#software vulnerabilities

How to Combat and Overcome Software Vulnerabilities

By Nicole Perlroth and David E. Sanger, NY Times, June 28, 2017

Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States--Britain and Ukraine.

The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons.

But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

In an email on Wednesday evening, Michael Anton, a spokesman for the National Security Council at the White House, noted that the government “employs a disciplined, high-level interagency decision-making process for disclosure of known vulnerabilities” in software, “unlike any other country in the world.”

Mr. Anton said the administration “is committed to responsibly balancing national security interests and public safety and security,” but declined to comment “on the origin of any of the code making up this malware.”

Beyond that, the government has blamed others. Two weeks ago, the United States--through the Department of Homeland Security--said it had evidence North Korea was responsible for a wave of attacks in May using ransomware called WannaCry that shut down hospitals, rail traffic and production lines. The attacks on Tuesday against targets in Ukraine, which spread worldwide, appeared more likely to be the work of Russian hackers, though no culprit has been formally identified.

In both cases, the attackers used hacking tools that exploited vulnerabilities in Microsoft software. The tools were stolen from the N.S.A., and a group called the Shadow Brokers made them public in April. The group first started offering N.S.A. weapons for sale in August, and recently even offered to provide N.S.A. exploits to paid monthly subscribers.

Though the identities of the Shadow Brokers remain a mystery, former intelligence officials say there is no question from where the weapons came: a unit deep within the agency that was until recently called “Tailored Access Operations.”

While the government has remained quiet, private industry has not. Brad Smith, the president of Microsoft, said outright that the National Security Agency was the source of the “vulnerabilities” now wreaking havoc and called on the agency to “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

For the American spy agency, which has invested billions of dollars developing an arsenal of weapons that have been used against the Iranian nuclear program, North Korea’s missile launches and Islamic State militants, what is unfolding across the world amounts to a digital nightmare. It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies--yet refused to respond, or even to acknowledge that the missiles were built for American use.

Officials fret that the potential damage from the Shadow Brokers leaks could go much further, and the agency’s own weaponry could be used to destroy critical infrastructure in allied nations or in the United States.

“Whether it’s North Korea, Russia, China, Iran or ISIS, almost all of the flash points out there now involve a cyber element,” Leon E. Panetta, the former defense secretary and Central Intelligence Agency chief said in a recent interview, before the weapons were turned against American interests.

“I’m not sure we understand the full capability of what can happen, that these sophisticated viruses can suddenly mutate into other areas you didn’t intend, more and more,” Mr. Panetta said. “That’s the threat we’re going to face in the near future.”

Using the remnants of American weapons is not entirely new. Elements of Stuxnet, the computer worm that disabled the centrifuges used in Iran’s nuclear weapons program seven years ago, have been incorporated in some attacks.

In the past two months, attackers have retrofitted the agency’s more recent weapons to steal credentials from American companies. Cybercriminals have used them to pilfer digital currency. North Korean hackers are believed to have used them to obtain badly needed currency from easy hacking targets like hospitals in England and manufacturing plants in Japan.

And on Tuesday, on the eve of Ukraine’s Constitution Day--which commemorates the country’s first constitution after breaking away from the Soviet Union--attackers used N.S.A.-developed techniques to freeze computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.

The so-called ransomware that gained the most attention in the Ukraine attack is believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely. And while WannaCry had a kill switch that was used to contain it, the attackers hitting Ukraine made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.

“You’re seeing a refinement of these capabilities, and it only heads in one direction,” said Robert Silvers, the former assistant secretary of cyber policy at the Department of Homeland Security, now a partner at the law firm Paul Hastings.

Though the original targets of Tuesday’s attacks appear to have been government agencies and businesses in Ukraine, the attacks inflicted enormous collateral damage, taking down some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted for FedEx stock.

“When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have--and the greatest fear is one of miscalculation, that something unintended can happen,” Mr. Panetta said.

Mr. Panetta was among the officials warning years ago of a “cyber Pearl Harbor” that could bring down the American power grid. But he and others never imagined that those same enemies might use the N.S.A.’s own cyberweapons.

For the past six years, government officials were comforted by the fact that their most fervent adversaries--North Korea, Iran, extremist groups--did not have the skills or digital tools to inflict major damage. The bigger cyberpowers, Russia and China in particular, seemed to exercise some restraint, though Russia’s meddling in the 2016 presidential election added a new, more subtle threat.

But armed with the N.S.A.’s own tools, the limits are gone.

“We now have actors, like North Korea and segments of the Islamic State, who have access to N.S.A. tools who don’t care about economic and other ties between nation states,” said Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission.

