Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?
from the Betteridge-and-Glomar-combine-to-say-'we'll-probably-never-know' dept
The NSA’s exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA’s Tailored Access Operations (TAO) toolkit, containing several zero days — including one in Cisco’s (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.
The thing about these vulnerabilities is that they aren’t new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for awhile. The fact that companies affected by them don’t know about these flaws means the NSA hasn’t been passing on this information.
Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies “90% of the time.” Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.
The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with — “a clear national security or law enforcement need.”
Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there’s almost always a “need” that outweighs the general public’s security and safety.
Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.
“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.
He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”
Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”
So, there’s no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it’s no longer effective. The agency’s name alone grants it a presumption of secrecy because, after all, nothing has more “national security needs” than the National Security Agency.
This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it’s OK because it’s only the “good guys” doing good things with them. The exploits will be sold to the highest bidder — whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to highest bidder — which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.
Matt Blaze — referring to the just-disclosed Cisco zero day — wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn’t it disclose the vulnerabilities to affected developers?
I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?
— matt blaze (@mattblaze) August 18, 2016
I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn’t they report the Cisco 0day?
Neither scenario is particularly flattering. Although it’s presumed the hackers didn’t actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.
The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there’s no longer any “what if” about it. The NSA knew exploits were in the “wrong” hands but withheld this info to continue utilizing the exploits. If that’s the case, the NSA is complicit in any exploitation by the “wrong” people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.
It may be that the NSA truly didn’t know about this hacking until the hackers started passing out parts of its exploit hoard, but that’s not exactly comforting considering the agency’s efforts to be declared the overseer of the US government’s CyberWar.
Filed Under: disclosure, exploits, nsa, reporting, tao, vep, vulnerabilities equities program, vulnerability, zero days
Comments on “Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?”
Yet another backdoor backfiring...
While these may not be officially sanctioned backdoors by companies, they have the same effect… Yet another reason we don’t need to willfully undermine security… There is no such thing as a safe backdoor (exploits included).
Re: Yet another backdoor backfiring...
As a current example: Cisco knew they had a problem when Snowden leaked details about SNOWPLOW in 2013, yet, with all the resources and technical expertise at their disposal, didn’t bother to patch their vulnerable code until the actual SNOWPLOW exploit hit the public.
Did Cisco know about the vulnerability but purposefully refuse to address the vulnerability until the exploit leak forced their hand? If so, why?
Mind if I tell you? Because they knew that if they patched that flaw, they would no longer have any Federal government business. The Feds are Cisco’s biggest customer.
TL;DR: Cisco intentionally subjected their customers to a known security flaw for over three years to curry favor with the Feds. So who do you trust?
Re: Re: Yet another backdoor backfiring...
Or Cisco had received an NSL
forbidding them from disclosing
the flaw AND forbidding a fix.
Would love to hear Cisco publicly
state how long the flaw has existed.
Probably longer than 3 years.
Re: Re: Re: Yet another backdoor backfiring...
That is the most likely scenario. +5 internet’s
This should be pointed to any time someone prominently wants to promote forcibly backdooring encryption. Ask them what happens when (not if) the backdoor keys are released via hack. If the NSA cannot keep its own stuff secure, how do we expect a multitude of law enforcement agencies with the backdoor keys to all keep those keys safe?
Leaving aside the current mass surveillance situation (if that’s even possible) this is a perfect example of why the NSA should be split in two. Having the same agency that’s supposedly responsible for protecting national infrastructure from online attack also be responsible for active surveillance and direction of some very similar attacks is practically asking for this kind of thing to happen.
Re: Re:
Your mistake was in assuming that anyone in the government actually wants to protect national infrastructure from online attack.
Re: Re: Re:
far more profitable to exploit it. what does the lives of their fellow citizens mean when they can make a few hundred thousand or more from not saying anything.
National Security… at the expense of National Security.
WTF NSA? They need to change the name to National Spying Agency. It’s clear they don’t care about our security.
Re: Re:
They believe in retroactive security. Once we are attacked the first time, the attackers can be relatively quickly tracked down and eliminated.
Of course the terrorists know this, which is why they always send suicide bombers.
Super patch
Easiest way to stop this threat to national security is to tell all the companies about the exploits then help close them up. I would hate to lose all power in America due to the NSA wanting to see my private photos.
hi again techdirt
the hacking group for the nsa stopped using the tools about 1.5 months ago indicating they were no longer usable at that time cause thats when it was discovered they were hacked….
thats still 1.5 months….
Re: hi again techdirt
…which only means that they discovered the hack 1.5 months ago and said nothing. It says nothing about how long ago the hack actually took place. This actually makes it worse; the NSA didn’t notice the hack for an extended period AND didn’t notify the targets when they discovered the leak.
hehe 3 years of yeeeee haw
and remember they had these tools in 2013..as the tools state
90 % of WHAT time?
NSA declared that it passed on information about vulnerabilities to affected companies “90% of the time.”90% of WHAT time?
90% of the time after NSA learned that a vulnerability had become known outside of NSA?
90% of the time after NSA learned that a vulnerability had been patched by the vendor?
Ransomeware business model . . .
This system has had Windows 10 installed.
To restore this system to a usable state, please send 3 Bitcoin to the following.
The NSA really does inform companies about 90% of the vulnerabilities it’s found. It just forgot to complete the sentence and say that it’s 90% of flaws from 35 year old computers of the early 80’s that they’re only now just getting around to informing the companies about.
We’ve clearly lost the moral high ground when we purposely let our people be vulnerable in the name of protecting them.
Re: Re:
we let the criminals in and they used crony capitalism to subvert the system
Par for the course really
You’re talking about an agency that would be perfectly fine deliberately sabotaging encryption, making everyone less safe and secure, simply because it makes their job easier.
Given that it’s hardly a surprise that they would ‘forget’ to inform companies of an exploit or vulnerability as doing so would make their jobs harder(and everyone else more secure), and we can’t have that now can we?
I wonder how many NSA agents will be found out as having sold state secretes to foreign powers before this is over.
Yes, pay attention
The phrase “I can neither confirm nor deny,” has meaning. They aren’t going to confirm or deny capabilities, exploits, etc. Plausible deniability, giving away information and a litany of other reasons are why.