Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?

from the Betteridge-and-Glomar-combine-to-say-'we'll-probably-never-know' dept

Fri, Aug 19th 2016 6:33am — Tim Cushing

The NSA's exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA's Tailored Access Operations (TAO) toolkit, containing several zero days -- including one in Cisco's (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.

The thing about these vulnerabilities is that they aren't new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for awhile. The fact that companies affected by them don't know about these flaws means the NSA hasn't been passing on this information.

Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies "90% of the time." Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.

The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with -- "a clear national security or law enforcement need."

Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there's almost always a "need" that outweighs the general public's security and safety.

Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.

“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.

He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”

Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”

So, there's no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it's no longer effective. The agency's name alone grants it a presumption of secrecy because, after all, nothing has more "national security needs" than the National Security Agency.

This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it's OK because it's only the "good guys" doing good things with them. The exploits will be sold to the highest bidder -- whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to highest bidder -- which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.

Matt Blaze -- referring to the just-disclosed Cisco zero day -- wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn't it disclose the vulnerabilities to affected developers?

I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?
— matt blaze (@mattblaze) August 18, 2016

I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?

Neither scenario is particularly flattering. Although it's presumed the hackers didn't actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.

The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there's no longer any "what if" about it. The NSA knew exploits were in the "wrong" hands but withheld this info to continue utilizing the exploits. If that's the case, the NSA is complicit in any exploitation by the "wrong" people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.

It may be that the NSA truly didn't know about this hacking until the hackers started passing out parts of its exploit hoard, but that's not exactly comforting considering the agency's efforts to be declared the overseer of the US government's CyberWar.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: disclosure, exploits, nsa, reporting, tao, vep, vulnerabilities equities program, vulnerability, zero days

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

aerinai (profile), 19 Aug 2016 @ 5:34am

Yet another backdoor backfiring...
While these may not be officially sanctioned backdoors by companies, they have the same effect... Yet another reason we don't need to willfully undermine security... There is no such thing as a safe backdoor (exploits included).
[ link to this | view in chronology ]
- pegr, 19 Aug 2016 @ 8:08am
  
  Re: Yet another backdoor backfiring...
  As a current example: Cisco knew they had a problem when Snowden leaked details about SNOWPLOW in 2013, yet, with all the resources and technical expertise at their disposal, didn't bother to patch their vulnerable code until the actual SNOWPLOW exploit hit the public.
  
  Did Cisco know about the vulnerability but purposefully refuse to address the vulnerability until the exploit leak forced their hand? If so, why?
  
  Mind if I tell you? Because they knew that if they patched that flaw, they would no longer have any Federal government business. The Feds are Cisco's biggest customer.
  
  TL;DR: Cisco intentionally subjected their customers to a known security flaw for over three years to curry favor with the Feds. So who do you trust?
  [ link to this | view in chronology ]
  - SpaceLifeForm, 19 Aug 2016 @ 10:00am
    
    Re: Re: Yet another backdoor backfiring...
    Or Cisco had received an NSL
    forbidding them from disclosing
    the flaw *AND* forbidding a fix.
    
    Would love to hear Cisco publicly
    state how long the flaw has existed.
    Probably longer than 3 years.
    [ link to this | view in chronology ]
    - Hephaestus (profile), 19 Aug 2016 @ 10:15am
      
      Re: Re: Re: Yet another backdoor backfiring...
      That is the most likely scenario. +5 internet's
      [ link to this | view in chronology ]
TexasAndroid (profile), 19 Aug 2016 @ 6:47am

This should be pointed to any time someone prominently wants to promote forcibly backdooring encryption. Ask them what happens when (not if) the backdoor keys are released via hack. If the NSA cannot keep its own stuff secure, how do we expect a multitude of law enforcement agencies with the backdoor keys to all keep those keys safe?
[ link to this | view in chronology ]
Jason, 19 Aug 2016 @ 7:00am

Leaving aside the current mass surveillance situation (if that's even possible) this is a perfect example of why the NSA should be split in two. Having the same agency that's supposedly responsible for protecting national infrastructure from online attack also be responsible for active surveillance and direction of some very similar attacks is practically asking for this kind of thing to happen.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Aug 2016 @ 7:18am
  
