When the NSA discovers a new method of hacking into a piece of software or hardware, it faces a dilemma. Report the security flaw it exploits to the product’s manufacturer so it gets fixed, or keep that vulnerability secret—what’s known in the security industry as a “zero day”—and use it to hack its targets, gathering valuable intelligence. Now a case of data apparently stolen from an NSA hacking team seems to show the risks that result when the agency chooses offense over defense: Its secret hacking tools can fall into unknown hands.
On Wednesday, networking equipment firms Cisco and Fortinet warned customers about vulnerabilities revealed in data posted to the web two days earlier by an anonymous group calling itself the Shadow Brokers. The group claimed it obtained the data by hacking an elite espionage team known as the Equation Group, which has been linked to the NSA. The Shadow Brokers described the haul as a cache of encrypted “cyberweapons” that it would auction to the highest bidder. The data dump also contained an unencrypted sample of 300 megabytes, including hacking software (known as “exploits”) designed to target networking appliances from Cisco, Fortinet, Juniper and TopSec.
Based on the urgency of Fortinet and Cisco’s warnings in response to the leak, it appears that some of those exploits targeted previously unknown, unpatched flaws: genuine zero days. That makes it more likely that the data was indeed stolen from NSA hackers, a view increasingly held by security experts analyzing it.
More broadly, it also raises new questions about the NSA practice of keeping zero days secret rather than reporting them to affected companies. “There’s always that delicate balance: how do they accomplish their mission, hack their adversaries, and still protect the rest of us?” asks Jeremiah Grossman, a prolific web security researcher and chief of security strategy at the …