NSA Zero Day Tools Likely Left Behind By Careless Operative
from the opsec-only-works-if-you-do-it-100%-of-the-time dept
More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.
Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.
Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation which indicate other, more exculpatory theories are likely wrong.
Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.
But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.
NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.
And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.
That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.
Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operation security compromised, but so were any number of affected products offered by US tech companies.
However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.
As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.
The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What it has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.
Reader Comments
Trust building, government style
And yet somehow it's the fault of the tech industry that the relationship between it and the government isn't as cozy as the government would like it to be. That the tech companies are to blame for not trusting the government and granting their every request, requests which would of course serve only to benefit them, the government, and especially the public, and could never have any unfortunate downsides or ulterior motives.
Right.
But, a golden key would be different. Honest!
Re: But, a golden key would be different. Honest!
I kid of course, everyone knows those last two are mythical.
Re:
This type of press conference would be held in a different press facility that has suitable lighting and pyrotechnic effects in order to give the proper reality tv show dignity that such a presidential function deserves.
Most likely scenario
This is how most problems occur. Rarely do they happen for any single given cause but a compounding of errors. Sadly, for all the risk they put tech companies in, and our own government, they haven't prevented a single attack. Not 1. So we should be asking if all the risk is worth it.
Re: Most likely scenario
I think you've answered your own question.
These tools were left pretty much on purpose
At first, this was just a bunch of random operatives doing stuff like sending docs to WikiLeaks, but as spies tend to do, they've created a network. Data is mostly transmitted over modulated radio frequencies that aren't wifi and can travel pretty damn far (no connection with so-called number stations).
There's in fact a pretty huge leak incoming, regarding some space stuff and also more surveillance tools. Most intelligence agencies that matter have been infiltrated by the network, American, Russian, British, German, you name it. And even if an operative is caught, they can't reveal any valuable info as most of the network's operatives don't even know who the others are, for their own protection. While those who know are at or near the top of their respective agency, so they are well-protected and can arrange escape in case an operative of the network is caught.
Supposedly were watching to see who used them
On the other hand, I can also see that these tools were sold to other parties, so that couldn't be the sole identifier (unless there were code fingerprints). That is, unless there are bidding wars by different nations to the companies that sell the tools, requiring that only they hold that zero day. Which could also be why they didn't want to report it: they spent a lot to outbid everyone, they don't want to lose their tool. But I've seen other articles which seem to indicate that tools are sold to multiple parties, so take that for what it is worth.
Either way, in their zeal to catch whoever got the tools, they failed to realize that maybe, just maybe, those people would be better at covering their tracks, perhaps by not trying to hack everyone on the face of the earth with them so they wouldn't be so likely to leave traces.
This just goes to show: When your motivation is retaliation or face saving, you almost never win. When you own up, it almost always goes better for you. Everyone makes mistakes, so people are (generally) understanding of making mistakes. It's when people lie, blame someone else, make excuses, etc. that people start to get really annoyed. When will corporations and politicians finally understand this? It's almost never the mistake that causes all the issues. If Hillary had just said "Yup, I ran a private server, that was dumb of me, I am sorry", then seriously, I doubt we'd still be talking about it. If Clinton and Bush had said "Yup, we thought there were WMDs, but we were wrong, we are sorry", people wouldn't be quite so pissed off.
I used to love deflating my boss storming in mad by admitting I was wrong, and owning it. I told him I'd go back to being perfect tomorrow, but I'd try to fix this issue today. Half his bluster was lost because he knew he'd made mistakes too, but he expected me to throw someone else under the bus or make excuses. Then I'd call the customer, admit I was wrong, make it right, and then shockingly, the next time they needed something, they'd call me since I treated them right and was honest.
So instead of just owning it, they hid and were looking at the internet to "catch them". They should have come out. But then again, we just expect this narrative now, don't we?
Re: Supposedly were watching to see who used them
You must be confusing the 3 letter acronym agencies. It's the FBI that crafts conspiracies, provides tools to conduct illegal activity, and then waits for some unsuspecting idiot to follow them into a jail sentence.
The NSA simply waits for something bad to happen and then complains that they need more power to prevent this from happening again in the future.
What is has proven (typo)
Re: But people get lazy
These hacks are, by definition, experimental. The likelihood of things going wrong in a way that breaks network connectivity is actually quite high.
Not to mention that simply pulling the CAT5 out of the machine is often the first move made by admins when they detect a compromise.
Yes, the binaries are often left behind. That is not necessarily within the control of the hacker. It is a known risk.
And since the risk is known, doing so makes the accidental dissemination of their tools criminal negligence. They knew that there would be side effects. They did it anyway. The side effects caused a loss. The parties who have experienced a loss have a case.
The fact that the source refers to binaries being left behind as the result of "lazy" people is telling. This is either an attempt to obfuscate the situation, or the source isn't close enough to the metal to know much.
My understanding is that national security does not mitigate the related liability.
However, the Area 51 chemical burning case seems to suggest that the POTUS may just declare the NSA's activities legal by presidential order, as Bill Clinton did when workers were poisoned by burning dioxin at Groom Lake.
pulling the network cable(s)
s/detect/suspect/
Even then, that may be a mistake. It may be better to capture packets on the next upstream router to try to identify where the malware is calling home to.
Of course, you may not have any way to access the next upstream router or obtain any tech support from those that manage the next upstream router. Even worse, that upstream router may already be compromised also, so you could not trust any packet capture there either.
All your packets are belong to us.
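The comment above suggests capturing on the next upstream router to find where a compromised host is calling home. The script below is an added example written for this page, not code from Techdirt or from any commenter. It assumes the capture has already been reduced to flow records (timestamp, source, destination, destination port, bytes), that the defender knows their own internal address ranges (the INTERNAL_NETS list is an assumed site configuration), and it works over constructed sample records embedded inline. It flags destinations contacted on a machine-like cadence, which is the usual signature of a call-home beacon, and ignores traffic that stays inside the site's own ranges.

```python
"""Spot likely call-home destinations in flow records from an upstream capture.

Added example for this page, not the post's or any commenter's code. The
flow records and the internal address ranges below are constructed
assumptions, not data from the article.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumed site configuration: the defender's own address space. Anything
# outside these ranges is treated as an external destination.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: one host talking to a documentation-range address
# (203.0.113.7) every ~60 s with small payloads, plus ordinary browsing to
# 198.51.100.10 at irregular intervals and internal DNS lookups.
SAMPLE_CAPTURE = """\
# ts,src,dst,dport,bytes  (constructed sample flow export)
1472601600,10.0.5.23,203.0.113.7,443,612
1472601603,10.0.5.23,198.51.100.10,443,48211
1472601660,10.0.5.23,203.0.113.7,443,598
1472601671,10.0.5.23,198.51.100.10,443,1203
1472601719,10.0.5.23,203.0.113.7,443,605
1472601780,10.0.5.23,203.0.113.7,443,611
1472601799,10.0.5.23,10.0.0.53,53,72
1472601841,10.0.5.23,203.0.113.7,443,590
1472601900,10.0.5.23,203.0.113.7,443,602
1472601955,10.0.5.23,198.51.100.10,443,77102
1472601960,10.0.5.23,203.0.113.7,443,614
1472602020,10.0.5.23,203.0.113.7,443,599
1472602033,10.0.5.23,10.0.0.53,53,70
1472602050,10.0.5.23,198.51.100.10,443,2210
1472602061,10.0.5.23,10.0.0.53,53,75
"""


def is_internal(addr):
    """True when addr falls inside one of the site's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_capture(text):
    """Parse CSV flow lines into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, min_flows=4, max_jitter=0.2):
    """Return candidate call-home destinations, most regular first.

    Flows are grouped per (src, dst, dport) for external destinations only.
    The coefficient of variation of the inter-flow gaps (pstdev / mean) is
    the regularity score: a low value means a timer-driven cadence rather
    than human-driven traffic.
    """
    stamps_by_key = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        if is_internal(dst):
            continue
        stamps_by_key[(src, dst, dport)].append(ts)

    candidates = []
    for (src, dst, dport), stamps in stamps_by_key.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            candidates.append({
                "src": src, "dst": dst, "dport": dport,
                "flows": len(stamps),
                "mean_interval": round(avg_gap, 1),
                "jitter": round(jitter, 3),
            })
    candidates.sort(key=lambda c: c["jitter"])
    return candidates


if __name__ == "__main__":
    for hit in find_beacons(parse_capture(SAMPLE_CAPTURE)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['flows']} flows, every {hit['mean_interval']}s, "
              f"jitter {hit['jitter']}")
```

On the sample data only the 203.0.113.7:443 conversation is reported: eight flows about sixty seconds apart with almost no variance, while the browsing traffic to 198.51.100.10 has wildly varying gaps and is dropped. The result is only as trustworthy as the capture point, which is exactly the caveat the comment raises: if the upstream router is itself compromised, the records it exports can be filtered before this script ever sees them.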
There will be casualties
The NSA's mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA's job, so be it.
Not one company or person is more important than their mission, probably not even the President.
The ONLY agency with an even higher mission than the NSA is the MJ-12 group, if they even exist at all. Those people put the nation second after whatever is their prime mission.
Re: There will be casualties
Maybe on paper, but in practice it's more along the lines of:
The NSA's mission is to preserve the NSA's power and budget. If companies or even citizens have to go down as part of the NSA's job, so be it.