jack: (Default)
[personal profile] jack
I feel confused by the news of Friday's ransomware worm. I've tried to piece together the pieces.

It spread by both email (requiring people to clink a link or open an attachment?) and across local networks to windows computers that were not up to date with patches (ie. all xp and win7/8 which haven't got security updates in the last two months )[1] using one or more particular vulnerabilities. Is that right?

This vulnerability applied to some networking thing called Windows SMB, version 1, which was outdated, but mostly still enabled on any computers which used SMB at all, which was mostly organisation networks, not home computers. Is that right?

Some time ago, the NSA discovered this particular vulnerability. As far as I can tell there's no suggestion they *created* it? Even though that's the sort of thing they WOULD do. Lots of news articles are saying "the nsa vulnerability" but that's just hype, right? But they did find it, and (apparently) not report it, just keep it for internal use.

They assembled some of these vulnerabilities into a suite of hacking tools.

Some time more than two months ago, there was a leak. Probably an insider of some sort? Someone got hold of those tools. cf. https://en.wikipedia.org/wiki/EternalBlue

About two months ago, maybe immediately, maybe after a delay, the NSA tipped off microsoft. Microsoft released a patch in the normal security updates. I think Microsoft mostly confirmed this recently, even though at the time the patch didn't say anything about it (it was somewhat suspicious it didn't say who found the vulnerability).

One month ago, a shadowy hacker group who named themselves after a shadowy hacker group in Mass Effect 3, tried to auction some of those leaked tools with mixed success. This sounds weird, but AFAICT is fairly certain, is that right?

They could be anyone, but people suspect they may be sponsored by Russia, as propaganda to say, "see what the NSA do, don't get into an open, cyber or propaganda war with us, you have a lot to lose too".

If the malware had been released *before* the patch, it could have been a lot worse, it could have infected many other networks as well, even completely up to date computers. As it happened, it only applied to older computers of which there were still many, but it made the auction less notable.

By Friday, someone had used that vulnerability to create (an updated version of?) that worm aka WannaCry and released it. It infected many many major organisations including most of NHS.

I don't know how the clean-up is going. Will large organisations pay ransom? Probably not? Will they be able to restore computers? How much data is permanently lost? I've no idea.

Someone registered a domain name referenced in the worm which accidentally or deliberately acted as a kill switch.

Microsoft released a one-off patch for windows xp and some other older operating systems (?) to fix this specific exploit.

We have no idea who "someone" was in this case, if they were affiliated with any of the previous groups or not.


This is just a feeling, but it feels like this particular worm was a bit of a rush job by someone who didn't expect it to do this well.


As far as I can tell, this worm was based on the same exploit the NSA found, but I've not heard anything concrete whether (a) they reverse engineered the microsoft patch (b) they got the vulnerability from the leaked NSA tool or (c) they re-used some of the code in the leaked NSA tool.

I assume the NSA didn't actually write this worm? Like, they would have done something more targeted?

But the news keeps saying things like "the tool used in this current attack had been developed by the US National Security Agency and was stolen by hackers". As far as I can tell, they just didn't understand the difference between "using" and "based on", right? I don't understand how they could know "using" without citing a security researcher or something, and I've not seen anything like that. Am I missing something?

What we should do

Give up the idea that unpatched OSes are "good enough". Make sure you're getting updates if you can.


Worry about the NHS being underfunded, and having a fucked-up tender process that ensures their IT infrastructure is always supplied by the sort of company that was cutting edge when security updates came out on a scale of a decade, not a day.

Worry about the NSA stockpiling vulnerabilities.

Remember that it could be a lot worse. Sooner or later things will line up and a vulnerability gets discovered and *not* patched, and basically infects every computer running a particular operating system, and is paired with something even worse than ransomware eg. a botnet consisting of 75% of the windows computers on the planet. People are working on this and we've got a lot better, but it's a struggle to make security good enough.


That's my attempt at a summary. Mostly based on the news and SwiftOnSecurity. Can people who actually know more fill in the details, especially the bits that don't quite seem to track?


1. No idea if anyone's using vista.
Anonymous (will be screened)
OpenID (will be screened if not validated)
Identity URL: 
Account name:
If you don't have an account you can create one now.
HTML doesn't work in the subject.


Links will be displayed as unclickable URLs to help prevent spam.