Later On

A blog written for those whose interests more or less match mine.

Why everyone is left less secure when the NSA doesn’t help fix security flaws

leave a comment »

The title (from the Wonkblog article described below) is a little odd: the NSA introduced security flaws into our communications and encryption systems. The NSA is all about making systems less secure. It would be nice if they were interested in making systems secure, but that seems (apparently) contrary to their view of their mission.

Andrea Peterson reports in Wonkblog:

n a frank discussion about the government’s approach to vulnerabilities in cyber-infrastructure during a Washington Post Live summit Thursday, former NSA chief Michael Hayden said the agency is not always “ethically or legally compelled” to help fix flaws it knows about. If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts. That approach might be convenient for the NSA, but it needlessly endangers the security of Americans’ computers.

The statement came after an audience member asked if backdoors reported in the NSA leaks introduced vulnerabilities that could be exploited by hackers. Craig Mundie, a Senior Adviser to the CEO at Microsoft, took a first crack at the question. He asserted that Microsoft does not engineer in any backdoors nor has there ever been any effort to “facilitate” those kind of things. However, he also noted he could not speak to government capabilities and added “any [backdoor] mechanism that anybody would put into something obviously creates another class of vulnerabilities.”

“Nobody but us”

Hayden argued the concept of vulnerabilities was not unique to the Internet and had been an issue the NSA has dealt with since its founding. “There’s a reason that America’s offensive and defensive squads are up at Fort Meade,” Hayden said, explaining “because both offense and defense at this world hinges on a question of vulnerability.” Hayden then laid out the concept of NOBUS, which stands for “nobody but us,” that he termed “very useful” for making macro-judgments about how to react to vulnerabilities, regardless of if those flaws are “preexistent, not designed, mistake, intended, implanted, [or] whatever”:

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS” and that’s a vulnerability we are not ethically or legally compelled to try to patch — it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.

You can watch the full exchange in the video embedded below. [see article at link for the video – LG]

To a certain extent, this NOBUS idea reflects the weighing of the dual defensive and offensive mission of the NSA. Sure, patching vulnerabilities might effectively make infrastructure safer on a broad scale. But we’re talking about the same agency that reportedly has a 600-some elite offensive hacker squad, Tailored Access Operations or TAO, working out of its headquarters. And NOBUS also raises a lot of questions about how the intelligence agency determines if something is likely to be exploited by adversaries.

Zero-day exploits

Take the NSA’s connection to the zero-day market. Earlier this year a Freedom of Information Act (FOIA) request revealed that the agency had a significant contract with with Vupen, a French company that deals with zero-day vulnerabilities — security flaws not yet discovered or patched by vendors. Sometimes these zero-days are used to exploit systems by the hackers who discover them, sometimes vendors are told about them as part of bug bounty programs, and sometimes they end up in these digital gray markets.

The United States is a major player in these gray markets, although other nations are reported to be also in on the game. A Reuters’s special report from May claimed the United States was the biggest . . .

Continue reading.

Written by Leisureguy

4 October 2013 at 1:37 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: