Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Security Services May 'Have Moles Within Microsoft,' Says Researcher

Posted by Soulskill on from the clippy-was-a-double-agent dept.

Barence writes "U.S. government officials could be working under cover at Microsoft to help the country's cyber-espionage programme, according to one leading security expert. According to Mikko Hypponen, chief research officer at security firm F-Secure, the claim is a logical conclusion to a series of recent discoveries and disclosures linking the U.S. government to 2010's Stuxnet attack on Iran and ties between Stuxnet and the recent Flame attack. 'It's plausible that if there is an operation under way and being run by a U.S. intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation,' he said. 'It's not certain, but it would be common sense to expect they would do that.'"

24 of 228 comments (clear)

  1. Ockham's razor by Anonymous Coward · · Score: 5, Insightful

    ... or they just paid/threatened Microsoft. Much simpler and easier.

    1. Re:Ockham's razor by Culture20 · · Score: 3, Insightful

      ... or they just paid/threatened Microsoft. Much simpler and easier.

      And it has the added bonus of being legal. "Moles in MS" would be a big no-no, no?

    2. Re:Ockham's razor by JeffSh · · Score: 3, Insightful

      Only if it were to ever be acknowledged, something that has zero possibility of ever happening.

    3. Re:Ockham's razor by Sir_Sri · · Score: 4, Informative

      Or they just paid former microsoft employees with technical positions to come work for the government.

      Didn't the NSA offer to help 'secure' windows 7 (http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development), they could just offer to help with 'collaboration' and then provide some security fixes and use some of the loopholes they find before anyone else does.

      Now the israeli's. They have spies at microsoft. The US government probably not directly, at least not in the US, there are enough cheaper no risk ways to get what they want.

    4. Re:Ockham's razor by Anonymous Coward · · Score: 5, Funny

      "Moles in MS" would be a big no-no, no?

      Actually, it sounds like it'd be a runaway hit reality show.

      "For the past year, we sent a Google developer deep undercover at Microsoft armed with an Android-powered hidden camera and an agenda to subtly promote open technologies. Now, we're going to show you the results. Sometimes hilarious, sometimes heartbreaking, sometimes horrifying; tune in starting this August on Slashdot TV for 'Moles in Microsoft' to see what happens when development ideologies collide in the real world."

    5. Re:Ockham's razor by Aighearach · · Score: 5, Interesting

      We can get even simpler and easier, MS already gives the military access to their source code so that it can be reviewed. This is a requirement for all the software used on the most secure systems.

      It has always been viewed as a joke around here, because unless they are going to fix the bugs themselves, having the source isn't going to make windoze take extra care about your data.

      So the simplest and most obvious answer is, they didn't need to sneak in, and they didn't need to make threats either.

    6. Re:Ockham's razor by s.petry · · Score: 5, Insightful

      I'm not even sure they would have to do that. The technical details in TFA are a bit scarce, but enough exists for a better theory than the TFA presents.

      Someone with some hefty CPU power broke the MS cert, which allowed them to create their own at will and spoof a MS cert.

      The Government has the access to MS source code, and their methods. If you know where hooks get applied and how priorities work, you don't need to be from MS to write good code. You just need to be a good coder.

      Spoofing Windows Update server really would not be that hard. Hell you don't even need a real man in the middle attack if you have a forged Cert and know the structure. You just need to spoof a DNS answer, the client will do everything else for you.

      Having the fake key is huge! Write an application, sign as Genuine MS, put on a faked Windows update server, reroute a DNS call. Shazam! Of course there is other knowledge required, such as evading AV detection, etc.. but they had that figured out very well also.

      It would take a good team, and time, but no need to have a mole. I would not be surprised if the US Government had moles in MS, but if they did it would primarily be for reasons other than Stuxnet and Flame, or any other computer espionage program.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Ockham's razor by ackthpt · · Score: 5, Funny

      We can get even simpler and easier, MS already gives the military access to their source code so that it can be reviewed. This is a requirement for all the software used on the most secure systems.

      It has always been viewed as a joke around here, because unless they are going to fix the bugs themselves, having the source isn't going to make windoze take extra care about your data.

      So the simplest and most obvious answer is, they didn't need to sneak in, and they didn't need to make threats either.

