The NSA's exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA's Tailored Access Operations (TAO) toolkit, containing several zero days -- including one in Cisco's (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.
The thing about these vulnerabilities is that they aren't new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for awhile. The fact that companies affected by them don't know about these flaws means the NSA hasn't been passing on this information.
Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies "90% of the time." Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.
The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with -- "a clear national security or law enforcement need."
Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there's almost always a "need" that outweighs the general public's security and safety.
Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.
“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.
He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”
Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”
So, there's no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it's no longer effective. The agency's name alone grants it a presumption of secrecy because, after all, nothing has more "national security needs" than the National Security Agency.
This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it's OK because it's only the "good guys" doing good things with them. The exploits will be sold to the highest bidder -- whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to highest bidder -- which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.
Matt Blaze -- referring to the just-disclosed Cisco zero day -- wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn't it disclose the vulnerabilities to affected developers?
I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?
Neither scenario is particularly flattering. Although it's presumed the hackers didn't actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.
The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there's no longer any "what if" about it. The NSA knew exploits were in the "wrong" hands but withheld this info to continue utilizing the exploits. If that's the case, the NSA is complicit in any exploitation by the "wrong" people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.
It may be that the NSA truly didn't know about this hacking until the hackers started passing out parts of its exploit hoard, but that's not exactly comforting considering the agency's efforts to be declared the overseer of the US government's CyberWar.