Security

Microsoft Revealing Software Security Flaws to US Government

By David Gilbert on June 14, 2013 6:26 AM EDT 0

The US government is being informed highly-sensitive security flaws in Microsoft software by the company itself, before it issues fixes for them.

As part of a wide-ranging and top secret programme Microsoft and thousands of other companies reveal sensitive information to US intelligence agencies.
As part of a wide-ranging and top secret programme Microsoft and thousands of other companies reveal sensitive information to US intelligence agencies.

The highly covert programme allows US intelligence agencies and cyber-warfare units to better protect their own systems, but more importantly hands them a huge advantage in the rapidly expanding cyber-espionage world giving them the ability to more easily infiltrate the networks of their targets.

Like Us on Facebook

The news comes from Bloomberg which cites four people familiar with the programme, and comes in the same week as National Security Agency (NSA) whistleblower Edward Snowden revealed details of a covert programme called Prism which potentially allows intelligence operatives access to a huge amounts of personal information stored by companies like Google, Facebook, Skype and Microsoft.

The sources speaking to Bloomberg say Microsoft is just one of "thousands of technology, finance, manufacturing companies" who are working closely with the US national security agencies and giving them hugely sensitive information, some of which is never made public.

The deal is a two-way street with the so-called "trusted partners" getting access to classified intelligence from the US government in return for their cooperation.

Flame

In recent years a number of high-profile cyber-weapons developed by the US government under it secretive Olympic Games programme have been uncovered, including Stuxnet which attacked the Iranian nuclear facility at Natanz.

Last year another powerful cyber-weapon was discovered, called Flame, which was able to spread through infected systems by creating what looked like valid Microsoft certificates.

At the time there was a lot of discussion about how those behind Flame had managed to crack what is seen as one of the crown jewels of the technology world, with many believing that huge supercomputers were used to crack the cryptographic code needed to create this seemingly-valid certificates.

This revelation however seems to shed new light on how the powerful malware was created and could implicate Microsoft in aiding the US government's development of Flame.

Don't ask

However officials told Bloomberg that Microsoft isn't told or doesn't ask how these early alerts are used by the agencies involved. Microsoft's director of communications Frank Shaw said the releases occur in cooperation with multiple agencies and are designed to be give government "an early start" on risk assessment and mitigation.

Despite widespread belief that the US government developed Stuxnet and Flame - in partnership with Israel - it has never publicly taken credit for the malware.

Two US officials told Bloomberg that Microsoft and other software and internet companies were aware that revealing the bugs to agencies like the Central Intelligence Agency (CIA), the Federal Bureau of Investigations (FBI) and NSA before telling anyone else allowed the US to exploit vulnerabilities in software sold to foreign governments.

Motivation

The deals struck between the companies involved and the US government are highly secretive and usually only a small handful of people within the company know about them with deals typically brokered directly with the CEO.

While companies are motivated by a sense of patriotism and a desire to help protect the national defences, they are also looking to advance their own causes, with access to classified information highly valued.

According to the sources speaking to Bloomberg, the programme allows the US government to circumvent oversight by the Foreign Intelligence Surveillance Act because companies agree to give the US government direct access to facilities and data offshore which doesn't require a judge's order.

Angry denials

It means that only a small handful of lawyers and US intelligence officials monitor the amount of data being collected and suggests that there is a lot less oversight than the US government has claimed previously when defending the Prism leaks by Snowden last week.

It also calls into question the angry denials issued by all companies implicated in the Prism documents, including Microsoft, with the companies saying they have done nothing wrong and don't allow the US government unfettered access to their customers' personal information.

Following an intelligence briefing with security officials on Tuesday, Congresswoman Loretta Sanchez said what has been revealed in the media so far is "just the tip of the iceberg" adding "what we learned [at the meeting] is significantly more than what is out in the media today."

Sanchez is prohibited from revealing any more about what was told in intelligence briefings.

McAfee cooperation

Another company named by the sources was the Intel-owned security firm McAfee who is said to work regularly with the CIA, FBI and NSA and is said to be a valuable partner because of its broad view of the malicious threats which are out there at any given time.

The source said the public would be "surprised" by how much help the government seeks from McAfee.

The company denied handing over any customer data however, with chief technology officer Michael Fey saying: "We do not share any type of personal information with our government agency partners. McAfee's function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity."

Two-way street

The programme also works in favour of the companies involved with the government sometimes providing quick warnings about potential threats which could impact the company's bottom line.

In 2010 Google was attacked by hackers based in China. As a result Google's co-founder Sergey Brin was given highly sensitive government intelligence linking the attack to a specific unit of the People's Liberation Army, according to one of the people who is familiar with the government's investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.

Join our conversation

mute
  • Print
  • 0
Most Popular
Most Discussed
Facebook Activity