      That explains some of the mental breakdown of returning veterans...

      --

      A feeling of having made the same mistake before: Deja Foobar
    8. Re:Ockham's razor by flyingsquid · · Score: 4, Insightful

      ... or they just paid/threatened Microsoft. Much simpler and easier.

      The problem with the claim put forward in the article is that it is *not* the logical conclusion of what we know about Stuxnet and Flame. What we know about Flame is that (i) it's the most advanced piece of malware ever created (that we know about), (ii) it has connections to Stuxnet, (iii) it's primarily targeting Iran, but it's also targeting Syria, Palestine, Egypt, Saudi Arabia. That information tells us a lot about who was behind it.

      Okay, so first off, Flame is very large and extremely advanced. That implies a country with an advanced cyber-warfare program. That list is fairly short, and the big names on it are the United States, Russia, China, and Israel.

      Second, the people behind Flame were also involved in Stuxnet. The people analyzing Stuxnet came to the conclusion that it was the work of two different countries, with suspicion falling on the U.S. and Israel. In the New York Times article, it's reported that Stuxnet is designed by the U.S., but the Israelis helped out. The Obama Administration has not denied anything published in that article.

      Third, Flame is primarily targeting Iran, again that points to the U.S. and Israel, Iran's primary enemies. However, Flame's secondary targets are all areas that are potential threats to Israel (Syria, Palestine, Egypt, Saudi Arabia) but this list does not include countries that pose security threats to the U.S. but not to Israel (Afghanistan, Iraq, North Korea). Finally, there are also some Flame infections in Israel itself. Given that one of the purposes of an intelligence organization is (unfortunately) to spy on their own citizens, that also fits the idea that Flame is written by the Israelis.

      If Flame is Israeli, then the idea that the U.S. is planting spies in Microsoft is not the "logical conclusion" of the facts at all. So does this mean that the Mossad has penetrated Microsoft? Well, I suppose it's possible. It would antagonize the U.S. to learn that our ally has spies in our corporations, but it's also been alleged that Israel has moles in the Pentagon, so it wouldn't be entirely surprising, either.

    9. Re:Ockham's razor by dnahelicase · · Score: 4, Insightful

      >

      It would take a good team, and time, but no need to have a mole. I would not be surprised if the US Government had moles in MS, but if they did it would primarily be for reasons other than Stuxnet and Flame, or any other computer espionage program.

      I would be surprised if the US doesn't have "spies" within Microsoft. Microsoft is huge, and hugely important in how the world handles data. I would be shocked if the US, China, India, Russia, and several other countries didn't have "spies" somewhere in Microsoft.

  2. They don't need them... by Anonymous Coward · · Score: 4, Insightful

    The US Government has licenses for the Windows source code. Nothing we've seen those virii do have required anything more than that.

    1. Re:They don't need them... by Gr33nJ3ll0 · · Score: 5, Insightful

      In this case the article is talking about MS CERTIFICATES, so having access to the source code is irrelevant.

  3. Wouldn't surprise me. by Anonymous Coward · · Score: 5, Insightful

    What would surprise me, is if the US thinks they're the only one.

  4. not only operating systems by fluffythedestroyer · · Score: 3, Insightful

    dont forget security companies and firms... and yes it does make lots of sense.

    1. Re:not only operating systems by Anonymous Coward · · Score: 3, Interesting

      Don't forget that the US Department of Homeland Security maintains a giant list of security flaws. It's called the Common Vulnerabilities Enumeration.

      Check the fine print at the bottom of the page: "CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."

      So that means the government doesn't even need to go looking for holes - security companies send them to the government directly to be listed!

      No mole required, just a "friendly" email informing them that they're going to keep silent for a bit and "forgetting" to post the alert publicly.

  5. Why would the US government need moles? by Apharmd · · Score: 4, Insightful

    I doubt Microsoft would balk at any requests at access. These are, after all, matters of national security, and are therefore paramount over all other concerns. No decent American (ahem) company could refuse.

    1. Re:Why would the US government need moles? by fuzzyfuzzyfungus · · Score: 4, Insightful

      As long as it doesn't pertain to any matter regarding the possibility of tax liability, of course.

      There are just some sacrifices that are too great to bear...

