[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Rick Ledgett’s Straw Malware

For some reason, over a month after NotPetya and almost two months after WannaCry, former Deputy DIRNSA Rick Ledgett has decided now’s the time to respond to them by inventing a straw man argument denying the need for vulnerabilities disclosure. In the same (opening) paragraph where he claims the malware attacks have revived calls for the government to release all vulnerabilities, he accuses his opponents of oversimplification.

The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds.  Proponents argue this will allow for the development of patches, which will in turn ensure networks are secure.  On the face of it, this argument might seem to make sense, but it is actually a gross oversimplification of the problem, would not have the desired effect, and would in fact be dangerous.

Yet it’s Ledgett who is oversimplifying. What most people engaging in the VEP debate — even before two worms based, in part, on tools stolen from NSA — have asked for is for some kind of sense and transparency on the process by which NSA reviews vulnerabilities for disclosure. Ledgett instead poses his opponents as absolutists, asking for everything to be disclosed.

Ledgett then spends part of his column claiming that WannaCry targeted XP.

Users agree to buy the software “as is” and most software companies will attempt to patch vulnerabilities as they are discovered, unless the software has been made obsolete by the company, as was the case with Windows XP that WannaCry exploited.


Customers who buy software should expect to have to patch it and update it to new versions periodically.

Except multiple reports said that XP wasn’t the problem, Windows 7 was. Ledgett’s mistake is all the more curious given reports that EternalBlue was blue screening at NSA when — while he was still at the agency — it was primarily focused on XP. That is, Ledgett is one of the people who might have expected WannaCry to crash XP; that he doesn’t even when I do doesn’t say a lot for NSA’s oversight of its exploits.

Ledgett then goes on to claim that WannaCry was a failed ransomware attack, even though that’s not entirely clear.

At least he understands NotPetya better, noting that the NSA component of that worm was largely a shiny object.

In fact, the primary damage caused by Petya resulted from credential theft, not an exploit.

The most disturbing part of Ledgett’s column, however, is that it takes him a good eight (of nine total) paragraphs to get around to addressing what really has been the specific response to WannaCry and NotPetya, a response shared by people on both sides of the VEP debate: NSA needs to secure its shit.

Some have made the analogy that the alleged U.S. government loss of control of their software tools is tantamount to losing control of Tomahawk missile systems, with the systems in the hands of criminal groups threatening to use them.  While the analogy is vivid, it incorrectly places all the fault on the government.  A more accurate rendering would be a missile in which the software industry built the warhead (vulnerabilities in their products), their customers built the rocket motor (failing to upgrade and patch), and the ransomware is the guidance system.

We are almost a full year past the day ShadowBrokers first came on the scene, threatening to leak NSA’s tools. A recent CyberScoop article suggests that, while government investigators now have a profile they believe ShadowBrokers matches, they’re not even entirely sure whether they’re looking for a disgruntled former IC insider, a current employee, or a contractor.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.


While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.


It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

At least some of Shadow Brokers’ tools were stolen after Edward Snowden walked out of NSA Hawaii with the crown jewels, at a time when Rick Ledgett, personally, was leading a leak investigation into NSA’s vulnerabilities. And yet, over three years after Snowden stole his documents, the Rick Ledgett-led NSA still had servers sitting unlocked in their racks, still hadn’t addressed its privileged user issues.

Rick Ledgett, the guy inventing straw man arguments about absolutist VEP demands is a guy who’d do the country far more good if he talked about what NSA can do to lock down its shit — and explained why that shit didn’t get locked down when Ledgett was working on those issues specifically.

But he barely mentions that part of the response to WannaCry and NotPetya.

5 replies
  1. Rugger9 says:

    I do not know why NSA is airing out this dirty laundry now (I am including incompetence on a Luddite scale from professionals who ought to know better).  As I had noted on an earlier thread, publicly acknowledging ownership of code is advertising the tendencies most coders will have (variable names and the like) that identify the authors, and now can be used to search for other rakes waiting to be stepped on.

    For an agency renowned for secrecy (NSA = No Such Agency) this is very strange and there is also the connection to the events of the last week.  I do not believe it is a coincidence between this communique and Hutchins being detained.

  2. Rapier says:

    What’s good for the country has nothing to do with it. What is important is the tens of billions of dollars a year going to the spook industry.  .

    It’s beyond impossible for NSA to secure its shit with thousands of contract employees and I assume a large turnover. It’s a counter espionage black hole. Every leak and escaped piece of malware is actually a plus for the industry because such holds the promise of even more money in a virtuous circle.

    ‘Oh look, we are under attack. More money please’

  3. SpaceLifeForm says:

    Rick, maybe you have heard of Dridex?

    I’m sure you have.

    Note to readers, the following links are very technical. Very. I am including dates for a reason. Evidence that Marcus Hutchins is a WhiteHat.

    Also note that the attack leverages explorer.exe which is always running on Windows. This is the program you use to browse your folders/files.

    Last note. If you really care about security and privacy, you really should avoid Windows. It has been an exploit hole for two decades now.

    First link is from Marcus himself.

    Second link from yesterday. Can not be Marcus.

    Final note (I swear!), the second link refers to how Dridex avoids Anti Virus tools.


    Due to popular request I’m starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most of the posts will be centered around IDA Pro (evaluation edition should work too) with WinDbg as a backend (you can use whatever backend you’re comfortable with). If you’re using something like Immunity or OllyDbg for malware analysis, I recommended following these posts anyway as you’ll soon see why it’s worth learning IDA. I should also add that I am by no means a professional, so if you have a better way to do something please leave a comment explaining your method.


    Dridex has evolved, and now Dridex V4 uses Atom Bombing to perform process injection.

    This method allows Dridex to perform sneaky injections to evade AV solutions.

  4. martin says:

    Meanwhile, after the noise of the reality of what NSA really does was redirected, Mr. Binney slaps our face to get our attention again.
    “Treasure Map is also how intelligence agencies use GPS from cell phones to target drone attack victims. Binney noted there are at least 1.2 million people on the drone hit list.”
    Let that sink in.

    “Binney added that the See Something, Say Something (about your fellow workers) program inside the NSA is “what the Stasi did. They’re picking up all the techniques from the Stasi and the KGB and the Gestapo and the SS; they just aren’t getting violent yet — that we know of — internally in the U.S.; outside is another story.”



Comments are closed.