Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them

There are still people out there who think it’s a good idea for the government — whether it’s the FBI, NSA, or other agency — to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren’t nearly as interested in keeping nations secure.

The problem is you can’t possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.

Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.

All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.

Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.

Dolan-Gavitt used the Cisco zero-day — one which the company is still unable to completely thwart — for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.

This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency’s exploit toolkit into NSA Everywhere!™ — the NSA’s new “Inadvertent Disclosure” project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) “presumption of disclosure” mandate handed down by the Obama Administration.

The NSA — and its defenders — remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren’t. I guess that’s supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.

But those at the top of the IC heap — and those who work closely with them, like the FBI — need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear — even to true believers like FBI director James Comey — that any hole labeled “GOVERNMENT USE ONLY” isn’t going to keep bad guys out forever.

Comments on "Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them"

Anonymous Coward says:

Re: Re: It just goes to show

Mebbe s/he meant Albuquerque and will come back to leave a clue. Being a foreigner I am struggling to think of anything historically sinister happening in Albuquerque, maybe it’s a super sekret thing? Or maybe Los Alamos? Or Santa Fe with all the stenographic secrets hidden in plain view in all the tourist trap art? Las Vegas, NM is definitely not like Las Vegas, NV – I can figure out that much. Albuquerque? Baffled foreigner wants to know.

DebbyS says:

Re: Re: Re: It just goes to show

The only thing even vaguely sinister around here in Albuquerque is the reason why and when Jimmy McGill will turn into Saul Goodman, and we’re interested because the TV show Better Call Saul is filmed here. Breaking Bad was filmed here, too, but we know pretty much how that turned out… except maybe for Saul’s future post BB. We do have Sandia Laboratories, which has been involved in a variety of “interesting” things over the years. And of course the mayor is pushing vanity projects very few citizens want but that happens everywhere.

mcinsand says:

what about liability?

If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages. Why can’t we do the same with the NSA? They knew that these vulnerabilities were there, and they left the average citizen at risk. Their argument of ‘but terrorists’ holds no water mathematically. For every terrorist’s security that they undermined, they left hundreds of thousands of citizens exposed.

I.T. Guy says:

They have to ask themselves… the NSA… Which would keep the nation safer? Using exploits to “catch” criminals and exactly how many criminals would be caught, or letting Cisco know they had a pretty bad exploit and how many people would be better protected if the NSA gave up this to protect the citizens of the US and others in the world that use Cisco products.

Their take on it is obviously clear. They’d rather keep the exploits and put the nation(s) at risk so they can keep on being supah dupah cool hacking guys. Go Merika!!!

Anonymous Coward says:

Should we really expect the government to safeguard the public from computer viruses any better than this same government’s sorry history with biological viruses?

We must not forget that this is the same government that previously used the American civilian population as (non-consenting) human guinea pigs to test all kinds of chemical, biological, and nuclear weapons.


That One Guy says:

"Our (job) security IS national Security!"

The NSA doesn’t care because the exploits aren’t likely to be able to be used against them, which means they don’t care who else is impacted so long as their security isn’t compromised and they can continue to use exploits to make their job/whims easier.

The NSA cares about their privacy and security, they couldn’t care less about the privacy and security of anyone else, and if anything they tend to actively work against the privacy and security of others so that they can scoop up more personal data easier.

That One Guy says:

Re: Re:

Not really. Ignore the badges, the suits, the official positions and statements and look only at what they do. A person can say anything, what they do is what really matters and shows their real goals and positions.

Using that method of sorting it’s pretty clear that the NSA and the other government agencies are not the ‘good guys’, as they demonstrate time and time again that they don’t care about the public and will even actively work against the best interests of the public as they only care about their own power and are willing to do whatever it takes to protect it, even at the public’s expense.

Pronounce says:

Re: Government of what?

If governing means rising to your level of incompetence, then you’re absolutely correct the government can govern itself.

Typically the government is just in the business of bustin’ whistle blowers, and takin’ money from the populace to fund their pet projects and pad their pockets.

In fact of all the government employees that I got to work with and know personally the ones who only had the authority to govern themselves and no one else are some of the hardest working people I know. Honestly those people make all of our lives better.

