
Risk & Repeat: Microsoft slams NSA over EternalBlue


In this week's Risk & Repeat podcast, SearchSecurity editors discuss Microsoft's sharp criticism of the NSA over the EternalBlue Windows vulnerability and WannaCry ransomware.

In the aftermath of the WannaCry ransomware attacks this month, Microsoft took the unprecedented step of publicly calling out the National Security Agency for hoarding vulnerabilities and exploits, such as EternalBlue.

The WannaCry ransomware worm spread using EternalBlue, an exploit for a critical vulnerability in the Windows Server Message Block (SMB) protocol, which was released to the public by the Shadow Brokers last month.

The Shadow Brokers claim to have stolen EternalBlue and other exploits and cyberweapons from another hacking outfit called the Equation Group, which has been tied to the NSA. While Microsoft issued a patch for the vulnerability a month before the exploit was published, many organizations failed to update their Windows systems and were left exposed to the WannaCry ransomware worm.
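The exposure described above is something an administrator can check for directly. The script below is an added example, not code from the article or from Microsoft: it reports whether a Windows host still has SMBv1 enabled, whether TCP port 445 is listening, and, on pre-Windows 10 builds, whether one of the MS17-010 updates appears in the installed hotfix list. The KB list is an assumption for illustration and must be confirmed against Microsoft's MS17-010 bulletin for the specific OS build; on Windows 10 later cumulative updates supersede those KBs, so the hotfix check returns nothing meaningful there and the SMBv1 check is the one to rely on.

```powershell
# Added example (not from the article): audit one Windows host for the SMB
# exposure that EternalBlue and WannaCry took advantage of.
# Requires Windows 8 / Server 2012 or later for the Smb* and NetTCP* cmdlets.

# ASSUMPTION: KB identifiers for the MS17-010 update on Windows 7 / 2008 R2
# (security-only and monthly rollup) and the out-of-band update for older
# systems. Verify against the MS17-010 bulletin before trusting this list.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Hotfix {
    # Returns $true if any of the listed KBs shows up in Get-HotFix.
    # Only meaningful on pre-Windows 10 builds; cumulative updates on
    # Windows 10 are not listed under these KB numbers.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$found
}

function Test-Smb1Enabled {
    # $true  = SMBv1 server side is enabled (exposed to EternalBlue-style traffic)
    # $false = disabled
    # $null  = cmdlet not available on this OS, so check manually
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Smb445Listening {
    # $true if anything is listening on TCP 445 on any local address.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return [bool]$listener
}

function Disable-Smb1Server {
    # Hardening step: turn off the SMBv1 server. Confirm nothing legacy
    # (old NAS, printers, XP-era clients) still depends on it first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# --- run the audit ---
$result = [PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    Smb1Enabled      = Test-Smb1Enabled
    Port445Listening = Test-Smb445Listening
    Ms17010HotfixSeen = Test-Ms17010Hotfix
}
$result | Format-List

if ($result.Smb1Enabled -eq $true) {
    Write-Warning "SMBv1 is enabled on $($result.ComputerName); run Disable-Smb1Server once legacy dependencies are ruled out."
}
if ($result.Port445Listening -and $result.Smb1Enabled -ne $false) {
    Write-Warning "Port 445 is listening and SMBv1 is not confirmed disabled; block 445 at the perimeter until patched."
}
```

Run it from an elevated PowerShell session. A host that reports `Smb1Enabled : False` is not reachable by the SMBv1 path the worm used regardless of patch level; a host that reports `True` with `Ms17010HotfixSeen : False` on an older build is exactly the unpatched, exposed system the article describes.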

Brad Smith, president and chief legal officer at Microsoft, wrote a blog post regarding WannaCry and claimed it was "yet another example of why the stockpiling of vulnerabilities by governments is such a problem." He also criticized the NSA by name for failing to disclose EternalBlue and other serious exploits to vendors like Microsoft so they could be patched.

"This is an emerging pattern in 2017," Smith wrote. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."

In part two of Risk & Repeat's discussion on the WannaCry ransomware attacks, SearchSecurity Senior Reporter Michael Heller joins editors Rob Wright and Peter Loshin to discuss Microsoft's pointed criticism of the U.S. government, the repercussions of the NSA's practice of hoarding vulnerabilities and the effect WannaCry may have on the Vulnerabilities Equities Process.


In light of the WannaCry ransomware attacks, how should the U.S. government handle undisclosed vulnerabilities?
It is the duty of every user when they install a software application by clicking "I agree" that if they discover a software vulnerability to submit it to the manufacturer. Even if that wasn't in the "agreement", it's still a moral and ethical dilemma by not submitting it for patching. The NSA's lack of due diligence is one of two things...either they wanted something like this to happen...or they didn't. Either way, it did, and is leaving Americans open in the future...because everyone knows that vulnerabilities in the future will not be handed over freely - and hackers will always know there is a backdoor into the software because of it.
Switch to a version of Linux.
A RANDOM version.
If everyone is scattered across 100 different operating systems, then the take from building a piece of malware to target one is so much less ...

Go to national internets (restricted to one nation). If they hack you from inside your country, you can send the cops after them. If they hack you from central China, you can't do anything.
I'm not about to switch to Linux (ugh...) but the logic behind this idea isn't bad. Too many companies/agencies have nearly identical IT stacks, which makes it easier for hackers to re-use their attacks on multiple targets.