Shadow Brokers, or the hottest security product to buy in 2018

For the past year and a change, the security industry has been mesmerized by a steady trickle of leaks that expose some of the offensive tooling belonging to the Western world's foremost intelligence agencies. To some folks, the leaks are a devastating blow to national security; to others, they are a chilling peek at the inner workings of an intrusive security apparatus that could be used to attack political enemies within.

I find it difficult to get outraged at revelations such as the compromise of some of the banking exchanges in the Middle East, presumably to track the sources of funding for some of our sworn enemies; at the same time, I'm none too pleased about the reports of the agencies tapping overseas fiber cables of US companies, or indiscriminately hacking university e-mail servers in Europe to provide cover for subsequent C&C ops. Still, many words have been written on the topic, so it is not a debate I am hoping to settle here; my only thought is that if we see espionage as a legitimate task for a nation state, then the revelations seem like a natural extension of what we know about this trade from pre-Internet days. Conversely, if we think that spying is evil, we probably ought to rethink geopolitics in a more fundamental sense; until then, there's no use complaining that the NSA is keeping a bunch of 0-days at hand.

In a more pragmatic sense, there is one consequence of the leaks that I worry about: the inevitable shifts in IT policies and the next crop of commercial tools and services meant to counter this supposedly new threat. I fear this outcome because I think that the core technical capabilities of the agencies - at least to the extent exposed by the leaks - are not vastly different from those of a talented teenager: somewhat disappointingly, they accomplish their goals chiefly by relying on public data sources, the exploitation of unpatched or poorly configured systems, and the fallibility of human beings. In fact, it's quite likely that many of the leaked exploits were not developed in-house by the agencies, but purchased through intermediaries from talented hobbyists (a semi-common practice over the past ten years). By constantly re-framing the conversation as a response to some new enemy, we tend to forget that the underlying problems that enable such hacking have been with us since the 1990s - and that they have not been truly solved by any of the previous tooling and IT spending shifts.

Yes, the NSA is a unique "adversary", but probably not because of their extraordinary technical prowess (modulo the capabilities we do not know about). If anything, I think that they resemble another, far better understood actor: the law enforcement agencies. In particular:

  1. Both the intelligence agencies and law enforcement are very patient and systematic in their pursuits. If they want to get to you but can't do so directly, they can always convince, coerce, or compromise your friends, your sysadmins - or heck, just tamper with your supply chain.

  2. Both kinds of actors operate under the protection of the law - which means that they are taking relatively few risks in going after you, can refine their approaches over the years, and can be quite brazen in their plans. They prefer to hack you remotely, of course - but if they can't, they might just as well break into your home or office, or plant a mole within your org.

  3. Both have nearly unlimited resources. You probably can't outspend them, so for most people, the best survival strategy is not to invite their undivided attention in the first place.

Once you make yourself interesting enough to be in the crosshairs, the game changes in a pretty spectacular way, and the steps to take might have to come from the playbooks of rebels holed up in the mountains of Pakistan more than from a glossy folder of Cyberintellics Inc. There are no simple, low-cost solutions: you will find no click-and-play security product to help you, and there is no "one weird trick" to keep you safe; taping over your camera or putting your phone in the microwave won't save the day.

Ultimately, let's face it: if you're scrambling to lock down your Internet-exposed SMB servers in response to the most recent revelations from Shadow Brokers, you are probably in deep trouble, and it's not because of the NSA.

Source: lcamtuf.blogspot.com

Posted by: oliv7081