written by Pierluigi Stella
Remember when Snowden revealed what was going on with the NSA in 2013? How we were all being spied upon? How, with the excuse of preventing terrorism, this agency was collecting data on everyone, in flagrant violation of any reasonable privacy expectation (let alone law), we were all outraged!! And demanded that someone be held accountable. And that the practice be stopped immediately. Do you remember that?
However, with time, some of us became convinced that in order to be safe, we may actually need to accept the new order of things. And that it’s far better to let the NSA know when you called your grandmother than to risk a terrorist attack.
After all, what have we got to lose?
And since, at the time, we were under a democratic government, I too eased up on the outrage, and settled for a more mundane, “I have nothing to hide”.
However, January 2017 came along, things changed, and quite dramatically too. We now live in a post democratic era where our president firmly believes he’s above the law, hires (and especially fires) at his whim and fancy. Oblivious, or should I say, impervious to the possible consequences. So my stance on this issue has drastically changed. I really don’t want this president collecting data about me.
How’s this related to WannaCry? Read on.
One of the things we ended up accepting as a matter of fact is that the NSA (and other security agencies) withhold things. When they discover vulnerabilities in commercial products, instead of letting the vendor know about it so they can be patched, they keep it a secret, and see if it can be used as a backdoor to infiltrate computers they want to spy upon. The presumption being that their network is so secure, no one will ever know about these discoveries, so only _they_ will be able to take advantage of them. Until, of course Microsoft and Co. finds that very same vulnerability on its own, and patches it anyway.
However, this arrogant presumption has finally backfired.
For years, we in the security industry have been telling everyone that this practice is dangerous, ethics and legality aside. We’ve been telling everyone that there’s no such thing as a secure network. And that despite their arrogant presumption, sooner or later the NSA network could be hacked and this information leaked.
And, there you have it.
Hackers were able to steal this information about a vulnerability that allows them to take over a workstation and encrypt all files. But what’s worse, it allows this new threat to spread horizontally. Up until now, ransomware spread ‘vertically’, as in from the server containing the malware to the workstation downloading it.
This new attack, codenamed WannaCry, also spreads horizontally, within workstations, within a network. And that’s where the big issue has been. That’s what has allowed this major attack to take place.
Because once one workstation was infected, many others followed easily, and entire networks fell prey to the attack. Microsoft had already released a patch in March to protect against this horizontal attack. And that’s likely the reason why we’ve seen much less of a problem with WannaCry in the US than as experienced by the rest of the world.
Our processes and procedures are fairly stringent, and are starting to work. We patch and protect, and things didn’t get out of control. But frankly, that’s besides the point. The real issue here is, if the NSA didn’t keep such information in the first instance, it wouldn’t have been available to steal to begin with, and none of this would’ve happened.
How’s that for protection?