China Actively Collecting Zero-Days For Use By Its Intelligence Agencies -- Just Like The West

from the no-moral-high-ground-there,-then dept

It all seems so far away now, but in 2013, during the early days of the Snowden revelations, a story about the NSA's activities emerged that apparently came from a different source. Bloomberg reported (behind a paywall, summarized by Ars Technica) that Microsoft was providing the NSA with information about newly discovered bugs in the company's software before it patched them. This gave the NSA a window of opportunity during which it could take advantage of those flaws in order to gain access to computer systems of interest. Later that year, the Washington Post reported that the NSA was spending millions of dollars per year to acquire other zero-days from malware vendors.

A stockpile of vulnerabilities and hacking tools is great -- until they leak out, which is precisely what seems to have happened several times with the NSA's collection. The harm that lapse can cause was vividly demonstrated by the WannaCry ransomware. It was built on a Microsoft zero-day that was part of the NSA's toolkit, and caused very serious problems to companies -- and hospitals -- around the world.

The other big problem with the NSA -- or the UK's GCHQ, or Germany's BND -- taking advantage of zero-days in this way is that it makes it inevitable that other actors will do the same. An article on the Access Now site confirms that China is indeed seeking out software flaws that it can use for attacking other systems:

In November 2017, Recorded Future published research on the publication speed for China's National Vulnerability Database (with the memorable acronym CNNVD). When they initially conducted this research, they concluded that China actually evaluates and reports vulnerabilities faster than the U.S. However, when they revisited their findings at a later date, they discovered that a majority of the figures had been altered to hide a much longer processing period during which the Chinese government could assess whether a vulnerability would be useful in intelligence operations.

As the Access Now article explains, the Chinese authorities have gone beyond simply keeping zero-days quiet for as long as possible. They are actively discouraging Chinese white hats from participating in international hacking competitions, because doing so would help Western companies learn about bugs that might otherwise be exploitable by China's intelligence services. This is really bad news for the rest of us. It means that China's huge and growing pool of expert coders is no longer likely to report bugs to software companies when they find them. Instead, the bugs will be passed to the CNNVD for assessment. Not only will fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems.

Another regrettable aspect of this development is that Western countries like the US and UK can hardly point fingers here, since they have been using zero-days in precisely this way for years. The fact that China -- and presumably Russia, North Korea and Iran amongst others -- have joined the club underlines what a stupid move this was. It may have provided a short-term advantage for the West, but now that it's become the norm for intelligence agencies, the long-term effect is to reduce the security of computer systems everywhere by leaving known vulnerabilities unpatched. It's an unwinnable digital arms race that will be hard to stop now. It also underlines why adding any kind of weakness to cryptographic systems would be an incredibly reckless escalation of an approach that has already put lives at risk.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

  • Vidiot (profile), 24 Sep 2018 @ 11:06am

    Moo Shu DDOS

    Chinese programmers need less obvious ways to report exploits.

    This may explain why the fortune cookie I opened this weekend said, "L1 Terminal Fault (L1TF) vulnerability may bring you sadness unless patched."


  • I.T. Guy, 24 Sep 2018 @ 11:10am

    "but the Chinese may even weaponize the zero-days"
    Oh c'mon now, let's not be naive and act like they just started doing this or it was the leaking of the NSA tools that made them do it. That's just silly.


    • bob, 24 Sep 2018 @ 11:28am

      Re:

      Agreed.

      I think one of the problems is that people look at the information space and see that the advantages go to the offence instead of the defence, which is why governments and people with power hoard the exploits.

      It's a silly practice to leave your infrastructure vulnerable in the hope that your enemy hasn't also discovered the exploit. It's all part of the game intelligence agencies play and sometimes there is logic to the madness.

      But who cares about us mere cannon fodder when the big government boys get to play with their shiny toys.


      • Anonymous Coward, 24 Sep 2018 @ 3:38pm

        Re: Re:

        "Creating" zero-days may be a better term than "collecting".

        The patch cycle has become as much a means to introduce new zero-days as a means to patch old zero-days as they are discovered.


  • Rekrul, 24 Sep 2018 @ 11:22am

    I know exactly how to fix this; Microsoft needs to dump all the versions of Windows that they've been patching over the years and making them more secure, even Windows 10, and come out with an all new version and start the patching process from scratch! I'm sure that will make us all safer. I mean, that's what they've been doing all along and it's worked great so far...


  • Uriel-238 (profile), 24 Sep 2018 @ 11:33am

    This is how the Ring gets back to Sauron

    When the Wrong Thing To Do promises more power it can become too tempting, even when it brings more vulnerability as well.

    When hackers grab and dump their arsenal of exploits, and we have another plague of malware attacks, maybe we'll get the message. Or maybe it'll be someone else's turn.

    I don't believe there was ever any news about the NSA ceasing their collection of zero-day exploits, instead choosing to report them for patching. So it's likely the US didn't learn from the first time.


  • Ninja (profile), 24 Sep 2018 @ 12:08pm

    Part of me thinks every govt has been doing it for ages now. The other part thinks the US opened the floodgates and we are going to suffer because of it.


  • stine, 24 Sep 2018 @ 1:22pm

    Can we block them by adding CNAMEs?

    What if I create a CNAME for my website and call it rememberTiananmenSquare.company.com. Will the great firewall of China block access from their APT groups to my site? Or will they just block the rest of China? Either way, I'll end up with a smaller list of IPs to block.


  • Personanongrata, 24 Sep 2018 @ 7:38pm

    Turn-About is Fair Play

    "This is really bad news for the rest of us. It means that China's huge and growing pool of expert coders is no longer likely to report bugs to software companies when they find them. Instead, they will be passed to the CNNVD for assessment. Not only will bug fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems."

    We have only ourselves (NSA/GCHQ et al.) to thank.

    For decades western corporations have peddled compromised software/hardware with the exploits baked-in as features not bugs.

    Italicized/bold text was excerpted from a report titled "NSA's Own Hardware Backdoors May Still Be a 'Problem from Hell'" at the website www.technologyreview.com:

    In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.

    That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect.

    https://www.technologyreview.com/s/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/


  • Jim, 25 Sep 2018 @ 3:21am

    Durn!

    Like the article on Hayden, but, by the time the generals get an idea, it's been in the works for at least a decade. That's "information sharing", and it was available and active in '96, when I retired. Not much has changed since then. The same crowd is in the lead. And that's not the best and the brightest. They get nowhere near that high.
    As to the rest, remember, all the machine codes have been shared through the educational systems. And we have only our researchers to blame. Because you are not born to control a machine; you have to be taught. You have to be educated by others, and where are they from? The same boys' clubs. Are others allowed to play in the same field? Generally not. Are other nationalities allowed to play? Yes.
    Do you remember where other national researchers are not allowed into our research facilities, manufacturing facilities, or plants, and research is based only in the US? No. Remember why they moved, and even our defense contractors have research facilities on "enemy soil", so are they secure? Yes?
