Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC (zdnet.com) 139
Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There was a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken.
I call BullSh!t (Score:1)
WSJ, MSM,..... WMD anyone?
Smear, smear, smear, its the russian!!! Oh wait its the DNC!!!! Squirrel with Tits just ran behind that tree!!!
Beleivable (Score:5, Insightful)
Their version of events is much more believable than the others offers so far. Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour). During this time his machine had an open backdoor.
What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.
Re: Beleivable (Score:1)
Quite. I wouldn't trust Kapersky at this point - not because muh Russia, but because it's clear they're hands off when removing malware from state actors.
Not that I care if the NSA figures out my porn preferences - the idea that state sponsored malware will remain solely in the hands of states is pretty daft.
Re: Beleivable (Score:5, Insightful)
>Not that I care if the NSA figures out my porn preferences
You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.
Even though you and I are likely so unimportant to the state and they're unlikely to use what they find against you, just on general principles you should want privacy from the government as a general rule whenever it is practical.
When the three letter agencies have access to everyone's secrets, they're no longer serving the public since they have the power to control those who are supposed to be in power.
Re: (Score:3)
>Not that I care if the NSA figures out my porn preferences
You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.
In a twist of irony, those selfsame people will as likely as not have much more interesting porn records than anything a normal person has. Its projection, and we see it time and time again, from Jimmy Swaggert's television set top wanking while a hooker does God knows what, to that creep preacher in Colorado who railed on about them thar homos, but enjoyed screwing his male masseuse, to better than the rest of us Josh Duggar who has some very interesting and illegal preferences. Brings new meaning to famil
Re: (Score:1)
People would be wise to remember how sociopathic the masses can be when lead by psychopaths. Most people are crude, cruel, egotistical and short-sighted when pushed in certain directions by certain demagoges. In such a world, anything will be punishable, to meet quite different goals than what is said.
Re:Beleivable (Score:5, Interesting)
Doing that with Officially Classified materials has legal consequences. For example, I assume employees of Kaspersky want to be able to travel outside of Russia without getting arrested and imprisoned. And to be able to travel to the US for security conferences.
Re: (Score:3, Funny)
Doing that with Officially Classified materials has legal consequences. .
Unless you're Hillary Clinton, of course.
Re: (Score:3, Informative)
Re: (Score:1)
...and can't forget Sandy Berger being caught with classified documents down his pants: Unauthorized Removal and destruction of classified material [wikipedia.org]
Re:Beleivable (Score:4)
Sandy Berger as a Clinton insider who actually got some real punishments, albeit wrist slaps aside from losing his law license, doesn't do a good job of making my greater point that there's a Ruling Class that's essentially not subject to the Rule of Law we peons in theory live under.
On the other hand, he's a good example of how this crosses nominal party lines, this particular crime of his was done while Team Bush was at least nominally running the Executive, they should have nailed him to the wall.
Re: (Score:3, Interesting)
Both parties cover for each other in the hope that when out of power they will be protected as a courtesy from the other party. This is the textbook reason why special prosecutors should always be used when there is evidence of criminal activity (as opposed to the Trump Russia investigation, where there is a lot of innuendo, but no actual allegation or evidence of criminal activity, ask a real prosecutor, they will tell you).
As far as Sandy Berger, the guy was on camera stuffing classified documents into h
Re: (Score:2)
Nit, he did that in late 2003, to destroy evidence pertaining to the Clinton Administration's handling of al-Qaeda's plots in 2000, before that was considered by the 9/11 Commission. Which continuing this theme of the parties covering for each other, included Jamie Gorelick, who should have been on the dock instead of in the commission, she had created the formerly notorious "wa
Re: (Score:1)
AFAIK Individuals without security clearance have no legal obligations around classified material.
Re: (Score:2)
Re: (Score:2)
Wait, your thesis is that Russian companies who do lots of business outside of Russia should be scared of the USA based on the way that political prosecutions happen in Russia? So they should just be basically stupid idiots who can't do a business analysis, because they're so damaged by their national civics?
