09:12 AM

Bug Data Buys Businesses Intel From U.S. Government

Thousands of businesses are reportedly exchanging information with the government on zero-day vulnerabilities and online threats in return for classified intelligence.

Thousands of American businesses -- technology manufacturers, information security vendors, banks, satellite telecommunications providers and many others -- share threat intelligence with U.S. intelligence agencies, including details of secret zero-day vulnerabilities. In exchange, they receive access to classified intelligence, including early warnings on any attacks that have been detected that may target their networks or intellectual property, as well as where the attacks originated.

These information-sharing arrangements between businesses -- known in government parlance as "trusted partners" -- and the National Security Agency (NSA), CIA, FBI, U.S. military and other government agencies were first reported Thursday by Bloomberg. The revelations suggest that U.S. intelligence agencies' Internet monitoring programs extend far beyond the handful of secret projects detailed by recently leaked NSA documents.

Information published last week, based on secret documents leaked by former NSA contractor Edward Snowden, detailed the existence of a program to intercept metadata -- phone numbers, call duration, approximate geographical location -- on millions of U.S. cell phone subscribers. The leaked information also detailed Prism, an arrangement between the NSA's Special Source Operations unit and nine U.S. Internet companies -- including Facebook, Google, Microsoft and Yahoo -- that targets foreign voice, email and video communications.

[ More information keeps coming out on government-industry security arrangements. Read Obama Defends NSA Prism, Google Denies Back Door. ]

Another secret NSA project made public by Snowden's leaked information was Blarney, which according to the Washington Post is "an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks" by targeting network backbones. Blarney collects metadata for computers being used to send emails or browse the Internet. The collected metadata includes the device's operating system, the browser being used, and the installed Java software version. That information would give an intelligence agency a shortcut to infiltrating any of those systems, for example by targeting known vulnerabilities in the browser or Java client.

Some of the shared information reportedly includes zero-day vulnerability details. Microsoft, for example, reportedly participates in the trusted-partner program, and shares information about vulnerabilities in its products with the government before releasing those details -- or related fixes -- to business partners or the public. Such information could be used not only to proactively secure government computers against attack, but also to infiltrate foreign systems.

But two government officials, speaking anonymously to Bloomberg, said that while Microsoft is aware that the information it divulges can be used to target its foreign customers, legally speaking it's not allowed to ask -- and can't be told -- how the government might use this information. A Microsoft spokesman didn't immediately respond to an emailed request for comment about the full extent of its vulnerability-information-sharing arrangements with the U.S. government.

The Microsoft Active Protections Program (MAPP) counts a number of businesses and government organizations as participants, and gives them early information on vulnerabilities, in part to allow security firms to offer virtual patches against the bugs prior to their being detailed publicly. But the alleged information sharing between Microsoft and intelligence agencies would occur prior to bug information being distributed via MAPP.

The information-sharing news casts new light on how the U.S. government might have obtained the four zero-day vulnerabilities that were targeted by Stuxnet, which anonymous U.S. government officials said was a joint U.S.-Israeli project. Security researchers have said that the Stuxnet code base is quite similar to Flame and Duqu malware, suggesting that they were also the product of a U.S.-commissioned cyber weapons factory.

One critical legal point is that, unlike some U.S. government interception programs -- such as Prism -- trusted partners aren't necessarily at the receiving end of a court order or National Security Letter, which can legally force not only their participation but also their silence. Instead, the trusted partner program appears to be voluntary, and includes manufacturers providing detailed information about their hardware and software to the U.S. government, although they appear to be sharing no customer information.

Likewise, many telecommunications companies reportedly give U.S. intelligence agencies direct access to their offshore data centers and other facilities, an arrangement that is legal and that exempts any resulting information intercepts from oversight under the Foreign Intelligence Surveillance Act.

The former director of the NSA and CIA, Michael Hayden, told Bloomberg that this information sharing would be invaluable. "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful," he said.

To create these types of relationships, intelligence agencies reportedly first approach one key executive, who then handpicks a few trusted IT administrators to help. "You would keep it closely held within the company and there would be very few cleared individuals," Hayden said. Businesses sometimes also request immunity from any civil suits that might result from their information sharing.

Government officials told Bloomberg that Google co-founder Sergey Brin received a temporary clearance so that he could be briefed on what came to be known as the Operation Aurora advanced persistent threat (APT) attacks against Google. The attacks were reportedly traced to a Chinese People's Liberation Army cyber-attack unit that specialized in launching APT attacks. Based on the documents leaked by Snowden, at that point, Google would have been part of the Prism program for more than a year.

Google CEO Larry Page last week said in a statement that he'd never heard of Prism, denied giving the U.S. government direct access to any Google servers and said the company shared data with governments "only in accordance with the law."

A Google spokesman didn't immediately respond to a request for comment about Google's information-sharing arrangements with the U.S. government.

But in the face of a potential backlash from domestic and overseas customers, Google, Facebook, Microsoft and Twitter have recently petitioned the Department of Justice and FBI, requesting that they be allowed to publicly detail the ways in which they share information with the U.S. government.
