The public release of what appears to be top-secret computer code used by the National Security Agency (NSA) to break into the networks of foreign governments has caused deep concern in the cyber-security industry. The finger of blame for the breach was first pointed at China, and now Russia, but a legendary cyber analyst told Federal News Radio the source is more likely something that lies undiscovered inside most computer networks.
“What I keep hoping will happen as a side effect of one of these announcements is that people will realize that they aren’t taking a serious look at what they are running, how vulnerable it is,” said Paul Vixie, chairman and CEO of Farsight Security. “People need to review their practice for auditing what they have, ask if people are bringing laptops from home into a secure network — those sort of things.”
Vixie knows of what he speaks. A member of the Internet Hall of Fame as an innovator, Vixie discussed what can be known about the NSA breach on Federal Drive with Tom Temin. He agrees with most experts that the posts by a group calling itself the Shadow Brokers contained what appear to be genuine samples of outdated code used by NSA in the production of custom-built malware.
While the tools that were made available online for free appear to be several versions old, Vixie said they could still be quite useful.
“Someone could infer from the way the software works the techniques and strategies used by the NSA. There’s a lot of people trying to use these tricks, or vulnerabilities, to emulate what the NSA was doing with these tools in order to find out how effective they are.”
The biggest and most important vulnerability, according to Vixie, was a buffer overrun in the Cisco firewall that would allow one to get into the firewall and disable it — something he called “pretty standard.” And while Cisco has released a patch for it, the problem is how long it will be before the patch is adopted by the broader community. Some people don’t have current service contracts or don’t know they have to patch.
Once you have the keys to the firewall, Vixie explained, you have the keys to the kingdom and everything else is fairly easy to reach.
“The way most enterprise networks are built — including government agency networks — is to have a hard firewall at the edge of the network to try to keep bad things out. But once you’re inside, past the firewall, there’s not a lot of security,” he said. That’s because while sitting at your desk, you don’t want to worry about jumping through a lot of hoops in order to get your daily work done.
Vixie said for many people the controversy and the big surprise is that the NSA and other government agencies have vulnerabilities.
“All software has bugs,” said Vixie. “We don’t know that they are there at the time that we ship the software, or as a consumer when we first buy it. You have to patch it or give the vendor who wrote the code a chance to fix the bugs. Anything that sits on the networks for more than a year without some kind of patch is highly suspect.”
The sermon being preached by Vixie is that agencies need to make sure their networks are secure.
“If some CIO or CTO decides the NSA breach is a big deal and they’d better carefully study the various reports of what was released, and then they check to see if their network needs a patch, they’d be missing the point,” said Vixie. The point he makes is everything is broken. “If you have something that is no longer being supported by a vendor, the safest thing you can do is turn it off,” he said.
In what CNN called “the biggest government hack ever,” OPM should have had its network turned off. The fact that the records of more than four million current and former government employees were exposed wasn’t just because of lax maintenance. It was because there wasn’t a culture of security consciousness. Until 2013, OPM reported it had no internal IT staff with “professional IT security experience and certifications.” It wasn’t until December 2014, when OPM believes the first intrusion into its systems occurred, that seven such professionals had been hired. Still, at the time of the hack only a fraction of the agency’s systems had been brought under the control of a central IT security organization.
In the case of the NSA breach, it couldn’t have been the lack of desire for security. Did it overlook something?
“The people at NSA are top-tier,” said Vixie. “No one should take away the idea from this that the NSA systems are full of holes or run by incompetent people.”
He said there has been a lot of speculation that the software that was released was somehow left outside a secure perimeter by NSA on purpose, and that it was from an unsecure system that these files were taken.
“There’s no credible evidence that this was taken from something inside the NSA. There’s no reason to believe that the NSA’s current systems are vulnerable to whatever allowed this leak to happen,” said Vixie.
What Vixie said concerns him more is that headline-grabbing events like the NSA breach, or the myriad of other hacks before, take away attention from his main theme. He said when people focus on something new, they forget about old problems.
“It’s human nature. We can worry about everything all the time. Think back to 2009 and the Conficker virus. There was a huge response to that worm, and then it went out of the headlines when something else came along. A lot of these things don’t go away, they just leave the headlines. There are a million hosts that are still infected with that malicious software,” he said.
Vixie said what he keeps hoping for as a side effect of events like the NSA breach is that people will realize they aren’t taking a serious look at what they are running, how vulnerable it is.
“If we can raise awareness about those things, then there will be some good coming from this NSA leak.”