It doesn't seem like a very good argument. It seems that the businesses who do a lot of business in the rest of the world would be the most aware of how the world works, not the most absurdly fearful.
An
Re: (Score:1)
Re: (Score:2)
That's why security conferences need to move out of the US.
Re: (Score:2)
That's why security conferences need to move out of the US.
Or, why they will continue to prefer having them here. ;)
Re: (Score:2)
They might on the source code, which is what this incident is primarily about.
Re: (Score:2)
Doing that with Officially Classified materials has legal consequences. For example, I assume employees of Kaspersky want to be able to travel outside of Russia without getting arrested and imprisoned. And to be able to travel to the US for security conferences.
Does the NSA know Kaspersky's signature algorithm, and do they check the signatures 'their' code produces in Kaspersky's malware signature list?
Re: (Score:1)
What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.
They said that their software sent them for analysis some files that belonged to the customer, and they deleted the files as soon as they realized that these were customer files.
If Kaspersky did not delete customer files that their software sends them, then I would definitely say you have to dump them.
"We found some of the software you were working on when we scanned your machine. Mostly we delete customer files we access by accident, but we thought this one was useful to us, so we kept it so we can reverse
Take your customer's stuff and publish it (Score:2)
Yes, that's a different question. I was addressing the post by AmiMoJo stating that what they should have done was copied the customer's files, analyzed them, and published them.
Re: (Score:2)
"if we accidentally get some of your files, we delete them immediately-- any files of any type, no matter what they are or what they do."
But if it got malware, how are they supposed to know if YOU wrote the malware (and thus the policy would be to delete it) or if you just downloaded it (and thus their policy should be to catalogue and hash)?
Clues [Re:Beleivable] (Score:2)
"if we accidentally get some of your files, we delete them immediately-- any files of any type, no matter what they are or what they do."
But if it got malware, how are they supposed to know if YOU wrote the malware (and thus the policy would be to delete it) or if you just downloaded it (and thus their policy should be to catalogue and hash)?
We are assuming here that Kaspersky is not actually clueless.
Among other things, the fact that you have source code and several previous versions of the file might serve as a clue.
Re: (Score:2)
If only they'd listened to you APK, NSA could've stopped this leak if only they'd just black holed Kaspersky's servers with hosts file :(
Re: (Score:2)
Or this is how the NSA malware was obtained and leaked in the first place. There is already a lot of evidence that Kaspersky is in bed with the FSB, there is no way in the real world that those hacking tools were just deleted before copies were made and sent to the FSB, AKA the Shadow Broker. Those hacking tools represented millions if not billions of dollars of investment and were active and potent cyber weapons. The jackass who took them home would have been executed for treason a few decades ago, and
Re: Believable (Score:2)
Iâ(TM)m pretty sure nobody got executed for mishandling cyber weapons a few decades ago.
Oh, and I corrected that annoying spelling error in the subject that everyone else has been ignoring.
Re: (Score:2)
In the era when literally everything is networked and you can crash a country's economy or power grid with the right cyber weapon, they are the WMD of the modern era, and we did execute the Rosenbergs for stealing US nuclear bomb technology for the Russians.
Re: (Score:2)
Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour).
In other words, the Antimalware software did exactly what it should do and is disclosed to its users of doing ---- SAMPLING SUSPICIOUS RUNNING PROGRAM FILES
There's nothing shady about that..... Indeed failing to develop signatures for NSA malwa
Re: (Score:1)
Re: (Score:2)
They have seen a lot of NSA malware before, and been monitoring them for years. They regularly inform US authorities when infections are found in the US, because the NSA isn't supposed to do domestic spying.
Re: (Score:2)
Their version of events is much more believable than the others offers so far. ...
What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details.
You sound like have some bias of some sort interfering with your analysis, as your conclusion contradicts the details.
