On 10 May we highlighted a report on Bruce Schneier’s excellent cyber security site that examined the threat posed by the NSA’s hoarding of zero-day vulnerabilities – that is, the NSA discovering vulnerabilities in code and then not advising companies to fix the problem in case the NSA itself needs to et access one day (see http://spyingtoday.com/2019/05/10/huawei-bad-nsa/). Now it seems that the threat may have become a reality.
On 7 May Baltimore City Council was the target of a ransomware attack. The criminals demanded more than $100,000 to unfreeze the city’s computer systems. The city refused to pay and is suffering as a result. It is now known that the criminals used an NSA hacking tool know as EternalBlue to carry out the attack. EternalBlue was created by the NSA to exploit a weakness in Microsoft operating code. The NSA did not inform Microsoft for five years that the weakness existed. Later EternalBlue turned up in the hands of cyber criminals although the NSA has always refused to explain how this happened. Baltimore City councillors are demanding explanations from the NSA and threaten to hold the agency responsible for their considerable financial losses..
IT security professionals have been pointing out for some time that the NSA’s hoarding of vulnerabilities is harming, not protecting America’s cyber security. The NSA continues to insist that it does nothing wrong, yet cannot explain how vulnerabilities it has kept to itself continue to be exploited, often with tools the NSA has created.