Skip to Content

Baltimore’s Ransomware Mess Is Its Own Fault—Cyber Saturday

Baltimore Mayor Pugh Announces Her ResignationBaltimore Mayor Pugh Announces Her Resignation
Baltimore City Hall in Maryland. Information security professionals are debating who to blame for a city-crippling ransomware infection that is said to have involved an NSA hacking tool which leaked publicly in 2017.Alex Wroblewski—Getty Images

Since early May, Baltimore has been grappling with a city-crippling ransomware attack. A fiery debate has erupted within the information security community over who is to blame for the mess.

The match that lit the blaze: A story published by the The New York Times last weekend claiming the U.S. National Security Agency is partly responsible for helping to spread the computer-seizing digital infection. The report alleges that hackers used malware, dubbed RobbinHood, paired with EternalBlue, a powerful, self-propagating hacking tool allegedly developed by the NSA to target (now outdated) Microsoft Windows software. The code behind EternalBlue leaked online at the hands of a mysterious, still-unknown entity called the ShadowBrokers in 2017, and nation state actors have used the weapon to launch destructive cyberattacks—including North Korea’s WannaCry and Russia’s NotPetya—costing billions of dollars in damages for businesses and governments around the globe.

Because NSA lost control of this hacking tool, an alleged “key component” of the latest ransomware, according to the Times, the paper lays blame at the spy agency’s feet.

The backlash on that point has been fierce. Some information security professionals have argued that the malware in question did not need EternalBlue to wreak its havoc. Dave Aitel, a former NSA hacker and present chief security officer of Cyxtera, a data center company, wrote on his personal blog that “that particular exploit being used to do lateral movement for this ransomware is neither supported by any public facts, nor my own sources on the issue.” Alternative means of propagation were far likelier, he said. Rob Graham, CEO of Errata Security, a cybersecurity shop, agreed that even if the ransomware incorporated EternalBlue code, it probably didn’t rely on the tool to spread. “Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn’t mean Eternalblue is responsible for ransomware,” he wrote on his own blog.

Unsurprisingly, the NSA is disclaiming responsibility for the fallout. C.A. Dutch Ruppersberger, a Maryland congressperson, said that senior NSA leaders told him “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City,” as the Times reported in a follow-up story on Friday. Rob Joyce, a top NSA bigwig offered his own form of disavowal: “The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue,” he said in remarks reported by CyberScoop, a cybersecurity news outlet.

The NSA has a point. If EternalBlue truly was key to the Baltimore attack, as the Times initially reported, then it would appear that Baltimore had for years failed to update its computer systems to defend against a known, critical vulnerability. Microsoft released a patch in 2017; the exploit works on machines running Windows software that’s two years out of date. The harsh truth: Baltimore should have been better prepared.

Keeping IT systems up to date and secured is easier said than done, of course. Government offices are perennially resource-strapped and impoverished of tech expertise, struggling to get by on dated equipment. (I used to work in local government—trust me.) And another point to consider: Even if the NSA is not to blame for Baltimore’s debacle, that still does not absolve the agency of its prior negligence. It’s unclear how the spooks lost control of their bag of cyber tricks, including EternalBlue, a couple years ago, let alone the identities of the thieves that call themselves the ShadowBrokers.

As we ponder these questions and wait for Baltimore to release more details about its thwomping, a recommendation: For the love of all that’s holy, please patch this other critical, wormable Windows security hole. Microsoft released a patch for the bug, dubbed BlueKeep, on May 14th, but as of two weeks later 900,000 computers still appear to remain vulnerable, by Wired’s count. If you need a reason to act with celerity, just look at Baltimore.

Do the right thing. Patch.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Ad and subtract. Google is planning to deprecate support for ad blockers in its Chrome browser, save for some enterprise users. Apple has released a technical proposal for limiting the tracking capabilities of web advertisements. For all Apple’s privacy talk, however, it’s got issues of its own; the Washington Post found 5,400 hidden app trackers siphoning data from an iPhone over the course of a single week. Meanwhile, the Wall Street Journal reported on an academic study that found targeted ads are mostly worthless to publishers from a revenue-generating perspective.

Mad-Eye Moody. Credit ratings agency Moody’s on Wednesday downgraded from “stable” to “negative” its outlook for Equifax, the credit bureau, based on fallout from a major 2017 cyberattack. This is “the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a Moody’s spokesperson, told CNBC. Contributing to the markdown: an estimated $690 million in regulatory fines and legal settlements, plus an expected $400 million per year in cybersecurity and infrastructure upgrades for the next couple years. On the other side of the world, Chinese billionaire tech tycoons are losing billions of dollars for other reasons.

Crossing off the shopping list. Cybersecurity “unicorn” CrowdStrike is planning to raise $350 million in an initial public offering on the Nasdaq stock exchange (after settling a two-year lawsuit). Palo Alto Networks continued its months-long acquisition spree, buying two companies: Twistlock, a container security firm, for $410 million in cash and PureSec, a so-called server-less security firm, for an undisclosed sum. Insight Partners, the investment firm, bought out its portfolio company, Recorded Future, a threat intelligence startup, for $780 million. And FireEye picked up Verodin, a cybersecurity firm, for $250 million in cash and stock.

Too big for one’s breaches. Fast food restaurants Checker’s and Rally’s got hit by a data breach that affects customer payment cards at more than 100 locations. Flipboard, the social news app, reset users’ account passwords after suffering a data breach that exposed people’s names, usernames, email addresses, and cryptographically hashed passwords.

Don’t pick a fight with the bouncer.

Share today’s Cyber Saturday with a friend:

http://fortune.com/newsletter/cybersaturday/

Looking for previous Data Sheets? Click here

ACCESS GRANTED

John Podesta’s creamy risotto recipe. What’s it like to train political campaigns on the art of cybersecurity? Maciej Cegłowski, founder of the social bookmarking site Pinboard (perhaps you know his Twitter account), describes the hellish experience in this incredibly entertaining post on his personal blog. If you’re in a rush, skim down to the section titled “things that worked well,” which offers tips on teaching best practices to the uninitiated.

Practical campaign security is a wood chipper for your hopes and dreams. It sits at the intersection of 19 kinds of status quo, each more odious than the last. You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on.

Putting aside the urge to fix these broken systems long enough to help people get work done is the great unsolved problem of campaign security. You will start out a descriptivist and end up a zealot, like I did. Trying to secure a modern campaign is like doing surgery with a scalpel made out of anthrax spores. At some point you will throw down the anthrax scalpel and say “this is impossible!”, as it disappears in a puff of lethal dust. But the patient still needs you!

FORTUNE RECON

British Spies Tried to End Tech’s Encryption Debate. But Their ‘Ghost Proposal’ Only Rekindled It by David Meyer

How Your Privacy Will Be Protected in the 2020 Census by Robert Hackett

The Splinternet Is Growing by Jeff John Roberts

Someone Just Paid $1.3 Million for a Laptop Infested With Malware by Chris Morris

Charges Against Julian Assange Violate First Amendment, Advocates Say by Mark Dent

ONE MORE THING

A plum job. Every six months the U.S. military’s skunkworks, the Defense Advanced Research Agency, or DARPA, runs mock cyberattack exercises on Plum Island, a small piece of land in the Long Island Sound. The objective: Restart a power grid that’s been taken offline by hackers. The drills are practice for adversary-initiated blackouts, as Russia has allegedly caused in places like Ukraine.