Commentary: Evidence points to another Snowden at the NSA
We know that because data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers.
Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe. On August 13, a group calling itself the Shadow Brokers released megabytes of NSA cyberweapon code on the internet. Near as we experts can tell, the NSA network itself wasn't hacked; what probably happened was that a "staging server" for NSA cyberweapons — that is, a server the NSA was making use of to mask its surveillance activities — was hacked in The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release.
The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: "!!! Attention government sponsors of cyber warfare and those who profit from it!!!! How much you pay for enemies cyber weapons?"
Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee — or other high-profile data breaches — the Russians will expose NSA exploits in turn. But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and "exploit code" that can be deployed against common internet security systems. Some of these vulnerabilities have been independently discovered and fixed since, and some had remained unknown until now.
All of them are examples of the NSA — despite what it and other representatives of the US government say — prioritizing its ability to conduct surveillance over our security. Here's one example. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls' security.
Cisco hasn't sold these firewalls since, but they're still in use today. Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes. Over the past few years, parts of the US government have repeatedly assured us that the NSA does not hoard "zero days" — the term used by security experts for vulnerabilities unknown to software vendors.
After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early that the NSA must disclose flaws in software so they can be patched unless there is "a clear national security or law enforcement" use. Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that the US doesn't stockpile zero days except for the same narrow exemption. An official statement from the White House in said the same thing.
Hoarding zero-day vulnerabilities is a bad idea.
It means that we're all less secure. When Edward Snowden exposed many of the NSA's surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. It's an inter-agency process, and it's complicated. There is a fundamental tension between attack and defense.
New leaks prove it: The NSA is putting us all at risk to be hacked
The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed.
In this case, we are all secure against whoever might be using the vulnerability, but the NSA can't use it to attack other systems. There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Not all vulnerabilities can be turned into exploit code. The vulnerabilities we care about are the ones in the Shadow Brokers data dump. We care about them because those are the ones whose existence leaves us all vulnerable.
Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems — whoever "they" are. Either everyone is more secure, or everyone is more vulnerable. Pretty much uniformly, security experts believe we ought to disclose and fix vulnerabilities. And the NSA continues to say things that appear to reflect that view, too. The NSA told everyone that it doesn't rely on zero days very much. Earlier this year at a security conference, Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) organization — the country's chief hacker — gave a rare public talk, in which he said that credential stealing is a more fruitful method of attack than are zero days: "A lot of people think that nation states are running their operations on zero days, but it's not that common.
For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive."
If it believes no one else will find the problem, it may decline to make it public. It's an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique ability to conduct vulnerability research.
They are run-of-the-mill vulnerabilities that anyone — another government, cybercriminals, amateur hackers — could discover, as evidenced by the fact that many of them were discovered between when the data was stolen and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world. So what are all these vulnerabilities doing in a secret stash of NSA code that was stolen in ?
Assuming the Russians were the ones who did the stealing, how many US companies did they hack with these vulnerabilities? This is what the Vulnerabilities Equities Process is designed to prevent, and it has clearly failed. If there are any vulnerabilities that — according to the standards established by the White House and the NSA — should have been disclosed and fixed, it's these. That they have not been during the three-plus years that the NSA knew about and exploited them — despite Joyce's insistence that they're not very important — demonstrates that the Vulnerabilities Equities Process is badly broken.
We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance. A good place to start are the recommendations by Ari Schwartz and Rob Knake in their report: these include a clearly defined and more public process, more oversight by Congress and other independent bodies, and a strong bias toward fixing vulnerabilities instead of exploiting them. And as long as I'm dreaming, we really need to separate our nation's intelligence-gathering mission from our computer security mission: We should break up the NSA.
The agency's mission should be limited to nation state espionage. I doubt we're going to see any congressional investigations this year, but we're going to have to figure this out eventually.