Aliya Sternstein, CS Monitor, February 10, 2017

By day, John Bambenek is a successful, if pretty ordinary, cybersecurity professional. The 39-year-old father of four spends most of his days trying to safeguard a bevy of corporate clients from malicious hackers. He analyzes digital threats for the Bethesda, Md., firm Fidelis Cybersecurity and runs his own security consultancy from his suburban Champaign, Ill., home. He’s active on LinkedIn and Twitter and once even ran for the Illinois state senate--as a Republican.

But Bambenek is also a digital vigilante. Part of an exclusive but growing group of skilled coders who moonlight for the FBI, he is quietly playing both defense and offense. If federal investigators need technical assistance to pursue targets, Bambenek infiltrates their networks, hacks websites, and stalks their digital footprints. He spends hours hunting for vulnerabilities in commonly used software--and turning them into tools for spying to steal critical and compromising data.

He’s helped the FBI dismantle two crime rings by writing software tools that take advantage of so-called “zero-days,” or unknown vulnerabilities in digital products that manufacturers have not fixed. He says that investigators are currently using one of his surveillance tools to monitor the digital trails of 39 criminal operations.

In one case, in September 2015, Bambenek discovered a flaw in a website where a European criminal software syndicate sold surveillance technology to governments and nefarious hackers. Within minutes, he broke in and uncovered a virtual Rolodex of customers, payments, and products, all of which he turned over to the FBI.

Still, deploying vulnerabilities to hack digital networks, even those used by suspected criminals, raises serious legal questions. The spyware syndicate operation, he admits, is “definitely a gray area ... . Yeah, I work for a security company, but nobody’s protecting Joe Sixpack, and you really can’t protect them. All you can do is just go after the criminals and change the dynamics, hopefully.”

Much of Bambenek’s work is possible because the technology that underpins most of daily life--the websites we all use, the apps on our smartphones, the software on our laptops, and industrial systems running critical infrastructure--is flawed. It’s rife with vulnerabilities. It has bugs and shoddy code. For law enforcement, those flaws might provide a way of tapping a criminal’s smartphone. But for repressive governments, bugs could help them break into activists’ email accounts or spy on their Skype calls.

And in an age in which criminal hackers or intelligence operatives may be able to influence entire democracies by breaching and leaking sensitive emails, such as those in the Democratic National Committee’s mailbox, software flaws are increasingly valuable to both the people trying to break into digital networks and those trying to defend them.

“Much of cybersecurity can be reduced to a constant race between the software developers and security experts trying to discover and patch vulnerabilities, and the attackers seeking to uncover and exploit those vulnerabilities,” says a recent report from New America, a Washington think tank. “There is a wide range of actors seeking to discover security flaws in software, whether to fix them, exploit them, or sell them to someone else who will fix or exploit them.”

That demand for vulnerabilities helps drive the lucrative marketplace for malicious software that generates as much as $100 million annually in sales, estimates Trey Herr, a coauthor of the New America report and fellow with the Belfer Center’s Cyber Security Project at the Harvard Kennedy School.

Even though some hackers are selling vulnerabilities back to tech companies in so-called “bug bounty” programs, much of the top-dollar trade in vulnerabilities takes place in the digital underground. “The most expensive, the most interesting transactions ... take place in the darkest corners and the farthest from public view,” he says.

The value of a software defect often depends on how much the seller has weaponized it, and how valuable the targeted system is to a particular mission, according to insiders. An exploit that can crack an iPhone without the victim noticing could be worth double the price of the flaw alone, says Jared DeMott, a former vulnerability exploit analyst at the National Security Agency (NSA) and government contractor Harris Corporation. He now serves as chief technology officer of Binary Defense Systems.

“If you want to maximize your profit, let’s say you have a good bug, like a really juicy bug. It’s a zero-day for the iPhone. That’s super juicy. That’d be worth a ton of money,” says Mr. DeMott.

In August, Apple launched a bug bounty program that would pay researchers as much as $200,000 for finding vulnerabilities in its products. But some third-party bug buyers, who sell software secrets to governments, might shell out more than seven times that amount. Zerodium, one of the most popular online marketplaces for vulnerabilities, is currently offering security researchers $1.5 million for a “fully functional zero-day exploit” that can crack iOS 10, Apple’s mobile operating system.

Because these vulnerabilities often provide the building blocks for hacking tools that government agencies use to carry out espionage activities, former exploit suppliers believe the NSA and other spy agencies around the world are active buyers.

