Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?

from the Betteridge-and-Glomar-combine-to-say-'we'll-probably-never-know' dept

The NSA’s exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA’s Tailored Access Operations (TAO) toolkit, containing several zero days — including one in Cisco’s (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.

The thing about these vulnerabilities is that they aren’t new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for awhile. The fact that companies affected by them don’t know about these flaws means the NSA hasn’t been passing on this information.

Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies “90% of the time.” Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.

The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with — “a clear national security or law enforcement need.”

Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there’s almost always a “need” that outweighs the general public’s security and safety.

Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.

“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.

He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”

Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”

So, there’s no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it’s no longer effective. The agency’s name alone grants it a presumption of secrecy because, after all, nothing has more “national security needs” than the National Security Agency.

This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it’s OK because it’s only the “good guys” doing good things with them. The exploits will be sold to the highest bidder — whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to highest bidder — which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.

Matt Blaze — referring to the just-disclosed Cisco zero day — wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn’t it disclose the vulnerabilities to affected developers?

I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn’t they report the Cisco 0day?

Neither scenario is particularly flattering. Although it’s presumed the hackers didn’t actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.

The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there’s no longer any “what if” about it. The NSA knew exploits were in the “wrong” hands but withheld this info to continue utilizing the exploits. If that’s the case, the NSA is complicit in any exploitation by the “wrong” people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.

It may be that the NSA truly didn’t know about this hacking until the hackers started passing out parts of its exploit hoard, but that’s not exactly comforting considering the agency’s efforts to be declared the overseer of the US government’s CyberWar.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?”

Subscribe: RSS Leave a comment
pegr (profile) says:

Re: Yet another backdoor backfiring...

As a current example: Cisco knew they had a problem when Snowden leaked details about SNOWPLOW in 2013, yet, with all the resources and technical expertise at their disposal, didn’t bother to patch their vulnerable code until the actual SNOWPLOW exploit hit the public.

Did Cisco know about the vulnerability but purposefully refuse to address the vulnerability until the exploit leak forced their hand? If so, why?

Mind if I tell you? Because they knew that if they patched that flaw, they would no longer have any Federal government business. The Feds are Cisco’s biggest customer.

TL;DR: Cisco intentionally subjected their customers to a known security flaw for over three years to curry favor with the Feds. So who do you trust?

Jason says:

Leaving aside the current mass surveillance situation (if that’s even possible) this is a perfect example of why the NSA should be split in two. Having the same agency that’s supposedly responsible for protecting national infrastructure from online attack also be responsible for active surveillance and direction of some very similar attacks is practically asking for this kind of thing to happen.

Anonymous Coward says:

Re: hi again techdirt

the hacking group for the nsa stopped using the tools about 1.5 months ago indicating they were no longer usable at that time cause thats when it was discovered they were hacked….

thats still 1.5 months….

…which only means that they discovered the hack 1.5 months ago and said nothing. It says nothing about how long ago the hack actually took place. This actually makes it worse; the NSA didn’t notice the hack for an extended period AND didn’t notify the targets when they discovered the leak.

DannyB (profile) says:

90 % of WHAT time?

NSA declared that it passed on information about vulnerabilities to affected companies “90% of the time.”90% of WHAT time?

90% of the time after NSA learned that a vulnerability had become known outside of NSA?

90% of the time after NSA learned that a vulnerability had been patched by the vendor?

Ransomeware business model . . .
This system has had Windows 10 installed.
To restore this system to a usable state, please send 3 Bitcoin to the following.

That One Guy (profile) says:

Par for the course really

You’re talking about an agency that would be perfectly fine deliberately sabotaging encryption, making everyone less safe and secure, simply because it makes their job easier.

Given that it’s hardly a surprise that they would ‘forget’ to inform companies of an exploit or vulnerability as doing so would make their jobs harder(and everyone else more secure), and we can’t have that now can we?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...