For a homeowner the only thing worse than coming home to find your house broken into is to discover the burglars broke your door lock and left the door wide open — inviting others to join in pillaging your property. A report released the day before yesterday by Kaspersky Labs shows that the U.S. military have taken things to a new low in that regard. Read on.
“Equation: The Death Star of the Malware Galaxy” documents how elements of the National Security Agency (NSA), a wholly owned subsidiary of the U.S. Department of Defense, broke open the back doors of hard drives everywhere to further their efforts to monitor everyone.
Their primary crowbar of choice is malware that irretrievably embeds itself in hard drive firmware to make it possible for the agency’s software to survey systems and phone home with their results. In effect what they’ve done is create a burglar’s dream, an unfixable broken lock. They seem to have done so without regard to the damage that could result to the property of their targets, who happen to be you, me and everyone else in the world. They are the dirty tramps of the black hat world, wrecking your home and leaving it wide open to further infiltration and destruction from environmental onslaught. If one day your hard drive fails and takes with it the precious photos of your children growing up, it may very well turn out that you have the Equation group to thank.
The worst part about this is that as a U.S. citizen who is among the subgroup that actually pays a significant part of my income in taxes, I am paying for this. That’s right, I’m paying my government to weaken the security of my systems, and possibly shorten the useful life of its components.
As I’ve said before in more places than I’d like to recall, the first priority of our military should be to defend its citizens. The whole “best defense is a strong offense” meme doesn’t translate into the modern world of computers any more than it does to modern naval warfare. The best defense is to effectively prevent or repel attacks. In computer security terms you do that by auditing code, developing and enforcing strong access controls, and educating users on how to avoid infiltration through mechanisms like encrypted connections. If the US military spent even a fraction of the hundreds of billions of dollars shoveled at them for “cyber” defense on promoting those kinds of defensive measures, we might actually have something to show for it now other than the quick exit to private consulting by the generals and admirals who have so mismanaged things so far.