Nick Asks the NSA: Shadow Brokers and the Leaking Ship

By Nicholas Weaver
Wednesday, August 24, 2016, 9:14 AM

For the second installment of Nick Asks the NSA, I offer Congress my services as to what questions, in their oversight capacity, they should be asking NSA about the Shadow Brokers leak.

It is now safe to say that the "Equation Group" leak by the Shadow Brokers is real and consists of a genuine trove of NSA tools used to hack firewalls. The leaked code references known programs, uses a particularly unusual RC6 and cruddy crypto techniques previously associated with NSA implants, and the Washington Post has confirmed the authenticity of the materials with two anonymous ex-NSA employees.

And the threat of blackmail is also real. In addition to the now-public archive offered as proof, the Shadow Brokers group released an additional encrypted archive which has not been unlocked. While the “auction” for the second file is little more than theater, we do not know what is in that 130MB of encrypted data. It is possible the file contains nothing authentic, but as far as the NSA knows, it is just as likely that the Shadow Brokers group, on a whim, could release the key and contents to the world.

The whole episode raises a host of oversight questions. How and why did NSA lose 280MB of Top Secret attack tools, including multiple zero-day exploits and un-obfuscated implants? As with my previous "Nick Asks the NSA," I doubt I’ll ever hear the answers in an unclassified space. But that’s why we need the Senate and House intelligence oversight committees to ask the hard questions for us.

Here is what they should be grilling NSA officials over:

When did NSA become aware of the breach? The answer to this initial question affects the subsequent questions. Whether NSA knew about the breach in 2013 or shortly thereafter, or whether the agency learned of it approximately when the rest of the world did, there are significant implications.

If the NSA was aware of the breach in 2013, why didn't they contact Fortinet and Cisco? Among the information stolen in the breach was a series of fully-weaponized exploits, including ones targeting Fortigate (codename EGREGIOUSBLUNDER) and Cisco (codenames EXTRABACON and EPICBANANA) firewalls. These exploits represent vulnerabilities in US manufacturers which pose serious risks to both US government and corporate deployments.

Cisco has effectively confirmed that it was never notified by the NSA, since their hardware is still vulnerable to EXTRABACON and they have no patch yet. Presumably, if Cisco had been aware before now of an issue of this magnitude, it would have fixed the problem. If NSA was aware of the breach, they could not have simply watched for the Cisco vulnerability in the wild and notified the vendor only upon evidence of use. The only location one would expect to see this exploit is in the network between a sysadmin's computer and the firewall itself, which is not an area where NSA could have visibility.

If the NSA knew of the breach of their tools and failed to notify Cisco and Fortinet, this would represent a serious dereliction of the NSA's Information Assurance mission because both of those products are used by the government and on DOD systems which IAD is charged with protecting.

If NSA only recently learned of the breach, what failed? After the Snowden revelations, the NSA greatly increased overall security in order to address the insider threat vulnerabilities that Snowden exploited. But it would appear that this data was stolen in October 2013, four months following Snowden’s disclosures. It might be impossible to prevent data exfiltration all of the time, but a functioning system should at least be able to detect the loss.

If NSA recently learned of the breach, what steps does it plan to take regarding vendor notification and public announcements? Yes, it would be embarrassing for NSA to admit that it was unaware of a significant theft. But, as with Heartbleed, the agency should acknowledge that it did not know about the theft in order to reassure the public that it remains committed to its Information Assurance mission. Incompetence is a black eye, but malfeasance has far more pernicious consequences. So if it is only guilty of the first, NSA would be wise to make that clear.

Does NSA have a reasonable estimate of what exists in the second, still-unreleased file? One would certainly hope it does. There are key components missing from the “proof” files that are necessary to conduct an actual operation. These firewall tools generally require that the NSA operator already has control over a system administrator's system in order to launch these exploits. The code for controlling such implants, if made public, could potentially compromise many NSA operations by enabling direct detection of implant command and control. If there is any possibility of the second file including that kind of material, NSA needs to fess up to Congress, and quickly.

Did NSA or the executive interagency perform any sort of equities evaluation on the Cisco and Fortigate vulnerabilities? The likely timing of the theft in 2013 makes it unclear whether these exploits went through a formal Vulnerabilities Equities Process or similar analysis. Separate and apart from the compromise, there is a serious debate as to whether these are the kinds of vulnerabilities that should ever remain confidential to the NSA. Vulnerabilities in firewalls are of extreme concern because someone who controls the firewall is able to control the entire network, monitoring everything and capable of launching attacks at will.

Further affecting the calculation as to whether these exploits should have been retained is the ease of exploitation. Although both exploits require a privileged location—namely having previously compromised a system administrator's computer—the actual exploits themselves are easy to recreate—they are classic "buffer overflow" attacks of the sort that undergraduate computer science students learn to exploit.

The other factor to consider is the damage which occurs on successful exploitation. If Chinese, Russian, Israeli, French, or other hackers take over a victim network's firewall, then they effectively control everything. They can spy on all unencrypted traffic. In most networks, the VPN ends at the firewall, allowing easy observation. The firewall can even modify traffic, redirecting specific targets to exploit servers.

Under equities calculations, it is important to understand the case where these exploits are easy to develop and potentially discover, difficult to actually deliver, but potentially catastrophically damaging to US interests if used against us. Based on the specific classified details, one could make a strong case on either side, for disclosure or retention—particularly for the EXTRABACON exploit—but this is a case where Congress could gain considerable insight into the process of equities balancing in general.

How is NSA changing the equities process now that "someone stealing the NSA's tools" has to be explicitly included in the threat model? Previously, equities calculations generally relied on the probability that someone else might independently discover and exploit a vulnerability. How does this calculation change when the NSA's own tools might be stolen, without detection? Is there a policy on what to do when the NSA knows that their tools are compromised?

Has NSA identified the source of the breach? At present, there appear to be three possibilities. (1) An insider stole this data. (2) An adversary somehow exfiltrated data from a Top Secret system. Or (3) an NSA operator seriously breached operational security protocols and copied all these files—presumably a substantial part of an "ops disk"—onto an unclassified system for attack staging and then left it there for four months. None of these possibilities should be especially comforting, but Congress should at least expect NSA to account for which scenario occurred.

Has NSA identified the actual employee or contractor who set up the files that were stolen? Again, we should hope so. The SCRIPTS directory doesn't contain what computer programmers classically call "scripts." Instead, it is a set of notes, both general ones for the tools and ones for the particular operation. These internal notes—in particular those on BOOKISHMUTE—should help identify the operator.

Has NSA improved operator OPSEC with ops disks/Ops stations/reflectors? The possibility of an entire attack flow ending up on an unclassified system is troubling, but could easily result if tools are insufficient to provide a nice "pick and choose" interface to update a deployment server during an attack. Currently, rumors are circulating that this is not an unheard-of error at NSA. Congress should ask whether NSA has improved the operator workflow so that Ops Stations only receive the minimum necessary tools for an operation and only retain these tools for the minimum necessary time.

It may be tempting for NSA to "blame the operator" here—and certainly somewhere there’s been a substantial screw-up. But Congress should not let the agency off the hook: good security systems should make failure difficult. The public discussion indicates a serious point of failure in NSA OPSEC: operators apparently feel the need to upload all the tools they might possibly end up needing to an unclassified space. This might be prevented by creating better tools.