vulnerabilities equities program – Techdirt

Stories filed under: "vulnerabilities equities program"

NSA Surprises Microsoft With A Vulnerability Disclosure Just In Time For Patch Tuesday

from the what-do-you-give-to-a-company-that-has-everything-but-knowledge-of-this-exploit dept

Given the NSA’s track record with vulnerability disclosures, it’s somewhat of an anomaly when it actually decides the security of millions of innocent computer users is more important than its exploitation of a security flaw. Ellen Nakashima has the details for the Washington Post:

The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.

The flaw affects Windows 10 users, the largest user base Microsoft currently has. The vulnerability could have been weaponized by the NSA, as so many others have been. The agency has consistently withheld knowledge of vulnerabilities from affected companies until the exploits have outlived their usefulness.

The equity program, meant to ensure companies are notified of serious software flaws, has routinely been ignored by the NSA, leading directly to the EternalBlue cataclysm that saw malicious hackers repurpose the exploit and unleash ransomware attacks on multiple targets around the world.

Microsoft was not happy. It released a long statement decrying the Intelligence Community’s refusal to completely participate in the Vulnerability Equities Process. As ransomware attacks brought multiple critical facilities to their knees, the NSA was justifying its “better way too late than never” approach with statements about the difficulty of developing useful surveillance tools.

It may have been Microsoft’s response to the WannaCry attacks that prompted the NSA’s proactive disclosure of this vulnerability. This security flaw is strikingly similar to the one exploited for years by the NSA — the one that became ransomware once the Shadow Brokers made the vulnerability available to whoever wanted it.

The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”

Like EternalBlue, the vulnerability disclosed here is “God mode” for malicious hackers and surveillance agencies.

Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.

Microsoft’s patch will have been issued by the time you read this. The good news beyond the NSA’s surprise disclosure is that Microsoft has not seen the flaw exploited. Yet. A patch is only as good as the end users’ application of it. That’s somewhat beyond Microsoft’s control but Windows 10 is pretty aggressive about pushing updates, so it shouldn’t take too long to close this hole.

This likely doesn’t signal a large-scale change in the way the IC handles vulnerability disclosure. Exploits and vulnerabilities will continue to be hoarded, even if the potential collateral damage is billions of dollars. After all, billions will be lost by targets of attacks predicated on hoarded vulnerabilities. The NSA won’t lose anything, not even a little sleep.

Filed Under: nsa, patch tuesday, vep, vulnerabilities, vulnerabilities equities program, windows 10
Companies: microsoft

NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked

from the and-still-nothing-until-the-last-minute dept

The NSA’s exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that’s needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process — not when it discovered the vulnerability, but rather when it became apparent the agency wouldn’t be able to prevent it from being released to the public. What’s happened recently has been devastating and Microsoft — whose software was targeted — has expressed its displeasure at the agency’s inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it “fishing with dynamite.” The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn’t bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as “disarmament.” Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won’t happen again, the question now is how much of other people’s security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have been so much worse. The chain of events leading to the NSA’s eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn’t take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There’s your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny than it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over “90%” of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as “No Such Agency.” It’s only been the last four years that it’s been forced to engage in more transparency and accountability, so it’s tough to believe it’s spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA’s second-guesswork will have to do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it’s likely that by the time it heads for the Oval Office desk, it will be riddled with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA’s inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.

Filed Under: exploits, leaks, nsa, vep, vulnerabilities, vulnerabilities equities program, wannacry

Microsoft Is PISSED OFF At The NSA Over WannaCry Attack

from the as-it-should-be dept

So, for about a day, Microsoft followed the usual course of action concerning the WannaCry malware that made the rounds last week. As we noted, this ransomware/attackware was built off some leaked NSA exploit code utilizing a vulnerability in Microsoft Windows… that the NSA failed to tell Microsoft about. Microsoft had actually patched it a few weeks prior to the code leaking online via Shadow Brokers, but, still… the NSA is supposed to disclose most of these vulnerabilities, rather than hold them for offensive use (that’s the theory, at least).

Microsoft did its standard “no comment” bit for a day or so, but then on Sunday, its President and Chief Legal Officer let loose on the NSA for its failures that resulted in all of this happening. First, it officially confirmed what people were saying about the code being built off of leaked NSA code:

The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.

The post does a good job discussing what Microsoft is doing about this and what it means, but then has this:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

Whatever you might think of Microsoft and privacy and such, in the last few years (in part thanks to Smith’s focus on this), it has been really good about pushing back on government surveillance and interference. This blog post seems to be the next step in that effort. I’m sure that plenty of readers here have a reflexive dislike of Microsoft (no need to express it in the comments, we know already), but the company has been taking a strong stand against excessive surveillance and other efforts to weaken the public’s security. Calling out the failures of the intelligence community in not disclosing these kinds of vulnerabilities is another good step, and it’s good to see Microsoft make such a clear statement on it.

