6/14/2013 09:12 AM

Bug Data Buys Businesses Intel From U.S. Government

Thousands of businesses are reportedly exchanging information with the government on zero-day vulnerabilities and online threats in return for classified intelligence.

Thousands of American businesses -- technology manufacturers, information security vendors, banks, satellite telecommunications providers and many others -- share threat intelligence with U.S. intelligence agencies, including details of secret zero-day vulnerabilities. In exchange, they receive access to classified intelligence, including early warnings on any attacks that have been detected that may target their networks or intellectual property, as well as where the attacks originated.

These information-sharing arrangements between businesses -- known in government parlance as "trusted partners" -- and the National Security Agency (NSA), CIA, FBI, U.S. military and other government agencies were first reported Thursday by Bloomberg. The revelations suggest that U.S. intelligence agencies' Internet monitoring programs extend far beyond the handful of secret projects detailed by recently leaked NSA documents.

Information published last week, based on secret documents leaked by former NSA contractor Edward Snowden, detailed the existence of a program to intercept metadata -- phone numbers, call duration, approximate geographical location -- on millions of U.S. cell phone subscribers. The leaked information also detailed Prism, which is an arrangement between the NSA's Special Source Operations unit program and nine U.S. Internet companies -- including Facebook, Google, Microsoft and Yahoo -- that targets foreign voice, email and video communications.

[ More information keeps coming out on government-industry security arrangements. Read Obama Defends NSA Prism, Google Denies Back Door. ]

Another secret NSA project made public by Snowden's leaked information was Blarney, which according to the Washington Post is "an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks" by targeting network backbones. Blarney collects metadata for computers being used to send emails or browse the Internet. The collected metadata includes the device's operating system, the browser being used, as well as the Java software version. That information would provide an intelligence agency with a shortcut to infiltrating any of those systems, for example by targeting known vulnerabilities in the browser or Java client.

Some of the shared information reportedly includes zero-day vulnerability details. Microsoft, for example, reportedly participates in the trusted-partner program, and shares information of vulnerabilities in its products with the government, before releasing those details -- or related fixes -- to business partners or the public. Such information could be used not only to proactively secure government computers against attack, but also to infiltrate foreign systems.

But two government officials, speaking anonymously to Bloomberg, said that while Microsoft is aware that the information it divulges can be used to target its foreign customers, legally speaking it's not allowed to ask -- and can't be told -- how the government might use this information. A Microsoft spokesman didn't immediately respond to an emailed request for comment about the full extent of its vulnerability-information-sharing arrangements with the U.S. government.

The Microsoft Active Protections Program (MAPP) counts a number of businesses and government organizations as participants, and gives them early information on vulnerabilities, in part to allow security firms to offer virtual patches against the bugs prior to their being detailed publicly. But the alleged information sharing between Microsoft and intelligence agencies would occur prior to bug information being distributed via MAPP.

The information-sharing news casts new light on how the U.S. government might have obtained the four zero-day vulnerabilities that were targeted by Stuxnet, which anonymous U.S. government officials said was a joint U.S.-Israeli project. Security researchers have said that the Stuxnet code base is quite similar to Flame and Duqu malware, suggesting that they were also the product of a U.S.-commissioned cyber weapons factory.

One critical legal point is that, unlike some U.S. government interception programs -- such as Prism -- trusted partners aren't necessarily at the receiving end of a court order or National Security Letter, which can legally force not only their participation but also their silence. Instead, the trusted partner program appears to be voluntary, and includes manufacturers providing detailed information about their hardware and software to the U.S. government, although they appear to be sharing no customer information.

Likewise, many telecommunications companies reportedly give U.S. intelligence agencies direct access to their offshore data centers and other facilities, which is legal and exempts any resulting information intercepts from oversight under the Foreign Intelligence Surveillance Act.

The former director of the NSA and CIA, Michael Hayden, told Bloomberg that this information sharing would be invaluable. "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful," he said.

To create these types of relationships, intelligence agencies reportedly first approach one key executive, who then handpicks a few trusted IT administrators to help. "You would keep it closely held within the company and there would be very few cleared individuals," Hayden said. Businesses sometimes also request immunity from any civil suits that might result from their information sharing.

Government officials told Bloomberg that Google co-founder Sergey Brin received a temporary clearance so that he could be briefed on what came to be known as the Operation Aurora advanced persistent threat (APT) attacks against Google. The attacks were reportedly traced to a Chinese People's Liberation Army cyber-attack unit that specialized in launching APT attacks. Based on the documents leaked by Snowden, at that point, Google would have been part of the Prism program for more than a year.

Google CEO Larry Page last week said in a statement that he'd never heard of Prism, denied giving the U.S. government direct access to any Google servers and said the company shared data with governments "only in accordance with the law."

A Google spokesman didn't immediately respond to a request for comment about Google's information-sharing arrangements with the U.S. government.

But in the face of a potential backlash from domestic and overseas customers, Google, Facebook, Microsoft and Twitter have recently petitioned the Department of Justice and FBI, requesting that they be allowed to publicly detail the ways in which they share information with the U.S. government.
