed through SMB shares.
I really regret reading some of the replies to those tweets. There's something I need to know: the people going on about Snowden being a traitor, helping 'the Russians' etc... On the 'average American' to 'village idiot' scale, which end are these people closer to?
This is not a rhetorical question btw. I just want to get some insight into what the 'average American' thinks about Snowden.
I've been following this closely over the last couple of hours on Twitter as the news broke. What does it mean in practice?
From what I have read one of the vulnerabilities seems to be a 0day targeting SMB on Windows. One commentator suggested it's enabled by default on the majority of Windows machines (of that I am sceptical). Presumably most people are behind a router which would stop this in its tracks?
A lot of people (who I would probably take seriously) suggest disconnecting Windows machines from the internet for the time being. Is it really this bad? Are there millions of Windows (home-)users who are vulnerable (by default) today?
> Presumably most people are behind a router which would stop this in its tracks?
Trouble is there are millions of IoT devices with terrible security, some of which are already owned and inside the network. They could be used as a delivery tool to attack multiple machines inside of a network.
I'm not sure how many folks connect directly to the internet anymore. Hopefully not many.
> one of the vulnerabilities seems to be a 0day targeting SMB on Windows.
If your computer's network profile is set to Public, it will be firewalled off. In other cases YMMV.
On corporate networks, AD Domain Controllers are (usually) the most highly privileged servers on the network and they will always have SMB enabled and accessible to the entire domain network because Group Policy relies on SMB shares. Compromise the Domain Controllers and you own the entire (Windows) network because they can administer everything.
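An added defender-side check for the point above, not code from anyone in this thread: a read-only PowerShell audit of whether a Windows host's active network profile leaves SMB reachable inbound. It assumes the NetConnection, NetSecurity and SmbShare cmdlets shipped with Windows 8 / Server 2012 and later, run from an elevated prompt.

```powershell
# Added example, not from any poster in this thread: a read-only audit of whether
# this Windows host exposes SMB (TCP 139/445) on its active network profile.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.

# 1. Active profile(s). "Public" is the category the comment above refers to.
$profiles = Get-NetConnectionProfile

# 2. Is anything listening on the SMB ports at all?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }

# 3. Enabled inbound firewall rules whose port filter covers 139 or 445.
$smbRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { (@($_.LocalPort) -contains '445') -or (@($_.LocalPort) -contains '139') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# 4. Is the legacy SMBv1 dialect still enabled server-side?
$smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol

# 5. Per profile: an enabled Allow rule scoped to that profile (or Any) plus a
#    listener means SMB is reachable from that network. Caveat: Block rules and
#    RemoteAddress scoping (e.g. LocalSubnet) are not evaluated here; treat a
#    warning as a lead to confirm with Get-NetFirewallAddressFilter.
foreach ($p in $profiles) {
    # NetConnectionProfile reports "DomainAuthenticated"; firewall rules say "Domain".
    $cat = if ($p.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$p.NetworkCategory }
    $allow = $smbRules | Where-Object {
        $_.Action -eq 'Allow' -and ($_.Profile -eq 'Any' -or ([string]$_.Profile) -match $cat)
    }
    if ($listeners -and $allow) {
        Write-Warning ("SMB reachable inbound on '{0}' ({1}) via: {2}" -f `
            $p.InterfaceAlias, $cat, (($allow.DisplayName | Sort-Object -Unique) -join ', '))
    } else {
        Write-Host ("SMB not reachable inbound on '{0}' ({1})" -f $p.InterfaceAlias, $cat)
    }
}
if ($smb1) {
    Write-Warning 'SMBv1 is enabled; Set-SmbServerConfiguration -EnableSMB1Protocol $false turns it off.'
}
```

A warning for a Public profile is the case the comment describes as firewalled off by default, so it indicates a rule someone or some installer has added.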
Yes, but most NAT routers consumers use act as a firewall too (i.e. they block ingress traffic that is not related to a connection that was initiated from inside).
This entire article is a gross mischaracterisation of the facts and risks.
The only major zero days released for Windows in this bundle targeted SMB (SMBv1, SMBv2, & SMBv3). By default Windows firewalls SMB and has since Windows XP SP2. Many home and business users then typically have a NAT between the Windows Firewall and the internet, offering a second layer of protection.
Few companies intentionally expose SMB to the internet. Generally users are required to VPN in before then being able to contact an SMB endpoint.
The type of language in this article is designed to mislead non-technical readers into believing they're at risk e.g.:
> The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.
So either the article author lacks the technical literacy to understand why this is untrue, or they know it to be untrue and are trying to implant fear into their readership. In either case, not a good look for The Intercept.
> Few companies intentionally expose SMB to the internet.
True, but in your average coffee shop setup if a user has SMB running you could reach them via a local IP if it isn't firewalled off on the machine itself.
1. This is actually a big deal. Look on Shodan and see how many systems have the CIFS port open, bannering on Win8 and older.
2. There are other risks: pivoting, RDP, etc.
3. Greenwald's entire point of founding The Intercept was to capitalize on bombastic Snowden leak stories without intermediaries such as The Guardian. It seems like it would be counterproductive for the editors to write something measured or that gives the NSA any benefit of the doubt. Readers should expect alarmist journalism from The Intercept as much as they should expect anti-conservative viewpoints from the NYT.
I did look on Shodan before I wrote the above, and am not seeing "millions" of machines like this hyperbolic article claimed.
But never let facts get in the way of hyperbole and clickbait. It doesn't matter that Windows is secure against this out of the box since XP SP2, it doesn't matter that a simple NAT "firewall" will protect you, all that matters is that some article told you to be afraid and no amount of technical facts is going to get in the way of that.
Too many of these types of articles and threads appearing today completely void of rationality about the scope of this because they don't understand the attack vector and "journalists" like The Intercept are not helping. But naturally outside of a few Netsec discussion boards the fear-party is in full swing, and people will downvote those not fully committed to that narrative.
> Few companies intentionally expose SMB to the internet. Generally users are required to VPN in before then being able to contact an SMB endpoint.
And what did (and likely still does) the NSA possess? Exploits for Cisco gear, which many enterprises and universities use to provide VPN access.
> So either the article author lacks the technical literacy to understand why this is untrue, or they know it to be untrue and are trying to implant fear into their readership. In either case, not a good look for The Intercept.
Place a drive-by-infection malware on a news site, or a well done email, which contains a payload that exploits said SMB issue, and boom you've infected the entire network.
Also, many people don't upgrade their Windows servers if not absolutely necessary.
I find it very irresponsible that the NSA did not report these vulnerabilities to Microsoft after they had fallen into the hands of the Shadow Brokers (no longer zero days). The Shadow Brokers announced possession of these zero days around 3 months ago. The NSA had a good 3 months to work with Microsoft to patch these. They chose not to.
In their original leak, the Shadow Brokers released a list of all file names in the encrypted part of the archive. They just did not release the password at that time.
Oh yes! I have my brother's Windows 7 laptop in my home now. I'm on a Mac. Can I remotely hack that Windows machine from my Mac using any of these exploits? Can someone help? What are the things that I should know?