Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them
from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept
There are still people out there who think it’s a good idea for the government — whether it’s the FBI, NSA, or other agency — to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren’t nearly as interested in keeping nations secure.
The problem is you can’t possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.
Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.
All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.
Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.
Dolan-Gavitt used the Cisco zero-day — one which the company is still unable to completely thwart — for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.
This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency’s exploit toolkit into NSA Everywhere!™ — the NSA’s new “Inadvertent Disclosure” project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) “presumption of disclosure” mandate handed down by the Obama Administration.
The NSA — and its defenders — remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren’t. I guess that’s supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.
But those at the top of the IC heap — and those who work closely with them, like the FBI — need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear — even to true believers like FBI director James Comey — that any hole labeled “GOVERNMENT USE ONLY” isn’t going to keep bad guys out forever.
Comments on “Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them”
Whoever it was that said that two people can keep a secret if one of them is dead, was an optimist.
Re: NSA secrets
The only secret that can be kept forever is Obama’s college records.
It just goes to show
It shows that taking care of the citizens is secondary at best. The mission is more important than the people. I think they took a wrong turn at Albequerque
Re: It just goes to show
Albuquerque? I think you meant Roswell aka the “Weather Baloon Incident”.
Re: Re: It just goes to show
Mebbe s/he meant Albuquerque and will come back to leave a clue. Being a foreigner I am struggling to think of anything historically sinister happening in Albuquerque, maybe it’s a super sekret thing ? Or maybe Los Alamos? Or Santa Fe with all the stenographic secrets hidden in plain view in all the tourist trap art? Las Vegas, NM is definitely not like Las Vegas, NV – I can figure out that much. Albuquerque? Baffled foreigner wants to know.
Re: Re: Re: It just goes to show
It’s a Bugs Bunny quote.
https://www.youtube.com/watch?v=e8TUwHTfOOU
Re: Re: Re: It just goes to show
The only thing even vaguely sinister around here in Albuquerque is the reason why and when Jimmy McGill will turn into Saul Goodman, and we’re interested because the TV show Better Call Saul is filmed here. Breaking Bad was filmed here, too, but we know pretty much how that turned out… except maybe for Saul’s future post BB. We do have Sandia Laboratories, which has been involved in a variety of “interesting” things over the years. And of course the mayor is pushing vanity projects very few citizens want but that happens everywhere.
what about liability?
If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages. Why can’t we do the same with the NSA? They knew that these vulnerabilities were there, and they left the average citizen at risk. Their argument of ‘but terrorists’ holds no water mathematically. For every terrorist’s security that they undermined, they left hundreds of thousands of citizens exposed.
Re: what about liability?
Clearly, you’ve never read a EULA. That’s OK. Nobody else does either. 😉
They have to ask themselves… the NSA… Which would keep the nation safer? Using exploits to “catch” criminals and exactly how many criminals would be caught, or letting Cisco know they had a pretty bad exploit and how many people would be better protected if the NSA gave up this to protect the citizens of the US and others in the world that use Cisco products.
Their take on it is obviously clear. They’d rather keep the exploits and put the nation(s) at risk so they can keep on being supah dupah cool hacking guys. Go Merika!!!
Re: Re:
In the next breath, they’ll ask for Silicon Valley’s help. Hmmm… Sure!
Should we really expect the government to safeguard the public from computer viruses any better than this same government’s sorry history with biological viruses?
We must not forget that this is the same government that previously used the American civilian population as (non-consenting) human guinea pigs to test all kinds of chemical, biological, and nuclear weapons.
http://www.rense.com/general36/history.htm
Re: Re:
You forgot actively poising people during (and after) prohibition, withholding effective medial treatment for STDs to name just two more.
To paraphrase
To paraphrase President Reagan, “The scariest words in the English language are, ‘We are the government, and you can trust us.'”
Re: To paraphrase
No. That’s second scariest. The scariest words are “I have run out of things to read.”
National Anti-Security Agency
To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.
Wonder how well thats working out for them.
Re: National Anti-Security Agency
“To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.
Wonder how well thats working out for them.”
Just fine. Best job creation scheme and budget multiplier they’ve thought up so far.
"Our (job) security IS national Security!"
The NSA doesn’t care because the exploits aren’t likely to be able to be used against them, which means they don’t care who else is impacted so long as their security isn’t compromised and they can continue to use exploits to make their job/whims easier.
The NSA cares about their privacy and security, they couldn’t care less about the privacy and security of anyone else, and if anything they tend to actively works against the privacy and security of others so that they can scoop up more personal data easier.
It’s getting more difficult by the day to discern the good guys from the bad guys…
Re: Re:
Not really. Ignore the badges, the suits, the official positions and statements and look only at what they do. A person can say anything, what they do is what really matters and shows their real goals and positions.
Using that method of sorting it’s pretty clear that the NSA and the other government agencies are not the ‘good guys’, as they demonstrate time and time again that they don’t care about the public and will even actively work against the best interests of the public as they only care about their own power and are willing to do whatever it takes to protect it, even at the public’s expense.
Re: Re: Re:
And this is why the claims that America is becoming a Global threat are valid and serious!
Government of what?
Again the government shows that it’s not the government of the people, but the government of itself.
Re: Government of what?
If governing means rising to your level of incompetence, then you’re absolutely correct the government can govern itself.
Typically the government is just in the business of bustin’ whistle blowers, and takin’ money from the populace to fund their pet projects and pad their pockets.
In fact of all the government employees that I got to work with and know personally the ones who only had the authority to govern themselves and no one else are some of the hardest working people I know. Honestly those people make all of our lives better.
Golden Key
This is but further proof that an encryption “golden key” for “Official Government Use” is a monumentally bad idea. If you can’t keep track of your toys, we will not give you any more!