The US Uses Vulnerability Data for Offensive Purposes

Companies allow US intelligence to exploit vulnerabilities before it patches them:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

No word on whether these companies would delay a patch if asked nicely—or if there’s any way the government can require them to. Anyone feel safer because of this?

Tags: , , , , , , ,

Posted on June 20, 2013 at 6:04 AM40 Comments

Comments

wiredog June 20, 2013 6:58 AM

Isn’t this one of those things that everyone has suspected for decades now? Not a surprise at all. And I’m sure that when other countries (China, UK, Iran, etc.) discover vulnerabilities they hold on to them for later use.

zcl June 20, 2013 7:11 AM

It’s just a tiny extra step for them to introduce an “accidental” oopsie. Anyone willing to take that bet, for or against?

Clive Robinson June 20, 2013 7:17 AM

This of course re-opens the debate about what is “reasonable disclosure” and brings in the potential for committing “war crimes”.

In the past the argument for delaying release of details publicaly and giving 60/90 days to the code developers has been one of “minimising harm”.

This revelation flips the argument on it’s head in that now we know the information is being “weaponised” and used to attack others including “civilians”.

Enabaling a soverign nations combatants (US Gov) to attack another soverign nations civilians is a major war crime for which the punishment can range upto execution.

Now based on this you have two choices, keep quiet or tell everyone so that all soverign nations can take steps to defend their citizens from such an attack.

Arguably the only sensible option for your own self deffence is to make immediate public disclosure. Because if you don’t and it is found you were aware of the vulnerability (courtisy of the NSA et al archives) that was subsiquently used to attack civilians then you are looking towards becoming “a swinger with a hemp neck tie”…

Jack June 20, 2013 7:19 AM

From the article:
“Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.”

This, too, is illegal.

There is a lot of worming around the laws, conscience, ethics in all of these things. Very bad precedent to set before the world.

The consistent message is that laws do not matter, if you are powerful enough you can just change them.

Yet per population, the US is claiming to operate for enforcement of laws which includes all of the anti-terrorist actions, and their massive per ratio imprisoned population.

The article points out how companies get something from the US Government for working with them in what is effectively breaking laws.

I know any individual citizen or corporation would strongly hesitate otherwise before doing any of these things being done for fear of getting punished.

Globally, the message being put out is that US corporations can not be trusted.

Not a wise message to be put out.

Bugs:

The defensive value of early bug disclosure is high, but these corporations are somehow getting paid by the US Government for this work. This inclines these corporations to be slow in fixing these security bugs.

These relationships also incline the US to spy on competitors for these larger corporations, giving them data they want.

This may be smaller companies in the US, rival US companies, or any foreign corporation.

Is it impossible for the courts, the Senate, the President to change their hearts and minds and reconsider these things?

All of this makes me think that there is another reason why these corporate heads lied. They are ignorant of the likelihood of getting caught or the pain that can cause them.

Does everyone really want to be remembered as the group of elites who helped destroy liberty and brought down the world by turning the main global superpower into a nexus of lawlessness?

Because history will forget anything else, if they continue on this route.

Larry Seltzer June 20, 2013 7:22 AM

anymoose’s point about MAPP is a good one. The program allows security vendors to have their own tools ready to update when Microsoft releases their fixes.

Jack June 20, 2013 7:23 AM

Clive R:

“Enabaling a soverign nations combatants (US Gov) to attack another soverign nations civilians is a major war crime for which the punishment can range upto execution.”

All of this is very illegal and very unfriendly to everyone not included in the group of victimizers.

This sort of process likely also encourages the same corporations who are delaying bug fixes to give them to the US Government (who gives them who knows what in valuable exchange back) to also have more security bugs in their systems.

That is, of course, all you need for backdoors, intentional security vulnerabilities.

Jackson June 20, 2013 7:39 AM

What next – I’m waiting to hear that the NSA monitors communication of American citizens so it can identify those who don’t support Obama so they can be rounded up. Are mammoth corporations simply commercial arms of the Federal Gov’t in a sort of symbiosis? WTF

Piper June 20, 2013 8:15 AM

This is just a teeny-tiny baby step away from giving the US Gov a deliberate back door into every Windows PC in the world.

It’s a back-door with plausible-deniability.

BD June 20, 2013 8:31 AM

Wondered for a while why individuals were being increasingly prosecuted for finding and reporting software exploits.

Surely organisations (and Government) would be happy that hackers were basically doing work for free and making their software more secure?

But what if the software companies knew about these exploits and didn’t want them to be found, precisely because they were being used maliciously by Intelligence Agencies?

