  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Obama Lets NSA Exploit Internet Flaws

    Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say

    By DAVID E. SANGER, APRIL 12, 2014

    WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

    But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

    The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

    But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.

    Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.

    “This process is biased toward responsibly disclosing such vulnerabilities,” she said.

    Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.

    But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.

    One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.

    Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.

    The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.

    Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.

    “We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

    At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.

    But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.

    The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.

    The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day,” it should patch it, not exploit it, with one exception: Senior officials could “briefly authorize using a zero day for high priority intelligence protection.”
    Last edited by 5ms; 12-04-2014 at 22:11.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    The “New” White House Policy on Security Bugs Changes Nothing

    April 13, 2014, 12:00 PM PDT

    By Arik Hesseldahl

    Let’s take stock of where we are with the Heartbleed vulnerability.

    We now know that it can be used to hijack the private keys used to encrypt traffic to vulnerable sites. Though it has been denied, the U.S. National Security Agency may have known about the vulnerability for about two years before the general public did.

    Let’s assume for the moment that the NSA did know about Heartbleed. If so, it certainly didn’t share its knowledge with anyone else, and instead used the knowledge as one of many weapons in its sophisticated arsenal for compromising the systems of anyone it determined to be an adversary.

    Now we have word from the White House — as detailed in today’s New York Times — that U.S. policy will now require the agency to disclose any major computer flaws it finds so that they can be fixed. However, President Obama has granted the NSA a major exception for carrying out missions in the interest of national security.

    Historically, U.S. government agencies have at times been some of the most eager consumers of so-called Zero Day vulnerabilities, which are available on the black market; they are so named because they have never been disclosed, and thus give victims zero days to respond with a fix.

    The most egregious case was with the Stuxnet worm, said to have been designed by the U.S. Central Intelligence Agency in a joint operation with Israel. It exploited four zero-day vulnerabilities in Microsoft Windows, which cost tens of millions of dollars to procure. The worm was used to seek out and sabotage a set of industrial-control computers in Iran that were connected to a series of nuclear centrifuges. Once control of those computers had been seized, the centrifuges were made to spin too fast, while indicating they were spinning at their normal speed. Many of them exploded, and Iranian nuclear weapons work was by some accounts set back by two years, though opinions on that are mixed.

    The question of “disclose or not disclose” is a complicated one in an era so dominated by the constant hum of cyber sabotage between the U.S., China, Russia and other countries. Upon learning of a newly disclosed weakness that would open the world’s systems up to attack, the temptation to keep quiet and use it as a weapon is, from a certain point of view, understandable.

    How might the cyberwarriors of China or Russia have reacted to learning about Heartbleed? We don’t know, but we can guess. China has a division of its People’s Liberation Army, Unit 61398, that is devoted to economic warfare. Its hacking campaigns, as described by the security firm Mandiant (now part of FireEye), which disclosed its existence last year, targeted American, British and Canadian companies with the intent to steal confidential data on business plans and manufacturing procedures and the emails of high-ranking executives.

    The NSA may have viewed Heartbleed — given its severity — as a sort of ace up its sleeve. However, it’s unclear if the NSA’s alleged abilities to detect the Heartbleed vulnerability are unique. It was probably discovered via a routine audit of the source code of OpenSSL, the open-source security software that lies at the heart of the bug. It’s hard to imagine that similar audits weren’t performed on the very same software by intelligence agencies all over the world, which stood a pretty good chance of yielding the same result.

    If that’s the case — we don’t yet know — it seems that the most responsible course of action would have been to disclose the vulnerability to all concerned, so it could have been patched sooner. Instead, the world’s trust in the reliability and security of the Internet has been shaken to its core, and billions are being spent on mitigation and damage control.

    Looking back on the mess created by the Heartbleed affair, it’s hard to see how the “new” view on security disclosures put forth by the White House will change anything. The temptation to justify keeping severe vulnerabilities secret and use them as weapons will almost always win out in the closed-door conversations at Fort Meade and at the White House.
