NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked

from the and-still-nothing-until-the-last-minute dept

Mon, May 22nd 2017 3:25am — Tim Cushing

The NSA's exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that's needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process -- not when it discovered the vulnerability, but rather when it became apparent the agency wouldn't be able to prevent it from being released to the public. What's happened recently has been devastating and Microsoft -- whose software was targeted -- has expressed its displeasure at the agency's inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it "fishing with dynamite." The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn't bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as "disarmament." Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won't happen again, the question now is how much of other people's security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have so much worse. The chain of events leading to the NSA's eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn't take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There's your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny that it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as "No Such Agency." It's only been the last four years that it's been forced to engage in more transparency and accountability, so it's tough to believe it's spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA's second-guesswork will have do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it's likely by the time it heads for the Oval Office desk, it will be riddled with with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA's inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: exploits, leaks, nsa, vep, vulnerabilities, vulnerabilities equities program, wannacry

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 22 May 2017 @ 4:00am

...the question now is how much of other people's security is the agency willing to sacrifice in the name of national security?

No. It's not.
[ link to this | view in thread ]
Anonymous Champion, 22 May 2017 @ 4:00am

i was given a back door
whoever these people are they actually armed us hackers
5 of us in certain nations with these kinda kits

and yes im at actual risk telling you this, ive decided i dont care, and they know it and yes im armed you bastards( not you techdirt peeps , this is directed at them)

they are spying on me and find me in my games and start saying shit only people involved can and boy are they sore im not playing there ...game no more
and yes ive leaked shit they cant do nothing about no more

one example is the million of honey pot ips the fbi uses

they other was knowledge that the so called Sony root kit existed in source and binary for years before sony got its part ( binary which is why they had hard time fixing it lol ) ....one day these yahoos will get what they got coming to them....
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 4:41am

Re:
The preamble to the question ("Since the agency cannot possibly ensure this sort of thing won't happen again") is also not good. If they did, in fact, have misgivings about the exploit they were using, the question isn't posed on whether or not it will happen AGAIN. It was quite possible in the first place that someone else might have found it as well, or that their tool would be stolen, as it was.
Going by their track record, I don't think they'll give two thoughts to doing something similar in the future. They're more than likely doing it now.
[ link to this | view in thread ]
drewmerc (profile), 22 May 2017 @ 5:11am

if the NSA has this type of exploit makes me wonder what the CIA has
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 5:14am

Well, you just have to love the hypocrisy of the government. They were concerned about the exploit but not concerned enough to report it to Microsoft? This is exactly why Americans and American voters do not trust the government and why we have so much contempt for our elected officials.
[ link to this | view in thread ]
Peter (profile), 22 May 2017 @ 6:16am

Why not give the exploit to Microsoft asap, so they can prepare a patch asap and keep it locked up (with NDAs, NSLs, injunctions), so it can be released immediately when Hackers discover it?
[ link to this | view in thread ]
Chris-Mouse (profile), 22 May 2017 @ 6:43am

Re:
The answer to that question has always been known.
"All of it"
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 7:21am

says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated.

I don't know, it seems reasonable to me. 90% of everything is crap, so the NSA just turns over the crappy exploits(don't give much access, are easily detected, only affect a small number of machines, etc), and keeps the remaining 10% of really good and powerful exploits for itself.
[ link to this | view in thread ]
That One Guy (profile), 22 May 2017 @ 8:33am

Re: Re:
Exactly. The NSA has made it abundantly clear that it will always prioritize it's ability to do something over public security, because as Good Guys they seem to operate under the dangerous idea that if it helps them then it helps the public, and any 'collateral damage' is an acceptable price (for the public) to pay.
[ link to this | view in thread ]
Bergman (profile), 22 May 2017 @ 8:40am

Re: i was given a back door
People have been prosecuted before for inadvertently aiding terrorists -- for example, donating to a legit charity, only for the money to be diverted by someone at the charity into funding terrorism.

The US government takes the view that it does not matter what your intent was, only the end result... right up until it would have to prosecute itself for treason, then intent is all that matters.
[ link to this | view in thread ]
Bergman (profile), 22 May 2017 @ 8:44am

Re:
The CIA isn't tasked with electronic intelligence. They have to make do with second best tools the way the FBI does.
[ link to this | view in thread ]
Bergman (profile), 22 May 2017 @ 8:47am

Re:
The US government exists to represent the people of the United States, since you can't exactly poll hundreds of millions of people when a decision must be made when seconds count.

Somewhere along the way, the government has forgotten that fact. They exist to protect us, yet the ease at which they will sacrifice us and our interests for at best nebulous gains is horrifying.

