Black Hat: Exploit Farming
Thu, Aug 02, 2012 by Andrew Conway
My alma mater, Cambridge University, has made significant contributions to military intelligence over the years. Cambridge graduate Alan Turing helped to break the Enigma code, and during and after WWII a group of Cambridge graduates acting as sleeper agents performed one of the most successful infiltrations of an intelligence agency ever. Unfortunately they infiltrated British Intelligence on behalf of the KGB… Which just goes to show that the people you think are the brightest and most trustworthy may in fact be trapped into working for the dark side because of one bad decision made in their college years.
A panel of security experts at Black Hat discussed, among other things, the idea of “exploit farming.” The military and commercial value of being the only party to know about an exploit is potentially immense, enough that it would be worth planting bright young engineers as sleeper agents in major operating system and networking companies. Then in a few years when they are in a position to do so, get them to introduce a few lines of code to deliberately introduce a vulnerability. “Hey, kid, I’ll pay off your student loan debt, and all you have to do is go to work for Microsoft and in a few years add a couple of lines of code for me.”
This raises the possibility of state-sponsored exploit farming. An unscrupulous foreign power could take their best Computer Science graduates and send them to the US with a scholarship to get an advanced degree, and instructions to stay on and find a job with Cisco, Microsoft, RSA, Google, Apple, Adobe or any other major infrastructure company. As they work their way up to greater responsibilities, greater demands would be made of them. First, copies of critical source code, then perhaps introducing spyware into the corporate network, and finally corrupting the code itself by introducing vulnerabilities for the foreign power to exploit.
Of course, the country best positioned to play that game is the country where all the major operating systems are developed. There’s no need to plant agents; you can go straight to the top. I don’t think it’s likely that the US Government would pressure Microsoft to deliberately introduce vulnerabilities into Windows to be used against foreign competitors, but I do think that they might ask for advance notification the moment MS is aware of a bug, before the fix is pushed out. What happens to that information in the hands of Uncle Sam is anybody’s guess, but if I’m smart enough to think of using it for espionage, I’m pretty sure that someone in the government is as well.
It’s worth noting that the governments of China, Russia, North Korea and Cuba are concerned enough about this possibility (or maybe just about paying license fees to Redmond) that they are all developing their own national operating systems based on… wait for it… Linux! That’s an operating system put together by an international group of hackers with the kernel in the hands of a man with a cavalier attitude towards security. A few years back Linus Torvalds said, “I refuse to bother with the whole security circus.” Linus, do you realize that by not prioritizing security vulnerabilities in Linux you are putting the national information security policies of China, Russia, North Korea and Cuba at risk?
A couple of years after Mr Torvalds made this statement he was granted US Citizenship. Wait a minute… you don’t think? No, it couldn’t be.