Have you heard of the Automated Indicator Sharing capability? No? Well, rumors are that the Trump administration is hoping you get to find out a little more about this intel-sharing program run through the Department of Homeland Security. It apparently involves intelligence sharing between several intel actors in the international community. Does it include Russia? That seems to be the question that President Trump would like asked of DHS. Perhaps as a pushback against the leaks that portrayed (rather accurately) the president as unwittingly sharing at least some classified information with top Russian officials.

The way it works is that companies provide information on hackers and potential vulnerabilities to DHS, which then uses the data to run super-duper-real-secret algorithms that analyze it (including the IP addresses) and thus create threat profiles that can be acted on before any planned hacks occur.

As a former official (gee, what previous administration might he or she have worked for? Bush 43?) stated:

…there’s certain information out there that’s beneficial for everyone to have, like, ‘Hey, this Windows program has a bug.’ When we share cybersecurity information with the Russians, we’re protecting their systems, making sure that no one hijacks their planes and missiles.

Ah. So in that case it’s cool to share, as long as you follow standard protocol. And yes, there is a logic there. You have to compartmentalize information and just give what you need to give. And no more. Fair enough.

But guess what? There is a bug in a certain Windows program that’s been around for a while. And boy did that little bug have consequences, as the world has seen in the last few days. And who first found out how to exploit that bug for their own intel-gathering purposes? Who else but the NSA!

Welcome to the worm-ridden world of SMB v1, apparently a rather old bit of Microsoft code that lets users share files and other stuff. And which, if you’re not still using Windows XP and have actually allowed Microsoft to update your operating system, is probably not on your laptop or other devices. But many people still love their XP and don’t like downloading every update from Microsoft. So we have a problem.

What problem, you say? Well, back around 2013 the NSA found out how vulnerable this bit of code – our SMB v1 – could be and hijacked it to get inside the SWIFT banking system for transferring funds between banks. With a focus on the Middle East. Follow the money, as they say. Unfortunately, the Shadow Brokers cybercriminal group released this flaw and other related tools in their notorious data dump a few months ago.

And now we have the logical consequence of this meshing of private hackers and public spy agencies: WannaCry, the ransomware that shut down hospitals and banks and trains and PCs on a couple of continents. And that seeks out and exploits that old bit of Microsoft code, SMB v1, in order to search for and seal with an encryption key any documents and other valuable files that your infected computer might contain. You get your files back if you deposit Bitcoin at an address, with a conveniently located button on the screen that shows up on your infected machine. And it’s not impossible that WannaCry is being run by Russian hackers.

So just one question for the DHS’ Automated Indicator Sharing capability folks. Did you get the IP addresses of the Shadow Brokers or whoever hacked the NSA and dumped all those vital software tools into the public domain? Or of the cyber thugs who launched the ransomware? And will you help out the public in general with some useful intel? Or is WannaCry just an unfortunate bit of collateral damage in the current landscape of cybersecurity warfare? And the DHS and NSA and whoever else will not be revealing anything that a good Russian hacker can’t steal.