German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security
from the is-that-really-a-good-idea? dept
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its ‘Strategic Technical Initiative’ (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site “The Local” explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.
“Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security,” said Jim Killock of London-based digital rights NGO Open Rights Group.
“There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects.”
SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.
The BND’s move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It’s probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: bnd, germany, security, spy agency, ssl, surveillance, zero days
Companies: vupen
Comments on “German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security”
Well at the very least, in a world where nobody trusts anybody because of moves like this, encryption research and development should accelerate.
Re: At the rate things are going
At the rate things are going, encryption research and development will be deemed a national security risk and anybody other than state-approved research will be deemed a terrorist threat.
Re: Re: At the rate things are going
In a way they already do — under copyright law, it’s not just one-sided with the rights owners having rights and no one else, consumers have statutory rights too. But DRM frequently prevents the exercise of those rights, and it’s illegal to circumvent DRM.
Given the way DMCA violators are pursued, it’s not a very big step from there to terrorists.
when you get some organisations, especially ones with paranoid and over the top beliefs, they are gonna try to do whatever they want, whatever they can to satisfy their particular issue(s). they do not think about the catastrophic damage that would come along with what they want and the way they want to do it. their ‘problem’, their ‘aim’ is the most important in the world and having medical and banking information running rampant, unchecked, all offer the internet means nothing to them, as long as they can SAY they stopped another terrorist plot! the real truth is that these people are creating more terrorist plots than the terrorists planned, so playing right into their hands. how ridiculous!!
Back to the 90s
Does anyone remember what e-commerce was like in the 1990s? Basically it was little to none. Because no one trusted putting their credit cards into some form on a computer. Do we really want to head back to the bad old days?
(disclosure: I work in information security at a major bank, so it could be bad for me if trust in being able to securely conduct financial dealings online was significantly disrupted)
This article is timed pretty well. Microsoft just 2 days ago issued a critical patch for vulnerabilities in their version of TLS (schannel or secure channel – update now if you haven’t yet, this one is important). And within the last year, every major implementation of TLS has had serious vulnerabilities – OpenSSL (Heartbleed), Apple’s SecureTransport, and GNUTLS.
Who's paying for it.
All the world’s governments are spending enormous sums to attack the cyber security of their own (and others) citizenry. Firstly, the citizens themselves are funding the attacks on themselves. Secondly, we are now beginning to see the additional costs to the citizens.
Re: Who's paying for it.
When you put it that way, it makes a fairly compelling case in favor of encryption, and darknet/undernet/… instead of doing things out in the open. Anyone doing anything the way Teresa May suggests it be done is just setting themselves up to be roadkill. When you can’t trust the authorities and you can’t find any functional difference between cops and thugs, we’re back in the jungle. Everything you see is a potential predator whether it’s carrying a badge or not.
Welcome to the jungle. Be careful what you wish for, Teresa.
Bidding war? Oh, heavens no
Bidding is tedious, potentially quite expensive, and well, you might lose. If you’re a spy agency, there are better ways.
How? Well, for starters, consider that not everyone who has their paycheck signed by spy agency X is working for spy agency X. There are, no doubt, British in the Kremlin, and Japanese in the CIA, and Iranians in GCHQ, and so on. Of course there are: it’s what they do. And some of them are very good at it.
So if I were running the Elbonian spy agency, I wouldn’t bother bidding on these: instead, I’d work on placing my people inside the agencies which are likely to be the winning bidders most of the time, let them fork over the cash, and then just lift it from them. Failing that — which I might, given limited budget and personnel — there are always the old ways: bribery and seduction, extortion and blackmail, and so on — all the things that have a long history of yielding successful results in the world of secrets.
So let the Americans and the Brits and the Germans knock themselves out competing for exploits: I’ll just sit back, watch, and wait for my chance to pick the pocket of the winner.
Re: Bidding war? Oh, heavens no
The other problem, what is to stop the seller selling to other spy agencies, especially as this activity is largely carried out in secret.
Re: Re: Bidding war? Oh, heavens no
The seller might get away with this duplicitous tactic…for a while.
But the problem is that once it’s detected, the unhappy purchasers — who are, let’s remember, governments who possess enormous weapons stocks of all descriptions as well as military forces and clandestine assassins — may choose to express their dissatisfaction in ways that are very unpleasant. So yes, it might be tempting to make, let’s say, $2.5M three times instead of once…but it’s probably not good for one’s health.
Re: Re: Re: Bidding war? Oh, heavens no
“The seller might get away with this duplicitous tactic…for a while.”
Oh yeah, because spy agencies always keep each other fully informed of everything they’re doing. Just out of professional courtesy, you see.
I don’t think so.
Re: Re: Re:2 Bidding war? Oh, heavens no
You do not understand. Of course the spy agencies won’t explicitly inform each other. (Unless they’re allies, but of course we can presume that anyone trying to scam intelligence services is bright enough to work out who’s working with who.)
But — as I pointed out — not everyone working at spy agency X is working FOR spy agency X. Thus when zero-day exploit #1234 is sold to X and to Y, it’s possible that one of the agents of Y — working inside X — will this relay this interesting tidbit back to Y.
