NSA gets early access to zero-day data from Microsoft, others
Meant to help secure network, data could be used to attack foreign governments
The National Security Agency (NSA) has used sensitive data
on network threats and other classified information as a carrot to gain
unprecedented access to information from thousands of companies in the
technology, telecommunications, financial, and manufacturing sectors,
according to a report by Michael Riley of Bloomberg.
And that data includes information on “zero-day” security threats from
Microsoft and other software companies, according to anonymous sources
familiar with the data-swapping program.
The NSA isn’t alone in the business of swapping secrets
with the corporate world. The FBI, CIA, and Department of Defense (DOD)
also have programs enabling them to exchange sensitive government
information with corporate “partners” in exchange for access to things
like information on cyberattacks, traffic patterns, and other
information that relates to network security.
The NSA’s dual role as the security arbiter for many
government networks and as point organization for the US government’s
offensive cyberwarfare capabilities means that the information it gains
from these special relationships could be used to craft exploits to gain
access to the computer systems and networks of foreign governments,
businesses, and individuals. But it remains unclear just how much of a
head start information about bugs actually gives NSA or whether
companies actually delay posting fixes on the NSA's behalf.
Unlocking Windows
According to Bloomberg’s sources, Microsoft provides
information about security flaws and other bugs in its software in
advance of public releases of fixes. The information provides the
government an important early warning about potential attacks on
systems, especially DOD networks. The military is Microsoft’s single
largest customer; systems on both its unclassified and secret networks
(NIPRNET and SIPRNET) use Microsoft software. Microsoft has similar
early-access programs for other customers, and it often deploys patches
to large customers for testing prior to pushing them out on its monthly
“Patch Tuesday” schedule.
But early access to information about bugs also opens up
the opportunity for the NSA and DOD’s Cyber Command (both of which are
headquartered at Fort Meade, Maryland, and both of which are led by Army
General Keith Alexander) to use them for potential “weaponized”
exploits.
Antivirus provider McAfee also shares data with the NSA,
providing information about threat trends. Michael Fey, McAfee’s
worldwide CTO, told Bloomberg that the company also shares information
about “cyberattack patterns and vector activity, as well as analysis on
the integrity of software, system vulnerabilities, and hacker group
activity.”
Metadata on targets
Information about bugs from software providers could be used in a very targeted way by the NSA based on the metadata collected from its network monitoring operations.
According to the Bloomberg report, US telecommunications companies
willingly give the NSA access at overseas points of presence, access that
would require a FISA warrant in the US, allowing the agency to collect
information that can be pieced together to build profiles of individual
systems from the traffic they send over the Internet. That includes
information passed in Web requests and other application traffic that
reveals the OS and browser versions the systems are using, the version
of Java that they have installed, and other information that could be
used to target them with exploits.
As a result, the NSA can turn to its in-house
exploit-building capabilities or turn to suppliers who are paid for
zero-day exploits to create specially targeted packages of attacks to go
after systems of interest, much in the way it reportedly contributed to
the development of Stuxnet and Flame to attack systems connected to
Iranian nuclear research. The result, while similar in ways to the
capabilities demonstrated by the Chinese People’s Liberation Army’s
cyberwarfare unit, could be a much more sophisticated offensive
capability aided and abetted by the very companies that wrote the
software targeted in the first place.
These revelations could have severe repercussions for the
US software and cloud computing services industries. US surveillance
laws have already been cause for concern and outrage among European
customers. And the implications of the USA PATRIOT Act have caused
problems for software-as-a-service providers with US-based data centers
in Canada as well. With the NSA’s relationship with software companies
(and especially with Microsoft) now out in the open, more foreign
governments may follow the route that China has taken in developing
their own operating system for government use.