  Re:
  Your mistake was in assuming that anyone in the government actually wants to protect national infrastructure from online attack.
  [ link to this | view in chronology ]
  - Padpaw (profile), 19 Aug 2016 @ 4:53pm
    
    Re: Re:
    far more profitable to exploit it. what does the lives of their fellow citizens mean when they can make a few hundred thousand or more from not saying anything.
    [ link to this | view in chronology ]
I.T. Guy, 19 Aug 2016 @ 7:00am

National Security... at the expense of National Security.
WTF NSA? They need to change the name to National Spying Agency. It's clear they don't care about our security.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Aug 2016 @ 7:22am
  
  Re:
  They believe in retroactive security. Once we are attacked the first time, the attackers can be relatively quickly tracked down and eliminated.
  
  Of course the terrorists know this, which is why they always send suicide bombers.
  [ link to this | view in chronology ]
Capt ICE Enforcer, 19 Aug 2016 @ 8:01am

Super patch
Easiest way to stop this threat to national security is to tell all the companies about the exploits then help close them up. I would hate to lose all power in America due to the NSA wanting to see my private photos.
[ link to this | view in chronology ]
all your hacking tools are belong to us, 19 Aug 2016 @ 8:04am

hi again techdirt
the hacking group for the nsa stopped using the tools about 1.5 months ago indicating they were no longer usable at that time cause thats when it was discovered they were hacked....

thats still 1.5 months....
[ link to this | view in chronology ]
- Anonymous Coward, 19 Aug 2016 @ 9:37am
  
  Re: hi again techdirt
  the hacking group for the nsa stopped using the tools about 1.5 months ago indicating they were no longer usable at that time cause thats when it was discovered they were hacked....
  
  thats still 1.5 months....
  
  ...which only means that they discovered the hack 1.5 months ago and said nothing. It says nothing about how long ago the hack actually took place. This actually makes it worse; the NSA didn't notice the hack for an extended period AND didn't notify the targets when they discovered the leak.
  [ link to this | view in chronology ]
all your hacking tools are belong to us, 19 Aug 2016 @ 8:06am

hehe 3 years of yeeeee haw
and remember they had these tools in 2013..as the tools state
[ link to this | view in chronology ]
DannyB (profile), 19 Aug 2016 @ 8:10am

90 % of WHAT time?
NSA declared that it passed on information about vulnerabilities to affected companies "90% of the time."90% of WHAT time?

90% of the time after NSA learned that a vulnerability had become known outside of NSA?

90% of the time after NSA learned that a vulnerability had been patched by the vendor?

Ransomeware business model . . .
This system has had Windows 10 installed.
To restore this system to a usable state, please send 3 Bitcoin to the following.
[ link to this | view in chronology ]
Anonymous Coward, 19 Aug 2016 @ 9:39am

The NSA really does inform companies about 90% of the vulnerabilities it's found. It just forgot to complete the sentence and say that it's 90% of flaws from 35 year old computers of the early 80's that they're only now just getting around to informing the companies about.
[ link to this | view in chronology ]
Mark Wing, 19 Aug 2016 @ 11:47am

We've clearly lost the moral high ground when we purposely let our people be vulnerable in the name of protecting them.
[ link to this | view in chronology ]
- Padpaw (profile), 19 Aug 2016 @ 4:50pm
  
  Re:
  we let the criminals in and they used crony capitalism to subvert the system
  [ link to this | view in chronology ]
That One Guy (profile), 19 Aug 2016 @ 12:52pm

Par for the course really
You're talking about an agency that would be perfectly fine deliberately sabotaging encryption, making everyone less safe and secure, simply because it makes their job easier.

Given that it's hardly a surprise that they would 'forget' to inform companies of an exploit or vulnerability as doing so would make their jobs harder(and everyone else more secure), and we can't have that now can we?
[ link to this | view in chronology ]
Padpaw (profile), 19 Aug 2016 @ 4:09pm

I wonder how many NSA agents will be found out as having sold state secretes to foreign powers before this is over.
[ link to this | view in chronology ]
Anon, 24 Aug 2016 @ 1:40pm

Yes, pay attention
The phrase "I can neither confirm nor deny," has meaning. They aren't going to confirm or deny capabilities, exploits, etc. Plausible deniability, giving away information and a litany of other reasons are why.
[ link to this | view in chronology ]