Report: NSA hushed up zero-day spyware tool losses for three years Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers has found that the agency knew about the loss for three years but didn’t want anyone to know. Multiple sources told Reuters last night that the investigation into the data dump released by a group calling …
Amazing how often he was right. A regime change did get rid of some of the worst abuses of the glorious war on terror (waterboarding, renditions in ally countries) but it increased others such as a lack of government transparency, unchecked retribution to whistle blowers and push button executions of even citizens.
The fact that they have not seen them for more than 2-3 weeks pretty much means that they got into the hands of a state level actor which has assessed what they got and has assigned it to "special ops duties only". So while they have been in use ever since they were lifted, the use was so selective and rare that they did not see them. Further to this, there is a significant likelihood that the tools and exploits were reverse engineered and used differently (hence not picked up by whatever monitoring tools NSA used).
If it was your usual "darknet numpty" the tools would have been for sale in a week.
They should have declared a "situation brown pants" within 2 months of losing exactly because they did not pick up any traces. As a result, they were used for 3 years for selective special ops only (probably in a re-engineered state) and dumped on the Internet as a "Компромат" only once they have outlived their usefulness.
So, what was their plan if they spotted these tools in use?
If they suspect a "state actor" then what would they be able to do about it anyway?
There is no way they can somehow magically delete them once someone else has copies.
Next port of call should have been CERT. At this point they can't even claim that "only they know the hacks they use", so that argument is demonstrably bullshit.
And these are supposed to be the group that also help stop cyber attacks on US infrastructure...
What a crock.
"The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them."
Or to put it another way: The NSA decided that it would prefer to carry on using the exploits (knowing a that a likely malicious third parties had access to them) to protecting US Citizens.
>Ooh look someone has our gun, let's see who they shoot with it.
Wasn't that the whole scandal of the Fast and Furious the GOP beat up on Obama for in one breath yet while making sure anyone with a pulse can buy guns on the other?
Obviously we can slag off the NSA for lots of things about this (ain't it fun!) but there is one very important lesson here. Even though this was the NSA, who are actually pretty good at security (they spend enough money on it) - despite them being good, they STILL managed to lost some very, very important info.
What is the lesson? If there is a way for something to go wrong, it will. If there is information about a backdoor to some software, it WILL get out, somehow, someday. And then the Moscow Mafia or ISIL or whoever can start having fun. Hundreds of lorries simultaneously accelerating into crowds? (Thank you P.C. Hogan-Howe for the suggestion)
Defense is important - detection and response is critical. You WILL be breached no matter what you do, no matter who you are. The key now is how quickly can you discover the breach and how quickly can you clean. Firewalls, IPS and the like are only there to prevent the kiddies and the morons from clogging up your view they are not stopping anyone that really wants in. As always, management is about 5 years behind on this thought & still focused to prevention alone.
"According to US government guidelines the NSA is supposed to assess the seriousness of zero-day flaws it finds and inform companies if it feels they are serious enough. [...] That didn't happen, and a lot of security people are going to be asking why not."
I really don't think anyone will be asking why not; it's completely bloody obvious.
I work in schools.
Because of the junk that is Apple's device management, the children find ways to change settings or install things that they shouldn't be able to do, all the time.
But I have a network MDM that "sees" the change even if it can't do anything about it. It sends me little emails. And I have a little network of informants.
Do I wade in on the first such change, charge into the classroom, confiscate and then reprimand? No. I'd be doing that ALL DAY LONG. And it would give away my informant's identities.
I monitor. Then I wait and see what happens. Sometimes a few days later the thing I spot has reverted back to how it should be. Sometimes, another device from another user gets the same thing and it spreads. Sometimes I spot NEW ways to do things that they've just discovered (e.g. exploits in features in the newer iOS or similar).
