Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them

from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept

Mon, Aug 29th 2016 9:40am — Tim Cushing

There are still people out there who think it's a good idea for the government -- whether it's the FBI, NSA, or other agency -- to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren't nearly as interested in keeping nations secure.

The problem is you can't possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.

Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.

All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.

Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.

Dolan-Gavitt used the Cisco zero-day -- one which the company is still unable to completely thwart -- for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.

This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency's exploit toolkit into NSA Everywhere!™ -- the NSA's new "Inadvertent Disclosure" project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) "presumption of disclosure" mandate handed down by the Obama Administration.

The NSA -- and its defenders -- remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren't. I guess that's supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.

But those at the top of the IC heap -- and those who work closely with them, like the FBI -- need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear -- even to true believers like FBI director James Comey -- that any hole labeled "GOVERNMENT USE ONLY" isn't going to keep bad guys out forever.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 0days, exploits, nsa, routers, zero days

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 29 Aug 2016 @ 9:47am

The problem is you can't possibly keep every secret a secret forever.

Whoever it was that said that two people can keep a secret if one of them is dead, was an optimist.
[ link to this | view in chronology ]
- Rick, 29 Aug 2016 @ 10:17am
  
  Re: NSA secrets
  The only secret that can be kept forever is Obama's college records.
  [ link to this | view in chronology ]
Pixelation, 29 Aug 2016 @ 10:04am

It just goes to show
It shows that taking care of the citizens is secondary at best. The mission is more important than the people. I think they took a wrong turn at Albequerque
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 10:23am
  
  Re: It just goes to show
  Albuquerque? I think you meant Roswell aka the "Weather Baloon Incident".
  [ link to this | view in chronology ]
  - Anonymous Coward, 29 Aug 2016 @ 12:13pm
    
    Re: Re: It just goes to show
    Mebbe s/he meant Albuquerque and will come back to leave a clue. Being a foreigner I am struggling to think of anything historically sinister happening in Albuquerque, maybe it's a super sekret thing ? Or maybe Los Alamos? Or Santa Fe with all the stenographic secrets hidden in plain view in all the tourist trap art? Las Vegas, NM is definitely not like Las Vegas, NV - I can figure out that much. Albuquerque? Baffled foreigner wants to know.
    [ link to this | view in chronology ]
    - Anonymous Coward, 29 Aug 2016 @ 12:20pm
      
      Re: Re: Re: It just goes to show
      It's a Bugs Bunny quote.
      
      https://www.youtube.com/watch?v=e8TUwHTfOOU
      [ link to this | view in chronology ]
    - DebbyS, 30 Aug 2016 @ 8:48am
      
      Re: Re: Re: It just goes to show
      The only thing even vaguely sinister around here in Albuquerque is the reason why and when Jimmy McGill will turn into Saul Goodman, and we're interested because the TV show Better Call Saul is filmed here. Breaking Bad was filmed here, too, but we know pretty much how that turned out... except maybe for Saul's future post BB. We do have Sandia Laboratories, which has been involved in a variety of "interesting" things over the years. And of course the mayor is pushing vanity projects very few citizens want but that happens everywhere.
      [ link to this | view in chronology ]
mcinsand, 29 Aug 2016 @ 10:05am

what about liability?
If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages. Why can't we do the same with the NSA? They knew that these vulnerabilities were there, and they left the average citizen at risk. Their argument of 'but terrorists' holds no water mathematically. For every terrorist's security that they undermined, they left hundreds of thousands of citizens exposed.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 10:24am
  
  Re: what about liability?
  If a company knows about an issue that puts people at risk and keeps quiet, then that company will bear some responsibility for damages.
  Clearly, you've never read a EULA. That's OK. Nobody else does either. ;)
  [ link to this | view in chronology ]
I.T. Guy, 29 Aug 2016 @ 10:09am

They have to ask themselves... the NSA... Which would keep the nation safer? Using exploits to "catch" criminals and exactly how many criminals would be caught, or letting Cisco know they had a pretty bad exploit and how many people would be better protected if the NSA gave up this to protect the citizens of the US and others in the world that use Cisco products.