Pat June 20, 2013 8:38 AM

Monsterzero – Trust me, the NSA has developers combing over the source code for Linux [nsa.gov]. Of course they are hardening it for the public, but I would be shocked if they weren’t keeping a few bugs for their own use.

If you want something resembling security, try Anonym.OS. I don’t think anything will stop a Government from monitoring you if they want to target you, but this should help keep prying eyes to a minimum.

kingsnake June 20, 2013 8:59 AM

Not an issue with open source, since there is no “company” to threaten or single scared teenager to Guantanamo …

Nick P June 20, 2013 9:11 AM

Anyone using software that’s highly targeted for vulnerabilities must assume their applications will be compromised. So, there are countermeasures, detection, and recovery mechanisms for that which should already be in play. Organizations trying to avoid such situations should be using lesser known proprietary or OSS software on more robust platforms.

So, for smart organizations, I think this changes nothing. It also changes nothing for foolish organizations: they will be compromised anyway. 😉

ATN June 20, 2013 10:12 AM

@Jackson: What next – I’m waiting to hear that the NSA monitors communication of American citizens…

Put it simply, they can’t build a database of American gun owners by law, so they just want to know who search gun store location and prices, at which time and with which frequency they collect their goods, and the exact description of the goods…

Chris W June 20, 2013 11:17 AM

@zcl

They did/do. Early versions of windows had ‘feature’ that created a log file entry of every website visited and mark that log file super hidden (Hidden+System attribute) each startup. And included a filter in Windows Explorer to keep that file hidden in all cases. (Yes, much like rootkits)
That way forensics had an easier time getting intel.

Please note that we’re talking about like more than a decade ago. That feature has been retired long ago. They don’t need it anymore anyway, nowadays we have ISPs with data retention regulations and cookie files.

Heard a story about a FBI cyber investigations/forensics team that developed some pretty good tools that allowed them to plant backdoors in computers. They were pretty smart about how often to deploy it. Until another department thought it was a nice tool and started using it indiscriminately. Result: The backdoor was detected and eventually the exploit got fixed. You can imagine how pissed off the team was.

@Jack

Microsoft just started offering rewards for exploits. Smart, coz that allows them to keep a lid on it for a short while, sell the exploit to the government and fix the bug 4 weeks later. “yeah, sorry, Patch Tuesday just passed, we’ll fix it in the next one, please keep it secret until then.”
Assuming enough exploits come in each week, they’ll be able to supply the government with usable exploits almost all the time.

h4xx June 20, 2013 11:20 AM

I’m surprised these countries are still using Microsoft, like when Iran got zerg rushed by flame and stuxnet. You’d think they could find at least one person there who can set up openbsd or even hardened gentoo to run their nuclear reactor software and laptops.

I’ve always asumed windows was backdoored or that the NSA/military would have access to the source so they can make their own backdoors.

Of course this is a dbl edged sword, Iran gets a hold of stuxnet and uses it to attack Saudi oil field software creating chaos. US isnt sharing MS patches with their allies so their cyber warfare advantage becomes a major liability when oil supply chaos erupts from their lack of security vision

Reality Cheque June 20, 2013 11:34 AM

JOLD TJE PRESSES!!!! Major news flash!!! Spy agencies actually look forways to infiltrate foriegn governmetn offices and compnaies!!! News @ 11!!!

Comone – how about telling us something that’s actually newsworthy and surprising?

Jack June 20, 2013 12:24 PM

@Chris W

“Microsoft just started offering rewards for exploits. Smart, coz that allows them to keep a lid on it for a short while, sell the exploit to the government and fix the bug 4 weeks later. “yeah, sorry, Patch Tuesday just passed, we’ll fix it in the next one, please keep it secret until then.”
Assuming enough exploits come in each week, they’ll be able to supply the government with usable exploits almost all the time.”

With the telecoms & major internet communications services opening their legs for the spy agencies, there is a lot of this mixed responsibility that will lead to problems.

The NSA, for instance, is charged with both performing security audits on code which ends up on sensitive systems & for compromising those same networks.

Likewise, the FBI is in charge of counterintelligence in the US, which includes investigations in all of these companies – telecom and prism – but they are also charged with implementing spy systems and subverting their security.

Delaying the release of security bugs… how many corporations and individuals get hacked by those while the US Government is busy using those to subvert foreign nations and businesses?

This kind of “keep things insecure so we can do our thieving work” we saw with trying to get secure encryption as well.

Likely, this is why router (wired or wireless) security remains so poor. I was not at all surprised that the US Government mass hacks routers to surveil nations.

