NSA says how of­ten, not when, it dis­closes soft­ware flaws

Kuwait Times - TECHNOLOGY

SAN FRANCISCO: The US National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving US companies open to cyber attacks, said last week that it tells US technology firms about the most serious flaws it finds more than 90 percent of the time.

The reassurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former US government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

At issue is the US policy on so-called “zero-days,” the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term zero-day comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.

The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium.

Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.

A shadowy but robust market has developed for the buying and selling of zero-days, and as Reuters reported in May 2013, the NSA is the world’s top buyer of the flaws. [http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510] The NSA also discovers flaws through its own cyber programs, using some to break into computer and telecommunications systems overseas as part of its primary spying mission.

Some zero-days are worth more than others, depending on such factors as the difficulty in finding them and how widespread the targeted software is. While some can be bought for as little as $50,000, a prominent zero-day broker said this week that he had agreed to pay $1 million to a team that devised a way to break into a fully updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told Reuters the iPhone technique would “likely be sold to U.S. customers only,” including government agencies and “very big corporations.”

Government officials say there is a natural tension as to whether zero-days should be used for offensive operations or disclosed to tech companies and their customers for defensive purposes.

In the wake of revelations by former NSA contractor Edward Snowden and a Reuters report that detailed how the government paid security firm RSA to include NSA-tainted encryption in its software, [http://www.reuters.com/article/2013/12/21/us-usa-security-rsa-idUSBRE9BJ1C220131221] a White House review panel recommended tilting government policy more towards defense. [http://www.reuters.com/article/2014/05/16/us-cyber-summit-reforms-idUSBREA4F0MX20140516]

President Barack Obama’s cybersecurity coordinator, Michael Daniel, then said he had “reinvigorated” the review process that decides what to do about each flaw that comes to government attention. The details of that process remain classified, but interviews show that the changes sharply elevated the role of the Department of Homeland Security, which is responsible for defense and had not previously been at the center of intergovernmental debates on the issue.

After Daniel described the revamped process broadly, the activist Electronic Frontier Foundation sued for documents about it under the Freedom of Information Act.

The most significant release in that case came in September, with an undated and partly redacted 13-page memo outlining how agencies should handle knowledge about software vulnerabilities. The memo [https://www.eff.org/document/vulnerabilities-equities-process-redactions] states that the NSA’s defensive arm, the Information Assurance Directorate, served as the executive secretariat for the process.

A redacted portion of the memo lists the agencies that participated in the process as a matter of course. An unredacted part refers to other agencies that can ask to participate on a case-by-case basis, and the Department of Homeland Security appears in that section, along with the departments of State, Justice, Treasury and Commerce.

Two former White House officials said that the memo referred to the old system, before Daniel reorganized it about a year and a half ago. In an interview, Daniel told Reuters that DHS was a key part of the new system, which is run by the White House’s National Security Council. “DHS is at the table in the process I’m running,” Daniel said. An NSA spokeswoman referred questions about its policy to the NSC, where a spokesman referred Reuters back to the NSA. The NSA says on its website that it understands the need to use most flaws for defense.

“In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” according to the website. [https://www.nsa.gov/public_info/news_information/2015/ncsam/discovering_solving_sharing_it_solutions.shtml]

“But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.” — Reuters
