Ever since a group of hackers calling themselves the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the dark web, a debate has raged about what happened, how, and what it means for the future of internet security both in America and on a global scale.
The “how” of the attack remains obscure, though people have accused everyone from Russian spies to rogue NSA insiders of being responsible for the leak. The most recent theory is that the information was hacked from one of the NSA’s “staging servers” back in 2013. A staging server in this case is a server that the NSA uses to mask its surveillance activities.
However the hackers got their hands on the data, experts no longer consider the Shadow Brokers’ auction of the remaining data a viable proposition. Most people seem to think that the hack was the work of Russian state-sponsored cyber criminals and that the entire exposure was actually a political message, perhaps one warning the American government that if it exposes Russian forces as being responsible for the hack of the Democratic National Committee, the Russians can expose the NSA for its own exploits.
And what were these cyber weapons? The NSA has made it a priority to discover zero-day vulnerabilities in software and hardware produced by major manufacturers. Instead of reporting these vulnerabilities to the vendors, the NSA covertly exploits the holes for its own surveillance purposes. The exploited products included devices made by Cisco, Fortinet, TOPSEC, WatchGuard and Juniper, which are used by private and public organizations that span the globe.
Some of the vulnerabilities that were outed had already been discovered and patched by other entities, but a good handful of the zero-days were unknown until the Shadow Brokers published the leaked data.
One example of a recently discovered hole was code named BENIGNCERTAIN. The tool was able to trick certain kinds of Cisco firewalls into exposing bits and pieces of their memory, which often included authentication information and passwords. Those passwords often allowed the firewall’s virtual private network (VPN) traffic to be decrypted entirely, letting an intruder bypass the firewall’s security.
While Cisco had discontinued the production of these firewalls back in 2009, many of the products were still in use.
According to some critics, all of the vulnerabilities are examples of how the NSA prioritizes its ability to perform mass surveillance over directly protecting American citizens from cyber crime.
According to the Obama administration, the NSA has to disclose zero day flaws in commonly used software so that the flaws can be patched unless there is “a clear national security or law enforcement use.”
Whether or not a zero day flaw meets this exception is determined by a set of secret guidelines called the “Vulnerabilities Equities Process.” The VEP functions across agencies and has been criticized by many as a compromise where nobody wins.
Also relevant to the discussion is the term “NOBUS,” which stands for “nobody but us” and refers to the NSA’s attempts to determine whether a vulnerability it has discovered could be found only by the NSA. If the NSA believes that only it could have found the vulnerability, it may decide to keep it secret and exploit it. However, the NSA may have forfeited the nation’s trust in its ability to judge NOBUS situations. After all, the Shadow Brokers proved that even the NSA’s own staging servers don’t meet the “NOBUS” standard of accessibility.