NSA's Malware Heroics Questioned By Security Experts - InformationWeek

NSA says it thwarted a nation state's BIOS-bricking malware plot, but info security and privacy experts say the agency is trying to snow the American public.

The National Security Agency (NSA) helped foil a "nation state" that planned to launch a BIOS-bricking malware attack against the United States.

That claim was delivered Sunday night in an Inside the NSA segment on CBS's 60 Minutes that was partially filmed inside the intelligence agency's headquarters.

The agency, of course, is struggling to repair its image -- and stave off additional oversight or curtailing of its intelligence-gathering techniques -- since documents leaked by former agency contractor Edward Snowden revealed how the NSA has created a massive digital dragnet that's been intercepting millions of Americans' communications and related tracking data. Industry analysts have said that the fallout from those revelations could cost technology businesses billions in lost revenue over the next few years.

If a classic counterinsurgency tactic is to make a "hearts and minds" appeal to the public at large (rather than adversaries), that's what the NSA appeared to be doing via 60 Minutes, in part by arguing that its tactics are required to stop foreign nations that are intent on disrupting US systems.

For example, Deborah Plunkett, the NSA's information assurance director -- described in the newscast as the official who directs cyberdefense -- told CBS correspondent John Miller that the agency had foiled a malware attack that would have corrupted the BIOS inside a PC, thus turning the machine into a brick. "One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability -- to destroy computers," Plunkett said. "This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would've infected the computer."

She added: "Think about the impact of that across the entire globe. It could literally take down the US economy."

But the NSA's detailing of a BIOS-attack plot that it supposedly foiled drew a tepid response from many information security professionals. For starters, that's because during the interview, Plunkett wasn't holding the type of BIOS she described -- which would be installed on a motherboard -- but rather a serial ATA controller BIOS, according to Robert David Graham, CEO of Errata Security.

In addition, nothing Plunkett said suggested that the alleged plot was anything more than script kiddies brainstorming potential future attacks. Furthermore, the supposed plot can't be verified based on the details that were provided, which included an unnamed NSA official pointing the finger at China. "Same as with #badbios, there's no question it's possible, whether it happened in this case, nobody knows," tweeted computer security researcher Dan Kaminsky.

Other security professionals noted that BIOS-attacking malware isn't anything new, or really all that big of a threat. Perhaps the NSA simply couldn't come up with a scarier-sounding attack?

"We experts just aren't impressed. We know how viruses work, and see nothing special here. We know how stories get distorted. We know how paranoia makes minor things look scary," Errata Security's Graham said in a blog post. "If there were something momentous here, they would say so. But instead, they used techno mumbo jumbo to confuse the typical '60 Minutes' viewer into believing something that was never explicitly stated."

Stepping back from the BIOS plot, information security and privacy experts also criticized the entire 60 Minutes segment for failing to pose the "tough questions" promised by CBS correspondent Miller, who previously worked for both the Office of the Director of National Intelligence and the FBI.

As F-Secure chief research officer Mikko Hypponen summarized the segment via Twitter: "Turns out, NSA is doing an outstanding job and Snowden is the bad guy."

Miller's interviewees included NSA director Gen. Keith Alexander, who first approached CBS about doing the news segment. But Alexander relied on evasion and doublespeak when it came to addressing some of the NSA's more contentious practices, for example when responding to questions about whether the agency hacks into datacenters run by the likes of Google and Yahoo.

"We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are," Alexander said. "But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network."

A presidential commission is reportedly preparing to recommend that some of the NSA's mass data collection practices should be curtailed or stopped. But rather than advancing any nuanced arguments about how the NSA might respond to leading political, legal, and privacy criticisms, Alexander instead argued that the status quo should prevail. "My concern on that is [especially] what's going on in the Middle East, what you see going on in Syria, what we see going on-- Egypt, Libya, Iraq, it's much more unstable, the probability that a terrorist attack will occur is going up," he said. "And this is precisely the time that we should not step back from the tools that we've given our analysts to detect these types of attacks."

Will Alexander's 60 Minutes appeal for business as usual at the NSA succeed? Let us know your opinion in the comments section below.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Shane M. O'Neill,
User Rank: Author
12/16/2013 | 12:34:54 PM
NSA puff piece
The whole time I was watching the "60 Minutes" segment I kept waiting for a counterpoint to the NSA's FUD spreading and its denial of privacy violations. Lord knows there are plenty of security experts who could have provided some balance. But it never happened. The reporter was too soft and the final result was an NSA infomercial. Seems like in return for unprecedented access to NSA facilities "60 Minutes" agreed to do a puff piece.
Thomas Claburn,
User Rank: Author
12/16/2013 | 3:43:04 PM
Re: NSA puff piece
Agreed. A very one-sided piece, and it's not as if it would have been difficult to find a source with a different viewpoint.
WKash,
User Rank: Author
12/16/2013 | 6:08:55 PM
Re: NSA puff piece
Shane, I have to agree.

NSA is just borrowing a page from the crisis management playbook that corporations use when the media pounces on wrongdoing. But it's disappointing to see 60 Minutes playing into the game.

 