Filed Under: exploits, nsa, ransomware, vep, vulnerabilities equities program, wannacry
Companies: microsoft

CIA Leak Shows Mobile Phones Vulnerable, Not Encryption

from the and-cia-isn't-helping dept

As you’ve probably heard by now, this morning Wikileaks started releasing a new cache of information regarding CIA hacking tools. This is interesting on a variety of levels, but many of the reports focus on the claims that encrypted chat apps like Signal, Whatsapp and Telegram may be compromised. See the top two links in this screenshot:

Wikileaks itself may have contributed to this view with the following paragraph in its release:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

But the details don’t seem to show that those apps are compromised, so much as that Android and iOS devices are compromised. It’s always been true that if someone can get into your phone, the encryption scheme you use doesn’t matter, because they can just pull keystrokes or grab data before you encrypt it — in the same way that someone looking over your shoulder can read your messages as well. That’s not a fault of the encryption or the app, but of the environment in which you’re using the app itself.

And that should really be the bigger concern here. Over the years, nearly all of the focus on hacking mobile phones has been on the NSA and its capabilities, rather than the CIA. But it’s now clear that the CIA has its own operations, akin to the NSA’s hacking operations (kinda makes you wonder why we need that overlap). Except that the CIA’s hacking team seems almost entirely unconcerned with following the federal government’s rules on letting private companies know about vulnerabilities they’ve discovered.

Remember, the Obama White House put in place what it called a Vulnerabilities Equities Program in which the intelligence community is supposed to default to letting private companies know about vulnerabilities. And, yes, this was always something of a joke as there was a giant loophole involving “except for a clear national security or law enforcement need” that the NSA basically used to withhold vulnerabilities all the time. Still, at least the NSA appeared to get around to revealing some vulnerabilities eventually (probably once they were no longer useful).

Here, however, it looks like the CIA was hoarding some really serious vulnerabilities with wild abandon. In a chart released by Wikileaks you see that the CIA is getting these vulnerabilities from a variety of sources. Some it’s finding itself, some it’s purchasing, and some are shared via other agencies, such as the NSA or the UK’s GCHQ. As Ed Snowden notes, there is now clear evidence (which many suspected, but which had not been proven) that the US government was secretly paying to keep US software unsafe and vulnerable. That’s really dangerous. It’s putting basically everyone in much more serious danger, just so the CIA, NSA and others can get in when they want to:

The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words.

— Edward Snowden (@Snowden) March 7, 2017

This is why the whole conversation about mandating backdoors and “going dark” was so dangerous in the first place. Those were plans to force even more of these vulnerabilities into the wild, just for the very very rare cases where they were needed by law enforcement or intelligence.

At a time when the President is suddenly acting as if he’s concerned about domestic surveillance (at least of himself), perhaps now would be a good time to crack down on this kind of stuff. I’m not holding my breath — but, for now, we’re getting a lot more insight into the CIA’s electronic surveillance methods, and it sounds like there’s more to come.

Filed Under: cia, encryption, hacking, nsa, phones, surveillance, vep, vulnerabilities, vulnerabilities equities program
Companies: wikileaks

Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?

from the Betteridge-and-Glomar-combine-to-say-'we'll-probably-never-know' dept

The NSA’s exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA’s Tailored Access Operations (TAO) toolkit, containing several zero days — including one in Cisco’s (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.

The thing about these vulnerabilities is that they aren’t new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for a while. The fact that companies affected by them don’t know about these flaws means the NSA hasn’t been passing on this information.

Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies “90% of the time.” Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.

The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with — “a clear national security or law enforcement need.”

Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there’s almost always a “need” that outweighs the general public’s security and safety.

Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.

“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.

He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”

Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”

So, there’s no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it’s no longer effective. The agency’s name alone grants it a presumption of secrecy because, after all, nothing has more “national security needs” than the National Security Agency.

This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it’s OK because it’s only the “good guys” doing good things with them. The exploits will be sold to the highest bidder — whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to the highest bidder — which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.

Matt Blaze — referring to the just-disclosed Cisco zero day — wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn’t it disclose the vulnerabilities to affected developers?

I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?

— matt blaze (@mattblaze) August 18, 2016

Neither scenario is particularly flattering. Although it’s presumed the hackers didn’t actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.

The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there’s no longer any “what if” about it. The NSA knew exploits were in the “wrong” hands but withheld this info to continue utilizing the exploits. If that’s the case, the NSA is complicit in any exploitation by the “wrong” people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.

It may be that the NSA truly didn’t know about this hacking until the hackers started passing out parts of its exploit hoard, but that’s not exactly comforting considering the agency’s efforts to be declared the overseer of the US government’s CyberWar.

Filed Under: disclosure, exploits, nsa, reporting, tao, vep, vulnerabilities equities program, vulnerability, zero days