NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked

from the and-still-nothing-until-the-last-minute dept

The NSA’s exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that’s needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process — not when it discovered the vulnerability, but rather when it became apparent the agency wouldn’t be able to prevent it from being released to the public. What’s happened recently has been devastating and Microsoft — whose software was targeted — has expressed its displeasure at the agency’s inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it “fishing with dynamite.” The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn’t bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as “disarmament.” Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won’t happen again, the question now is how much of other people’s security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have so much worse. The chain of events leading to the NSA’s eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn’t take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There’s your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny that it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over “90%” of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as “No Such Agency.” It’s only been the last four years that it’s been forced to engage in more transparency and accountability, so it’s tough to believe it’s spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA’s second-guesswork will have do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it’s likely by the time it heads for the Oval Office desk, it will be riddled with with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA’s inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked”

Subscribe: RSS Leave a comment
28 Comments
Anonymous Coward says:

Re: Re:

The preamble to the question (“Since the agency cannot possibly ensure this sort of thing won’t happen again”) is also not good. If they did, in fact, have misgivings about the exploit they were using, the question isn’t posed on whether or not it will happen AGAIN. It was quite possible in the first place that someone else might have found it as well, or that their tool would be stolen, as it was.
Going by their track record, I don’t think they’ll give two thoughts to doing something similar in the future. They’re more than likely doing it now.

That One Guy (profile) says:

Re: Re: Re:

Exactly. The NSA has made it abundantly clear that it will always prioritize it’s ability to do something over public security, because as Good Guys they seem to operate under the dangerous idea that if it helps them then it helps the public, and any ‘collateral damage’ is an acceptable price (for the public) to pay.

Anonymous Champion says:

i was given a back door

whoever these people are they actually armed us hackers
5 of us in certain nations with these kinda kits

and yes im at actual risk telling you this, ive decided i dont care, and they know it and yes im armed you bastards( not you techdirt peeps , this is directed at them)

they are spying on me and find me in my games and start saying shit only people involved can and boy are they sore im not playing there …game no more
and yes ive leaked shit they cant do nothing about no more

one example is the million of honey pot ips the fbi uses

they other was knowledge that the so called Sony root kit existed in source and binary for years before sony got its part ( binary which is why they had hard time fixing it lol ) ….one day these yahoos will get what they got coming to them….

Bergman (profile) says:

Re: i was given a back door

People have been prosecuted before for inadvertently aiding terrorists — for example, donating to a legit charity, only for the money to be diverted by someone at the charity into funding terrorism.

The US government takes the view that it does not matter what your intent was, only the end result… right up until it would have to prosecute itself for treason, then intent is all that matters.

Bergman (profile) says:

Re: Re:

The US government exists to represent the people of the United States, since you can’t exactly poll hundreds of millions of people when a decision must be made when seconds count.

Somewhere along the way, the government has forgotten that fact. They exist to protect us, yet the ease at which they will sacrifice us and our interests for at best nebulous gains is horrifying.

What is even worse though, is how many government officials consider the general public to be their enemies — which means they meet the mens rea definition of treason, even if they haven’t gotten around to the actus rea portion yet.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

It would also require that someone trust Microsoft. How many users turned off Updates due to the force ‘upgrade’ to Windows 10? None of those people would get the update.

On the other hand, Microsoft put the update to fix WannaCry into the Windows Defender stream. Even though I am one of those who turned off Windows Update, I still update and use Defender weekly.

While it probably won’t surprise many, check out the Twitter feed in this comment

Anonymous Coward says:

Re: Re:

Why not give the exploit to Microsoft asap, so they can prepare a patch asap and keep it locked up (with NDAs, NSLs, injunctions), so it can be released immediately when Hackers discover it?

  1. It would make Microsoft an accomplish to the backdoors. MS has a lot of explaining to do when that leaks out.
  2. It takes time to patch all systems. Hackers operate faster than many sysops can patch, making these systems vulnerable.
Anonymous Coward says:

says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated.

I don’t know, it seems reasonable to me. 90% of everything is crap, so the NSA just turns over the crappy exploits(don’t give much access, are easily detected, only affect a small number of machines, etc), and keeps the remaining 10% of really good and powerful exploits for itself.

Anonymous Coward says:

What happened is that the NSA had such power behind the WCry exploit that they didn’t want to relinquish that power because it allowed them unfettered access to thousands, if not millions of vulnerable computers owned by its citizens.

That they couldn’t keep it from being stolen by hackers and those hackers used it to spread ransomware on such a massive scale …

It’s not a good thing when our government is more paranoid of the people than the people are paranoid of it.

Watchman says:

Watch

It appears that none of these TLAs were watching for the exploit. Shouldn’t they be monitoring the internet for their vulnerabilities in the wild, even before it’s known that they’ve leaked (or even been discovered independently), or is it not technically possible?

“What’s that – that one of ours?”
“Yep that’s for Tehran University – that’s OK.”

Anonymous Coward says:

Once it was out there

Why was the NSA not leading the charge to mitigate it’s damage? It was other independent security researchers who stopped it from getting worse and developed tools to decrypt hosed machines. Where was the NSA? Why weren’t they trying to clean up their mess?

(I think they ought to be held liable for the ransoms that people paid.)

Personanongrata says:

NSA is Concerned with CYA

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands.

wrong hands?

You write as if NSA’s motives were pure as the driven snow.

They are not.

Remember NSA surveillance isn’t about catching terrorists but keeping tabs on 330 million American citizens, corporate espionage and political blackmail.

Surveilling terrorists is simply the specious rational that is paraded about in public to make NSA’s unconstitutional actions seem more palatable to Americans living under the US governments omnipresent stare.

Any well trained terrorist is quite aware of NSA’s electronic surveillance and would more than likely practice good operational security and forgo cell phones, email, satellite communications gear, etc.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...