China Actively Collecting Zero-Days For Use By Its Intelligence Agencies — Just Like The West

from the no-moral-high-ground-there,-then dept

It all seems so far away now, but in 2013, during the early days of the Snowden revelations, a story about the NSA’s activities emerged that apparently came from a different source. Bloomberg reported (behind a paywall, summarized by Ars Technica) that Microsoft was providing the NSA with information about newly discovered bugs in the company’s software before it patched them. It gave the NSA a window of opportunity during which it could take advantage of those flaws in order to gain access to computer systems of interest. Later that year, the Washington Post reported that the NSA was spending millions of dollars per year to acquire other zero-days from malware vendors.

A stockpile of vulnerabilities and hacking tools is great — until they leak out, which is precisely what seems to have happened several times with the NSA’s collection. The harm that lapse can cause was vividly demonstrated by the WannaCry ransomware. It was built on a Microsoft zero-day that was part of the NSA’s toolkit, and caused very serious problems to companies — and hospitals — around the world.

The other big problem with the NSA — or the UK’s GCHQ, or Germany’s BND — taking advantage of zero-days in this way is that it makes it inevitable that other actors will do the same. An article on the Access Now site confirms that China is indeed seeking out software flaws that it can use for attacking other systems:

In November 2017, Recorded Future published research on the publication speed for China’s National Vulnerability Database (with the memorable acronym CNNVD). When they initially conducted this research, they concluded that China actually evaluates and reports vulnerabilities faster than the U.S. However, when they revisited their findings at a later date, they discovered that a majority of the figures had been altered to hide a much longer processing period during which the Chinese government could assess whether a vulnerability would be useful in intelligence operations.

As the Access Now article explains, the Chinese authorities have gone beyond simply keeping zero-days quiet for as long as possible. They are actively discouraging Chinese white hats from participating in international hacking competitions because this would help Western companies learn about bugs that might otherwise be exploitable by China’s intelligence services. This is really bad news for the rest of us. It means that China’s huge and growing pool of expert coders is no longer likely to report bugs to software companies when they find them. Instead, they will be passed to the CNNVD for assessment. Not only will bug fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems.

Another regrettable aspect of this development is that Western countries like the US and UK can hardly point fingers here, since they have been using zero-days in precisely this way for years. The fact that China — and presumably Russia, North Korea and Iran amongst others — have joined the club underlines what a stupid move this was. It may have provided a short-term advantage for the West, but now that it’s become the norm for intelligence agencies, the long-term effect is to reduce the security of computer systems everywhere by leaving known vulnerabilities unpatched. It’s an unwinnable digital arms race that will be hard to stop now. It also underlines why adding any kind of weakness to cryptographic systems would be an incredibly reckless escalation of an approach that has already put lives at risk.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+



Comments on “China Actively Collecting Zero-Days For Use By Its Intelligence Agencies — Just Like The West”

15 Comments
bob says:

Re:

Agreed.

I think one of the problems is that people look at the information space and see that the advantages go to the offence instead of the defence. Which is why governments and people with power hoard the exploits.

It’s a silly practice to leave your infrastructure vulnerable in the hope that your enemy hasn’t also discovered the exploit. It’s all part of the game intelligence agencies play and sometimes there is logic to the madness.

But who cares about us mere cannon fodder when the big government boys get to play with their shiny toys.

Rekrul says:

I know exactly how to fix this; Microsoft needs to dump all the versions of Windows that they’ve been patching over the years and making them more secure, even Windows 10, and come out with an all new version and start the patching process from scratch! I’m sure that will make us all safer. I mean, that’s what they’ve been doing all along and it’s worked great so far…

Uriel-238 says:

This is how the Ring gets back to Sauron

When the Wrong Thing To Do promises more power it can become too tempting, even when it brings more vulnerability as well.

When hackers grab and dump their arsenal of exploits, and we have another plague of malware attacks, maybe we’ll get the message. Or maybe it’ll be someone else’s turn.

I don’t believe there was ever any news about the NSA ceasing their collection of zero day exploits, instead choosing to report them for patching. So it’s likely the US didn’t learn from the first time.

Personanongrata says:

Turn-About is Fair Play

This is really bad news for the rest of us. It means that China’s huge and growing pool of expert coders are no longer likely to report bugs to software companies when they find them. Instead, they will be passed to the CNNVD for assessment. Not only will bug fixes take longer to appear, exposing users to security risks, but the Chinese may even weaponize the zero-days in order to break into other systems.

We have only ourselves (NSA/GCHQ et al.) to thank.

For decades western corporations have peddled compromised software/hardware with the exploits baked-in as features not bugs.

Italicized/bold text was excerpted from a report titled “NSA’s Own Hardware Backdoors May Still Be a ‘Problem from Hell’” at the website http://www.technologyreview.com:

In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.

That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect.

https://www.technologyreview.com/s/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/

Jim says:

Durn!

Like the article on Hayden, but, by time the generals get an idea, it’s been in the works for at least a decade. That’s “information sharing” and, it was available and active in 96, when I retired. Not much has changed since then. The same crowd is in the lead. And that’s not the best and the brightest. They get nowhere near that high.
As to the rest, remember, all the machine codes have been shared thru the educational systems. And, we have only our researchers to blame. Because, you are not born to control a machine, you have to be taught. You have to be educated by others, and, where are they from? The same boy clubs. Are others allowed to play in the same field? Generally not. Are other nationalities allowed to play? Yes.
Do you remember, where other national researchers are not allowed into our research facilities, manufacturing facilities, or plants and research only based in the US? No. Remember why they moved, and even our defense contractors have research facilities on “enemy soil”, so are they secure? Yes?
