NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation which indicates other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operation security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What is has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: carelessness, hacking tools, nsa, surveillance, zero day


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That One Guy (profile), 26 Sep 2016 @ 1:57am

    Trust building, government style

    That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

    And yet somehow it's the fault of the tech industry that the relationship between it and the government isn't as cozy as the government would like it to be. That the tech companies are to blame for not trusting the government and granting their every request, requests which would of course serve only to benefit them, the government, and especially the public, and could never have any unfortunate downsides or ulterior motives.

    Right.

    link to this | view in thread ]

  2. identicon
    Tyl, 26 Sep 2016 @ 3:44am

    But, a golden key would be different. Honest!

    It would be protected by a magic unicorn!

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 26 Sep 2016 @ 3:59am

    Re: But, a golden key would be different. Honest!

    Unicorn? Nah they'd hire some trolls!

    link to this | view in thread ]

  4. icon
    That One Guy (profile), 26 Sep 2016 @ 4:05am

    Re: But, a golden key would be different. Honest!

    ... forged out of leprechaun gold and infused with pixie dust, designed by a government rep who researched the subject before speaking on it and crafted by an honest politician.

    I kid of course, everyone knows those last two are mythical.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 26 Sep 2016 @ 4:23am

    You're Fired!

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 26 Sep 2016 @ 4:41am

    Most likely scenario

    that multiple operatives screwed up in small ways, compounding each other's mistake

    This is how most problems occur. Rarely do they happen for any single given cause but a compounding of errors. Sadly, for all the risk they put tech companies in, and our own government, they haven't prevented a single attack. Not 1. So we should be asking if all the risk is worth it?

    link to this | view in thread ]

  7. identicon
    Quiet Lurcker, 26 Sep 2016 @ 4:58am

    Re: Most likely scenario

    >>> Not 1. So we should be asking if all the risk is worth it?

    I think you've answered your own question.

    link to this | view in thread ]

  8. identicon
    William Null, 26 Sep 2016 @ 5:30am

    These tools were left pretty much on purpose

    Ed Snowden is not the only one. There are multiple people like him working in various intelligence agencies all over the world. The thing is that the intelligence community had became drunk with power and as such, corrupt.

    At first, this was just bunch of random operatives doing stuff like sending docs to wikileaks, but as spies tend to do, they've created network. Data is mostly transmitted over modulated radio frequencies that aren't wifi and can travel pretty damn far (no connection with so-called number stations).

    There's in fact a pretty huge leak incoming, regarding some space stuff and also more survelliance tools. Most intelligence agencies that matter have been infiltrated by the network, American, Russian, British, German, you name it. And even if an operative is caught, they can't reveal any valuable info as most of network operatives don't even know who others are, for their own protection. While those who know, are at or near the top of their respective agency so they are well-protected and can arrange escape in case operative of the network is caught.

    link to this | view in thread ]

  9. icon
    cryophallion (profile), 26 Sep 2016 @ 5:55am

    Supposedly were watching to see who used them

    I read in some article on this that the NSA was "watching the internet closely" to see if anyone else started using these tools, to try and use it to see if whoever did it would out themselves, so they could track them down.

    On the other hand, I can also see that these tools were sold to other parties, so that couldn't be the sole identifier (unless there were code fingerprints). That is, unless there are bidding wars by different nations to the companies that sell the tools, requiring that only they hold that zero day. Which could also be why they didn't want to report it: they spent a lot to outbid everyone, they don't want to lose their tool. But I've seen other articles which seem to indicate that tools are sold to multiple parties, so take that for what it is worth.

    Either way, in their zeal to catch whoever got the tools, they failed to realize that maybe, just maybe, those people would be better at covering their tracks, perhaps by not trying to hack everyone on the face of the earth with them so they wouldn't be so likely to leave traces.

    This just goes to show: When your motivation is retaliation or face saving, you almost never win. When you own up, it almost always goes better for you. Everyone makes mistakes, so people are (generally) understanding of making mistakes. It's when people lie, blame someone else, make excuses, etc that people start to get really annoyed. When will corporations and politicians finally understand this? It's almost never the mistake that causes all the issues. If Hillary had just said "Yup, I ran a private server, that was dumb of me, I am sorry", then seriously, I doubt we'd still be talking about it. If Clinton and Bush had said "Yup, we thought there were WMD's, but we were wrong, we are sorry", people wouldn't be quite so pissed off.

    I used to love deflating my boss storming in mad by admitting I was wrong, and owning it. I told him I'd go back to being perfect tomorrow, but I'd try to fix this issue today. Half his bluster was lost because he knew he'd made mistakes too, but he expected me to throw someone else under the bus or make excuses. Then I'd call the customer, admit I was wrong, make it right, and then shockingly, the next time they needed something, they'd call me since I treated them right and was honest.

    So instead of just owning it, they hid and were looking at the internet to "catch them". They should have come out. But then again, we just expect this narrative now, don't we?

    link to this | view in thread ]

  10. identicon
    Jim, 26 Sep 2016 @ 5:57am

    But:

    Remember this part, left in 2014. I wonder what they modified since?

    link to this | view in thread ]

  11. icon
    DannyB (profile), 26 Sep 2016 @ 6:22am

    What is has proven (typo)

    I think that should read: What it has proven

    link to this | view in thread ]

  12. icon
    DannyB (profile), 26 Sep 2016 @ 6:31am

    Re:

    Can a president create a new form of press conference called the "You're Fired!" press conference? The purpose of calling one of these particular press conferences would be to make a public spectacle of someone who disagrees with an administration policy, or who failed to show deep enough submission and respect, or who has done the unthinkable and submitted a resignation.

