The Shadow Broker Knows

In the popular video game series known as Mass Effect, the Shadow Broker is an individual at the head of an expansive organization that trades in information, always selling to the highest bidder.

The secrets bought and sold never allow any one customer of the Broker to gain a significant advantage, which forces all of the customers to keep trading information to avoid falling behind, and that keeps the Broker in business.

In real life, the Shadowbrokers are a stealthy cyber group that seems to be operating a similar game with our national security.

On April 8th, the Shadowbrokers leaked National Security Agency documents describing hacking tools that were used by the NSA to prepare a complete capture of the entire global SWIFT Network, the international banking backbone of the world. This hack would give the NSA a broad view into the financial transactions of any bank, anywhere and at any time.

The documents describe a hack by the NSA that covertly provided certain financial institutions' access to the SWIFT bank transfer request network and was used to breach a number of those institutions' clients. Regardless of who was targeted, that banking process was irreparably disrupted, as none of the affected or member banks will be able to trust the network any longer.

This may be a good or a bad thing from a national security point of view, which of course we will never know, but it definitely sends a signal that the top people in Congress are either not in charge or are lying.

This leak dwarfs Wikileaks' Vault 7 dump and describes a multi-stage attack that bypasses the very latest and best firewall technology, infects and exploits vulnerabilities in Windows servers and flaws in Oracle databases, and captures and copies all of the data in the SWIFT internal financial system. Wikileaks gets headlines because of the evil Dr. Assange, but no one knows who the evil Dr. Shadow might be.

The leaked documents additionally provide clear evidence that the NSA had launched a series of successful cyber-intrusions against the Office of the President of Iran and the Russian Federal Nuclear Center, along with a myriad of other lesser-known organizations, and they include detailed descriptions of the ways in which these cyberattacks were engineered.

The reasons this is far more consequential than the Wikileaks dump start with the fact that the tools the NSA used in this case are now usable by anyone with a computer. In contrast to Wikileaks, the Shadowbrokers' files are complete, unredacted computer code, fully operable by anyone with minimal programming experience and ready to unleash on any target of their choosing. Whatever you may think of Julian Assange, Wikileaks at least purposefully redacted the usable parts of the code so that it could not be easily duplicated.

The next reason you should care is that the tools came from the NSA's Equation Group, the same people who have been described by many in the cybersecurity community as the most sophisticated cyber-attack group in the world. In other words, forget Russia, China, Iran and North Korea. The most sophisticated cyber-attackers on the planet are our own guys. Good for us, but if they can't keep their secrets secret, not so good for us.

Another reason for concern is that the NSA's hacking tools take advantage of hoarded security bugs in computer products that we all use and spend billions each year to keep secured. Rather than using these vulnerabilities for their own purposes with no apparent congressional oversight, it would be nice if the NSA could let the manufacturers know that these holes exist so they could do something about them before the hackers exploit them.

There is currently no set of rules that governs when or even if the NSA should notify a manufacturer about a security flaw.

Oddly, in this case we noticed that Microsoft, in a dramatic and uncharacteristic flurry of activity, managed to release its fixes for the zero-day flaws described in the Shadowbrokers' release just a few weeks before the leak was announced. As Microsoft controls over 90% of the worldwide market for operating systems, that knowledge would have made almost all desktops and laptops in the world susceptible to hackers had the leak come a few weeks earlier.

The wheels of government and industry turn in mysterious ways.

By the way, if you are panicked by what the Shadowbrokers release means to you, it may be because you have not been installing security updates in a timely manner. Everyone knows they should do this, but they frequently don't, and that is why it is repeated ad nauseam. The lag time between when patches are released and when systems are updated is still too long. Too many systems get compromised because a year-old update was never applied, not because of a zero-day vulnerability.

When Windows XP entered end-of-life, security experts warned that holdouts who refused to move to newer platforms would be at risk from future attacks, since there would be no more updates for the platform. That is exactly what is happening here. IT and security teams need to protect lingering legacy systems or develop a plan to finally migrate the applications to a more modern and secure alternative.
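The two preceding points, patch lag and end-of-life platforms, are the kind of thing an inventory audit can measure. The script below is an added example, not code from the article or from any vendor: it reads a constructed CSV inventory (the hostnames, operating systems and dates are made up for illustration), flags hosts whose last security update is older than a policy threshold, and flags hosts on platforms the vendor no longer patches, which is the Windows XP case the text describes. The end-of-life set is an assumption the reader would maintain from vendor lifecycle pages.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real hosts): hostname, OS, date of last security update.
SAMPLE_CSV = """host,os,last_update
fileserver-01,Windows Server 2012 R2,2017-03-20
kiosk-07,Windows XP,2014-04-08
workstation-3,Windows 10,2016-01-12
build-agent-2,Windows Server 2016,2017-04-10
"""

# Assumption: platforms that no longer receive vendor security updates.
# Windows XP is the article's example; keep this set current from vendor lifecycle data.
END_OF_LIFE = {"Windows XP", "Windows Server 2003"}


def load_inventory(text):
    """Parse CSV inventory text into a list of dicts with a real date object."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "os": r["os"],
            "last_update": date.fromisoformat(r["last_update"]),
        })
    return rows


def audit(inventory, as_of, max_lag_days=30):
    """Return (host, reason, lag_days) findings, worst lag first.

    A host on an end-of-life platform is always a finding, regardless of lag,
    because no future patch will ever close its holes. Other hosts are flagged
    only when their patch lag exceeds the policy threshold.
    """
    findings = []
    for h in inventory:
        lag = (as_of - h["last_update"]).days
        if h["os"] in END_OF_LIFE:
            findings.append((h["host"], "end-of-life platform: migrate or isolate", lag))
        elif lag > max_lag_days:
            findings.append((h["host"], f"patch lag {lag} days exceeds {max_lag_days}", lag))
    return sorted(findings, key=lambda f: -f[2])


def out_of_policy_fraction(inventory, as_of, max_lag_days=30):
    """Share of the fleet with at least one finding; a single number to track over time."""
    if not inventory:
        return 0.0
    return len(audit(inventory, as_of, max_lag_days)) / len(inventory)


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    today = date(2017, 4, 14)  # constructed audit date
    for host, reason, lag in audit(inv, today):
        print(f"{host:14} {lag:5d} days  {reason}")
    print(f"out of policy: {out_of_policy_fraction(inv, today):.0%}")
```

Replacing `SAMPLE_CSV` with an export from a patch-management or asset system is the only change needed to run it against a real fleet; the useful output is the trend of the out-of-policy fraction, not any single run.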

And the final reason is that the NSA seems incapable of protecting its own espionage technologies from people like the Shadowbrokers and whoever else.

The over-arching questions posed by all of this are whether we really want covert espionage groups to have and wield that kind of power under the flag of national security, and if we do, to whom they should answer, how they should protect the secrets they possess, and under what specific and legally enforceable circumstances they should be compelled to disclose known vulnerabilities to the vendors of the products they exploit. And if the best intelligence groups on the planet cannot keep their secrets secret, why would we expect the FBI to be able to contain secret keys to backdoors in iPhone operating systems?

The Wikileaks dump and the Shadowbrokers’ leaks are pretty strong indicators that important stuff is broken.

It is beyond time for our leaders to pass meaningful legislation addressing the whole cybersecurity defense issue before we, along with the rest of the world, learn even more about who the bad guys really are and what they are really up to.

More articles by Steve King, CISM, CISSP