NSA Keeps Some Security Bugs Under Its Hat

By David Jones
Nov 10, 2015 5:00 AM PT

The U.S. National Security Agency is getting a collective side-eye after posting what it characterized as proactive information: the fact that it discloses 91 percent of the security vulnerabilities that pass through its internal review process.

While the agency appears pleased with its newfound transparency, it is being called out en masse for the things it is not reporting -- primarily, the other 9 percent of vulnerabilities. In fact, the NSA's revelations have raised far more questions than they have answered.

The disclosures came late last month in an infographic touting the agency's security bug reporting practices.
Disclosing vulnerabilities usually makes sense, it reads, "but there are legitimate pros and cons to the decision to disclose vulnerabilities, and the tradeoffs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences."

The NSA historically has leaned in favor of disclosure, and withholds information only if it may be necessary to collect crucial foreign intelligence used to stop a terrorist attack, to prevent the theft of intellectual property, or to uncover even greater vulnerabilities, it said.

What's Left Unsaid

However, critics have charged that the government often leaves the unknowing party in the dark about the vulnerabilities it does not disclose, and then exploits them for its own purposes.

By withholding information about the remaining 9 percent, the NSA has chosen not to notify the party best situated to fix the security flaw, said Jennifer Stisa Granick, director of civil liberties at the Stanford Center for the Internet and Society.

"They do this to enable intelligence agents to exploit these flaws for surveillance or to use them as weapons, as with Stuxnet," she told TechNewsWorld. "As for the remaining 91 percent, it is not clear whether the NSA uses a subset of those vulnerabilities before it discloses them."

In the case of Stuxnet, the U.S. and Israel reportedly used undisclosed vulnerabilities to build malware that attacked industrial control systems in Iran, as part of an effort to disrupt that country's suspected uranium enrichment program.

Timing of the Matter

The timing of the infographic's publication is another issue that has raised questions.
The Electronic Frontier Foundation last year filed suit to force the federal government to disclose the so-called Vulnerabilities Equities Process, which is used by the FBI, NSA and other agencies to determine whether to disclose vulnerabilities to software developers or other affected parties, or to retain them for the government's own operations.

The massive Heartbleed bug discovered last year left millions of computer users vulnerable. Disclosures by former NSA contractor Edward Snowden, EFF and a number of other privacy advocates raised serious questions about whether the agency allowed that open wound to fester for two years while it exploited the security hole, only to deny knowledge of it.

The infographic happened to post the exact same day that government lawyers filed for summary judgment in the suit EFF brought regarding the VEP, noted Andrew Crocker, staff attorney at EFF, although a direct connection cannot be established.

There have been reports that the National Security Council and Department of Homeland Security are taking a more active role in making sure there is a strong movement in favor of disclosure, he told TechNewsWorld, "but we'd like to see more transparency, such as public reporting about how the process works," which is requested in the litigation, "as well as some way of understanding the volume, number of vulnerabilities the government handles, and even the budget devoted to it."

Spit and Polish

On the other hand, the timing may be no more than an effort to remove some tarnish from the agency's public image.

"The NSA has in recent years struggled from a public relations perspective; one can imagine that they would prefer that the discussion be focused on the 91 percent of exploits that they do report, and the -- perhaps unexpected -- indication that they adhere to the principle of sunlight being the most effective disinfectant," observed GreatHorn CEO Kevin O'Brien.
It is also significant that what the NSA is reporting -- or not reporting, as the case may be -- are vulnerabilities.

"Software exploits of this kind -- unintentional issues that are researched and reported on -- are a different kind from the more sophisticated types of cyberattack that lead to large breaches," O'Brien told TechNewsWorld.

For example, exploits of trust go after comparatively soft targets -- people -- rather than systems and software, he pointed out.

"As a security professional, having the NSA allocating resources to finding these kinds of issues is comforting," O'Brien said. "They're a resource that, on many levels, has the best interests of United States and its national security in mind. Bluntly put, someone will find these exploits; I'd rather it be an agency which is aligned with our national security."

The NSA may need to split its duties with a new security-related agency that can take the function of fixing vulnerabilities out of the hands of an entity that spends most of its time in the business of analyzing intelligence, suggested Kevin Krewell, principal analyst at Tirias Research.

"The NSA is conflicted on security issues," he told TechNewsWorld. "On the one hand, it should be supporting more software security to protect the interests of the U.S.A. Yet on the other hand, security vulnerabilities are extremely important for their mission to gather information."

NSA officials did not respond to our request to comment for this story.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
Copyright 1998-2016 ECT News Network, Inc. All Rights Reserved.