NSA – Never Safe Again?

Lee Parkes 02 Jan 2014

There has been a lot of press recently about the Snowden leaks (I leave it as an exercise for the reader to decide the morals and ethics….). However, from a security perspective, the most interesting things to come out of this are the vulnerabilities that the NSA are/were exploiting in order to gain access to information. The URL below (assuming it doesn’t get taken down) gives some idea of what they are capable of:

http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

Some of this is seriously hardcore stuff. What makes it even scarier is the fact that it’s all from 2007/2008. As far as I’m aware, at least in the white hat world, no-one is anywhere near this level of sophistication (email me if you think you know of something!).

This all leads up to a *big* question: will we ever be safe again? Any vulnerability in a piece of software or firmware that is exposed to a public network, be it the Internet or an internal corporate network, is a target for exploitation. There are, probably, a lot more undisclosed vulnerabilities than those that are disclosed responsibly. Long gone are the days where discovering a vulnerability brought kudos from peers. There are still, of course, researchers who discover vulnerabilities and report them to vendors so that they may be fixed in order to protect the public.

However, with numerous other parties (both government and criminal) realising that exploiting a vulnerability can provide access to useful information, the traditional drivers for reporting vulnerabilities are gone. Money and power over your enemy are powerful reasons to keep techniques and vulnerabilities hidden under wraps. Of course, people like the NSA will shroud what they do in the cloak of “national security”. Being able to spy on anyone, whenever and wherever, is a useful tool to have….

So, what does this mean for penetration testers and security researchers? If an issue is discovered and reported, will it be fixed? What incentive is there for a vendor to fix something when they have the NSA leaning on them? Given that, I still think that vulnerabilities need to be reported. Irrespective of whether they are fixed, public knowledge of what the issues are in a particular product will help the public and companies in choosing what is right for them and to weigh risk against benefit. Meanwhile, we, as security professionals, need to step up and get even deeper into any and all software that we find….