Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them

from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept

There are still people out there who think it's a good idea for the government -- whether it's the FBI, NSA, or other agency -- to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren't nearly as interested in keeping nations secure.

The problem is you can't possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers is proving it again. The secrets are out, and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the hack of the TAO tools.

Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.

All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.

Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.

Dolan-Gavitt used the Cisco zero-day -- one which the company is still unable to completely thwart -- for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.

This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency's exploit toolkit into NSA Everywhere!™ -- the NSA's new "Inadvertent Disclosure" project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) "presumption of disclosure" mandate handed down by the Obama Administration.

The NSA -- and its defenders -- remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren't. I guess that's supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.

But those at the top of the IC heap -- and those who work closely with them, like the FBI -- need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear -- even to true believers like FBI director James Comey -- that any hole labeled "GOVERNMENT USE ONLY" isn't going to keep bad guys out forever.

Filed Under: 0days, exploits, nsa, routers, zero days


Reader Comments



  • identicon
    Anonymous Coward, 29 Aug 2016 @ 9:47am

    The problem is you can't possibly keep every secret a secret forever.

    Whoever it was that said that two people can keep a secret if one of them is dead, was an optimist.


  • identicon
    Pixelation, 29 Aug 2016 @ 10:04am

    It just goes to show

    It shows that taking care of the citizens is secondary at best. The mission is more important than the people. I think they took a wrong turn at Albuquerque.


    • identicon
      Anonymous Coward, 29 Aug 2016 @ 10:23am

      Re: It just goes to show

      Albuquerque? I think you meant Roswell aka the "Weather Balloon Incident".


      • identicon
        Anonymous Coward, 29 Aug 2016 @ 12:13pm

        Re: Re: It just goes to show

        Mebbe s/he meant Albuquerque and will come back to leave a clue. Being a foreigner I am struggling to think of anything historically sinister happening in Albuquerque, maybe it's a super sekret thing ? Or maybe Los Alamos? Or Santa Fe with all the stenographic secrets hidden in plain view in all the tourist trap art? Las Vegas, NM is definitely not like Las Vegas, NV - I can figure out that much. Albuquerque? Baffled foreigner wants to know.


        • identicon
          Anonymous Coward, 29 Aug 2016 @ 12:20pm

          Re: Re: Re: It just goes to show


        • identicon
          DebbyS, 30 Aug 2016 @ 8:48am

          Re: Re: Re: It just goes to show

          The only thing even vaguely sinister around here in Albuquerque is the reason why and when Jimmy McGill will turn into Saul Goodman, and we're interested because the TV show Better Call Saul is filmed here. Breaking Bad was filmed here, too, but we know pretty much how that turned out... except maybe for Saul's future post BB. We do have Sandia Laboratories, which has been involved in a variety of "interesting" things over the years. And of course the mayor is pushing vanity projects very few citizens want but that happens everywhere.


  • identicon
    mcinsand, 29 Aug 2016 @ 10:05am

    what about liability?

    If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages. Why can't we do the same with the NSA? They knew that these vulnerabilities were there, and they left the average citizen at risk. Their argument of 'but terrorists' holds no water mathematically. For every terrorist's security that they undermined, they left hundreds of thousands of citizens exposed.


    • identicon
      Anonymous Coward, 29 Aug 2016 @ 10:24am

      Re: what about liability?

      If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages.
      Clearly, you've never read a EULA. That's OK. Nobody else does either. ;)


  • identicon
    I.T. Guy, 29 Aug 2016 @ 10:09am

    They have to ask themselves... the NSA... Which would keep the nation safer? Using exploits to "catch" criminals and exactly how many criminals would be caught, or letting Cisco know they had a pretty bad exploit and how many people would be better protected if the NSA gave up this to protect the citizens of the US and others in the world that use Cisco products.

    Their take on it is obviously clear. They'd rather keep the exploits and put the nation(s) at risk so they can keep on being supah dupah cool hacking guys. Go Merika!!!


  • identicon
    Anonymous Coward, 29 Aug 2016 @ 10:28am

    Should we really expect the government to safeguard the public from computer viruses any better than this same government's sorry history with biological viruses?

    We must not forget that this is the same government that previously used the American civilian population as (non-consenting) human guinea pigs to test all kinds of chemical, biological, and nuclear weapons.

    http://www.rense.com/general36/history.htm


    • identicon
      Anonymous Coward, 29 Aug 2016 @ 1:32pm

      Re:

      You forgot actively poisoning people during (and after) prohibition, withholding effective medical treatment for STDs to name just two more.


  • icon
    Norahc (profile), 29 Aug 2016 @ 10:32am

    To paraphrase

    To paraphrase President Reagan, "The scariest words in the English language are, 'We are the government, and you can trust us.'"


  • identicon
    Anonymous Coward, 29 Aug 2016 @ 11:44am

    National Anti-Security Agency

    To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.

    Wonder how well that's working out for them.


    • identicon
      Anonymous Coward, 29 Aug 2016 @ 12:14pm

      Re: National Anti-Security Agency

      "To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.

      Wonder how well that's working out for them."

      Just fine. Best job creation scheme and budget multiplier they've thought up so far.


  • icon
    That One Guy (profile), 29 Aug 2016 @ 12:25pm

    "Our (job) security IS national Security!"

    The NSA doesn't care because the exploits aren't likely to be able to be used against them, which means they don't care who else is impacted so long as their security isn't compromised and they can continue to use exploits to make their job/whims easier.

    The NSA cares about their privacy and security, they couldn't care less about the privacy and security of anyone else, and if anything they tend to actively work against the privacy and security of others so that they can scoop up more personal data easier.


  • icon
    Mike Shore (profile), 29 Aug 2016 @ 1:16pm

    It's getting more difficult by the day to discern the good guys from the bad guys...


    • icon
      That One Guy (profile), 29 Aug 2016 @ 2:13pm

      Re:

      Not really. Ignore the badges, the suits, the official positions and statements and look only at what they do. A person can say anything, what they do is what really matters and shows their real goals and positions.

      Using that method of sorting it's pretty clear that the NSA and the other government agencies are not the 'good guys', as they demonstrate time and time again that they don't care about the public and will even actively work against the best interests of the public as they only care about their own power and are willing to do whatever it takes to protect it, even at the public's expense.


  • identicon
    David, 29 Aug 2016 @ 4:30pm

    Government of what?

    Again the government shows that it's not the government of the people, but the government of itself.


    • icon
      Pronounce (profile), 29 Aug 2016 @ 11:57pm

      Re: Government of what?

      If governing means rising to your level of incompetence, then you're absolutely correct the government can govern itself.

      Typically the government is just in the business of bustin' whistle blowers, and takin' money from the populace to fund their pet projects and pad their pockets.

      In fact of all the government employees that I got to work with and know personally the ones who only had the authority to govern themselves and no one else are some of the hardest working people I know. Honestly those people make all of our lives better.


  • identicon
    Anon Coward, 30 Aug 2016 @ 5:22am

    Golden Key

    This is but further proof that an encryption "golden key" for "Official Government Use" is a monumentally bad idea. If you can't keep track of your toys, we will not give you any more!


