Microsoft officially confirms @NSAGov developed the flaw that brought down hospitals this weekend.
Ransomware: Microsoft can no longer claim to be ‘proactive’
• 14 May 2017
• Written by Sam Varghese
Microsoft’s reaction to the Windows ransomware crisis that unfolded on Friday and Saturday has shown one thing: the company can no longer use the business buzzword “proactive” when it talks about itself. It was caught unawares and left looking very old and tired in the way it responded to the situation.
When the Shadow Brokers group dumped a number of NSA exploits on 14 April, after having tried for a while to get people to buy them, it should have been clear to those who head the Microsoft Security Response Centre that it was only a matter of time before some attacker would use these exploits to attack vulnerable systems.
The probability was all the greater given that attacks these days are driven mostly by a desire to make money, not just to get up someone’s nose.
It has also been clear to all those who are in any way part of the tech community — those who have not been living under a rock, that is — that there are millions of Windows machines out there that are out of support and vulnerable to these exploits.
As iTWire reported back in February, 150 million PCs were running Windows XP at that time, a version for which support has long expired.
Microsoft issued patches to guard against these exploits in March, a month before the Shadow Brokers dumped the lot. (The company has kept mum as to how it became aware of the dumped exploits. Was it told by the NSA? Did it pay the Shadow Brokers?)
But, given its parsimonious nature, something that has often left it with egg on its face in the past, Microsoft only issued patches for Windows versions that are currently supported.
It did not think ahead to the possibility that a situation like Code Red could arise again, with attackers having a field day on older Windows systems. No, it was caught on the back foot and had to pull up its socks and react fast.
Had it not been for an accidental act by a British researcher, we would be looking at Code Red Mark II now.
Now, the company that has been force-feeding Windows to all and sundry is acting as though it is the good guy. “Seeing businesses and individuals affected by cyber attacks, such as the ones reported today, was painful,” wrote Phillip Misner, principal security group manager at the MSRC.
When the Shadow Brokers dumped the exploits, what was Misner doing? The analogy that comes to mind is that of Nero fiddling while Rome burned.
And thus, when the fat was well and truly in the fire, Microsoft found itself forced to issue patches for Windows XP, Windows 8, and Windows Server 2003. Of course, lest you forget, this was done in the public interest!
This is not the first time that attacks on Windows systems have triggered mass panic. Dave Aitel of Immunity, a security professional who often calls things as he sees them, put it well in a tweet: “Windows didn’t get more secure in the last two decades, the hackers just got nicer.”
A number of security companies wrote in to iTWire, seeking to capitalise on the situation and plug their own names and wares. These companies are part of the problem: they should be calling out Microsoft for its pathetic attitude to security, which this time put the lives of patients in Britain at risk.
But you won’t find any of these security experts saying a thing. After all, why would they bite the biggest hand that feeds them? If Windows disappeared overnight, many of these companies would be left without lunch money.
The cynicism that has been on display in the last 36-odd hours is disgusting.
Microsoft calls to end government-secret hacking techniques
By Joe Uchill – 05/14/17 08:48 PM EDT
On the heels of a historic ransomware attack that may have used leaked NSA hacking methods, Microsoft is calling for governments to cease stockpiling secret means of bypassing software security.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” wrote Brad Smith, president and chief legal officer at Microsoft, on a company blog Sunday evening.
WanaDecrypt0r, also known by names such as WannaCry, struck hundreds of thousands of computers in more than 100 nations. Since the attack began Friday morning, victims have ranged from hospitals in the U.K. to a telecom in Spain, and from U.S.-based FedEx to the Russian Ministry of the Interior.
WanaDecrypt0r was so virulent in part because it used a Windows hacking tool that appears to have been stolen from the NSA and leaked. Microsoft had patched the Windows security hole that tool exploits in March, a month before the tool was leaked in April, but businesses often lag in installing updates, for reasons including industry-specific software being incompatible with the most current version of the operating system.
“[I]n February [we called] for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them,” wrote Smith.
If governments reported bugs instead of using them to conduct hacking and espionage, manufacturers would be able to improve the security of all their users. That would come at the cost of intelligence and sabotage operations.
There have been rules governing the circumstances in which U.S. agencies can keep secret the security vulnerabilities they discover. The Obama administration set up the Vulnerability Equities Process (VEP), which requires agencies to presume that they will report software flaws they discover to manufacturers. It also gave them the option of arguing to a third-party panel why they should keep a vulnerability secret, and of abiding by that panel’s ruling.
The VEP is opaque. It is unclear, to varying degrees, how well agencies followed it, how often vulnerabilities were retained, and whether the Trump administration changed any of the standards.
Legislators have toyed with the idea of codifying the Obama rules in the past.
On Friday, as WanaDecrypt0r raged out of control, Rep. Ted Lieu (D-Calif.) touted legislation he was creating with “industry stakeholders” that would make the process more transparent.
“It is deeply disturbing the National Security Agency likely wrote the original malware,” wrote Lieu in a statement.
Until this weekend’s attack, Microsoft declined to officially confirm this, as US Gov refused to confirm or deny this was their exploit. When a US nuclear weapon is stolen, it’s called an “empty quiver.” This weekend, @NSAGov’s tools attacked hospitals. ~ Snowden
Cyber attack could spark lawsuits but not against Microsoft
Businesses that failed to update Microsoft Windows-based computer systems that were hit by a massive cyber attack over the weekend could be sued over their lax cyber security, but Microsoft Corp itself enjoys strong protection from lawsuits, legal experts said.
According to Microsoft (MSFT.O), computers affected by the so-called “ransomware” did not have security patches for various Windows versions installed or were running Windows XP, which the company no longer supports. “Using outdated versions of Windows that are no longer supported raises a lot of questions,” said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. “It would arguably be knowingly negligent to let those systems stay in place.”
Microsoft knew about software vulnerability prior to cyberattack
Microsoft knew about the software vulnerability that was exploited by a massive cyberattack over the weekend, and had released a fix in March. But the patch wasn’t made available to users with older versions of its operating system until the attack had already hit hundreds of thousands around the world.
Microsoft is no different than the WannaCry virus hackers because they demanded money for the XP update in the first place and stopped supporting their own buggy software. They are the ones who should be sued for not protecting the public when they knew there was a virus that was going to infect all these machines. They should have sent out the patch and any support needed then and there for free to all the machines in the world.