It is like buying protection from the Mafia.

http://25.media.tumblr.com/tumblr_m6gedaqonJ1qhq953o1_500.png

Jack June 20, 2013 12:52 PM

@Reality Cheque

‘Spy agencies actually look forways to infiltrate foriegn governmetn offices and compnaies’

Google, Microsoft, Yahoo, Verizon, etc are not foreign companies.

A bigger issue is, ‘is this kind of behavior okay in a global economy’. The US Senate said it was not okay with some major Chinese companies.

People do not buy and use services if they believe the nation they are buying from will provide them secretly dangerous products.

Why not just make all toys with mercury and lead? Or bother with inspecting beef before it goes out?

Also, this is from a supposedly “free” country. Where that definition hinges on rights to free speech, press, peaceful protest, free beliefs. In all of these areas, the US Government has gotten an F as these disclosures over the past few months have shown.

“Free” nation status now appears to be a hypocritical term.

Somehow, there is popular consent for this.

name.withheld.for.obvious.reasons June 20, 2013 2:25 PM

Does the Computer Abuse Act of 1984 apply here? If the gobnent is deploying “bugs”, doesn’t this run afoul of the federal statue?

Would Aaron Swartz have been immune from prosecution if he’d just said he was with the government? I have to wonder if he didn’t stumble upon something?

My argument about lawless stands.

Len jaffe June 20, 2013 2:50 PM

Well, that explains the whining about researchers who release their findings publicly while MS is apparently dragging their heels on the fix.

Helter June 20, 2013 3:44 PM

@guillem
Because, I suppose, eventually someone would find that backdoor and either use it for his/her whatever needs or blow the whistle.

Chris W June 20, 2013 4:07 PM

@cl0wn

Gotta dig into my memory for that coz it was like a decade ago. Internet Explorer was first released around Win95, so it can’t be 3.x.
But I didn’t have access to internet until later on so my guess that I read about it when Win98 was still popular.
In any case, I was merely using it as a springboard to tell that we can be sure that backdoors are intentionally added. I guess Skype can serve as recent proof? Just a guess, but I’m pretty sure there are opensource alternatives to Skype, but those aren’t popular. If you consider the abysmal security of the most popular services (WhatsApp anyone?) then there’s little hope for improvement either.

@Jack

Yup, that’s what we call a conflict of interest. But if we step back for a second, the best hackers have become the best investigators. It’s a field where you have to be involved in both facets of security to be good. The only thing that could keep those organisations in check is adequate oversight.

You’re comment about FBI being in charge of implementing spy systems. Is that true? I thought one of the foreign intelligence agencies was in charge of that (CIA for example). I thought the FBI was only interested in systems used for investigations. Spying is obviously a different field.

“Delaying the release of security bugs… how many corporations and individuals get hacked by those while the US Government is busy using those to subvert foreign nations and businesses?”
They will surely chalk that up as Collateral damage.

In the end, buying protection from the mafia may give you the best value for your money. 😉

In the next comment you mention about ‘popular consent’.
I guess quite a lot of people don’t care or are assume they can do little about it.
Do you see people go to protests? Hardly. Would you?
Instead, we sign petitions and write angry letters to our representatives. Scratch that, it’s more likely we’ll send angry tweets and then wonder what we’re going to eat next for take-out.

Jack June 20, 2013 5:57 PM

@Chris W

“You’re comment about FBI being in charge of implementing spy systems. Is that true? I thought one of the foreign intelligence agencies was in charge of that (CIA for example). I thought the FBI was only interested in systems used for investigations. Spying is obviously a different field.”

From the book cover of Enemies:

“Enemies is the first definitive history of the FBI’s secret intelligence operations, from an author whose work on the Pentagon and the CIA won him the Pulitzer Prize and the National Book Award.

We think of the FBI as America’s police force. But secret intelligence is the Bureau’s first and foremost mission. Enemies is the story of how presidents have used the FBI to conduct political warfare, and how the Bureau became the most powerful intelligence service the United States possesses.

Here is the hidden history of America’s hundred-year war on terror. The FBI has fought against terrorists, spies, anyone it deemed subversive—and sometimes American presidents. The FBI’s secret intelligence and surveillance techniques have created a tug-of-war between national security and civil liberties. It is a tension that strains the very fabric of a free republic.”

I did not intend for my statement to be all inclusive. My understanding is the other US intelligence agencies also have some leeway in operating onshore.

Figureitout June 20, 2013 6:07 PM

Chris W
–You’re right. Send those angry tweets and if you’re considered a threat then say hello to some new friends; I just want people to know that if you can’t handle it b/c they will infiltrate every aspect of your life, spread false rumors…unless you stoop to their level.

But if no one stands up to them and forces them to give you the “umbrella poke” or you start noticing some funny medical symptoms…they will do this to other people unopposed. And that is my motivation.

