China Actively Collecting Zero-Days For Use By Its Intelligence Agencies -- Just Like The West
from the no-moral-high-ground-there,-then dept
It all seems so far away now, but in 2013, during the early days of the Snowden revelations, a story about the NSA's activities emerged that apparently came from a different source. Bloomberg reported (behind a paywall, summarized by Ars Technica) that Microsoft was providing the NSA with information about newly discovered bugs in the company's software before it patched them. It gave the NSA a window of opportunity during which it could take advantage of those flaws in order to gain access to computer systems of interest. Later that year, the Washington Post reported that the NSA was spending millions of dollars per year to acquire other zero-days from malware vendors.
A stockpile of vulnerabilities and hacking tools is great -- until they leak out, which is precisely what seems to have happened several times with the NSA's collection. The harm that lapse can cause was vividly demonstrated by the WannaCry ransomware. It was built on a Microsoft zero-day that was part of the NSA's toolkit, and caused very serious problems to companies -- and hospitals -- around the world.
The other big problem with the NSA -- or the UK's GCHQ, or Germany's BND -- taking advantage of zero-days in this way is that it makes it inevitable that other actors will do the same. An article on the Access Now site confirms that China is indeed seeking out software flaws that it can use for attacking other systems:
In November 2017, Recorded Future published research on the publication speed for China's National Vulnerability Database (with the memorable acronym CNNVD). When they initially conducted this research, they concluded that China actually evaluates and reports vulnerabilities faster than the U.S. However, when they revisited their findings at a later date, they discovered that a majority of the figures had been altered to hide a much longer processing period during which the Chinese government could assess whether a vulnerability would be useful in intelligence operations.
As the Access Now article explains, the Chinese authorities have gone beyond simply keeping zero-days quiet for as long as possible. They are actively discouraging Chinese white hats from participating in international hacking competitions because this would help Western companies learn about bugs that might otherwise be exploitable by China's intelligence services. This is really bad news for the rest of us. It means that China's huge and growing pool of expert coders are no longer likely to report bugs to software companies when they find them. Instead, they will be passed to the CNNVD for assessment. Not only will bug fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems.
Another regrettable aspect of this development is that Western countries like the US and UK can hardly point fingers here, since they have been using zero-days in precisely this way for years. The fact that China -- and presumably Russia, North Korea and Iran amongst others -- have joined the club underlines what a stupid move this was. It may have provided a short-term advantage for the West, but now that it's become the norm for intelligence agencies, the long-term effect is to reduce the security of computer systems everywhere by leaving known vulnerabilities unpatched. It's an unwinnable digital arms race that will be hard to stop now. It also underlines why adding any kind of weakness to cryptographic systems would be an incredibly reckless escalation of an approach that has already put lives at risk.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: china, cybersecurity, disclosure, intelligence, nsa, security, surveillance, vulnerabilities, zero days
Reader Comments
Moo Shu DDOS
This may explain why the fortune cookie I opened this weekend said, "L1 Terminal Fault (L1TF) vulnerability may bring you sadness unless patched."
Re: Moo Shu DDOS
That's...kinda racist, dude.
It is blatantly racist.
Re:
It's a comment on a signature cultural food item related to China. It's not a comment about any physical or mental attribute.
If this is racist then any and every cultural expression is racist.
Dial it back a few thousand notches.
signature China-related cultural food item
Fortune cookies were never Chinese.
Re: signature China-related cultural food item
A mis-attributed cultural practice is not an example of racism though. I stand by that.
Oh c'mon now, let's not be naive and act like they just started doing this or it was the leaking of the NSA tools that made them do it. That's just silly.
Re:
I think one of the problems is that people look at the information space and see that the advantages go to the offence instead of the defence. Which is why governments and people with power hoard the exploits.
It's a silly practice to leave your infrastructure vulnerable in the hope that your enemy hasn't also discovered the exploit. It's all part of the game intelligence agencies play and sometimes there is logic to the madness.
But who cares about us mere cannon fodder when the big government boys get to play with their shiny toys.
Re: Re:
The patch cycle has become as much a means to introduce new zero-days as a means to patch old zero-days as they are discovered.
I know exactly how to fix this; Microsoft needs to dump all the versions of Windows that they've been patching over the years and making them more secure, even Windows 10, and come out with an all new version and start the patching process from scratch! I'm sure that will make us all safer. I mean, that's what they've been doing all along and it's worked great so far...
This is how the Ring gets back to Sauron
When the Wrong Thing To Do promises more power it can become too tempting, even when it brings more vulnerability as well.
When hackers grab and dump their arsenal of exploits, and we have another plague of malware attacks, maybe we'll get the message. Or maybe it'll be someone else's turn.
I don't believe there was ever any news about the NSA ceasing their collection of zero day exploits, instead choosing to report them for patching. So it's likely the US didn't learn from the first time.
can we block them by adding CNAMES
Turn-About is Fair Play
This is really bad news for the rest of us. It means that China's huge and growing pool of expert coders are no longer likely to report bugs to software companies when they find them. Instead, they will be passed to the CNNVD for assessment. Not only will bug fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems.
We have only ourselves (NSA/GCHQ et al.) to thank.
For decades western corporations have peddled compromised software/hardware with the exploits baked-in as features not bugs.
Italicized/bold text was excerpted from a report titled NSA’s Own Hardware Backdoors May Still Be a “Problem from Hell” at the website www.technologyreview.com:
In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.
That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect.
https://www.technologyreview.com/s/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/
Durn!
As to the rest, remember, all the machine codes have been shared through the educational systems. And, we have only our researchers to blame. Because, you are not born to control a machine, you have to be taught. You have to be educated by others, and, where are they from? The same boy clubs. Are others allowed to play in the same field? Generally not. Are other nationalities allowed to play? Yes.
Do you remember, where other national researchers are not allowed into our research facilities, manufacturing facilities, or plants and research only based in the US? No. Remember why they moved, and even our defense contractors have research facilities on "enemy soil", so are they secure? Yes?