  6. When did /. become Infowars? by cpu6502 · · Score: 4, Informative

    They THINK there MIGHT be moles inside Microsoft. ("Definitive proof!" says Alex on his radio show.) That's nice. I think their might be moles inside everybody's backyards..... I haven't actually seen any, but let's publish it anyway and scare everyone.

    1. Publish some random guy
    2. Spin it to make it sound factual "evidence"
    3. $profit$

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  7. You might as well title this differently by Anonymous Coward · · Score: 3, Insightful

    "Foreign government officials could be working under cover at Microsoft".

    Since many/much of the actual development is overseas anyway.

  8. Go full Tin-foil Hat! by treerex · · Score: 3, Funny

    Let's not beat around the bush! I say Microsoft has known USG agents working on the systems intentionally putting holes in the OS that can then be leveraged for zero-day attacks against other governments. Balmer is in cahoots I say! CAHOOTS!

  9. Sigh. by Sycraft-fu · · Score: 4, Informative

    You don't need a big gun to get the MS source code. It isn't some big fucking secret like all the ./ers seem to think. It isn't GPL, but plenty of institutions have copies. Basically any government that uses Windows does, huge surprise there. Also a lot of research universities. One such university I know that has it is ASU. Then there are copies in the hands of partners for better debugging/integration of their products.

    Just because the source isn't on Sourceforge, doesn't mean it is some massive secret. A bit of Google would get you http://www.microsoft.com/en-us/sharedsource/default.aspx which is MS's page on their source sharing.

  10. No. by Anonymous Coward · · Score: 3, Informative

    Read more about what actually happened. Microsoft was using some keys with md5 hashing that weren't properly set to prohibit their use for code signing and those keys were signed by the Microsoft root. Using a collision attack they created a copy of a signed key and used that to sign their code.

    Brief Explanation:
    http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

    Detailed Explanation:
    http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx

    Hotfix MS just published to speed up the revocation process:
    http://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx

    http://support.microsoft.com/kb/2677070

  11. Re:Doesn't really make sense to me by quarkscat · · Score: 3, Interesting

    Imagine a government with access to a complex OS source code. Then imagine that they get data on all manner of security holes as they are discovered. Imagine also that this government has access to OS security update certifications. Finally, imagine that this same government has the ability to hack into server DNS tables to route targeted users to their alternative 'security updates'.

    The penetration of any software company by undercover government operatives would hardly be surprising, but entirely unnecessary. Microsoft would hardly be alone as a target of such espionage -- every software company would be vulnerable, including OSS. There is also the issue with 'backdoors' hard-wired into computer hardware, including especially telecom systems. IIRC, this became an issue recently with news of backdoors alleged to exist in VLSI circuits manufactured in China. Older news alleged that Israel also puts backdoors into the telecom hardware they sell & ship, including to the USA government.

    If virtually every government does such spying, including upon their own citizens, and any number of software & hardware companies do the same with their customers, any cautious user of such technology should be aware of the potential security breaches they expose themselves to every time they connect to the internet, or open their front door for that matter. Redundancy & breadth of security beats security through obscurity any day.

    The phrases of the day are, "Trust no one", "Security in depth", and "If it can't be accessed remotely, it's more secure & less vulnerable". At that point, physical security & Tempest-hardening secure your valuable data. The rhetorical question is, "How valuable is your data if you cannot readily access it?" I found it humorous that the USA government recently wanted reporters to write their news stories on government-supplied computers, if only to avoid unwanted data leaks & stop potential whistleblowers in their tracks.

    Trust the USA government, or any government, or any corporation with an agenda? Why take that risk unmitigated? And who in Hades would put vulnerable sensitive SCADA systems in close proximity to the Internet except an idiot?

  12. Re:Didn't the NSA offer to help 'secure' Linux? by Bert64 · · Score: 3, Insightful

    If you are sufficiently concerned about it, then you can inspect the sourcecode of linux and/or remove the parts you don't want...
    You can't do that with windows.

    If you're a national government, then you certainly have the resources to inspect linux, and you'd be foolish not to inspect the software you use for critical infrastructure.

    Even if you can't or won't inspect the linux source, you at least gain some assurance from the fact that many independent people with differing goals are able to see the source. Again, this is something windows simply doesn't provide.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!