It seems that parts of their story are more believable simply by being more specific, but it also includes some very not-believable but important details. To me they look less trustworthy from their story; they want me to believe they're incompetent, not malicious, and I'm just not convinced that I should believe them, or that the specific incompetence involved is even different than being m
The AV software was configured as such (Score:5, Insightful)
No surprise here,
Source: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/?comments=1
Direct quote:
The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.
KSN should be illegal (Score:1)
KSN and all similar technologies, including the Microsoft malware submission tool, should be made illegal.
Rationale:
* All software is protected by copyright.
* Only the copyright holder has the legal authority to authorized copying the software.
* Transferring malware from the infected user to researchers therefore violates the rights of the copyright holder.
To what extent the above is sarcasm is left as an exercise for the reader.
Exercise Solution (Score:1)
The sarcasm begins in part 2 of the rationale, with "Only the copyright holder has the legal authority to authorized copying the software." The copying would almost certainloy be found, by any court, to be defensible as Fair Use.
The purpose of the copying is to analyze the malware, not to use/enjoy the malware in the usual manner.
The nature of the copyrighted work is functional, not artistic. And it's already published and shared with whomever the NSA has chosen to investigate.
The effect of the copying on t
Re: (Score:2)
Alternatively, the FSB has an agent in the NSA, and they figured out a way to steal cyber weapons without getting caught (or so they thought). He illegally, under penalty of jail time or worse, brings home a trove of cyber weapons. He then turns on his home Kaspersky AV and infects himself and begins making AV scans, uploading all of the cyber weapons to Kaspersky in Russia, where his FSB counterpart makes copies to later leak as the Shadow Broker costing the US billions and destroying a decades worth of
Re: (Score:2)
No surprise here.
No, not at all.
Many AV are set up that way, it was just bad luck for kaspersky, it was being run.
I use Comodo firewall, it's deliberately hard to configure for the on-line support. I've used it for so long I've got it down and have disabled sending suspicious files it's way.
Re: (Score:1)
Exactly -- once the thickheaded ignoramuses and dumbasses spend one second thinking about it, they will finally realize that in fact Kaspersky did everyone a favor by learning how to keep those tools from breaking into everyone's computers.
Here comes the "but, but, but!!" squad (Score:1)
Some bullshit about the product working only as intended. Hackers have been practicing obfuscated, "looks good but has a malicious side-channel" code since forever, [underhanded-c.org] and you'd be an utter dimwit (or vatnik!) to think that Mr. Kaspersky himself of the KGB's technical school doesn't know how to put these ideas into practice both programmatically AND socially.
But guess what? Even if Kaspersky has the most honest intentions in the world, which they don't, that still doesn't prevent SORM from capturing everyt
Data trail (Score:4, Insightful)
If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?
Oh, and the NSA dude needs some jail time as well.
Re: Data trail (Score:5, Insightful)
Nobody has ever said the Russians had the malware. Russian government involvement is a red herring spun to distract you from the Russia-Clinton-Obama inconvenience.
Re: (Score:3, Informative)
I see people making this mistake a lot. Occam's razor isn't a law. It doesn't "tell us" anything. It doesn't say "The simplest explanation is the correct one."
It actually goes: "The simplest explanation tends to be the correct one." Occam's razor merely suggests what is the most probable answer. It doesn't prove or tell us anything, it simply lets you organize hypotheses into, lacking any other evidence, the most likely or
Re:Relativity (Score:2)
You still have to prove the most-likely hypothesis is correct. And a less-likely (more complicated) hypothesis can still turn out to be the correct one.
Rational people assume the most-likely until reasonable evidence proves otherwise.
Re: (Score:2)
You still have to prove the most-likely hypothesis is correct. And a less-likely (more complicated) hypothesis can still turn out to be the correct one.
Rational people assume the most-likely until reasonable evidence proves otherwise.
The problem with all conspiracy theories, which to me is when the people employing them work their way backwards, picking and choosing what they accept, and miraculously, it just so happens to align with their world view. They will even manage to deny it when Kaspersky admits they accessed the idiot's computer.
So this is what happened, So this is how it was found, This is who did it, this is how it happened, and the people who did it admitted they did it.
The only thing left is that somehow the person
Re: (Score:2)
"And a less-likely (more complicated) hypothesis can still turn out to be the correct one."
And often it is the correct one when you are dealing with espionage, hostile foreign governments and treason.
Re: (Score:2)
"And a less-likely (more complicated) hypothesis can still turn out to be the correct one."
And often it is the correct one when you are dealing with espionage, hostile foreign governments and treason.
Give us the citations to support your thesis. Surely you have an example or two in support of that.
Re: (Score:2)
I pity your failed public school education...
Here are a few:
The Rosenbergs and how they stole US nuclear bomb technology and sold it to the Russians.
John Walker and his family and how they managed to steal US Navy secrets for over 15 years and sell it to the Russians.
CIA double agent Aldrich Ames penetration of the CIA on behalf of the Russians.
NSA agent James Hall III spying for the Russians.
Wikipedia is your friend. There is a list as long as my arm of individuals in the US who were turned or used by the
Re: (Score:2)
I pity your failed public school education...
Here are a few:
You aren't making sense. Those are not complicated conspiracies.
Those are people who were enriched or bribed by Russians, not the convoluted moon landing type conspiracies you seem to be claiming they are.
Certainly no more complicated than an Israeli agency discovering an AV software manufacturer scanning and stealing information it had access to and passing it up the line to people who would be interested in it. And said intelligence agency who after discovering it, passed that information along to
Re: (Score:2)
Um, John walker spied on the US Navy for like 16 years and only got caught because his ex wife turned him in...
The Rosenbergs stole secrets from the Manhattan project from 1942 until they were caught in 1950 (8 years).
These acts only seem simple or easily understandable after decades of investigation and perspective. You have no clue what the motivation was of the NSA guy who brought home cyber weapons and loaded them on his personal machine, and until we have dug through that guy's life and associates wit
Re: (Score:2)
Um, John walker spied on the US Navy for like 16 years and only got caught because his ex wife turned him in....
Umm yourself, muchacho. Seriously, you aren't even arguing the same thing I am. I said that Occam's razor was in effect, that A group with Kremlin ties that had root level access to a computer that some dumfuk illegally stored classified data on would be interested in that data, and would send that data up the line. I mean I've been trying to stop picking on Russian trolls here, but that should be obvious to anyone who isn't simply supporting the FSI or FIS.
And that is in opposition to the rather compli
Re: (Score:2)
OK look, I am not being insulting (I can be if you really want). I was replying to your reply to my post (not to the other guy who you say you were replying to, I suspect I may have my filters set to nuke him because he is a Russian troll and life is too short to read their bullshit).
My basic position is simple. The chain of events makes it highly likely that there was collusion with Russia by the NSA double agent that took home classified cyber weapons under penalty of jail time or firing squad. It is a
Re: (Score:1)
This will never get modded because it's buried, but one does not prove hypotheses, generally speaking. One fails to falsify them. Thus occam's razor permits one to consider the most likely hypothesis, consider/test methods of failure, and allows you to consider the simplest hypothesis as probable until and unless you find a way to falsify it. (Or, yes, prove it's true. Which is hard to do in most cases.)
Re: (Score:2)
I'm not sure if you're just stupid or trolling, the Clinton "conspiracy" is pretty well covered these days on national and international media. I watch BBC, CNN doesn't make much of a mention of it but obviously Fox would.
I can imagine how (Score:2)
Re: (Score:2)
NSA->employee->Home system->Kaspersky AV->Kaspersky Lab servers --------> Russian Govt?
If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?
Your "missing link" was already reported two weeks ago: https://politics.slashdot.org/... [slashdot.org]
Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'
Israeli spies looked on as Russian hackers breached Kaspersky cyber-security software two years ago, according to reports. The Russians were allegedly attempting to gather data on US intelligence programs, according to the New York Times and Washington Post. Israeli agents made the discovery after breaching the software themselves. Kaspersky has said it was neither involved in nor aware of the situation and denies collusion with authorities.
Re: (Score:2)
If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?
We don't know that the data ended up with the government.
Here is what is claimed:
Reports published in the United States are that Israeli government hackers broke into Kaspersky and saw the NSA data. While the Israelis were there they witnessed Russian government hackers also break into Kaspersky and access the NSA data. Kaspersky claims the only people who hacked them were the Israelis and they were never hacked by the Russians.
So if the Israelis are wrong the Russian government doesn't have the data. If
Re: (Score:2)
There is "hacking" and then there is tacit approval:
Potential Kaspersky employee: "Hey, I will be leaving this backdoor open at 1am, here are the passwords you need and here is the location of the files you are looking for, please don't hurt my family"
While technically hacking (unauthorized access) it may not have left any traces if it was an inside job, but either way, the FSB got in to Kaspersky's files and lifted all the NSA cyber weapons.
I trust the Israelis (an actual democracy with similar values to A
Re: (Score:2)
Re: (Score:2)
Exactly so.
Why not disclose it? (Score:5, Interesting)
So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.
The real question is why wouldn't Kaspersky submit it to other AV Firms or even Microsoft for analysis instead of just deleting it? From what it sounds like they had full source code on a virus. I would think that would be the equivalent of striking gold in the AV community regardless of the virus's source, Unless Kaspersky was afraid that the US would Pressure the heck out of them if they disclosed, which is not much different from what's happening now.
Re: (Score:1)
Re: (Score:1)
So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.
Really? It is supposed to upload all the source code of whatever the user is working on to the KAV mothership? Sounds like corporate espionage to me:
KAV: Oh no, we didn't intentionally download the source code to Microsoft's new super-secret application. The user was just running KAV and it happened to flag on a malware signature (wink wink).
Re: (Score:2)
Have you ever purchased something from a store, only later to find that another item had been hidden inside, and tried to return that item to the store? I have.
I purchased a household item like a comforter that had curtains stuffed inside. Nothing particularly high value. I returned the items I had not purchased to the store. When returning the items, while it was not overt, the store basically suspected me of theft and I was not exactly rewarded for "doing the right thing". Never again.
Can you imagine
Re: (Score:2)
How to create phone home software that just works but will not get detected/reported/studied by an advanced OS or AV?
The mission is for a US persistent, generational file tracking effort that works, phones home and stays with documents.
How to avoid that user alert but not have to worry about upgraded AV/OS detection/discovery globally?
Some social engineering?
Networking that looks just like all the other ongoing past/existing national/international contractor grade "poli
Overreaction to business as usual (Score:5, Insightful)
So basically, commercial software, namely an antivirus, proceeded as intended (detected malicious/suspicious code). Nothing new.
Then the Russian gov., just like the US or the UK govs. pulled that software/information based on the principle of screwing anyone's privacy (especially foreigners) over national security concerns (which when you look at it from an impartial point of view, like me (someone who literally stands between both countries in western Europe), it's a contextually solid argument, even though I am completely opposed to this relegation of privacy to second place. This is also not new, and the US knows this happens frequently. They know it because they also do it. How many Sillicon Valley corps. are sueing the US gov. to prevent just that? (Well, Microsoft just dropped it because, well, the government had a bad case and decided to pull back).
At least they're not loading Linksys hardware with trojans for deployment to China and Russia's top tier installations.
Seems like a very plausible explanation from Kaspersky, clearly not at fault, and will be a clear case of hypocrisy by whichever government decides to slander private business of the company. Not only is the government at fault (that was bad BAD behavior from the employee, unless he was whistleblowing something, like Snowden), but they also do this.
Demand local servers, just like Brasil did to Facebook, if you are worried about your info being offshored to jurisidictions you can't control the full chain of behavior.
Kaspersky Investigation - original release (Score:1)
lol (Score:2)
In their defense of deleting the files (Score:5, Insightful)
After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.
To be fair, this puts them in a bind. They acquired NSA malware source code but they got it because their product uploaded it to them. If they keep it and use it they are breaching the trust of their client. I trust and give Kaspersky permission to scan for viruses and pull their executables. I don't give them permission to look through various source code on my computer. This isn't about saving or shielding the NSA, it's about the integrity of their contract with their users. Screw the NSA but Kaspersky showed more integrity here than the NSA has ever shown in its entire existence.
Re: (Score:1)
Actually, if you enable the reporting product you very much gave them permission to upload anything their software hits on as a target and give them permission to take it the hell apart so they learn how to stop it. Which is why you should read teh EULAs. And if you are doing work for your employer or the government, you do so on a machine they supply to you with the software they supply, so it is their lookout as to whether they should enable reporting features on the antivirus product they give to you.
Just assume your home PC was never secure. (Score:2)
I mean are you REALLY naive enough to believe that Windows is
1) an even slightly secure OS
2) Microsoft (and therefore the NSA) really don't/aren't using their own backdoors built right into Windows (and maybe Intel's IME) to conduct ongoing scans, analysis and upload of anything/everything of "interest" that you ever have on your PC ?
The problem is clearly the NSA employee who took the code home and put it on his Windows PC in the first place. He of all people should have known WAAAY better.
Re: (Score:2)
Adding AV to Microsoft is about as bad as adding an anonymous FTP server to your desktop. Passwords are only going to keep your friends honest.
NSA guy should have know. What on earth was he thinking to allow his data to be uploaded to Russia. He's going ot have a court date coming up.
Willing to bet KGB employee (Score:3)
I'm willing to bet that Kaspersky had an employee who was also an unknown intelligence spy on the payroll.
The intelligence agency figured out the US Govt was using software - submitted resume for spy to open job - and spy reported to work as instructed. Aren't we worried that the NSA is asking Google/Apple/ISP (cough AT&T) to open the door a crack?
Isn't this the fear of many in security? - that an unknown group could change the C compiler source code to ignore or replace certain instructions. Then modify the encryption software with a backdoor that matches the pattern the compiler is looking for - and thus inject a backdoor? Said backdoor is not visible/obvious in the encryption software.
And the method to do this is have spies report to work at legitimate businesses. with external orchestration of their activities.
Also possible that said spy figured out the zero-day which was put to use from another group outside. OR coded said backdoor or side-channel vector.
Is it Executive IT Syndrome? (Score:4, Funny)
Here's another thought about why it happened -- is it possible that NSA treats some of their more brilliant analysts the same way companies treat executives? Everywhere I've worked, security policies apply to absolutely everyone except the C-level and senior VP ranks. Execs just tell IT to plug whatever new shiny thing they got at a conference or Best Buy into the network, override password policy so they don't have to log in to their machines, and a whole bunch of other things that would get ordinary workers fired. Maybe if you're a super-brilliant borderline autistic cybersecurity genius, the NSA decides it's not worth it to try to enforce policy?
I'm sure a lot of the safeguards around classified information are the equivalent of "security theatre" but I'm kind of surprised NSA would let their analysts casually walk out the door with unreleased exploit code and bring it home with them. People I know who work for defense contractors on much more mundane stuff can't even mount USB drives on their computers read-only, let alone copy files, but it seems like they just let things like this happen once you get a certain level of access beyond the perimeter. Some of the things I've heard described are totally security theatre, like covering whiteboards when the janitor comes through or insisting that every piece of garbage be burned _and_ shredded...but at least they have the common sense to prohibit employees from taking confidential data home and employees I've spoken with are well-trained to not talk about exactly what they're working on. I have a feeling we'd never know about this if it hadn't gotten to a machine without Internet access.
Almost all companies work like this too -- once you're inside everything is trusted and can talk to everything else. That's absolutely the wrong thing to do, but rebuilding the network and walling things off to an "assumed-compromised" posture is super expensive and hard to implement. Lots of companies don't even have internal PKI right yet so port-level authentication on network gear isn't even possible. And the app landscape is so vast and much of it is so old that totally locking down some things would take tons of research and effort...all of which the company won't pay for. You would think NSA would be all over that though, given what they work on.