But what you do is - unless it's something CRITICAL - you wait for them to drop themselves in it deep enough that it can't be "It was an accident, I just clicked X". A guaranteed conviction / sanction. You wait for their friends to catch on. Or wait for a whistleblower to "inform" you (it happens - especially when playground rivalries are at a peak!). Then you take a whole group of them down.
If sensible, you've left it until the point that they know they are going to get caught and start to look for another way. And then when you confiscate you are a step ahead because you LEAVE THAT ON THERE. Let them think you haven't spotted it. Watch who uses that next week. It's a heads-up on their next tactic and an easy way to monitor a group that you think are going to repeat their actions. And it provides instant proof of who the ringleaders are and who to keep an eye on.
Rather than having to constantly run all over the school for every minor infraction, I organise purges at infrequent intervals, with guaranteed success, inside information capture, a headstart on the next fad, guaranteed "conviction" / sanction, and no wasted effort. And the kids CONSTANTLY think "Oh, we got one over on them, they don't know about..." and aren't aware that I've already got them tagged for the next purge on exactly that thing.
I fail to believe that someone like the NSA isn't doing exactly the same all the time in their playgrounds too.
That they don't notify Cisco et al, though, is making their argument about protecting National Security a bit blurry. At least let them get their patches ready to go so you can do a blitz on the vulnerabilities as soon as they are allowed to be announced.
The correct analogy in this case is:
you manage a school network.
Unbeknownst to the principle and staff, you (however unwisely) have a copy of all their passwords that you use to access their systems at will, which you use to "check for viruses/fix issues" etc. Obviously you could use that power to steal cash/read private emails/sell exam paper access, but you don't because you are nice, even though there is no oversight (so maybe you do). The passwords don't expire, so you don't have to worry about getting the new ones unless someone changes theirs for some reason.
One day you find that a hard copy of your list of all the staffs passwords has been stolen by someone (probably a student).
Rather than admit what you have been doing, and getting all the staff to change their passwords, you instead just do extra monitoring to see if you can spot when someone logs in with those accounts who isn't the teacher involved.
After a few weeks you think, "Ok, probably fine, I cant see any dodgy logins".
Three years later someone posts the password list to the schools internal mailing list using the Principles account.
It's a bit different from rounding up criminal conspiracies or thwarting student pranks.
How do you think an auditor should react should they find a situation like the one described?
How trustworthy are your schools exam results for the last 3 years...
So, what you are saying is that you:
1) are an incompetent security administrator;
2) are an incompetent educator;
3) you have wet dreams about becoming a cop;
4) are paid on a quota/bonus system based on the number and size of the 'arrests';
5) are ensuring your job by inflating how big the issue is by ALLOWING the increased penetration of your network.
So, you implicitly authorise an activity (you know it's occurring but do nothing about it), so that people who might not otherwise engage in the activity do so because it seems to be implicitly accepted. Then, when it looks good for your 'stats', you "make a big bust" of this activity you have implicitly authorised and encouraged?
People like you are the reason our schools and law enforcement agencies are failing, are regarded with contempt. Rather than trying to encourage people to follow the rules, you un-officially encourage it, then bring the hammer down.
There's a word for people like you, and it starts with the letter 'cee'.
NSA has the advantage of brute force, massive wiretapping, legal immunity... so they don't have to work as hard as regular hackers to get results, which dulls their chops. Plus, they have to deal with government employee bullshit. They probably get disillusioned and depressed, and take a lot of antidepressants, which further dulls their chops.
And that's just the hackers willing to work there in the first place.
Because that's what they are. Sworn to defend the nation against all enemies, etc. But instead they leave us vulnerable so they can play their spy games. All offense, no defense. Kind of like all those nuclear forces. Just one madman who doesn't care about getting incinerated (or frozen in a nuclear winter) is all it takes, and we've now got tens of 1,000's of them (at least) courtesy of a brilliant plan to take down an enemy that no longer exists by incubating a fanatical anti-Western movement in the hills of Afghanistan (with the help of our friends the Wasabi-funding Saudis and anti-democratic Pakistani Intelligence).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
