Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools

The NSA's Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we're told. On Thursday, Dan Tentler, founder of security shop Phobos Group, told The Register he's seen rising numbers of boxes on the public internet showing signs they have …

  1. Your alien overlord - fear me
    Facepalm

    Wow, that was so unexpected !!!!

    1. Bob Vistakin
      Mushroom

      Tut tut tut

      Use Windows as a server? Expect the internet equivalent of Kelvin MacKenzie turning up at Anfield dressed in red, plonking himself in the middle of the Kop and singing about never walking alone for 90 minutes at Liverpool's next home game.

      1. Anonymous Coward
        Anonymous Coward

        Re: Tut tut tut

        Anyone with common sense will use Linux WHERE possible. Unfortunately, Linux doesn't cover everything, for example, Active Directory and creating domains.

        1. Anonymous Coward
          Anonymous Coward

          Re: Tut tut tut

          If you have to use Windows - use the latest version. Learn how to find and shut down all the built in MS spyware. MS just doesn't give a crap about anything older.

        2. Jeremy Allison

          Re: Tut tut tut

          Ahem. Samba4 implements an Active Directory Domain Controller quite nicely thanks. Amazon use it in their cloud provisioning for customers who don't want to pay Microsoft licensing fees.

          1. patrickstar

            Re: Tut tut tut

            If security is your concern, then you are just as (if not more) screwed with Samba. It has a truly atrocious history of vulnerabilities.

        3. Agamemnon

          Re: Tut tut tut

          SaMbA has had Active Directory for some time now, but even more fun is that I've used my laptop's SaMbA to escalate to a PDC by *Changing The Build Number* to higher than the Windows PDC/BDCs. (To be fair, I used to do it to NT back in the day if I needed the PDC otherwise occupied while I pulled completely legal, by the client's decree because it had to be done and cheating was Authorized, etc, etc, shenanigans).

          I was in Indianapolis, bringing up a BDC in Oakland when the West Coast...vanished. Just gone. *Poof* Nada. Then it started coming back up slowly. Turns out, some jackass backhoed a backbone fiber around Vegas. I had Dial-In (remember RAS? I have PTSD but it could be tricked into all sorts of neat Dominion stuff) and updated the Role so poor Oakland could do all the office stuff that offices tend to do because they could log in.

          Active Directory == NIS+/Kerberos/LDAP/DNS done completely wrong.

      2. Anonymous Coward
        Anonymous Coward

        Re: Tut tut tut

        "use Windows as a Server"

        If you look at attack / defacement stats, you are (or maybe were!) about 4 times less likely to be hacked running Windows as an internet facing server than Linux...

      3. patrickstar

        Re: Tut tut tut

        I operate lots of Windows servers on the Internet. And lots of Linux servers. As well as several other OSes. For some reason, they tend not to get hacked, regardless of OS.

        Might have something to do with the fact that I don't do dumb things like expose port 139/445 to the world, regardless of whether it's the Windows, Samba, or Solaris implementation.

        1. Agamemnon
          Pint

          Re: Tut tut tut

          Upvote and a Beer for you my friend.

      4. russmichaels

        Re: Tut tut tut

        Oh dear, that is very ignorant. People are not using the same version of Windows you use on your desktop, there are separate SERVER versions of windows. And guess what, Linux also gets hacked too.

  2. BongoJoe
    Mushroom

    Bit of a sod for those forced to maintain XP machines due to third party application compatibility issues.

    1. Pascal Monett Silver badge

      Yup. Looks like it's time to airgap. Permanently.

    2. This post has been deleted by its author

    3. Doctor Evil

      just throw it over the side?

      Wondering if it would be best to simply disable the SMB protocol altogether?

      HKLM/System/CurrentControlSet/Services/LanmanServer/Parameters/SMBn(DWORD) = 0

      where n = 1, 2

      (and make sure you reboot)
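As an added example (not from the thread), this PowerShell script applies the registry change described above for SMB1 only on a Windows 7 / Server 2008 R2 box, using the values from Microsoft's KB2696547 article linked further down, and adds the host-firewall block for ports 139/445 that patrickstar's comment about not exposing them implies. It assumes an elevated session; the registry path, sc.exe commands and netsh syntax are Microsoft's documented ones, while the function names are mine.

```powershell
# Added example, not code from the forum thread.
# Target: Windows 7 / Server 2008 R2 (registry method from KB2696547).
# Assumes an elevated PowerShell session; SMB changes need a reboot.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Describe-DialectValue($v) {
    # An absent value means the dialect is enabled (the default).
    if ($null -eq $v) { return 'enabled (value not set, default)' }
    if ($v -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Get-SmbDialectState {
    # Audit first: read SMB1 / SMB2 under LanmanServer\Parameters.
    $p = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        SMB1 = Describe-DialectValue $p.SMB1
        SMB2 = Describe-DialectValue $p.SMB2
    }
}

'Before:'; Get-SmbDialectState | Format-List

# Server side: SMB1 = 0 switches off the SMBv1 dialect in LanmanServer.
# SMB2 is deliberately left alone: on Windows 8 and later that one value
# also governs SMBv3, and Microsoft recommends keeping SMBv2/v3 enabled.
Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force

# Client side (same KB): drop mrxsmb10 from the workstation service's
# dependency list and stop the SMBv1 redirector driver from loading.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

'After (effective on next reboot):'; Get-SmbDialectState | Format-List

# Defence in depth: the thread's actual complaint is SMB reachable from the
# Internet. Block inbound 139/445 on the Public firewall profile so a
# non-NATting or misconfigured modem does not expose the service anyway.
netsh advfirewall firewall add rule name="Block inbound SMB (Public)" `
    dir=in action=block protocol=TCP localport=139,445 profile=public | Out-Null

'Inbound SMB blocked on the Public profile. Reboot to complete the SMBv1 change.'
```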

      1. GrapeBunch

        Re: just throw it over the side?

        (and make sure you reboot)

        I did as you suggested on an old XP machine. On rebooting, it could not connect with the Internet. After a few minutes of futzing around, I fell back upon an old method that often works, though I never know why. I rebooted a second time. All normal after that. Thanks!

        It strikes me that much of one's security should reside in the router. It even runs a different OS ! Don't know how one might go about that, though.

      2. Roland6 Silver badge

        Re: just throw it over the side?

        >Wondering if it would be best to simply disable the SMB protocol altogether?

        Interesting article:

        https://support.microsoft.com/en-gb/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

    4. h4rm0ny

      Windows XP was released a decade and a half ago. Its replacement was released a decade ago. Extended Support ended three years ago.

      At this point, you should really consider your vendors inadequate for the job.

      1. BongoJoe

        And if the people who wrote the application have:

        1. The monopoly on the product

        2. Won't update their code

        Then where are you?

        1. Fatman
          Joke

          RE: Then where are you?

          Simples: UP SHIT CREEK, WITHOUT A PADDLE!

        2. Doctor Syntax Silver badge

          3. Don't even exist any more.

        3. Craig 31

          Waiting for ...

          Waiting for a virus to pop up.

      2. WolfFan Silver badge

        At this point, you should really consider your vendors inadequate for the job.

        We have an old imagesetter sitting in one of the rooms downstairs. When it was new it cost more than $150,000. It hasn't been new for a very long time. The company which made it stopped supporting it more than 10 years ago, and never released drivers for Vista, much less for Win 7 or later. This means that we _must_ have an XP machine available to talk to it. (Well, that, or a machine running Mac OS 9 or OS X 10.3 or earlier; 10.5 definitely won't work, 10.4 works sometimes.) Management doesn't want to replace it as it works, and it's paid for. Yes, it's slow, it's clunky, it requires babying... but it works. And it will never, ever, be updated. Yes, there are ways to use generic Adobe PostScript drivers on Windows and/or to use CUPS on Macs, but they don't support the full feature list (or even a large subset of the feature list) and that means that we just can't do certain things unless we connect using XP. (Or OS X 10.3.) We still use it because film for it is relatively cheap compared to film for a new imagesetter. The imagesetter people have adopted the same basic idea as the printer people: sell the device relatively cheaply (new imagesetters capable of doing what we want cost as little as $30,000) but sell the film as expensively as possible (200 feet of film for the new imagesetters can cost between $550 and $1650. We burn about 2000 feet of film a month. We can get film for the old imagesetter at about $1/foot. Do the math.)

        No, we won't be getting a new, Win 7 compatible, imagesetter any time soon, not unless the old machine goes completely TITSUP or our film supplier stops supplying the required material. And we have at least six months supply of film and chemicals sitting in stores.

        1. J. Cook Silver badge
          Boffin

          ... and that is when you air-gap the machine, or put something between it and the rest of the world, like a _decent_ firewall running in whitelisting mode (block all except what I explicitly want through)

          Kind of like you should do for SCADA or other industrial control systems where application security is shite.

        2. DJ Smiley

          And it's on the internet why?

      3. Anonymous Coward
        Anonymous Coward

        Why? Not every XP PC is internet-connected and more importantly, most users haven't opened their SMB-port to the internet (even the ones with illegal never updated Win XP machines).

        Why do people supposedly in the know keep spouting all this FUD?

        1) You're fine behind a properly configured firewall, 2) Anti-malware software is what should keep you safe not (only) OS updates and 3) most of these "security issues" require elaborate actions and/or access to actually be harmful.

        Sure, XP is old. And when needed consumers will (eventually) upgrade but the upgrade has to be worthwhile and IMHO Windows 10 isn't!

        Now provide me a Windows 10 upgrade with a full re-instated PC configuration panel and full beautiful skeuomorphic desktop and I'm interested. For all that fugly flat mono-crap (which I already endured during the eighties)... thanks but no thanks!

        1. Kiwi

          Not every XP PC is internet-connected

          True. But given XP's still pretty high-ranking on various lists of what OSes are connected to the net, I guess there are still quite a few connected XP machines out there. Several million at a guess.

          and more importantly, most users haven't opened their SMB-port to the internet (even the ones with illegal never updated Win XP machines).

          This is a MS OS we're talking about. Especially back when MS still had doubts about whether or not this "Internet" thing would ever take off (or rather, they still had delusions that their own network would overtake it and become the global standard). There's tons of services turned on and ports opened that never should be facing the internet but are by default without user intervention. And the included sieve firewall wasn't turned on by default.

          1) You're fine behind a properly configured firewall,

          How many places have default ISP-provided "modems" that are wide open, with several hidden+undocumented+un-killable services facing outwards (eg telnet with default un/pass and often even a HTML-based config page that by default is accessible from the outside web)? Of the XP machines still connected, what percentage are owned by people who don't have the technical expertise to even know what a firewall is let alone "properly configure" one? I'd be willing to wager the number is scary, maybe even 50% or higher (that is a guess, however given the people I know who still run XP, that's a very conservative guess)

          2) Anti-malware software is what should keep you safe not (only) OS updates

          True, but again lots of people don't. It's run out and they never updated the subscription, it's a freebie (McAfee, AVG, some others [1]), it's not only a freebie but one of those fake ones (at least that were around when 7 was new), or even worse still, it's some of the fecal matter spewed from Symantec.

          3) most of these "security issues" require elaborate actions and/or access to actually be harmful.

          Maybe. Many don't. If "script kiddies" are doing it then it's a fair bet that it doesn't take much at all to be harmful. SK are notorious for looking for the weakest link and being too lazy/inept/after the easy money to go for anything harder.

          Sure, XP is old. And when needed consumers will (eventually) upgrade but the upgrade has to be worthwhile and IMHO Windows 10 isn't!

          On that we can fully agree. In fact the only potential upgrade that was "worth it" was 7, and that's only if your needs really required it.

          Now provide me a Windows 10 upgrade with a full re-instated PC configuration panel and full beautiful skeuomorphic desktop and I'm interested. For all that fugly flat mono-crap (which I already endured during the eighties)... thanks but no thanks!

          Sorry, you can't have that. Desktop design experts say that 10 is just like, you know, the greatest thing ever! All that other stuff is just so old and you have to move with the times. Well except Windows 1.0 - that was so futuristic with its flat look!

          [1] It has been some time since I had to look into these things. Both McAfee and AVG could well have improved. And while the free version of AVG was notoriously bad in 2011-2013 (and maybe later) I must admit their "Rescue CD" was an invaluable tool that I used often and quite liked.

    5. steve 124

      exposed smb

      I'm just trying to think of when you would have an SMB externally exposed. I mean, you would have to have an XP machine sitting directly connected to a non-NATting modem and then manually turn off the windows software firewall to do that, right?

      So, noobs got pwned by scriptkids... Nothing more to see here, move along.

    6. jonfr

      Move Windows XP to VM

      The solution is to move Windows XP to a VM to run software that doesn't run elsewhere. This is excluding games that I don't think run well in a VM at the moment. I haven't tried so I don't know yet.

      1. Charles 9

        Re: Move Windows XP to VM

        You can't VM custom hardware because it won't know how to virtualize it, like that custom ISA lathe controller card (can't be used after XP because Vista dropped the ISA bus).

        1. DJ Smiley

          Re: Move Windows XP to VM

          Internet Of Lathes? Is that a thing now?

    7. Anonymous Coward
      Windows

      @Bongo

      "Bit of a sod for those forced to maintain XP machines due to third party application compatibility issues."

      Yes and no. Of course it can be a drag, but there's also something people could have done about it for a long time already. Windows 7 Professional got shipped with "Windows XP mode", which is basically a virtual Windows XP version which you can run on top of Win7 through "Windows Virtual PC".

      Although not as extensive as VirtualBox it has one very interesting feature: software integration / propagation. So: software which is installed within the virtual machine can also be added to the Windows 7 start menu. When clicked on it will run the VM in the background and only show the application with the same look and feel as the VM it's running in.

      If you wanted to you could have gotten rid of XP a long time ago and have replaced it with Windows 7 + Windows XP.

      1. Roland6 Silver badge

        Re: @Bongo

        >Windows 7 Professional got shipped with "Windows XP mode"

        "Windows XP Mode follows the same support lifecycle as Windows XP - extended support will end April 8, 2014" (Microsoft).

        " it has one very interesting feature: software integration / propagation."

        Yes this was an interesting concept, however, for this to work well you needed a machine capable of running VMs at a reasonable pace, also for the integration to work, it performed some 'interesting' and largely undocumented user account credential handling that tended to break when users changed their Windows 7 password. So whilst it had potential, it was worse than pointless on your typical office desktop/laptop.

  3. Hans 1
    Stop

    Windows on the open internet

    You need to be a highly trained professional to lock-down Windows to make it "sort of safe" on the open internet. Who do you think you are? I am sure, these same corps have open MongoDB databases lying around ...

    SMB (v1, 2, and 3) is so totally obsolete tech and so vulnerable that I wonder why even schools use it in air-tight computer labs. Does not even have educational value, if you ask me.

    BTW, I think I just came along the WORST Wikipedia article ever, the one on sshfs. Half the bloody content is plain incorrect, needs some serious fixing. ETA 20:00 Europe/Paris for the English version, German, and French versions will follow over the weekend.

    1. GrumpyOldMan

      Re: Windows on the open internet

      Sorry -

      <OT> But Wikipedia is THE fount of all wisdom! Did you not know? It's all 100% correct because 'they wouldn't allow it to be seen otherwise' (daughter's argument). My wife bought a riding book recently that uses a medical illustration from Wikipedia and gives the link to the source - I was aghast! From what I've seen most of it is wrong.

      </OT>

    2. Manu T

      Re: Windows on the open internet

      "...You need to be a highly trained professional to lock-down Windows to make it "sort of safe" on the open internet..."

      Ever heard of a "firewall"? It is a feature that's built into routers and modems for the last decade or so...

      Besides, why shouldn't "consumers" hire a professional IT-technician to improve their home-network? Home networks have become as complicated as many company-networks with all their different internet/network connected devices and OSes.

      Instead of complaining, use this opportunity to make a buck or two.

      1. Kiwi

        Re: Windows on the open internet

        why shouldn't "consumers" hire a professional IT-technician to improve their home-network?

        Why should they hire someone? They plug the device in, it connects to the internet and spits out wifi with nice easy default passwords. Easy! Nothing to do but turn it on, and put the password into your devices.

        All you networking types make this stuff sound hard but you're all just talking bullshit. It's easy to create a secure network, and Telecom wouldn't be able to remain in business if they were making things as insecure as you claim! You're full of it.

        Yes. Actual discussion (roughly) I had with someone. At the time Telecom (now "Spark" - note the lack of the word "bright" in both the name and the techs) were giving out home routers with a) NO wifi passwords (ie completely insecure wireless) and NO security on the device. If I wanted to I could park outside someone's home, log in to their router, and change whatever I wanted (eg DNS servers....), and they would never know. Yet people could not be told they needed help.

        (In all honesty I never once took the opportunity to point the systems of those I cared about to something that would make it damned obvious they were at threat (eg a page of my own design) and needed to ask someone to step in and sort things out - I never once did that, honest!)

        1. Anonymous Coward
          Anonymous Coward

          Re: Windows on the open internet

          "They plug the device in, it connects to the internet and spits out wifi with nice easy default passwords. Easy!"

          Except anything THAT easy can be reverse-engineered. Then the malware writers will simply include the algorithm used to derive those passwords. Perhaps one viable solution (though it may raise costs) to that is to use a second line to produce just the security modules and put the two together at the assembly stage.

  4. MacroRodent

    Another way to look at the mess...

    If NSA really needed to infiltrate some Windows machine on the net, they probably could do it with ease, at least up to now. Of course it is possible they also have other ways, not revealed yet.

  5. Charles 9

    Are we SURE this is State-level stuff? If I were running a State-level outfit, I'd accept nothing less than nuke-proof malware that can pwn machines at the HARDWARE level, beyond any hope of recovery. And we KNOW that's possible due to such things already being seen in the wild.

    1. h4rm0ny

      Yes, basically. We know the malware was created by the Equation Group and they are certainly a state-backed group. As you mention it, the Equation Group has created firmware malware. The malware in the article just isn't one of those.

    2. Hans 1
      Holmes

      >pwn machines at the HARDWARE level

      The thing is, you want tools that work "everywhere", not every target runs the same hw, most, if not all, have slurp boxen, though.

      Since slurp software is a security sieve, much easier and thus cheaper to write a few OS exploits! Best of all, slurpOS has tons of unused services running by default, is administered by Window Cleaner and Surface Experts, AND, is closed-source! So chances are high, nobody else will discover the flaw for a while!

      Once your toolbox is outdated, you start distributing it more freely within the NSA, since the new toolbox has much better tools ... until it reaches some insecure system, is exfiltrated into the wild and this story appears in the press.

      1. Charles 9

        "The thing is, you want tools that work "everywhere", not every target runs the same hw, most, if not all, have slurp boxen, though."

        No, you want the most effective tools, and you keep as many tools as you need to be as effective as you can in as many things as you can. That's why a good garage keeps a lot of tools. That's why State-level malware writers ALSO write Linux and MacOS malware.

        1. Kiwi

          No, you want the most effective tools, and you keep as many tools as you need to be as effective as you can in as many things as you can.

          Hardware tools aren't the best by a long shot. As others have mentioned, people use different hardware. You have to bribe the manufacturers to do so - and for them it's a matter of once it's known they let the NSA or whoever doctor their stuff that's it, game over. And of course, many hardware manufacturers work for other governments. Hardware can't be changed (short of firmware updates, and how often do users do that?), so you can't update it once people (even ISPs) start taking action to block your tools.

          Software, on the other hand, has at least some room to change should the need arise.

          That's why a good garage keeps a lot of tools.

          A good garage keeps only the tools they need, and maybe a few spares. A garage that has "a lot of tools" is trying to win your custom by being showy, not by the quality of their work. Have a look around people's garages. See that big case of snap-on tools or other name brand? The really expensive one that's got all the shiny tools that look like they've never been touched? The owner struggles to change a spark plug in a lawnmower, and unlikely the tools have even been used for that much. Now look at the guy who has a quality (maybe) but very well used socket set and a cheap-midrange set of spanners. Notice that they're not in an expensive case with lovingly-made hand-crafted padded housing for each individual tool, but put into an often sturdy but very well used toolbox, that maybe was their dad's.

          The shinier and fancier the tools the less they get used, and the less is known about their use. Except for new replacements when that spanner you've had since you worked on your first engine in your teens which got lost when the !#$^@$ wife let your !@#%^$! former mate borrow it the other day!

          1. Charles 9

            Nope, you forget scenario three. Mine's the large AND well-worn toolbox, because my dad found himself having to fix A LOT of different things of varying shapes and sizes. Anything from a 6mm socket using a 1/4" ratchet to the four-inch pipe wrench. In another box he held a soldering iron and assorted accoutrements. Two multimeters, multiple saws, and a vice. And ALL of them have been used, multiple times. I've been forced to do the same thing. It's called versatility. Sometimes, you DO need the jack of all trades because although he may not be a master of any one, he can still be good enough to be preferable to the alternatives.

            "You have to bribe the manufacturers to do so - and for them it's a matter of once it's known they let the NSA or whoever doctor their stuff that's it, game over."

            Or blackmail. It's not above the Chinese, is it? As for "game over," that depends on whether or not an alternative is available. If they're a monopoly (say because they hold an essential patent), then they've basically got you up Crap Creek because there's no alternative other than to go without (which depending on the case is not an option for staying in operation).

            And there's always going AROUND the manufacturers and replacing chips or other things en route, or simply finding ways to tamper with firmware and do it in irreversible ways (like the MacOS exploit that then replaced the encryption keys to prevent a reversal).

            1. Kiwi

              Nope, you forget scenario three. Mine's the large AND well-worn toolbox, because my dad found himself having to fix A LOT of different things of varying shapes and sizes.

              I have 2 socket sets - a "large" one with metric sizes from 8mm to 26mm and comparable imperial sizes (I haven't seen an imperial bolt on a vehicle in many years, I don't think I've ever taken one of the imperial sockets out) and a baby one sizes 4-16mm, again comparable imperial sizes. I don't believe there is an engine from a 20-odd CC chainsaw engine up to a small truck engine that needs anything out of that. I also have a couple of sets of spanners, because sometimes you need two spanners of the same size. I have a couple of special shaped spanners for a couple of bolts on my bike; they're for convenience NOT for need (I can get a normal spanner in there but I can only get a small turn). I have 2 multimeters, a loaner and my good one, which is kept in a locked cabinet thanks to the reason my loaner is now a loaner. I also have a test light I've had for near 30 years and was the first non-soldering/electronic tool I purchased back when I was 16. I also have a small set of "jewelers" screwdrivers and some other tools (like star drives for HDDs and the like) and 2 (yes, only 2) multi-tip screwdrivers. One seems to be cheap plastic but I've had it since my 17th birthday, the other I've had about 10 years. And of course a wide range of tips to match. Oh, and I have 2 sets of Allen keys, one coz it was cheap and has a couple of sizes my other one doesn't (and I've never used them after all) and the other because. Erm. Oh yeah, I wanted a longer one for the capscrews on my bike's engine and decided to buy a set rather than the individual specific tool.

              I have enough tools to dismantle any vehicle from SUV down, and enough for 2 or even 3 people to do it. Anything special I borrow or hire, or get the vehicle owner to buy the tool.

              Anything from a 6mm socket using a 1/4" ratchet to the four-inch pipe wrench.

              Oh, I got one of them too. Not sure why. Probably a throw-back to my farming days and maybe it wasn't even mine. And a couple of pairs of vice-grips, again because sometimes one isn't enough. And a 4x2 that goes with the vice grips - for the prick who tries to use them in place of the proper tool.

              In another box he held a soldering iron and assorted accoutrements.

              Well yes, you keep those things separate. I now actually have 3 "soldering irons", one for computer/electronic work, a larger one for, well, other work, and just this week a small gas one.

              Two multimeters, multiple saws, and a vice. And ALL of them have been used, multiple times.

              I have a hacksaw, a coping saw and a jig saw. The coping saw seldom gets seen, the hacksaw and jigsaw get pulled out when I want to play with wood. Oh, and a couple of ball-peen hammers.

              It's called versatility.

              You can be versatile without a truckload of tools. It's knowing what to use and how to use it properly that matters, NOT how many different spanners of the same size you can call on.

              Sometimes, you DO need the jack of all trades because although he may not be a master of any one, he can still be good enough to be preferable to the alternatives.

              Yup. I'm not a Suzuki specialist and sometimes have to get advice if I can't figure out a fault with a Suzy that doesn't quite seem like a fault I've fixed elsewhere (or seems exactly like one but has another cause). But short of the bits that need specialist tools (eg see John Deere) there is nothing mechanical I can't fix, although sometimes I need a manual (especially where things like camshaft timings are involved).

              "You have to bribe the manufacturers to do so - and for them it's a matter of once it's known they let the NSA or whoever doctor their stuff that's it, game over."

              Or blackmail. It's not above the Chinese, isn't it?

              Er, and how would the NSA etc blackmail a Chinese or other foreign company? Without going to your own peculiar flights of fancy that is, I mean real-world stuff.

              As for "game over," that depends on whether or not an alternative is available. If they're a monopoly (say because they hold an essential patent), then they've basically got you up Crap Creek because there's no alternative other than to go without (which depending on the case is not an option for staying in operation).

              And that happens with general computing tools how often exactly? Extremely rarely. Can you name one actual case of this (again, real world stuff here, sorry but I do have to limit you to reality!)

              And there's always going AROUND the manufacturers and replacing chips or other things en route, or simply finding ways to tamper with firmware and do it in irreversible ways (like the MacOS exploit that then replaced the encryption keys to prevent a reversal).

              The MacOS exploit (like many others of its ilk) must have been blockable once known, otherwise it would've been much more widespread, no? And once the hardware is tampered with using "irreversible ways" then you replace the hardware or airgap it if necessary. And yes, I know you want to say "but what if it's a critical piece of hardware that your factory depends on that's compromised", well either you airgap it, replace it (or the compromised parts), or you accept that your customers will soon learn of this and you'll go the way of OS/2.

              Oh and El Reg, can we please be done with the recraptcha stuff? So annoying having to go through that sometimes half a dozen times with re-typing the message if you forget to (copy the text).

              1. sabroni Silver badge
                Thumb Up

                re: Oh and El Reg, can we please be done with the recraptcha stuff?

                I've never seen a recaptcha prompt on here. Is it only for posts that are way too long for anyone to bother reading, just to piss the poster off?

                Hope so, that's quality tech!!

              2. Charles 9

                "You can be versatile without a truckload of tools. It's knowing what to use and how to use it properly that matters, NOT how many different spanners of the same size you can call on."

                And having a truckload of tools can make you MORE versatile. Assortment for assortment's sake may not mean much, but an assortment you ACTUALLY USE regularly is a whole other thing. You can't employ something you don't have, and it's hard to reach down to a 6-inch recessed nut without an extension rod, for which there are few acceptable substitutes. Similarly with things like Torx-head screws. Plenty of things in the world where one size can't fit all.

  6. Conundrum1885

    Ah Hell NO!

    The worst thing is that thanks to this my volume of SPAM just went up two orders of magnitude.

    Yes airgaps work. So does Epoxy in the USB, headphone and unused keyboard ports, seems some folks worked out how to use an SDR and powerful ultra-precise narrow band radio transmitter to fake out the signals the PC is expecting from a PS2 keyboard *without touching the machine* thus negating airgaps.

Devised a defence though: put a 560 ohm resistor between the data/clk lines and GND, then epoxy over that.

I did work out that modulating the CPU clock can send data at about 100bps; in fact you can get better than that by using multilevel data, i.e. 0,1,2,3 being different CPU core usage patterns and thus more/less clock speed.

    The VGA hack has been known since way back, similar principles to the "Evil Maid Attack" where someone plugs in a device into a live machine's exposed HDMI or VGA port that then runs attack tools to pwn the host, in less than 24 seconds.

Fix here is problematic. I resorted to cutting the ID lines and modwiring in a written e2prom chip with the most common monitors pre-coded via keyboard shortcuts. Seems to work, so no data can be infiltrated in this way.

    1. Wensleydale Cheese

      Re: Ah Hell NO!

      "The worst thing is that thanks to this my volume of SPAM just went up two orders of magnitude."

      I've noticed an uptick in the level of spam here.

      FWIW, "SPAM" is the trademark for the meat product which comes in tins, "spam" is the stuff that comes by email.

      1. Steve Davies 3 Silver badge

        Re: SPAM

        Don't forget the {immortal} Monty Python sketch of the same name.

  7. Dwarf

    Back doors

And yet some people don't understand why government back doors in encryption are a really bad idea.

    Trust us they say, we will keep it really secure.

  8. Anonymous Coward
    Trollface

    Nation state grade

    I'm loving seeing the "nation-state grade software" phrase thrown around. Would anyone rush out to buy a nation-state grade wordprocessor? The nation-state grade website I have to use to fill in my tax returns isn't exactly a shining example of the state of the art. This stuff must come from those 'other' government-paid devs, yeah? You know, the really good ones. :-)

    Yes, this is (mostly) a joke. I know it's serious stuff!

    1. Anonymous Coward
      Anonymous Coward

      Re: Nation state grade

      Of course, the USA isn't a "nation state". A "nation state" would be something like Armenia, say: https://en.wikipedia.org/wiki/Nation_state

    2. Wensleydale Cheese

      Re: Nation state grade

      "I'm loving seeing the "nation-state grade software" phrase thrown around. "

      I think it's meant to indicate that huge bucket loads of money are available to buy the expertise and support it with loads of hardware.

      In reality,

      a) government pay scales are simply not that good

      b) truly bright developers will choose to work in industry sectors involving something more constructive.

  9. John Smith 19 Gold badge
    Unhappy

    Congratulations US readers. These really are your tax $ at work.

    Admittedly mostly what they are at work doing is sending you spam, pwning your machines, slurping your data or just plain robbing you through online card fraud.

    You must be so proud your country can field such top drawer malware writing talent on Civil Service salaries. For some it's still about more than money. It's about doing a solid job of work and a real sense of achievement.

    Of creating a range of tools with which now almost anyone on the planet can screw up almost any PC on the planet.

    Yey for that.

    God bless America.

  10. Anonymous Coward
    Trollface

    Criminal..

    >Alphabet agencies destroying your rights (for your safety of course) so those nasty criminal types cant hurt you,

    >then be completely incompetent at keeping their own criminal tools secured

    >that there are now more better equipped criminals making your systems unsafe

    With so much FAIL I have to wonder who is on the line for it all, as we hear of these fuck ups but rarely hear of anyone being held responsible for it.

  11. Anonymous Coward
    Anonymous Coward

    Remember folks, if its done by the government, its normally the work of the lowest bidder.

  12. Missing Semicolon Silver badge
    Happy

    All these caps....

    Sounds like CASE NIGHTMARE GREEN.

    Or even SCORPION STARE

    -)

    1. GrapeBunch

      Re: All these caps....

      Or even SCORPION STARE

      SCO-R-PION'S TARE

      FTFY

      Anachronistic wish fulfillment where annoying corp reduced to the sweat-soaked shirt on a farm worker's back. Mud-encrusted trousers optional.

  13. Doctor Syntax Silver badge

    Forget the fact that these might be old versions of the OS. Forget the fact that they're not patched. Why are these idiots exposing SMB services on the open net?

    1. Anonymous Coward
      Anonymous Coward

      I'm not an idiot. I'm running a fake SMB node with a vampire sniffer on the network port of a honeypot host to capture whatever people are using to break into systems and then use it for my own porpoises. *squeek* *squeek*

NSA or Scripty McKiddie, you can't hide your packets from me. No device is phoning home without leaving a trace at my egress, and you can't break down the door without me recording it. It's just not done, me old son. You need to get a vuln into my hardware at the factory BEFORE I purchase it, or get with the big boys and buy a white van and stick your fancy Tempest gear in there and pretend you're a laundry, or pet grooming, service. Otherwise, no sale, Agent 86.

      "SHOOT THE MOON!"

      "NO, YOU IDIOT, over the radio!"

"Sorry. Shoot the moon. Repeat. Shoot the moon."

      1. Charles 9

        Easy enough. Encrypted packets bound for a white listed address or mixed into an existing encrypted session. The plods intercept the data upstream. Plus they really could be pwning the network chips. What then? You can't roll your own because of hardware patents.

        1. Kiwi

          You can't roll your own because of hardware patents.

Erm, you do know that patents aren't a magical spell that stops someone else from copying/doing the same thing as you, right? I'm pretty sure that all the details on how stuff works to get a data packet created in a computer and then on its way out to a router are readily available online, such that someone with the technical expertise and appropriate tools could create what they wished. And if I was going so far as to create my own network hardware, I doubt some magical spell patent would bother me.

          1. Charles 9

            "I doubt some magical spell patent would bother me."

But you'd also be running the significant risk of being found out and giving the plods another excuse to come after you.

    2. P. Lee

      >Forget the fact that these might be old versions of the OS. Forget the fact that they're not patched. Why are these idiots exposing SMB services on the open net?

Realistically, if SMB is open on the net, they've already been pwned. It's just now that the script kiddies have got hold of the machines and are making it obvious.

  14. zen1

    I dunno

Something still smells rotten... How do we know this isn't some sort of way of infecting the wanna-bes for more intel? And given what little I know about NSA Ops, this stuff was probably considered obsolete a while ago, even though it's "new" to us.

  15. Anonymous Coward
    Anonymous Coward

    "The polite term for what's happening is a bloodbath. The impolite version is dumpster fire clown shoes shit show," Tentler said.

    ----

    I like this guy. He has a way with words...

    FUBAR also works.

    I wonder how long it will take for the next toolkit to get written then released out into the wild. I figure the bad guys will wait a while, there are a lot of victims out there to chew through.

On the bright side, the hackers will get lazy and stop writing new code/exploits while waiting for their next free bounty courtesy of the American taxpayers.

    1. John Smith 19 Gold badge
      Unhappy

      "how long it will take for the next toolkit to get written then released out into the wild."

      Shouldn't that be "stolen" and then dumped in the wild, like an unwanted kitten (or perhaps given the potential threat level a baby Wolverine)?

      It remains quite extraordinary, given the NSA's awareness of computer and communications security threats, how it was even possible to acquire a copy of these applications in the first place.

  16. Bearshark

Most bank ATMs still use an embedded version of XP. Now banks and technology don't mix very well (yelling at my bank for no 2FA).

That being said, how many banks are too nub to block these ATMs from the internet???

  17. Chronos
    FAIL

    Potentially useful precedent

    If their "secret" hacks can leak, what is to stop any backdoor crypto key, something they seem to want to force upon us, doing the same? QED.

  18. Grunchy Silver badge

    Can you hack my DOS 6.22?

    If you can't then I don't think I've got a problem.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can you hack my DOS 6.22?

      Don't think they can't. DOS doesn't carry any kind of authentication, so what's to stop them replacing any number of baseline utilities with hacked versions while you're away? As for egress, perhaps using the PC speaker at either ultrasonic or infrasonic frequencies.

      Just remember some of the first malwares ever created targeted console-based OS's.

    2. patrickstar

      Re: Can you hack my DOS 6.22?

Back in the day, DOS boxes were frequently crawling with virii.

      And BBS systems running on DOS were frequently hacked.

Even simple stuff like ANSI bombs was a thing too (print ANSI escape sequences to re-map the keyboard to do nasty things next time you pressed a key). Or shell escape hacks.

      Since DOS has no memory protection at all, plus pre-dates secure coding practices, I'd assume you'd be quite royally screwed if you ran some sort of network server on DOS and someone was actually out to get you. Maybe your average DOS application is a little less worse off since Pascal was a lot more common than C, but still.

      (Yes, there are network services and Ethernet drivers for DOS - I haven't done much TCP/IP personally though, maybe setting up a BBS for inbound telnet or such. I have run a lot of TCP/IP on Win 3.1x though, and it's not much better protection wise).

  19. Anonymous Coward
    Anonymous Coward

    All part of the plan.

    1. Leak a load of hacks.

    2. Create chaos.

    3. Use the same attacks to hide in the chaos.

    /Tinfoil hat

  20. Craig 31

    And it's coming

What I'm waiting for is when they realise BITS is open to vulnerabilities.

Rebuild a PC, no NIC drivers installed, but it still gets Windows updates. HOW?

  21. This post has been deleted by its author

  22. This post has been deleted by its author

  23. John Smith 19 Gold badge
    Unhappy

    Does anyone but MS understand BITS?

    I saw this thing running on a machine and thought "WTF is this taking up resources doing?"

    TBH I get the feeling it's one of those ideas that is probably quite clever and deserves a wider audience, except no one else actually uses it.

    1. patrickstar

      Re: Does anyone but MS understand BITS?

      It's well documented, and is even usable from PowerShell.

      Can't say I have seen it used much in third-party software though.

      As to vulnerabilities - it's basically a glorified HTTP client. I wouldn't be more worried about it than any other. Which is still a non-zero amount of worry, since apparently humanity hasn't evolved to the point where a simple protocol implementation can't pwn your computer...
