Last week, in a series of events seemingly a mix between Mr. Robot and Austin Powers, something fairly unusual happened that could potentially cause security problems for many people and businesses. And, perhaps because the story is a little crazy, or possibly just because it’s hard to understand, the story hasn’t gotten the attention it deserves.
Put simply, it appears as though the National Security Agency (NSA) created a set of hacking tools (i.e., tools which can be used to exploit security flaws in other computer systems); and then, the NSA itself was hacked by a group calling itself the “Shadow Brokers,” who is now attempting to sell the complete set of tools for… one million Bitcoin (at current exchange rates, over $500,000,000).
That’s a lot of money.
Wait, What Happened?
Last week, some people calling themselves the “Shadow Brokers” released onto the internet a set of hacking tools which can be used to break into a number of different types of computer systems and which bear a resemblance to previously discovered very powerful malware thought to have been associated with the NSA or otherwise “state sponsored.” They also claim that there’s more to come. I’m really not making this up. The Washington Post even reported on it.
To give you a bit of background, the secretive entity known as the “Equation Group” appears to be associated with a number of extremely sophisticated attacks which have occurred over the past 14 years. For years, many have presumed that this group is associated with (or, in fact, is, the NSA).
The release of these tools has allowed security researchers to compare this newly-leaked code with other code which has been found over the years. In examining the code, they determined that both the newly-leaked code and previously-found exploits both contain a unique implementation of a cryptographic cipher, suggesting that this new code and old exploits are both from the Equation Group.
But wait, there’s more. New revelations from Edward Snowden appear to confirm the association between these newly leaked tools and the NSA (and thus, also linking the NSA and the Equation Group).
What does this mean?
Although there is some speculation about why these tools were released, to me, that’s beside the point.
The most important takeaway from this incident is that, even though these released tools are about three years old, at least some of them actually work. Not only do they work, but they contain what are referred to by security researchers as “zero day” exploits (i.e., a tool which exploits a previously unknown security flaw, for which there is no “fix”) and related tools for a wide variety of systems, including those from Cisco, Fortigate, Topsec, and Juniper (here’s one more detailed list, and here’s another). These tools could cause a lot of damage if they get into the wrong hands. And, because the Shadow Brokers released them onto the internet, that’s exactly who will get them (or already has).
In other words, now, even poorly trained “hackers” can potentially use these tools to do serious damage. What has happened is the equivalent of giving bazookas to street gangs. And, the Shadow Brokers appear to be releasing even more. So, even if the revealed security flaws are fixed, more are likely to be revealed in the future.
What can you do about it?
There are a number of things you can do.
- You, or your IT staff, can apply security fixes as they become available. While this should be part of your standard operating procedure, now is as good a time as any to start doing this. And, there is some good news on this front, as Cisco, one of the targeted vendors, has released a fix.
- You can contact your cloud-based and software-as-a-service vendors to make sure that they are aware of the issues and are applying fixes as necessary.
- You can review your contracts with your vendors. One of the things that it’s possible to negotiate (and you may have negotiated) the level of care your vendor must take with your data. You might also consult with your lawyer to help review your contracts (and perhaps negotiate new ones).
- Another thing you can negotiate is the response to a data breach. Because security breach notification laws can impose obligations for certain kinds of security breaches, many companies negotiate who must comply with these obligations in their contracts with vendors who handle data (e.g., where software-as-a-service handles nonpublic personal information). You might also consult with your lawyer about your contracts and negotiation of new ones.
- You can look into obtaining insurance coverage for security breaches. And, you might also consult with your lawyer to give you advice about whether your current insurance policy, or any new policy you might consider, covers you for these risks.
- You can stop and reevaluate your software systems to make them harder to exploit. Many of these tools are designed to break into computer networks and extract information. Encryption of data, whether at rest or in motion), is a best practice; and, encryption that is rigorously tested and well-implemented can make it significantly harder for hackers to reach sensitive data.
- You can implement policies to avoid collecting or holding onto sensitive information you don’t need. If you don’t have it, they can’t steal it from you.
- You can train your employees to avoid inappropriate use of email. Don’t you think Sony wishes they had been more careful with their emails? Dance Like No One is Watching; Email Like It May One Day Be Read Aloud in a Deposition.
Lastly, Apple is now having an “I told you so” moment. You may recall several months ago, when Apple refused to create a “hacking tool” for the FBI to break into iPhones. One of the reasons why Apple refused was because any tool they created for the government could be stolen and released to the public. Considering that is precisely what happened here, they were right.
p.s., Here’s some more on Bitcoin: