NOBUS

NOBUS, short for "NObody But US", are security vulnerabilities which the United States National Security Agency (NSA) believes that only it can exploit. As such, NSA sometimes chooses to leave such vulnerabilities open if NSA finds them, in order to exploit them against NSA's targets.[1] NSA has a dual mission of both attacking foreign systems and defending U.S. systems, so keeping significant vulnerabilities which affect U.S. systems secret is a conflict of interest.[2]

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.
Former NSA chief Michael Hayden[1]

The researchers who wrote the paper on 1024 bit prime reuse Diffie–Hellman key exchange speculates that NSA have used on the order of hundreds of millions of dollars in computing power to break large amounts of encrypted traffic. This vulnerability also affect U.S. traffic, so this would be a good example of Hayden's "four acres of Cray computers" definition of NOBUS.[3]

As stated by the Washington Post, the NSA is believed to sometimes buy knowledge about security vulnerabilities on the gray market, from for example Vupen, in order to use them offensively. Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU's Speech, Privacy and Technology Project, has pointed out that these exploits are not NOBUS, in that anybody else can discover them at any time.[1]

Parts of NSA's toolkit of exploits are believed to have somehow leaked or been hacked in 2013, and then published in 2016 (Snowden speculates that the hacking and leaking party was the Russians).[4] Among the exploits revealed was e.g. a zero day exploit allowing remote code execution on some Cisco equipment. Cisco is a US company, and the vulnerable Cisco equipment was presumably used by US government institutions and US companies, however the NSA had apparently not notified Cisco of this vulnerability.[5][6] NSA's lack of disclosure to Cisco was presumable because of the NOBUS policy, with NSA assuming that only it knew about the exploit.

In regards to asymmetric backdoors, NOBUS follows in the footsteps of kleptography that dates back to the mid 1990s.[7] A case in point is the kleptographic backdoor which NSA is widely believed to have designed into the Dual_EC_DRBG standard, since finding the private key to that backdoor is a cryptographically hard problem (following the definition of a kleptographic attack). Though there is at least one example, ScreenOS, where the cryptovirology backdoor in Dual_EC_DRBG was hijacked by adversaries, possibly using it to attack the American people.[8]

References

  1. 1 2 3 https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/
  2. https://www.schneier.com/blog/archives/2014/02/breaking_up_the.html
  3. Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
  4. https://www.techdirt.com/articles/20160816/07465535255/ed-snowden-explains-why-hackers-published-nsas-hacking-tools.shtml
  5. https://www.techdirt.com/articles/20160818/11593035275/did-nsa-continue-to-stay-silent-zero-day-vulnerabilities-even-after-discovering-it-had-been-hacked.shtml?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techdirt%2Ffeed+%28Techdirt%29
  6. https://www.washingtonpost.com/world/national-security/nsas-use-of-software-flaws-to-hack-foreign-targets-posed-risks-to-cybersecurity/2016/08/17/657d837a-6487-11e6-96c0-37533479f3f5_story.html
  7. A. Young, M. Yung, "The Dark Side of Black-Box Cryptography, or: Should we trust Capstone?" In Proceedings of Crypto '96, Neal Koblitz (Ed.), Springer-Verlag, pages 89–103, 1996.
  8. http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/
This article is issued from Wikipedia - version of the 8/23/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.