Where Are NSA’s Overseers on the Shadow Brokers Release?

As Rayne has been noting, a group calling itself the Shadow Brokers released a set of NSA hacking tools. The release is interesting for what it teaches us about NSA’s hacking and the speculation about who may have released so many tools at once. But I’m just as interested by Congress’ reticence about it.

Within hours of the first Snowden leak, Dianne Feinstein and Mike Rogers had issued statements about the phone dragnet. As far as I’ve seen, Adam Schiff is the only Gang of Four member who has weighed in on this

U.S. Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, also spoke with Mary Louise. He said he couldn’t comment on the accuracy of any reports about the leak.

But he said, “If these allegations were true, I’d be very concerned about the impact on the intelligence community. I’d also obviously want to know who the responsible parties were. … If this were a Russian actor — and again, this is multiple ‘ifs’ here — we’d have to ask what is causing this escalation.”

Say, Congressman Schiff. Aren’t you the ranking member of the House Intelligence Committee and couldn’t you hold some hearings to get to the bottom of this?

Meanwhile, both Feinstein (who is the only Gang of Four member not campaigning for reelection right now) and Richard Burr have been weighing in on recent events, but not the Shadow Brokers release.

The Shadow Brokers hack should be something the intelligence “oversight” committees publicly engage with — and on terms that Schiff doesn’t seem to have conceived of. Here’s why:

The embarrassing story that the VEP doesn’t work

Whatever else the release of the tools did (and I expect we’ll learn more as time goes on), it revealed that NSA has been exploiting vulnerabilities in America’s top firewall companies for years — and that whoever released these tools likely knew that, and could exploit that, for the last three years.

That comes against the background of a debate over whether our Vulnerabilities Equities Process works as billed, with EFF saying we need a public discussion today, and former NSA and GCHQ hackers claim we ignorant laypeople can’t adequately assess strategy, even while appearing to presume US strategy should not account for the role of tech exports.

We’re now at a point where the fears raised by a few Snowden documents — that the NSA is making tech companies unwitting (the presumed story, but one that should get more scrutiny) or witting partners in NSA’s spying — have born out. And NSA should be asked — and its oversight committees should be asking — what the decision-making process behind turning a key segment of our economy into the trojan horse of our spooks looks like.

Mind you, I suspect the oversight committees already know a bit about this (and the Gang of Four might even know the extent to which this involves witting partnership, at least from some companies). Which is why we should have public hearings to learn what they know.

Did California’s congressional representatives Dianne Feinstein, Adam Schiff, and Devin Nunes sign off on the exploitation of a bunch of CA tech companies? If they did, did they really think through the potential (and now somewhat realized) impact it would have on those companies and, with it, our economy, and with it the potential follow-on damage to clients of those firewall companies?

The embarrassing story of how NSA’s plumbers lost their toolbox

Then there’s the question of how the NSA came to lose these tools in the first place. While the initial (and still-dominant) presumption about the release is that somehow Russia did this, since then, there have been a lot of stories that feel like disinformation.

First there was David Sanger’s piece wondering about NSA being hacked — based entirely on speculative claims of three security experts (including Edward Snowden) — which nevertheless read like this.

Snowden Snowden Snowden Snowden Snowden Snowden Snowden Snowden Snowden Snowden Snowden

Shortly thereafter, there were a series of stories based on anonymous former NSA people also speculating, which had the effect of denying that those tools would be available external to NSA in one place.

The source, who asked to remain anonymous, said that it’d be much easier for an insider to obtain the data that The Shadow Brokers put online rather than someone else, even Russia, remotely stealing it. He argued that “naming convention of the file directories, as well as some of the scripts in the dump are only accessible internally,” and that “there is no reason” for those files to be on a server someone could hack. He claimed that these sorts of files are on a physically separated network that doesn’t touch the internet; an air-gap. (Motherboard was not able to independently verify this claim, and it’s worth bearing in mind that an air-gap is not an insurmountable obstacle in the world of hacking).

That is this story serves to deny what I and others, including Snowden, think is most likely: that someone at the NSA forgot to pack his hammer and screwdriver in his toolbox and his toolbox in his truck after he “fixed” someone’s kitchen sink or, more accurately, a forward deployment got compromised. Which would be embarrassing because we shouldn’t let forward deployments get compromised before we burn all the interesting toys and documents there. But also, we may find out, we’re not supposed to be that far forward deployed. And if we have been, we sure as heck ought not let those we’re forward deploying against find out.

We may learn more about specific targets that make this more clear, which would seem to be the extra bonus that would make compromising all these tools and alerting the NSA that you had them.

The impact of NSA exploiting American firewall companies should have been the subject of public Intelligence Committee oversight hearings when we learned of Juniper Networks vulnerabilities (with whispered comments about the great deal of damage those vulnerabilities had done to US agencies and companies). Given this release, the urgency of some public accountability — from both those at NSA and those purporting to oversee NSA — is overdue.

