November 4, 2024
Hacking Technology

NSA Hoards Zero Days; Doesn’t Disclose Them all to Vendors

Avatar of adezero
  • August 21, 2016
  • 2 min read
NSA Hoards Zero Days; Doesn’t Disclose Them all to Vendors

The NSA does not always disclose the zero day vulnerabilities it finds to unprotected vendors. Some security flaws are kept secret “when they can be used to serve a clear national security or law enforcement need” (Wired).

The US National Security Agency (NSA) was hacked by a suspected Russian hacker group and many of their exploits and hacking tools were archived. Leaked information was made public that showed the NSA collects exploits and does not always disclose them to vulnerable vendors. When vulnerabilities are not disclosed, problems do not get fixed. The NSA appears to operate “on the premise that secrets will never get out. That no one will ever discover the same bug. That no one will ever use the same bug. That there will never be a leak” (Business Insider).

Unfortunately, as we are currently witnessing with this recent leak, other types of hackers are able to find the same bugs and those hackers could have more malicious intent than the NSA. When hackers obtain a trove of U.S. secrets, that could put the government and corporations worldwide in a susceptible position. For example, the leaked data includes information on breaching popular commercial firewalls. Emergency service providers, governments, financial systems and many businesses all rely on these firewall technologies.

Global networking company, Cisco Systems, confirmed last week that the NSA exploited an undetected severe vulnerability that allows remote attackers “who have already gained a foothold in a targeted network to gain full control over a firewall” (Ars Technica). The NSA knew about this vulnerability since 2013 and did nothing to stop it. Now that the data is leaked, Cisco fears that the information “could be used to breach its Adaptive Security Appliance (ASA) software used in its firewalls. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system”. It can be argued that these exploits would have been patched had the NSA disclosed the vulnerabilities instead of collecting them for their own use.

(Watch – Snowden discusses NSA hack, Cisco to cut 5,500 jobs, NASA preps an asteroid rocket):

Comment with Facebook

1 Comment

    Avatar of Neon Sturm
  • NSA’s life would be a lot harder if we all were to use differential-tools.
    If for a specific function 3 algorithm instances are written, their outputs could differ and a protocol filter and data comparison knows exactly which one contains a bug.

    Once such a feature exists, it could be extended to virtually 100 simultaneous choices from various versions or distributors, depending on available CPU power. At least it would detect the error and report it automatically.
    Comparing the implementation from different vendors for all value-ranges for a single function serves bug-fixing and increases trust into a specific vendor. It also discourages abuse of power.

Leave a Reply

Your email address will not be published. Required fields are marked *