NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked

from the and-still-nothing-until-the-last-minute dept

The NSA’s exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that’s needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process — not when it discovered the vulnerability, but rather when it became apparent the agency wouldn’t be able to prevent it from being released to the public. What’s happened recently has been devastating and Microsoft — whose software was targeted — has expressed its displeasure at the agency’s inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it “fishing with dynamite.” The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn’t bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as “disarmament.” Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won’t happen again, the question now is how much of other people’s security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have been so much worse. The chain of events leading to the NSA’s eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn’t take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There’s your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny than it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over “90%” of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as “No Such Agency.” It’s only been the last four years that it’s been forced to engage in more transparency and accountability, so it’s tough to believe it’s spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA’s second-guesswork will have to do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it’s likely by the time it heads for the Oval Office desk, it will be riddled with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA’s inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.


Comments on “NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked”

28 Comments
Anonymous Coward says:

Re: Re:

The preamble to the question (“Since the agency cannot possibly ensure this sort of thing won’t happen again”) is also not good. If they did, in fact, have misgivings about the exploit they were using, the question isn’t posed on whether or not it will happen AGAIN. It was quite possible in the first place that someone else might have found it as well, or that their tool would be stolen, as it was.
Going by their track record, I don’t think they’ll give two thoughts to doing something similar in the future. They’re more than likely doing it now.

That One Guy (profile) says:

Re: Re: Re:

Exactly. The NSA has made it abundantly clear that it will always prioritize its ability to do something over public security, because as Good Guys they seem to operate under the dangerous idea that if it helps them then it helps the public, and any ‘collateral damage’ is an acceptable price (for the public) to pay.

Anonymous Champion says:

i was given a back door

whoever these people are they actually armed us hackers
5 of us in certain nations with these kinda kits

and yes I’m at actual risk telling you this, I’ve decided I don’t care, and they know it and yes I’m armed you bastards (not you techdirt peeps, this is directed at them)

they are spying on me and find me in my games and start saying shit only people involved can and boy are they sore I’m not playing their … game no more
and yes I’ve leaked shit they can’t do nothing about no more

one example is the millions of honey pot IPs the fbi uses

the other was knowledge that the so called Sony root kit existed in source and binary for years before sony got its part (binary which is why they had hard time fixing it lol) … one day these yahoos will get what they got coming to them….

Bergman (profile) says:

Re: i was given a back door

People have been prosecuted before for inadvertently aiding terrorists — for example, donating to a legit charity, only for the money to be diverted by someone at the charity into funding terrorism.

The US government takes the view that it does not matter what your intent was, only the end result… right up until it would have to prosecute itself for treason, then intent is all that matters.

Bergman (profile) says:

Re: Re:

The US government exists to represent the people of the United States, since you can’t exactly poll hundreds of millions of people when a decision must be made when seconds count.

Somewhere along the way, the government has forgotten that fact. They exist to protect us, yet the ease at which they will sacrifice us and our interests for at best nebulous gains is horrifying.

What is even worse though, is how many government officials consider the general public to be their enemies — which means they meet the mens rea definition of treason, even if they haven’t gotten around to the actus reus portion yet.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

It would also require that someone trust Microsoft. How many users turned off Updates due to the forced ‘upgrade’ to Windows 10? None of those people would get the update.

On the other hand, Microsoft put the update to fix WannaCry into the Windows Defender stream. Even though I am one of those who turned off Windows Update, I still update and use Defender weekly.

While it probably won’t surprise many, check out the Twitter feed in this comment

Anonymous Coward says:

Re: Re:

Why not give the exploit to Microsoft asap, so they can prepare a patch asap and keep it locked up (with NDAs, NSLs, injunctions), so it can be released immediately when Hackers discover it?

  1. It would make Microsoft an accomplice to the backdoors. MS has a lot of explaining to do when that leaks out.
  2. It takes time to patch all systems. Hackers operate faster than many sysops can patch, making these systems vulnerable.

Anonymous Coward says:

says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated.

I don’t know, it seems reasonable to me. 90% of everything is crap, so the NSA just turns over the crappy exploits (don’t give much access, are easily detected, only affect a small number of machines, etc), and keeps the remaining 10% of really good and powerful exploits for itself.

Anonymous Coward says:

What happened is that the NSA had such power behind the WCry exploit that they didn’t want to relinquish that power because it allowed them unfettered access to thousands, if not millions of vulnerable computers owned by its citizens.

That they couldn’t keep it from being stolen by hackers and those hackers used it to spread ransomware on such a massive scale …

It’s not a good thing when our government is more paranoid of the people than the people are paranoid of it.

Watchman says:

Watch

It appears that none of these TLAs were watching for the exploit. Shouldn’t they be monitoring the internet for their vulnerabilities in the wild, even before it’s known that they’ve leaked (or even been discovered independently), or is it not technically possible?

“What’s that – that one of ours?”
“Yep that’s for Tehran University – that’s OK.”

Anonymous Coward says:

Once it was out there

Why was the NSA not leading the charge to mitigate its damage? It was other independent security researchers who stopped it from getting worse and developed tools to decrypt hosed machines. Where was the NSA? Why weren’t they trying to clean up their mess?

(I think they ought to be held liable for the ransoms that people paid.)

Personanongrata says:

NSA is Concerned with CYA

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands.

wrong hands?

You write as if NSA’s motives were pure as the driven snow.

They are not.

Remember NSA surveillance isn’t about catching terrorists but keeping tabs on 330 million American citizens, corporate espionage and political blackmail.

Surveilling terrorists is simply the specious rationale that is paraded about in public to make NSA’s unconstitutional actions seem more palatable to Americans living under the US government’s omnipresent stare.

Any well trained terrorist is quite aware of NSA’s electronic surveillance and would more than likely practice good operational security and forgo cell phones, email, satellite communications gear, etc.
