“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” — Isaac Asimov
The NSA is one of the world’s most notoriously secretive and powerful government agencies, guarding its powerful hacking tools and massive caches of collected data under layers of security clearances and world-class technical protections. But it turns out that three times in three years, that expensive security has been undone by one of its own contract employees simply carrying those secrets out the door.
In 2013, an NSA contractor named Edward Snowden walked out of the agency’s building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents. Last year, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested for taking 50 terabytes out of the agency over a period as long as two decades. And Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.
That classified data, which wasn’t authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor’s home computer by Russian spies, who exploited the unnamed employee’s installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky’s widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.
While Kaspersky is one major—though possibly unintentional—culprit in this latest theft of secrets, the root cause of the breach is the deep negligence of the NSA employee who violated his security clearance by taking incredibly sensitive materials home, says Dave Aitel, a former NSA staffer who now runs the security firm Immunity Inc.
There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims’ access to their computers until they pay a fee. Then there are the users who didn’t install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place. One could certainly condemn the Shadow Brokers, a group of hackers with links to Russia who stole and published the National Security Agency attack tools that included the exploit code used in the ransomware. But before all of this, there was the NSA, which found the vulnerability years ago and decided to exploit it rather than disclose it.
All software contains bugs or errors in the code. Some of these bugs have security implications, granting an attacker unauthorized access to or control of a computer. These vulnerabilities are rampant in the software we all use. A piece of software as large and complex as Microsoft Windows will contain hundreds of them, maybe more. These vulnerabilities have obvious criminal uses that can be neutralized if patched. Modern software is patched all the time—either on a fixed schedule, such as once a month with Microsoft, or whenever required, as with the Chrome browser.
When the U.S. government discovers a vulnerability in a piece of software, however, it decides between two competing equities. It can keep it secret and use it offensively, to gather foreign intelligence, help execute search warrants, or deliver malware. Or it can alert the software vendor and see that the vulnerability is patched, protecting the country—and, for that matter, the world—from similar attacks by foreign governments and cybercriminals. It’s an either-or choice. As former U.S. Assistant Attorney General Jack Goldsmith has said, “Every offensive weapon is a (potential) chink in our defense—and vice versa.”
Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information at the request of US intelligence officials, according to a report.
The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, two former employees and a third person who knew about the program told Reuters.
Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources.
Reuters was unable to determine what data Yahoo may have handed over, if any, and whether intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to the two former employees, Yahoo CEO Marissa Mayer’s decision to obey the directive troubled some senior executives and led to the June 2015 departure of the chief information security officer, Alex Stamos, who now heads security at Facebook.
Last week, an anonymous group calling itself the Shadow Brokers leaked a bunch of National Security Agency hacking tools. Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.
All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.
Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn’t have a patch yet.
Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. “I’m not surprised that someone tried to exploit it,” Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. “People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way,” Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.
On August 15, General Michael Hayden, the former head of the CIA and NSA, said Donald Trump has “autocrat envy.” Hayden was one of 50 officials from past Republican administrations who signed a letter labeling Donald Trump a risk to America’s “national security and well-being.”
VICE News’ Michael Moynihan sat down with Hayden shortly after Donald Trump gave his first major policy speech about national security and counter-terrorism.
Former US National Security Agency contractor Edward Snowden appears live by video during a student-organized world-affairs conference at the Upper Canada College private high school in Toronto on February 2, 2015. (Photo: REUTERS/Mark Blinch)
The key to confirming the leaked files, which were uploaded to various file-sharing sites earlier this week by a group called the “Shadow Brokers,” came in a top-secret agency manual published on Friday by Sam Biddle of The Intercept. It instructed NSA hackers on how to track their malicious software by using a 16-character string buried in the code.
The tracking string in the manual, ace02468bdf13579, also appears inside code for a software implant called “Second Date,” which was leaked as part of the archive posted earlier this week.
But that’s not the only piece of evidence that shows the leak was, in essence, a software “toolbox” for NSA hackers to target adversaries. Among other files in the archive are implants code-named Banana Glee, Jet Plow, and Zesty Leak, which were all documented in a top-secret 50-page catalog of NSA tools that was published in late 2013.
The hack involved some of the agency’s coolest toys.
Now it’s the National Security Agency’s turn.
The NSA, responsible for intercepting communications around the world, appears to be the latest victim of hacking, at least indirectly, according to multiple news reports. A group calling itself the Shadow Brokers released a series of files on Saturday that contained the code behind some powerful hacking tools developed by an NSA-linked group. Those tools have been used to carry out cyberattacks on other governments and private corporations across the world over the last 20 years, according to Forbes.
The Shadow Brokers claimed they would release all the files in exchange for 1 million bitcoins (about $560 million) and posted a message in stilted English claiming to have stolen the files from the Equation Group. The message also slammed the “Elites” of the world and said the hack shows that those in control aren’t as powerful as they might think: