Apparently, NSA saves zero-day exploits for high value targets only
October 14, 2013
The United States National Security Agency (NSA) has a range of software exploits at its disposal, letting it tailor the attack to the person or persons it wants to monitor. This doesn’t come as a surprise considering the amount of information leaked by Edward Snowden. What also shouldn’t come as a surprise is that the NSA saves its best exploits for “high value” targets.
A recent publication of NSA documents by the Guardian shows that the agency operates servers it calls FoxAcid that are capable of exploiting software vulnerabilities on targeted computers. By the time the NSA unleashes those attacks, analysts will already know a lot about the person on the receiving end.
Based on the information gathered, the spies will use a complex trade-off method to automatically select an attack from a multitiered list of options.
“If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased,” security analyst Bruce Schneier wrote. “If the target is technically sophisticated, FoxAcid might decide that there’s too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that’s less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability.”
The NSA also has a detailed flowchart showing when to stop a successful attack. Those situations include when something fails to work as expected, whenever a particular security product is spotted, or “anything goes weird.” The idea here is for all exploits to go undetected, though it is not clear how many of the NSA’s attacks were thwarted.
“While the NSA excels at performing this cost-benefit analysis at the tactical level, it’s far less competent at doing the same thing at the policy level,” wrote Schneier. “The organization seems to be good enough at assessing the risk of discovery—for example, if the target of an intelligence-gathering effort discovers that effort—but to have completely ignored the risks of those efforts becoming front-page news.”
So. No real breaking news here.