There’s precedent for this, you know — a LOT of precedent, as spy agencies are not only extremely interested in knowing things, but also extremely interested in knowing how much their counterparts know. So while the seller of #1234 might escape detection this time — because it turns out that Y doesn’t have an agent inside X, or the agent they do have isn’t positioned to find about it — every time they pull this stunt, they’re spinning the roulette wheel.
There’s another way as well: these agencies intend to use these zero-days, and well, they will. Eventually that will come out: see, for example, “Stuxnet”. It took a while. I’m sure we don’t know the whole story. But it did come out and so will some/most/all other similar exploits will too. So when X uses exploit #5678 against country A, and Y uses exploit #5678 against country B, it’s probably only a matter of time until someone, somewhere in the world, puts the pieces together and deduces that the attacks have an awful lot in common.
There’s more, but I think this will suffice to illustrate the point, and that is, the double- or triple-dipping at the expense of multiple intelligence agencies is likely a good way to get them to momentarily put aside their mutual dislike and distrust of one another and divert some of their energy in your direction. Kinetic energy, perhaps.
Re: Re: Re: Bidding war? Oh, heavens no
There is always the excuse that we do not keep records, and I forgot to tell the person who sold it to the other agency that I had sold it to you.
Re: Re: Re:2 Bidding war? Oh, heavens no
Yes, yes, I’m sure that “we don’t keep records of our high-priced secret transactions with government intelligence agencies” will work perfectly as an excuse.
Re: Bidding war? Oh, heavens no
Consider as well that multinational corporations and organized criminal organizations often have budgets that rival small nations — It’s not just foreign espionage to consider when spy agencies are buying back doors and zero-day exploits, it’s the big time criminals as well.
Re: Re: Bidding war? Oh, heavens no
An excellent point. And of course many of the big-time criminals you mention have people on their payrolls in law enforcement agencies, intelligence agencies, regulatory agencies, etc. It’s just good business.
It has been the stance of the NSA as well that what they do has little effect on other businesses. Yet the financial business being conducted on the internet revolves around trust. Trust that your data is safe to be used.
That very trust is what is being undermined in these efforts to round up zero days for spying uses. It is not by accident that people are distrustful and don’t want to have anything to do with US businesses. They are losing the faith of their customers unless they do something to counteract these attempts at government meddling. The cost is hidden but it is meaningful and present none the less.
I personally refuse to do banking by the internet. Any exposure of my data won’t come from me. But I can not control these banks and their security. That is completely out of my hands. This news does not inspire me with trust to do internet business but rather encourages me not to put my info out in any manner. There are enough out there between the government and these various corporations wanting to know everything for the purpose of targeted ads. While I may not prevent them from knowing everything I do all I can to prevent my data from being out there.
You will not find financial info on my computer. If it isn’t there it can’t be hacked to find it out from my side. I’m already paranoid enough when it comes to finances. This will only make it worse.
SSL?
I thought we were all supposed to be phasing out SSL in favour of TLS after the POODLE attack proved SSL to be insecure.
Government agencies: Protecting you by making you less safe
Actions like this provide monetary incentive, large monetary incentive, for companies to not fix critical security issues, but instead sell information on them to everyone they can.
As such, when you’ve got agencies who claim to be doing what they are to protect the public… yeah, it’s pretty clear that they’re lying through their teeth. They are intentionally doing something that makes everyone less secure, that is the direct opposite of their claimed justification for their actions.
That's not the worst of it.
“That, in its turn, will encourage even more people to find and sell zero-days…”
It will also provide a way for software developers to get rich by purposely including security weaknesses that they can then legally and secretly sell to the highest government bidder (and maybe a few others on the side). Governments will be effectively secretly paying software developers to compromise their products and there will be no practical way to know which ones have been compromised. Way to go!
Credit cards? Never use 'em.
>… Because no one trusted putting their credit cards into some form on a computer. Do we really want to head back to the bad old days?
The bad old days? You HAVE been paying attention to the news, haven’t you?
“Why this is hell, nor am I out of it.”
Meanwhile Chinese hackers put NOAA to bed and don’t bother to tuck them in. I see the NSA is hard at work protecting us from the bad guys, so I can sleep better at night.
At some point such behavior is bound to cause massive financial damages. When it happens money will make it stop. Much like losses attributed to climate change will make some quite stubborn countries go green.
Why throw “criminal gangs”?
Fckng idiots
So instead of the direction to improve the internets security, the direction is to keep it perpetually insecure, WHY, to SPY on people
Fckng idiots, in my book, up there ^, that makes YOU the bad guy……..that means, any actions reported i pay attention, , your words untrusted, and your motives suspected………and once its at this point, weak action/lipservice is so FARRRRRRR, to far from being enough to trust these folks again, barely scratches the surface………once you fck up this spectacularly.
idiots for either not realising how far accross the line they’ve gone, or tyrants for knowing, not caring, and forcing without consent………..free western governments…..my ass…….more like “civilized” tyrants.
“Without leaders”
A more cynical headline might be:
Modern Day German Stasi Seek to Buy Exploits from French Black Hat Hackers to Reduce Trust in E-commerce Worlwide
Seems like Stasi is still alive.