When Edward Snowden provided a power point presentation to media outlets, it contained 41 slides. Thus far, we have seen only a handful. In interviews, Glenn Greenwald has indicated more disclosures are to come – but has also hinted that some slides will not be revealed. I understand a major media outfit handling this type of material is weighing a lot of issues and facing pressure from untold directions. Knowing more details are on the way, perhaps speaking up now is jumping the gun somewhat, but in the spirit of things…
Based on the nature of the presentation, we can infer that certain open-secret capabilities would almost certainly be detailed. The tussle over which operations will see the light of day is undoubtedly pretty intense right now. It would be unfortunate if a decision were made to avoid discussion about the use of intrusive offense capabilities – trojans, viruses, zero day exploits, rootkits, command & control servers and related technologies.
We Know This Should Be In There
In the context of NSA digital surveilence abilities, an overview detailing capabilities to directly monitor and leverage control of a targeted digital system seems obvious in it’s absence. Goodness only knows what far-too-cute name the NSA crew have given, but to imagine these capabilities are not touched upon in the presentation begs disbelief.
Questions of privacy and oversight these approaches raise are apparent. As a result, these issues are an instinctive measure to assess the merits of disclosure against, and are certainly to be kept in mind. But there is more to this question than one of simply ensuring that only bad guys are being targeted or that the privacy of American citizens is protected. Theses bigger issues, though perhaps not immediately apparent, I think, tip balance in favor of putting these cards on the table.
Several events in recent years have revealed information showing this class of capabilities exists and is employed by security agencies. One event stands out as being an exceptionally good case study that ties many of these larger issues together.
The security firm HB Gary was famously hacked by Anonymous a few years back. It was a total loss – terabytes of data accessed and expropriated, scandalous emails released for all to read – a media heyday. Many angles were explored in the reporting ranging from personality profiles of various players involved to questions of corporations trying to undermine Occupy protests. Amid this, Ars Technica published an excellent article about how HB Gary had been crafting and selling backdoors to the government and corporate clients. If you didn’t follow the saga when it occurred or need a refresher, it is well worth the read. The implications of some facts highlighted provide a strong illustration for a very important point.
Hidden Costs in Wholesale Weaponization of Devices
A dynamic highlighted in the article was HB Gary’s competition against much bigger players in the market of selling exploits to the military and intelligence services. One major concern Ars Technica raised was that private contractors appeared more than willing to turn around and work for corporate interests against private citizens. This is similar to the “good-use” vs. “bad-use” dicotomy the current discussion is often presented under. The simple questions of privacy and propriety are one thing, but there are equally important, perhaps larger, questions about the impact wholesale weaponization of commonly used commercial items is having; both in terms of systemic functionality as well as across broader society.
Think about the significance of what HB Gary was selling (and what the now-parent company is probably still selling). One part of it is the rootkit/malware combo; software that can secretly run on a device to collect information and allow the attacker to assert control as desired. The other part is the exploit; the method used to get the malicious software on to a target device. The Ars article sets up the exploit part nicely.
The goal of this sort of work is always to create something undetectable, and there’s no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are “0-day” exploits—exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the company’s internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.
The company had exploits “on the shelf” for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
…These exploits were sold to customers. One email, with the subject “Juicy Fruit,” contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *the asterisk beside some of the names “means the tool has been sold to another customer on a non-exclusive basis and can be sold again.”
So, there we have a security researcher that seeks out flaws in major platforms. When flaws are found, rather being reported and fixed, the flaws are leveraged for money. It is a classic black hat hacker operation. Yet this time they are not treated like a black hat. Instead they work for the government and are among the top echelon of respected security researchers.
Another way of looking at it; when the people best at tracking down dangerous security holes successfully find them … they actively hide the security holes from everyone else and leave millions of systems insecure. This is happening in America. In Russia. In China. All over the globe. There is an entire legitimized ecosystem of security researchers who just leave the flaws they find and immediately tip-toe off to start seeking entities who’d like to use the holes to break into unsuspecting systems.
How many of those with a shingle above their door that reads “security researcher” do this? We have no idea. Unsurprisingly, it’s a secret.
For a tragic example, see “Sun Java” (now known as Oracle Java) … featured in that HB Gary 0-day exploit list up there. You may have heard the name recently if you happen to posses something digital. Based on his company’s marketing materials, it is entirely possible that Greg Hogulund could have prevented at least some of that. But for some reason he chose not to. And that’s a huge problem.
A primary reason millions of devices have been compromised pretty much boils down to being because the government pays the best and the brightest a crap-ton of money not to fix any security holes in our devices. They do this so it is possible to spy on you and me – just in case you and me happen to turn out to be a terrorist. How’s that for flipping genius?
In the end, five years after we find HB Gary commercializing Java exploits rather than exposing them, Homeland Security finally steps in with the only solution that makes any sense in the environment … simply stop using what was once a cornerstone of the internet and embedded systems. By any reckoning, this is a multibillion dollar negative impact that touches an immense number of lives.