    This type of press conference would be held in a different press facility that has suitable lighting and pyrotechnic effects in order to give the proper reality tv show dignity that such a presidential function deserves.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 26 Sep 2016 @ 6:49am

    Re: Re:

    Presidential Apprentice could be shot in the oval office, where people are fired for ridiculous reasons. I'm sure it would get good ratings because it would be put on the list of mandatory viewing.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 26 Sep 2016 @ 7:21am

    Re: Trust building, government style

    Of course it's the tech industry's fault. If they'd only give the government all the back doors that folks like the NSA ask for, they wouldn't need all these hacking tools or hoarded exploits.

    link to this | view in thread ]

  15. identicon
    Michael, 26 Sep 2016 @ 7:25am

    Re: Supposedly were watching to see who used them

    the NSA was "watching the internet closely" to see if anyone else started using these tools

    You must be confusing the 3 letter acronym agencies. It's the FBI that crafts conspiracies, provides tools to conduct illegal activity, and then waits for some unsuspecting idiot to follow them into a jail sentence.

    The NSA simply waits for something bad to happen and then complains that they need more power to prevent this from happening again in the future.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 26 Sep 2016 @ 7:47am

    NSA, the only government agency that actually listens to the people

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 26 Sep 2016 @ 7:48am

    Re: But people get lazy

    Spoken like somebody who has never configured themselves out of a remote machine.

    These hacks, are by definition experimental. The likelyhood of things going wrong in a way that breaks network connectivity is actually quite high.

    Not to mention that simply pulling the CAT5 out of the machine, is often the first move made by admins when they detect a compromise.

    Yes, the binaries are often left behind. That is not necessarily within the control of the hacker. It is a known risk.

    And since the risk is known, doing so makes the accidental dissemination of their tools criminal negligence. They knew that there would be side effects. They did it anyway. The side effects caused a loss. The parties who have experienced a loss have a case.

    The fact that the source refers to binaries being left behind as being the result of "lazy" people, is telling. This is either an attempt to obfuscate the situation, or the source isn't close enough to the metal to know much.

    My understanding is that national security does not mitigate the related liability.

    However the area 51 chemical burning case seems to suggest that the POTUS may just declare the NSA's activities legal by presidential order, as Bill Clinton did when workers were poisoned by burning dioxin at groom lake.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 26 Sep 2016 @ 8:03am

    Re: Re: But, a golden key would be different. Honest!

    Nah, they were all hired for the DMCA and patents.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 26 Sep 2016 @ 8:05am

    Re: Re: But, a golden key would be different. Honest!

    True story. Even Tolkien balked at including them in LotR. He was going for a certain magical realism that would be completely broken by including them.

    link to this | view in thread ]

  20. identicon
    SpaceLifeForm, 26 Sep 2016 @ 11:28am

    pulling the ne6work cable(s)

    "Not to mention that simply pulling the CAT5 out of the machine, is often the first move made by admins when they detect a compromise."

    s/detect/suspect/

    Even then, that may be a mistake.
    It may be better to capture packets
    on the next upstream router to try to
    identify where the malware is calling
    home to.

    Of course, you may not have any
    way to access the next upstream
    router or obtain any tech support
    from those that manage the next
    upstream router. Even worse, that
    upstream router may already be
    compromised also, so you could not
    trust any packet capture there either.

    All your packets are belong to us.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 26 Sep 2016 @ 12:01pm

    Re:

    You know, that could be an extremely good campaign point for Trump... he could fire large swathes of the Executive.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 26 Sep 2016 @ 12:04pm

    Re: Re: Most likely scenario

    Well, we are fairly confident that they didn't prevent a single attack. If we didn't have anything in place, we wouldn't know whether attacks had been prevented or not, nor by whom. Take that any way you'd like :)

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 26 Sep 2016 @ 1:24pm

    And yet, supporters of the spies wonder why people don't want careless and illegal surveillance by the NSA.

    link to this | view in thread ]

  24. icon
    That One Guy (profile), 26 Sep 2016 @ 2:18pm

    Re: Re: Re: But, a golden key would be different. Honest!

    Which, leprechauns or honest politicians?

    link to this | view in thread ]

  25. identicon
    Whatever, 26 Sep 2016 @ 5:57pm

    Re:

    Because I hate Snowden, that's why. Comey 2020! Whoo!

    link to this | view in thread ]

  26. icon
    AC720 (profile), 27 Sep 2016 @ 2:20am

    There will be casualties

    The point lost in all of this is that the NSA does not care at all if American companies are damaged by this or American citizen's data is compromised.

    The NSA's mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA's job, so be it.

    Not one company or person is more important than their mission, probably not even the President.

    The ONLY agency with an even higher mission than the NSA is the MJ-12 group, if they even exist at all. Those people put the nation second after whatever is their prime mission.

    link to this | view in thread ]

  27. icon
    That One Guy (profile), 27 Sep 2016 @ 1:28pm

    Re: There will be casualties

    The NSA's mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA's job, so be it.

    Maybe on paper, but in practice it's more along the lines of:

    The NSA's mission is to preserve the NSA's power and budget. If companies or even citizens have to go down as part of the NSA's job, so be it.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.