Supervisor: secret services were careless in hacking operations

The Dutch secret services have not been sufficiently clear about the use of an undiscovered security hole during hacking operations. Because the use of these so-called ‘zero days’ carries risks, for example if they leak out and are also used by others, the services must report the use of such vulnerabilities to the Testing Committee for Deployment Powers (TIB). Prior to intelligence operations, this supervisor assesses whether the risks of a hack are acceptable, but for this it depends on information provided by the services.

However, the reporting of undiscovered security holes was not always done with care, according to the TIB’s annual report published on Friday. It was not until mid-2021 that the leadership of the AIVD and the MIVD informed the supervisor about the use of a zero day in ‘a number of’ hacking operations since May 2018. In one case, one of the services informed the supervisor in advance that it had ‘no visibility’ into the way the hack would be carried out. “It turned out afterwards that the service in question knew in advance how to hack with the unknown vulnerability. Moreover, it turned out to have been exploited unencrypted,” writes the TIB after its own investigation into the hacks carried out by the services.

The services prefer to keep a good zero day to themselves. As long as only they know about the security hole, it is an easy and exclusive entrance to computer systems. That balance changes if a zero day does leak: then countless systems are suddenly vulnerable until the gap is closed.

Hackers also know where to find the zero days: when at the end of last year an undiscovered flaw in the popular software Log4j threatened to create holes in the security of many thousands of computer systems worldwide, they immediately tried to penetrate vulnerable computers on a large scale. Through careless use, another intelligence service or hacker group can also track down a zero day itself and add it to its own arsenal. “Then it can be used against you like a boomerang,” said TIB chairman Mariëtte Moussault in a recent interview with NRC.

According to the services, the technical risks of the hacks were sufficiently accounted for to the regulator, despite the zero day not being mentioned. The TIB says in the annual report that it would not have approved the hack in question “if it had been aware of the relevant facts and circumstances that were already known to the service at that time”.

Blacked out

Details of the hack where this particular zero day was deployed remain unknown, as is common in the state secret domain of the agencies and their regulators. This time, however, even certain passages on the matter in the TIB’s annual report have been blacked out by order of the intelligence services.

Passages have also been made illegible in the chapters on intercepting large amounts of internet traffic (‘dragging’) and on ‘strategic hacking’. The requests for the latter hacking operations – according to the services necessary to detect ‘unknown threats’ by, for example, already occupying a key position in a network – were ‘very far-reaching’ in 2021 and were therefore rejected by the regulator.

In any case, the TIB rejected many more applications from the services last year, because the proposed operations were not proportional and, for example, collected much more data than the regulator deemed necessary. It concerned 54 of the more than three thousand requests. In 2020, thirteen applications were ‘non-proportional’. In a rejected request to collect internet data from the cable on a large scale, the services wanted to collect six to eight times more data than in an earlier request, according to the regulator, “while important guarantees expired”.

The possibilities for strategic hacking and wiretapping internet traffic will be greatly expanded as a result of a new bill. Testing the technical risks in a hack and reporting a zero day will then no longer apply. About the blacked-out passages, the TIB writes in its annual report: “It is precisely with these special powers that clarity about the scope and impact is important. […] However, the Minister of the Interior and Kingdom Relations and the Minister of Defense are of the opinion that the few passages provide too much insight into the working methods of the services and are therefore a state secret.”