What is even worse though, is how many government officials consider the general public to be their enemies -- which means they meet the mens rea definition of treason, even if they haven't gotten around to the actus rea portion yet.
[ link to this | view in thread ]
Bergman (profile), 22 May 2017 @ 8:48am

Re:
Because that would require that the NSA trust someone?
[ link to this | view in thread ]
Anonymous Anonymous Coward (profile), 22 May 2017 @ 8:55am

Re: Re:
It would also require that someone trust Microsoft. How many users turned off Updates due to the force 'upgrade' to Windows 10? None of those people would get the update.

On the other hand, Microsoft put the update to fix WannaCry into the Windows Defender stream. Even though I am one of those who turned off Windows Update, I still update and use Defender weekly.

While it probably won't surprise many, check out the Twitter feed in this comment
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 8:59am

NSA fucked up. Goodbye golden key.
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 9:43am

What happened is that the NSA had such power behind the WCry exploit that they didn't want to relinquish that power because it allowed them unfettered access to thousands, if not millions of vulnerable computers owned by its citizens.

That they couldn't keep it from being stolen by hackers and those hackers used it to spread ransomware on such a massive scale ...

It's not a good thing when our government is more paranoid of the people than the people are paranoid of it.
[ link to this | view in thread ]
Michael, 22 May 2017 @ 10:32am

Re:
That's exactly what they are SUPPOSED to do.

The Vulnerabilities Equity Process is supposed to be used by the NSA to disclose vulnerabilities to technology companies. The technology companies are supposed to work with them to close the vulnerabilities in an appropriate manner.
[ link to this | view in thread ]
SpaceLifeForm, 22 May 2017 @ 10:39am

Re: Re:
Not if CIA hacked NSA and got the NSA tools.
[ link to this | view in thread ]
Watchman, 22 May 2017 @ 11:09am

Watch
It appears that none of these TLAs were watching for the exploit. Shouldn't they be monitoring the internet for their vulnerabilities in the wild, even before it's known that they've leaked (or even been discovered independently), or is it not technically possible?

"What's that - that one of ours?"
"Yep that's for Tehran University - that's OK."
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 12:46pm

Once it was out there
Why was the NSA not leading the charge to mitigate it's damage? It was other independent security researchers who stopped it from getting worse and developed tools to decrypt hosed machines. Where was the NSA? Why weren't they trying to clean up their mess?

(I think they ought to be held liable for the ransoms that people paid.)
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 12:55pm

Re: Once it was out there
Telling Microsoft about the exploitable bugs after the tools to exploit them were on the verge of leaking is the NSA's idea of trying to clean up their mess.
[ link to this | view in thread ]
Anonymous Coward, 22 May 2017 @ 1:10pm

So?
> The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands.

So? It already knew but doesn't care.
[ link to this | view in thread ]
Personanongrata, 22 May 2017 @ 2:15pm

NSA is Concerned with CYA
The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands.

wrong hands?

You write as if NSA's motives were pure as the driven snow.

They are not.

Remember NSA surveillance isn't about catching terrorists but keeping tabs on 330 million American citizens, corporate espionage and political blackmail.

Surveilling terrorists is simply the specious rational that is paraded about in public to make NSA's unconstitutional actions seem more palatable to Americans living under the US governments omnipresent stare.

Any well trained terrorist is quite aware of NSA's electronic surveillance and would more than likely practice good operational security and forgo cell phones, email, satellite communications gear, etc.
[ link to this | view in thread ]
Rekrul, 22 May 2017 @ 6:03pm

(It also inadvertently provided the perfect argument against encryption backdoors.)

But if we had encryption backdoors, then the government would be able to help all those hit with with the ransomware decrypt their files...
[ link to this | view in thread ]
orbitalinsertion (profile), 22 May 2017 @ 7:26pm

Re: Re: Re:
Power is a hell of a drug.
[ link to this | view in thread ]
orbitalinsertion (profile), 22 May 2017 @ 7:35pm

Re: Re:
Never mind the whole NVD... CVEs should go in there after companies are notified. The equity process is a lie on it's face.
[ link to this | view in thread ]
Anonymous Coward, 23 May 2017 @ 1:37am

Re: Re:
They're not officially tasked with running heroin out of Afghanistan either...
[ link to this | view in thread ]
Anonymous Coward, 24 May 2017 @ 8:20am

Re:
Why not give the exploit to Microsoft asap, so they can prepare a patch asap and keep it locked up (with NDAs, NSLs, injunctions), so it can be released immediately when Hackers discover it?
1. It would make Microsoft an accomplish to the backdoors. MS has a lot of explaining to do when that leaks out.
2. It takes time to patch all systems. Hackers operate faster than many sysops can patch, making these systems vulnerable.
[ link to this | view in thread ]