Sophos Cloud Optix
The zero-day business is booming, with the US’s National Security Agency (NSA) being one of the most eager buyers, as the New York Times reported last July.
Wouldn’t it be nice to know just how, exactly, the spy agency determines when to let vendors, and the vulnerable users of their products, know about new flaws?
Wouldn’t it be nice to know how long the NSA silently sits on those zero days, leaving businesses and individuals with their bellies exposed, as it exploits vulnerabilities for spying purposes?
The Electronic Frontier Foundation (EFF) has stepped up to help find answers to those questions.
On Tuesday, the EFF filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to access documents showing how intelligence agencies choose whether to disclose zero days.
In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the Heartbleed bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability.
The White House strongly denied the allegations, claiming that the government has a “bias” toward responsible bug disclosure and that it had developed a new “Vulnerability Equities Process” for deciding when to share vulnerabilities with companies and the public.
That process dictates that, unless there’s a “clear national security or law enforcement need”, the process is biased toward responsibly disclosing vulnerabilities.
The White House said that the process is based on “principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
The public hasn’t been told what those principles are.
The EFF filed a FOIA request for records related to the processes on 6 May.
As yet, there haven’t been any documents forthcoming, despite ODNI having agreed to expedite the request, the EFF says.
The digital privacy rights group on Monday filed a FOIA complaint for injunctive relief.
After all, EFF Global Policy Analyst Eva Galperin said, as intelligence agencies eschew responsible disclosure to milk zero days so as to infiltrate targeted computers or devices, the public languishes, unprotected from identity thieves and other governments that might also be aware of – and exploit – unpatched vulnerabilities.
Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors.
I wonder when I’ll hear something good about the NSA. Every time I hear about them it just makes me hate them more.
Same. I think it’s safe to assume most accusations of the NSA are true until proven false.
Holding back the zero is only a benefit if it is sure that there is no bad guy already knowing it or not capable of detecting&exploiting it before intended disclosure. If the agency keeps the secret door open for the earlier-than-zero, i.e. minus-one guy, then the potential harm for the national and international security can be disastrous.
How can you be sure that there is no minus-one exploit? Just because the agency has almost unlimited resources and lots of smart experts?? This kind of arrogance would be a big step towards non-security.
Imho the how of “weighing the risks and benefits” is not important. Knowing the how will only reveal the degree of overestimation of the agencies own capablities. No matter how, a responsible result of weighing unknown risks with potential black swan impacts can only be immediate responsible disclosure.
Time the NSA was held accountable for the actions taken. spying is not the way to gain confidence in any security service that puts businesses into an unsafe state. There are enough breaches of security online without the NSA creating more security holes in anyone system just for spying.
despite all of this security online is constantly shouted out to all. so stop the exploitation NSA . hope congress terminate all your funding with the view of shutting you down permanently.
you don’t think they will have damning evidence/leverage to bend the decision makers’ arms in the last minute.
this theatrical act of dragging them through the mud and cutting some funding is just a facade. it is orchestrated so “joe public”‘s mind will be at ease that justice has been served.
they might even destroy the NSA and build something more secretive in the background.
I think it’s pretty easy to see how this is an advantage to national security. If we are just referring to “zero-day” knowledge, then the risk includes the timespan that it takes others find that same knowledge, IF they even do. I would imagine that their “Vulnerability Equities Process” involves weighing both sides of the issue to determine if the greater good is exposing the information or exploiting it: both of which involve national security.
Most likely, the NSA gains its collection of zero-days in a couple of different ways — from its own security researchers, and by purchasing vulnerabilities from vendors such as Vupen.
In both cases, a significant pile of US taxpayers’ money is being spent to ensure that we all remain vulnerable in ways that the NSA wants to know about. For people like me this is particularly ironic.
I am employed as an Information Security professional by a private company in the US. Thus I’m paying taxes to undermine myself. Genius!
G
The NSA’s mission is
“The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.” (source: nsa.gov)
I don’t see anything in there about protecting private enterprise or citizens. Their mission is to “gain … advantage for the Nation and our allies ….” While it may be unpopular, until Congress changes their reason for existence, they have no obligation to divulge zero-days. In fact, they have an obligation to exploit them “for the Nation and its allies”.
You are sadly misguided, deeply confused or simply a willing tool of the government. You equate “Nation” with Government, but in the USA, the nation is “We the People”… its citizens and the enterprises they individually or collectively own.
Neither misguided nor confused. But, willing tool? Yes: I used to be a member of InfraGard, the FBI’s public/private org. whose mission was to improve security in critical private infrastructure. I would be a willing tool again in a heartbeat if the situation warranted it (i.e. if I worked for an infrastructure company again). Security is everybody’s job, and I’ll happily help that any way I can.
But, I think you missed my point: exposing zero-days is simply not in the NSA’ mission. It doesn’t matter if it’s right or wrong; it’s simply not their job.
It IS part of the FBI’s job, though. And to a degree, the CIA’s. But, the NSA and the military? No. Their obligation is to protect and give advantage to the nation and allies.
If we don’t like that mission, we should encourage Congress to change it.
Shutting down the NSA won’t happen, in my life time. But it is a correct appraisal of the problem that others probably know about these bugs also and sitting on them is detrimental to our nation.
All of these types of agencies, know about each other and all spy on enemy as well as friends. That information gives many ‘friends’ the ability to know what may transpire before meetings an other type of communications. You could see how well it went over that they were spying on the Brits.
The only way to slow this to a stop is releasing information from top officials that thought they were ‘above’ this type of breach. Such as senators or congressional members, Judges and so forth. When these become public information, you will see an immediate change.
Jack