Perverse Market Incentives
In the traditional view of our information economy, to exchange money Black-Hats must trade in bitcoin or use a service like Liberty Reserve to even operate. And when they catch the eye of government, they go to jail. Juxtaposed, an IT professional can earn a nice living writing anti-virus software or providing protective services to companies and individuals; enjoying good benefits and stability for a family. And generally such folks also enjoy a reasonably benign relationship with their government when they happen to cross paths. This dynamic creates a strong market incentive in the direction of fixing holes and a strong disincentive to keeping holes hidden and using them to compromise unsuspecting digital systems.
Then along comes those like HB Gary, who sold a base rootkit for $60,000 cash money – and the price went up from there depending on the zero-day exploits a customer (agency or contractor) purchased to compromise targeted systems. Their business model is identical to that of the “hackers” illicitly selling their wares. But the government greets them with a chest-bump and a hoo-ha. This dynamic has no choice but create an undercurrent in the systemic security profile having all the negative impacts of black hat hackers paired with the institutional acceptance of white hat security professional – driven by a financial incentive beyond the wildest dreams of most typical private-sector IT security workers.
If there is any truth to markets, with the direction things are heading now, ultimately the system will become so bug-riddled and insecure that it will collapse. The situation with Java is a canary in the coalmine. Even if we imagine that the good guys will use the capabilities they uncover only for good, the good guys aren’t the only ones who end up having them.
Leaving Our Pants Down To Stare Closely At Our Own Butts
For these government-sponsored black-hats, all of the dynamics of an illicit underground information economy apply. Keeping the details of how to execute an exploit secret is key to keeping it’s capacity potent. The more widely an exploit is used, the more likely it will be detected – either by a security researcher/contractor acting legitimately or by a rival black-hat group that might utilize it in a way the original group disapproves of (and in a way that almost certainly will stupidly call more attention and increase detection risk).
An email snippit from the HB Gary article provides an instructive illustration of just how dangerous the current situation really is.
“I got this word doc linked off a dangler site for Al Qaeda peeps,” wrote Hoglund. “I think it has a US govvy payload buried inside. Would be neat to [analyze] it and see what it’s about. DONT open it unless in a [virtual machine] obviously… DONT let it FONE HOME unless you want black suits landing on your front acre. :-)”
In this, we find Gary Hoglund trolling Al Qaeda sites looking for dangerous payloads. It seems likely he captured a tool sold by one of his competitors that had been deployed by a government outfit hunting Al Qaeda. Obviously, he’s not the only one who can and does troll like this. Anyone with the requisite abilities and an internet connection can do it.
There are any number of ways hackers actively seek out infection sequences to acquire unknown skills and exploits … and the more “good guys” are using any given one, the more likely it is for an actual bad guy to capture it for their own use. Which is where the asterisks in the HB Gary zero-day menu become important. If something has never been sold, there is a much greater chance of using it without someone else blowing your operation … and the more times it is sold, the more likely it is for an exploit to fall into the hands of undesired individuals.
And that’s where reality heaps even more scary atop concerns of a government-run-amok. There is absolutely nothing to keep folks aligned with Al Qaeda or any other terrorist organization from capturing these exploits in exactly the same way that HB Gary does. Just like a host of other researchers and hackers do now. And when a terrorist network inevitably captures the government’s best 0-day? The NSA backdoor which allowed our government to individually check that 300,000,000-odd Americans (and, of course, countless foreigners) aren’t busy being terrorists – just to be sure – becomes a backdoor by which a legitimate terrorist network takes control of millions of American devices … and instructs them to do whatever the terrorists’ hearts desire.
Another under-discussed issue is what happens when a government aligned black-hat security firm such as HB Gary gets hacked? In short, the hackers acquire any software on their network. Is it any wonder that Lulzsec went on a rampage across the wider tubes of these here internets? If they had access to everything advertised, the HB Gary hack put a ton of zero-day exploits directly into their hands. It is bad enough when this happens in a legitimate security company to prematurely expose exploits software manufacturers know about and are actively working to fix. The potential damage is exponentially greater when dealing with exploits software makers are completely unaware of – especially when it is entirely possible some have been actively deployed in national security operations.
The questions about national security vs. civilian network security become pretty hazy. The whole situation feels a total mess that we’re currently dealing with by ignoring it. And it doesn’t seem to be getting better.
Back to Glenn Greenwald
So. Back to the Guardian and Glen Greenwald. If the nature of the NSA’s approach in this respect has been laid bare in the power-point slides and documentation they have been given the journalistic responsibility of representing to the public, I certainly hope they consider releasing enough data to help frame a very important conversation. Seeing the concrete policy would absolutely help Americans to better understand to what extent the entirety of issues related to this are impacting us on a daily basis.
And if, for some unfathomable reason, the leaked presentation outlining capacities NSA operatives have at their disposal didn’t mention these known tools … maybe we can take advantage of the current dynamic to start discussing the issue even without a power-point slide?
