The Washington Post

The latest NSA leak shows why it’s so hard to trust even tech designed to keep computers safe

The NSA logo in front of the National Security Agency's headquarters in Fort Meade, Maryland, USA. (Image courtesy NSA)

Leaked National Security Agency hacking tools are exposing how even the technology designed to safeguard our computer networks can put users at risk — and how poor security practices like clinging to old equipment can make things worse.

The trove, which mysteriously appeared online last weekend, is full of hacking tools that can break through systems that businesses and even government agencies use to secure their digital infrastructure. In some cases, the tools can be used to attack equipment that is still in use but so outdated that the companies that made it don't plan to release fixes.

The NSA has not commented on the leak, but multiple anonymous former officials and new Snowden documents released by the Intercept on Friday appear to confirm the tools are the real deal.

Many are exploits and implants targeting firewalls from major tech firms Cisco, Juniper and Fortinet. The firewalls are used by many large organizations to defend their internal systems from threats lurking on the Internet at large.

"What is a company supposed to do when the very technology that they bought to protect them makes them vulnerable?" said Jeff Pollard, a principal analyst focused on IT security at Forrester Research.

Part of the problem is that security software is still, well, software. Just like any other piece of software, it can be riddled with bugs, some of which may go undiscovered for years or even decades. Case in point: although the leaked hacking tools date back to 2013, they've exposed previously unknown flaws that hardware and software makers are now scrambling to fix.

And enterprise firewalls don't get upgraded or replaced very frequently, in part because they are stand-alone pieces of equipment — think of a box you plug into the wall and your network, not just a program installed on an organization's larger IT infrastructure. Matthew Green, a computer science professor at Johns Hopkins University, compared them to kitchen appliances.

"People don't think of these as running software, so you end up with old appliances online," he said. "When is the last time you bought a new toaster?"

But firewalls are also much more expensive than toasters. New enterprise models often cost tens of thousands of dollars. That hefty price tag is one reason that many mid-sized and enterprise organizations only replace firewalls every four to five years, according to Pollard. Smaller businesses may stick with old devices for even longer, he said — leaving them reliant on devices that are well past their prime.

"There's just so much equipment out there, some of it very expensive, that is not aging well," said Joseph Lorenzo-Hall, the chief technologist at the Center for Democracy & Technology. "It poses a real problem."

An exploit in the hacking tool trove called "BENIGNCERTAIN" drives that point home. The tool helps attackers recover the cryptographic keys protecting virtual private networks that run on Cisco's PIX line of equipment. Such VPNs let a company's employees connect securely to corporate networks and access confidential data while out of the office. Based on the versions of PIX vulnerable to the attack, it appears the NSA was able to break the device's encryption for much of the 2000s.

That's a big deal because PIX was hugely popular then. "Ten years ago, Cisco PIX was everywhere," according to security researcher Kevin Beaumont. "It was the industry standard" for connecting offices, he said.

But Cisco stopped selling PIX equipment in 2009 — and in a statement to The Post, the company suggested that it doesn't plan to release a fix for the issue by noting that the company stopped providing support and upgrades for the PIX line years ago.

"Prolonging the use of older technology exponentially increases risk," Cisco engineer Omar Santos wrote in a Friday update to a blog post about the hacking tools.

He also said that Cisco "should be notified of all vulnerabilities if they are found," an apparent jab at the NSA. In some cases the agency has withheld information about security bugs so it could use the flaws to spy on foreign adversaries, a practice criticized by many experts who say it leaves innocent users at risk.

"Manufacturers don't want to support equipment forever — they want people to upgrade," said Green. "But not everyone upgrades, and the people left behind are basically sitting ducks."

It's not clear how many PIX units are still supporting VPNs, but there are "probably way more out there than we would think," according to Pollard. Security researcher Mustafa Al-Bassam's initial investigation found at least 15,000 PIX units vulnerable to the exploit still online — some 9,000 of them in Russia.

One reason they're still around is that even when an organization upgrades its primary firewall unit, it might use the old device somewhere else. "What often happens is they get re-purposed for a different function — maybe deployed internally or at small local or regional offices," said Pollard.

Even organizations with newer firewalls in place may be at risk from known attacks if they fail to apply regular security patches, he said. Not all offices stay on top of those updates, in some cases because they would have to take down or restart their equipment to patch it, making key digital services temporarily unavailable to employees.

The sheer scope of the problems revealed in the NSA hacking tool leak has left even some experts feeling overwhelmed.

"It's becoming increasingly hard to have a good assessment of how secure you are," Lorenzo-Hall said.

Considering what the hacking tools reveal about the NSA's prowess at breaking some of the last generation's security tech, it's "hard not to be a little paranoid" about what the agency might be able to do now, he said.

This post has been updated with details from a Cisco blog post about the hacking tools.