Their take on it is obviously clear. They'd rather keep the exploits and put the nation(s) at risk so they can keep on being supah dupah cool hacking guys. Go Merika!!!
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 10:24am
  
  Re:
  In the next breath, they'll ask for Silicon Valley's help. Hmmm... Sure!
  [ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2016 @ 10:28am

Should we really expect the government to safeguard the public from computer viruses any better than this same government's sorry history with biological viruses?

We must not forget that this is the same government that previously used the American civilian population as (non-consenting) human guinea pigs to test all kinds of chemical, biological, and nuclear weapons.

http://www.rense.com/general36/history.htm
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 1:32pm
  
  Re:
  You forgot actively poising people during (and after) prohibition, withholding effective medial treatment for STDs to name just two more.
  [ link to this | view in chronology ]
Norahc (profile), 29 Aug 2016 @ 10:32am

To paraphrase
To paraphrase President Reagan, "The scariest words in the English language are, 'We are the government, and you can trust us.'"
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 11:47am
  
  Re: To paraphrase
  No. That's second scariest. The scariest words are "I have run out of things to read."
  [ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2016 @ 11:44am

National Anti-Security Agency
To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.

Wonder how well thats working out for them.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2016 @ 12:14pm
  
  Re: National Anti-Security Agency
  "To help make our nation more secure the NSA kept secret security flaws that existed in US Government networks.
  
  Wonder how well thats working out for them."
  
  Just fine. Best job creation scheme and budget multiplier they've thought up so far.
  [ link to this | view in chronology ]
That One Guy (profile), 29 Aug 2016 @ 12:25pm

"Our (job) security IS national Security!"
The NSA doesn't care because the exploits aren't likely to be able to be used against them, which means they don't care who else is impacted so long as their security isn't compromised and they can continue to use exploits to make their job/whims easier.

The NSA cares about their privacy and security, they couldn't care less about the privacy and security of anyone else, and if anything they tend to actively works against the privacy and security of others so that they can scoop up more personal data easier.
[ link to this | view in chronology ]
Mike Shore (profile), 29 Aug 2016 @ 1:16pm

It's getting more difficult by the day to discern the good guys from the bad guys...
[ link to this | view in chronology ]
- That One Guy (profile), 29 Aug 2016 @ 2:13pm
  
  Re:
  Not really. Ignore the badges, the suits, the official positions and statements and look only at what they do. A person can say anything, what they do is what really matters and shows their real goals and positions.
  
  Using that method of sorting it's pretty clear that the NSA and the other government agencies are not the 'good guys', as they demonstrate time and time again that they don't care about the public and will even actively work against the best interests of the public as they only care about their own power and are willing to do whatever it takes to protect it, even at the public's expense.
  [ link to this | view in chronology ]
  - Anonymous Coward, 29 Aug 2016 @ 7:51pm
    
    Re: Re:
    And this is why the claims that America is becoming a Global threat are valid and serious!
    [ link to this | view in chronology ]
David, 29 Aug 2016 @ 4:30pm

Government of what?
Again the government shows that it's not the government of the people, but the government of itself.
[ link to this | view in chronology ]
- Pronounce (profile), 29 Aug 2016 @ 11:57pm
  
  Re: Government of what?
  If governing means rising to your level of incompetence, then you're absolutely correct the government can govern itself.
  
  Typically the government is just in the business of bustin' whistle blowers, and takin' money from the populace to fund their pet projects and pad their pockets.
  
  In fact of all the government employees that I got to work with and know personally the ones who only had the authority to govern themselves and no one else are some of the hardest working people I know. Honestly those people make all of our lives better.
  [ link to this | view in chronology ]
Anon Coward, 30 Aug 2016 @ 5:22am

Golden Key
This is but further proof that an encryption "golden key" for "Official Government Use" is a monumentally bad idea. If you can't keep track of your toys, we will not give you any more!
[ link to this | view in chronology ]