Jack June 20, 2013 6:52 PM

@Chris W

“Yup, that’s what we call a conflict of interest. But if we step back for a second, the best hackers have become the best investigators”

That is surprising to me. Care to elaborate?

I am not aware of any of my old peers becoming investigators. Some did go into government — or came from government. Sometimes both.

“I guess quite a lot of people don’t care or are assume they can do little about it.
Do you see people go to protests? Hardly. Would you?”

I look at things in an entirely different way. Look at how the disclosures came about in the 70s. It was a complicated, lengthy series of events.

Also, I do not like crowds, and my beliefs are … arcane.

“Instead, we sign petitions and write angry letters to our representatives. Scratch that, it’s more likely we’ll send angry tweets and then wonder what we’re going to eat next for take-out.”

Look what Bruce is doing. Look what Snowden is doing.

What matters is what you judge in your heart. Words and actions spring from that. Everyone stands on their own.

Jack June 20, 2013 6:59 PM

@Chris W

“Instead, we sign petitions and write angry letters to our representatives. Scratch that, it’s more likely we’ll send angry tweets and then wonder what we’re going to eat next for take-out.”

Words can topple empires and change nations.

No one should take the law into their own hands, as this is exactly the primary fault of what these guilty elements within the US Government is doing.

Except for leakers. Leakers should go for it. That is lawful.

Jack June 20, 2013 7:02 PM

name.withheld.for.obvious.reasons

“Does the Computer Abuse Act of 1984 apply here? If the gobnent is deploying “bugs”, doesn’t this run afoul of the federal statue?”

I think they are breaking so many laws it would be difficult to count.

“My argument about lawless stands.”

I think any honest person in law enforcement or who is law abiding would heartily agree that these moves by elements within the US Government are highly lawless.

They have laid a foundation for tyranny on top of the existing foundation for liberty.

Dirk Praet June 20, 2013 7:04 PM

And for the 64k $ question: which other companies are doing the same thing ?

mayberrymachiavelli June 20, 2013 11:08 PM

“said the officials, who asked not to be identified because the matter is confidential.”

I should start highlighting every instance of this phrase. Remember the sturm und drang over Snowden.. he has a GED! it’s treason! — Where is that attitude with the regular release of fouo/classified info to the press? Or was all that just so much fuss by people who were embarrassed they didn’t understand what was going on?

Stephen Watt June 21, 2013 12:19 AM

Another reason to cheers up full disclosure. OSS operating systems are an option but you can’t trust majors distributions and that is very time consuming (like manual patching, security focused kernel configuration, etc). Die bugs Die!

name.withheld.for.obvious.reasons June 21, 2013 5:31 AM

A few things to consider, the U.S. government has annoited itself with the power to execute what might be called a “Cyber Action” that has several significant features. In addition, covert and overt actions can be taken, including infiltration without detection of any/all systems or networks. Departments (DOJ, DOE, DOI, DOC, etc.) may execute responses without seeking approval.

Most disturbing is what might be called “Collection” that defines the covert hoovering of any and all information “without authorization” and without detection and or attribution even if it creates “effects”. It also includes retaining the hoovered data for future operations.

Hide your computers, turn off the power, and grab your pitch forks.

fear_the_tyrants June 21, 2013 7:22 AM

They don’t care if they are breaking the CFAA or a hundred other laws with these programs, why would they care?? They’ll just override it with a secret interpretation of a secret law, ruled on by a secret court. Theoretically there will be oversight, which means a couple of politicians will be lied to about the scope of the activities in a secret meeting from time to time. They won’t be permitted to tell the public anyways.

But remember, Ignorance of the law is no excuse, even when the law is a state secret! We don’t ever need to stop someone and ask “Papers, please!” because our all-seeing panopticon knows who they are anyway. We don’t need to induce paranoid neighbors to snitch on each other, because we have backdoors into their computers and can scoop all of their traffic off the backbone anyway.

We are the Land of the Free, Home of the Brave! Our state intelligence organs are in fact so brave that they have built the most vast tools for oppression that have ever existed in human history. They either forgot what history tells will happen, or they don’t fucking care because for some reason they believe they will always be on the winning side.

Terrorism is an annoyance, a hot-button issue but hardly an existential threat to our way of life. But these unaccountable elite ARE an existential threat. They are probably the gravest threat to the American nation since it was founded. And it may be too late–of the ideals of that nation, there might be nothing left worth defending.

Dave Postles June 21, 2013 12:58 PM

Interesting that the Department of Defence made public its LPS (Lightweight Portable Security) Linux liveDVD. I wonder what might lie inside there! It is distributed as a secure system, but who would believe that now?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.