If you're surprised the NSA can hack your computer, you need a reality check

We’ve reached a situation where OSes are so complex, they're impossible to secure

NSA data

Colour me shocked. It appears the NSA has been collecting a treasure trove of hacks for Windows, both desktop and servers, covering all versions of the OS bar Windows 10. And this toolbox of capabilities, which also included ways to get into banking and other related systems, has leaked to the public.

I suspect your jaw isn't gaping in surprise. What's followed has been just as predictable.

First, there's shock that the NSA might have built such a collection of exploits. Sorry, what do you expect the NSA to be doing? Creating toolkits that can be used against undesirables is what it exists for. Injecting custom spyware onto the laptop of a terrorist could bring up incredibly useful intelligence information, after all.

Then there's the public horror that the NSA didn't tell Microsoft about the exploits. Why is anyone surprised? Sure, it's good practice for security researchers to tell Microsoft (or Apple, Facebook, Google, whoever) that they've uncovered a security hole. There are processes in place by which such reports are made, the vendor is given time to patch things and issue an update, and then the exploit is made public once the patch has been issued. It's all very gentlemanly, and some companies even offer financial rewards.

Would I expect the NSA to tell Microsoft about the exploits? Of course not. Keeping such flaws hidden from Microsoft meant they were exploitable for as long as possible.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

No-one is suggesting the NSA, or any other equivalent organisation, is using these tools against the wider population. I don't think there have been mass deployments of EmeraldThread or EternalRomance or EclipsedWing or any of the other rather charming codenames. (Nasty1 and Nasty2 and ReallyNasty3 just don't have the same ring to them.)

But then we come onto the real problems. The tools have now been released into the wild, and it doesn't take much effort to download them. This means there will be a flood of script kiddies trying them out and targeting everyone from NASA to the takeaway down the street. That's a whole pile of grief no-one needed.

It would be interesting to analyse which antivirus packages would protect you against these exploits. My hunch, backed by discussions with friends in the industry, is almost none. As they say about financial results, past performance is no guarantee of future results.

Even so, now the toolkit has leaked, it's of much less use to the NSA, and any other organisations that might have had access to it. That can't be a good thing. Don't confuse that statement with any desire on my part to see government-mandated encryption backdoors being forced into end user applications. I see a difference between what an organisation such as the NSA or GCHQ does and the far more widespread misuse of data-snooping that we have seen in the UK. And my distrust of the ability of government departments, including the NHS, to keep massive datasets secure has almost no limits.

Then we come to Microsoft's interesting claim that these exploits have been patched already, but only very recently. One wonders whether the NSA told Microsoft about the leak once it knew its toolkit was compromised and Microsoft went into top gear to get fixes out as soon as possible.

Advertisement - Article continues below

It does mean, of course, that the old mantra about running only the most current and fully patched versions of applications and operating systems is as true today as it has ever been. Microsoft rather coyly states that "Of the three remaining exploits, EnglishmanDentist', EsteemAudit', and ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk." So if you're on XP, you're on your own.

It's also true that we've managed to get ourselves into a situation where OSes are so complex that it is now effectively impossible to ensure they are secure. The approach taken by Apple's iOS, forcing a walled garden approach on the developers and the execution of code, is arguably the most secure widespread end user platform available. But that still doesn't mean that the core OS itself is secure. Is open source the answer? Maybe, but exploits are found there too.

You may be thinking I'll use this final paragraph to deliver the answer. Sadly, there isn't one. If GCHQ or the NSA want to access my computers, they will either hack their way in, use a backdoor that we don't know about, or just turn up with a warrant and remove every device fitted with a mains plug. And there is nothing I, or you, can do.

This article originally appeared in PC Pro.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/cyber-security/354540/nsa-hands-serious-flaw-to-microsoft-rather-than-use-it
cyber security

NSA hands serious flaw to Microsoft rather than use it

15 Jan 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020