NOBUS

NOBUS, short for "NObody But US", refers to security vulnerabilities that the NSA believes only the NSA can exploit. Accordingly, the NSA sometimes chooses to leave such vulnerabilities open when it finds them, in order to exploit them against its targets.[1] The NSA has a dual mission of both attacking foreign systems and defending US systems, so keeping secret significant vulnerabilities that affect US systems is a conflict of interest.[2]

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.
Former NSA chief Michael Hayden[1]

The NSA is speculated to have used on the order of hundreds of millions of dollars in computing power to break large amounts of encrypted traffic that relies on the Diffie–Hellman key exchange with 1024-bit keys. This vulnerability also affects US traffic, so it would be a good example of Hayden's "four acres of Cray computers" definition of NOBUS.[3]

The NSA is believed to sometimes buy knowledge about security vulnerabilities on the gray market, for example from Vupen, in order to use them offensively. Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU's Speech, Privacy and Technology Project, has pointed out that these exploits are not NOBUS, in that anybody else can discover them at any time.[1]

The kleptographic backdoor that the NSA is widely believed to have inserted into Dual_EC_DRBG is an example of NOBUS, since finding the secret key to that backdoor is a cryptographically hard problem. However, there is at least one example, ScreenOS, where the Dual_EC_DRBG backdoor infrastructure has possibly been used by attackers hostile to the NSA's mission.[4]

References

  1. https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/
  2. https://www.schneier.com/blog/archives/2014/02/breaking_up_the.html
  3. Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
  4. http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/
This article is issued from Wikipedia - version of the Monday, April 11, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.