NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation, and they indicate that the other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operation security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What it has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.

Filed Under: carelessness, hacking tools, nsa, surveillance, zero day


Reader Comments


  • That One Guy (profile), 26 Sep 2016 @ 1:57am

    Trust building, government style

    That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

    And yet somehow it's the fault of the tech industry that the relationship between it and the government isn't as cozy as the government would like it to be. That the tech companies are to blame for not trusting the government and granting their every request, requests which would of course serve only to benefit them, the government, and especially the public, and could never have any unfortunate downsides or ulterior motives.

    Right.


    • Anonymous Coward, 26 Sep 2016 @ 7:21am

      Re: Trust building, government style

      Of course it's the tech industry's fault. If they'd only give the government all the back doors that folks like the NSA ask for, they wouldn't need all these hacking tools or hoarded exploits.


  • Tyl, 26 Sep 2016 @ 3:44am

    But, a golden key would be different. Honest!

    It would be protected by a magic unicorn!


    • Anonymous Coward, 26 Sep 2016 @ 3:59am

      Re: But, a golden key would be different. Honest!

      Unicorn? Nah they'd hire some trolls!


    • That One Guy (profile), 26 Sep 2016 @ 4:05am

      Re: But, a golden key would be different. Honest!

      ... forged out of leprechaun gold and infused with pixie dust, designed by a government rep who researched the subject before speaking on it and crafted by an honest politician.

      I kid of course, everyone knows those last two are mythical.


      • Anonymous Coward, 26 Sep 2016 @ 8:05am

        Re: Re: But, a golden key would be different. Honest!

        True story. Even Tolkien balked at including them in LotR. He was going for a certain magical realism that would be completely broken by including them.


  • Anonymous Coward, 26 Sep 2016 @ 4:23am

    You're Fired!


    • DannyB (profile), 26 Sep 2016 @ 6:31am

      Re:

      Can a president create a new form of press conference called the "You're Fired!" press conference? The purpose of calling one of these particular press conferences would be to make a public spectacle of someone who disagrees with an administration policy, or who failed to show deep enough submission and respect, or who has done the unthinkable and submitted a resignation.

      This type of press conference would be held in a different press facility that has suitable lighting and pyrotechnic effects in order to give the proper reality tv show dignity that such a presidential function deserves.


      • Anonymous Coward, 26 Sep 2016 @ 6:49am

        Re: Re:

        Presidential Apprentice could be shot in the oval office, where people are fired for ridiculous reasons. I'm sure it would get good ratings because it would be put on the list of mandatory viewing.


    • Anonymous Coward, 26 Sep 2016 @ 12:01pm

      Re:

      You know, that could be an extremely good campaign point for Trump... he could fire large swathes of the Executive.


  • Anonymous Coward, 26 Sep 2016 @ 4:41am

    Most likely scenario

    that multiple operatives screwed up in small ways, compounding each other's mistake

    This is how most problems occur. Rarely do they happen for any single given cause but a compounding of errors. Sadly, for all the risk they put tech companies in, and our own government, they haven't prevented a single attack. Not 1. So we should be asking if all the risk is worth it?


    • Quiet Lurcker, 26 Sep 2016 @ 4:58am

      Re: Most likely scenario

      >>> Not 1. So we should be asking if all the risk is worth it?

      I think you've answered your own question.


      • Anonymous Coward, 26 Sep 2016 @ 12:04pm

        Re: Re: Most likely scenario

        Well, we are fairly confident that they didn't prevent a single attack. If we didn't have anything in place, we wouldn't know whether attacks had been prevented or not, nor by whom. Take that any way you'd like :)


  • William Null, 26 Sep 2016 @ 5:30am

    These tools were left pretty much on purpose

    Ed Snowden is not the only one. There are multiple people like him working in various intelligence agencies all over the world. The thing is that the intelligence community had become drunk with power and as such, corrupt.

    At first, this was just a bunch of random operatives doing stuff like sending docs to wikileaks, but as spies tend to do, they've created a network. Data is mostly transmitted over modulated radio frequencies that aren't wifi and can travel pretty damn far (no connection with so-called number stations).

    There's in fact a pretty huge leak incoming, regarding some space stuff and also more surveillance tools. Most intelligence agencies that matter have been infiltrated by the network, American, Russian, British, German, you name it. And even if an operative is caught, they can't reveal any valuable info as most of the network's operatives don't even know who the others are, for their own protection. While those who know are at or near the top of their respective agency, so they are well-protected and can arrange an escape in case an operative of the network is caught.


  • cryophallion (profile), 26 Sep 2016 @ 5:55am

    Supposedly were watching to see who used them

    I read in some article on this that the NSA was "watching the internet closely" to see if anyone else started using these tools, to try and use it to see if whoever did it would out themselves, so they could track them down.

    On the other hand, I can also see that these tools were sold to other parties, so that couldn't be the sole identifier (unless there were code fingerprints). That is, unless there are bidding wars by different nations to the companies that sell the tools, requiring that only they hold that zero day. Which could also be why they didn't want to report it: they spent a lot to outbid everyone, they don't want to lose their tool. But I've seen other articles which seem to indicate that tools are sold to multiple parties, so take that for what it is worth.

    Either way, in their zeal to catch whoever got the tools, they failed to realize that maybe, just maybe, those people would be better at covering their tracks, perhaps by not trying to hack everyone on the face of the earth with them so they wouldn't be so likely to leave traces.

    This just goes to show: When your motivation is retaliation or face saving, you almost never win. When you own up, it almost always goes better for you. Everyone makes mistakes, so people are (generally) understanding of making mistakes. It's when people lie, blame someone else, make excuses, etc. that people start to get really annoyed. When will corporations and politicians finally understand this? It's almost never the mistake that causes all the issues. If Hillary had just said "Yup, I ran a private server, that was dumb of me, I am sorry", then seriously, I doubt we'd still be talking about it. If Clinton and Bush had said "Yup, we thought there were WMDs, but we were wrong, we are sorry", people wouldn't be quite so pissed off.

    I used to love deflating my boss storming in mad by admitting I was wrong, and owning it. I told him I'd go back to being perfect tomorrow, but I'd try to fix this issue today. Half his bluster was lost because he knew he'd made mistakes too, but he expected me to throw someone else under the bus or make excuses. Then I'd call the customer, admit I was wrong, make it right, and then shockingly, the next time they needed something, they'd call me since I treated them right and was honest.

    So instead of just owning it, they hid and were looking at the internet to "catch them". They should have come out. But then again, we just expect this narrative now, don't we?


    • Michael, 26 Sep 2016 @ 7:25am

      Re: Supposedly were watching to see who used them

      the NSA was "watching the internet closely" to see if anyone else started using these tools

      You must be confusing the 3 letter acronym agencies. It's the FBI that crafts conspiracies, provides tools to conduct illegal activity, and then waits for some unsuspecting idiot to follow them into a jail sentence.

      The NSA simply waits for something bad to happen and then complains that they need more power to prevent this from happening again in the future.


  • Jim, 26 Sep 2016 @ 5:57am

    But:

    Remember this part, left in 2014. I wonder what they modified since?


  • DannyB (profile), 26 Sep 2016 @ 6:22am

    What is has proven (typo)

    I think that should read: What it has proven


  • Anonymous Coward, 26 Sep 2016 @ 7:47am

    NSA, the only government agency that actually listens to the people


  • Anonymous Coward, 26 Sep 2016 @ 7:48am

    Re: But people get lazy

    Spoken like somebody who has never configured themselves out of a remote machine.

    These hacks are, by definition, experimental. The likelihood of things going wrong in a way that breaks network connectivity is actually quite high.

    Not to mention that simply pulling the CAT5 out of the machine is often the first move made by admins when they detect a compromise.

    Yes, the binaries are often left behind. That is not necessarily within the control of the hacker. It is a known risk.

    And since the risk is known, doing so makes the accidental dissemination of their tools criminal negligence. They knew that there would be side effects. They did it anyway. The side effects caused a loss. The parties who have experienced a loss have a case.

    The fact that the source refers to binaries being left behind as being the result of "lazy" people is telling. This is either an attempt to obfuscate the situation, or the source isn't close enough to the metal to know much.

    My understanding is that national security does not mitigate the related liability.

    However, the Area 51 chemical burning case seems to suggest that the POTUS may just declare the NSA's activities legal by presidential order, as Bill Clinton did when workers were poisoned by burning dioxin at Groom Lake.


    • SpaceLifeForm, 26 Sep 2016 @ 11:28am

      pulling the network cable(s)

      "Not to mention that simply pulling the CAT5 out of the machine, is often the first move made by admins when they detect a compromise."

      s/detect/suspect/

      Even then, that may be a mistake. It may be better to capture packets on the next upstream router to try to identify where the malware is calling home to.

      Of course, you may not have any way to access the next upstream router or obtain any tech support from those that manage the next upstream router. Even worse, that upstream router may already be compromised also, so you could not trust any packet capture there either.

      All your packets are belong to us.

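The comment above argues for capturing traffic at the next upstream router to identify where an implant is calling home. The script below is an added example, not code from the page or from any commenter: it takes flow records of the kind such a capture would yield (constructed here, using documentation IP ranges) and ranks internal-to-external connection pairs by how regular their timing is, since an implant polling its command server tends to connect at a near-constant interval while ordinary browsing does not. The record format, the internal address ranges and the thresholds are assumptions.

```python
"""Rank outbound connection pairs by timing regularity (beacon triage).

Added example, not code from the article or its commenters. Input is a
whitespace-separated record per line: "<epoch_seconds> <src> <dst> <dport>
<bytes>", an assumed export format for flows seen at an upstream capture
point. Internal ranges and thresholds are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed: RFC 1918 space is "inside"; anything else is an external destination.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    ts: float   # seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one 'ts src dst dport bytes' record (assumed format)."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, int(dport), int(nbytes))


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Return (src, dst, dport, count, mean_interval, jitter) tuples for
    inside->outside pairs seen at least min_connections times whose
    inter-connection gaps vary by at most max_jitter (stddev / mean).
    Lowest jitter first: the most clock-like pair is the strongest lead."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst, f.dport)].append(f.ts)

    results = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        jitter = pstdev(gaps) / m
        if jitter <= max_jitter:
            results.append((src, dst, dport, len(times), round(m, 1), round(jitter, 3)))
    results.sort(key=lambda r: r[5])
    return results


def analyze(capture_text: str):
    """Convenience wrapper: parse a whole capture export and rank it."""
    flows = [parse_flow_line(l) for l in capture_text.splitlines() if l.strip()]
    return find_beacons(flows)


# Constructed sample: 10.1.2.3 polls 203.0.113.10:443 roughly every 300 s,
# interleaved with irregular web traffic to 198.51.100.5; 10.1.2.7 is quiet.
SAMPLE_CAPTURE = """\
1474880000 10.1.2.3 203.0.113.10 443 512
1474880012 10.1.2.3 198.51.100.5 80 14000
1474880090 10.1.2.3 198.51.100.5 80 2200
1474880301 10.1.2.3 203.0.113.10 443 498
1474880400 10.1.2.3 198.51.100.5 80 9000
1474880599 10.1.2.3 203.0.113.10 443 530
1474880620 10.1.2.7 198.51.100.20 443 3000
1474880902 10.1.2.3 203.0.113.10 443 505
1474881000 10.1.2.3 198.51.100.5 80 780
1474881200 10.1.2.3 203.0.113.10 443 511
1474881205 10.1.2.3 198.51.100.5 80 1200
1474881499 10.1.2.3 203.0.113.10 443 520
1474881600 10.1.2.3 198.51.100.5 80 300
"""

if __name__ == "__main__":
    for src, dst, dport, n, interval, jitter in analyze(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}:{dport}  connections={n}  "
              f"mean_interval={interval}s  jitter={jitter}")
```

On the constructed sample only the 203.0.113.10:443 pair survives the jitter threshold; the busier 198.51.100.5 pair has the same number of connections but irregular gaps and drops out. This is a triage aid, not proof: it says nothing about the commenter's last point, that the capture point itself may be untrustworthy, and a low-jitter pair can equally be a legitimate poller such as a monitoring agent, so each lead still needs the destination checked against known services before anyone acts on it.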

  • Anonymous Coward, 26 Sep 2016 @ 1:24pm

    And yet, supporters of the spies wonder why people don't want careless and illegal surveillance by the NSA.


  • AC720 (profile), 27 Sep 2016 @ 2:20am

    There will be casualties

    The point lost in all of this is that the NSA does not care at all if American companies are damaged by this or American citizens' data is compromised.

    The NSA's mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA's job, so be it.

    Not one company or person is more important than their mission, probably not even the President.

    The ONLY agency with an even higher mission than the NSA is the MJ-12 group, if they even exist at all. Those people put the nation second after whatever is their prime mission.


    • That One Guy (profile), 27 Sep 2016 @ 1:28pm

      Re: There will be casualties

      The NSA's mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA's job, so be it.

      Maybe on paper, but in practice it's more along the lines of:

      The NSA's mission is to preserve the NSA's power and budget. If companies or even citizens have to go down as part of the NSA's job, so be it.


