On Monday, when tech executives arrived in their offices, just days after a mysterious group of hackers released what they claimed were a set of NSA hacking tools, a familiar and frustrating pattern was taking shape. America’s premier signals intelligence agency had once again discovered unknown flaws in products used to secure computer networks around the globe, but instead of telling the manufacturers, the NSA pocketed those flaws, like skeleton keys that would let them open doors to others’ networks whenever and wherever they wanted.
If the tools released by the group known as the “Shadow Brokers” are legitimately from the NSA — and security researchers and agency veterans say that they appear to be — the agency now faces a fresh round of questions about how the breach occurred and when the agency found out.
That’s because the data released by the Shadow Brokers contained what are known as “zero days,” software flaws that are unknown to the manufacturer of a piece of software or hardware, and thus flaws for which no patch is even in the works.
Stockpiling such vulnerabilities is part of an international arms race in cyberspace. Last weekend’s dump exposed what is likely a small part of the American arsenal of such high tech battering rams, and it has reignited a debate among security researchers about whether the government should be stockpiling them, or if it should be revealing those vulnerabilities to manufacturers to make American networks more robust.
Given that the hardware made by the likes of Cisco Systems and Fortinet are often the backbone of the networks used by the U.S. military and State Department, helping those companies lock the back door should be a “no-brainer,” said Jason Healey, a former cyber operator for the U.S. Air Force and now a researcher at Columbia University.
“It would disappoint me if they knew and didn’t tell” the very vendors that are outfitting critical parts of the U.S. government, he said.
But some NSA veterans tick off plenty reasons not to share the information. Tipping off the Chinese and Russians about potential weaknesses makes no sense, said Dave Aitel, a former NSA research scientist and the CEO of Immunity, a security firm. And broadcasting just what tools the NSA is using risks compromising operations both past and present, he said.
On Wednesday, Cisco and Fortinet said they had not been notified about the software flaws that had been exposed. Timestamps in the released NSA code indicate that the hacking tools were likely swiped in October of 2013, though such marks can be easily faked.
On paper, the U.S. government has a process to determine whether to tell manufacturers they’ve got a problem. The interagency process was established in 2010, fell into disuse, and was then “reinvigorated” in 2014, in the words of White House cybersecurity chief Michael Daniel.
But security experts across the political spectrum scoff at the process and the notion that it seriously considers giving away potentially valuable zero-day vulnerabilities.
“Anything that has intelligence value is not going to be released,” Aitel says.
Chris Soghoian, the chief technologist at the ACLU, agrees. “It’s clear the game is rigged” against disclosure, he said.
But thanks to the #Shadow_Brokers, the vulnerabilities have been disclosed after all — not to the manufacturers, but to the entire world. What amounts to a series of military-grade hacking tools are now freely available on the internet, on sites such as this one. These tools can be used by hackers to break into firewalls, control a network, and spy on users. Another tool may be capable of stealing a users’ encryption keys.
So far, one of the tools released stands out: #ExtraBacon. That piece of code targets Cisco’s Adaptive Security Appliance firewall, widely used widely by both the U.S. government and private sector companies. ExtraBacon allows an attacker to take control of the firewall and monitor all traffic on it — a classic NSA strategy. On Wednesday, Cisco issued a security alert for the high-severity vulnerability; The company has so far not patched it, and has only issued a “work-around” for the problem.