“I have very little doubt that the US government, along with many other governments in the world, buys zero-days on the black market,” says Michael Borohovski, who worked in the intrusion operations division of ManTech International Corp., a government contractor, between 2009 and 2011.

The number of cyberexploits the US spy community buys in a single year can vary depending on the type of intelligence operations underway, say insiders. A single operation might require multiple zero-days.

“One would get you some level of access, the other would escalate access, and so on and so forth,” says Mr. Borohovski. For instance, he said, ManTech held a number of contracts with a range of government agencies where the order “was to perform vulnerability discovery, develop exploits and then weaponize them as needed.”

Often, by the time ManTech tried to deliver a software exploit to the customer, the security vulnerability had already been found, so the contractor would go back to the drawing board and try to find new entryways, he said. On “Patch Tuesday,” the day of the week software developers such as Adobe and Microsoft update commercial software, “sometimes they’ll simply fix the bugs that you spent the last six months weaponizing,” says Borohovski.

“I always call it a cat-and-mouse game between the manufacturers and us. Us being able to find a vulnerability, being able to utilize that to assist law enforcement, before they close the door,” says Lee Reiber, chief operating officer of Oxygen Forensics, one of the many smaller firms in the growing market of phone hacking technology. “Then we start back over again to find it,” hunting for other vulnerabilities and zero-days.

Oxygen Forensics recently helped local police officers extract data from an Android smartphone as part of a kidnapping investigation. The firm cracked the phone in minutes. Across the forensics industry, it typically takes just six hours to physically decrypt a 16GB Android device. A tool known as the “Android Jet Imager” decodes smartphone contents within seven minutes, according to Oxygen.

The large federal defense contractor MITRE licenses the Android decoder to Oxygen. While building the technology, MITRE consulted numerous federal forensics laboratories, federal law enforcement agencies, and Pentagon officials that all stressed a need for “rapid acquisition and analysis of Android devices,” Mark Guido, principal cybersecurity engineer at MITRE, said in an email.

The speed of MITRE’s method relies on, among other things, an algorithm that limits the amount of unnecessary data blocks sent from the smartphone to the receiving computer. “The applications for our approach include crime scenes, border crossings, and any other situation where performing a mobile forensic acquisition is time-sensitive,” according to the Aug. 7, 2016, issue of Journal of Digital Investigation.

Typically, the federal government doesn’t ask a cybersecurity contractor for a bug, say former suppliers. It approaches a contractor with a goal. The objective might be, hypothetically speaking, “we need to get past a certain antivirus tool” or “get into an internet cafe through some particular method,” says Borohovski, now an executive at cyberdefense firm Tinfoil Security.

As the US government’s interest in these kinds of digital operations increases, military contractors have scooped up boutique firms that concentrate on spy technology, industry insiders say. ManTech, for instance, bought exploit researcher Oceans Edge last June for an undisclosed amount and Raytheon purchased bug developer SI Government Solutions in 2008 for an undisclosed sum. What’s more, defense contractors ManTech, Booz Allen Hamilton, Harris, and Raytheon have all landed formal US government contracts to infiltrate targeted software, say former employees there.

While controversial, it’s legal to peddle security exploits to most governments, companies and individuals--as long as the seller doesn’t use them. “Selling software itself is not generally a crime,” says Peter Swire, a professor of law and ethics at the Georgia Institute of Technology. Still, he says, “hacking into a protected computer is a crime.”

A blanket US antihacking law, the Computer Fraud and Abuse Act, prohibits breaking into someone else’s computer without consent but doesn’t forbid playing around with code that has the potential to, say, hack a firewall.

What’s more, US intelligence agencies such as the NSA are free to break into computers, phones, and networks to pursue foreign espionage operations. And if local and federal law enforcement agencies such as the Secret Service or the FBI obtain a warrant, they can also use vulnerabilities to hack a suspects’ computer or mobile device.

To be sure, the misuse of government-grade exploits unnerves many civil liberties groups.

“Governments shouldn’t be able to use them to crack down on free speech or dissidents,” says Andrew Crocker, staff attorney for the Electronic Frontier Foundation (EFF), which is suing the Ethiopian government on behalf of a blogger, now residing in Maryland, who alleges his Skype communications were tapped through malware made by German surveillance-tech company Gamma Group.

Even when it has a firm argument for keeping a software defect quiet, the government faces the possibility of its closeted cyberespionage arsenal escaping into the wild. Just this summer there was an online leak of alleged NSA hacking tools by a mysterious group calling itself the “Shadow Brokers.” The US government also identified some of the blueprints for the tools among the immense cache of classified material that ex-Booz Allen contractor Harold Martin allegedly took home from the NSA.