11 replies
  1. WB says:

    Wheeler writes: “Say, Congressman Schiff. Aren’t you the ranking member of the House Intelligence Committee and couldn’t you hold some hearings to get to the bottom of this?”
    Actually, no he can’t. The chair has complete control over the committee’s agenda. That includes the scheduling of hearings. Only Devin Nunes has the authority to set up formal meetings, whether closed or open. The ranking member is powerless here.
    This is the case for all committees and chairs.

    • emptywheel says:

      Actually, the Ranking member on SSCI (DiFi) is Vice Chair, where it is somewhat different. But yes, Schiff only has hte ability to request that Nunes exercise oversight, but he has been effective in using his Ranking role.

  2. SpaceLifeForm says:

    “that doesn’t touch the internet”

    Absolute bs. That ‘source’ is a misdirection player.
    The hacking tools in question absolutely have to
    get to the targeted routers and once the routers
    become part of the internet, they are on the internet.
    The tools may have ‘landed’ on the routers via the
    interdiction process or via an exploit. But once the
    router goes live, it is there. And of course, if there
    is any exploit, then others can find it too. And then
    find the tools.

    Mayb the reason for the ‘story’ is cover for
    the interdiction process. And possibly the tools
    were preplanted via the interdiction process, but
    instead of the router ever being made ‘live’ on
    the internet, it had some forensics applied and
    the tools were found. It is quite likely that once
    the router was deployed live on the internet, it would
    ‘call home’, the analysts would use the tools for
    whatever purpose was planned (ex: planting a rootkit
    on an admin machine behind the router), and
    then wiping out the tools on the router. But if
    the router was never deployed, they could not
    perform the cleanup to cover their tracks.

    How long has the exploit hole existed in the
    Cisco software? They certainly know and it
    likely more than 3 years old.

    Did Cisco know of the exploit hole but was directed
    via an NSL to not disclose nor fix said hole?
    Maybe SSCI already knows that is the case.

    Same questions for Cisco apply to Fortinet.

  3. Trevanion says:

    So this is the week we learned that:

    (1) the untouchable heroes in Rio re-establishing the singular greatness of a nation are, like most their age, unexceptional self-centered knuckleheads, and

    (2) the superstar NSA mavens given a pass on oversight because it’s our team and they’re so smart also, like most human beings on the planet, do stupid things, fuck up, and get their ass kicked every now and then.

  4. SpaceLifeForm says:

    Typo on prior, should be SECONDDATE.
    Also left out ELIGIBLE BOMBSHELL.

    As I’ve pointed out before, you can not trust net.
    From the article:

    SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware.
    …SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world.
    …The top-secret manual that authenticates the SECONDDATE found in the wild as the same one used within the NSA is a 31-page document titled “FOXACID SOP for Operational Management” and marked as a draft. It dates to no earlier than 2010.

  5. Hieronymus Howard says:

    That VEP is an interesting acronym.  acronymfinder.com doesn’t have it yet.  Nor can it be found at Wikipedia’s disambiguation page for VEP.
    EFF’s document that covers it (replete with silly redactions) is a PDF from March of 2015 (?) that was apparently composed in 2010:
    Looks like dense matter & may be time-consuming to digest.  Avec a plethora of gratuitous IC acronyms to be savored.

  6. SpaceLifeForm says:

    Cisco being used way before 2013

    ..The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years.
    …Before the confirmation came, Ars asked Cisco to investigate the exploit. The company declined, citing this policy for so-called end-of-life products. The exploit helps explain documents leaked by NSA contractor Edward Snowden and cited in a 2014 article that appeared in Der Spiegel.
    [Also is a cover tell that they had received NSLs
    to not fix or have long been in bed with nsa]
    …The revelation is also concerning because data returned by the Shodan search engine indicate more than 15,000 networks around the world still use PIX, with the Russian Federation, the US, and Australia being the top three countries affected.
    …[here is the big oh-crap part]

    BenignCertain exploits a vulnerability in Cisco’s implementation of the Internet Key Exchange, a protocol that uses digital certificates to establish a secure connection between two parties. The attack sends maliciously manipulated packets to a vulnerable PIX device. The packets cause the vulnerable device to return a chunk of memory. A parser tool included in the exploit is then able to extract the VPN’s shared key and other configuration data out of the response. According to one of the researchers who helped confirm the exploit, it works remotely on the outside PIX interface. This means anyone on the Internet can use it.

  7. SpaceLifeForm says:

    Update[by Dan Goodin, authour of the Ars article]: Cisco PR just emailed to say its researchers decided to investigate BenignCertain after all and found that it works as described against PIX 6.x and earlier. Pix 7.x and ASA remain unaffected.
    [Yeah, via the PIX exploit. But new exploits?]
    [Cisco feeling some heat at this point]

  8. leveymg says:

    If the pattern holds, these tools get revealed the moment the next gen replacements are already in place, but never before. Takes a lot of time, money and scarce talent to go on a large scale bug hunt. This is the dessert course after the exploit has already happened.

Comments are closed.