US Used Zero-Day Exploits Before It Had Policies for Them

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2015/03/us-used-zero-day-exploits-policies/

By Kim Zetter
Security
Wired.com
March 30, 2015

AROUND THE SAME time the US and Israel were already developing and 
unleashing Stuxnet on computers in Iran, using five zero-day exploits to 
get the digital weapon onto machines there, the government realized it 
needed a policy for how it should handle zero-day vulnerabilities, 
according to a new document obtained by the Electronic Frontier 
Foundation.

The document, found among a handful of heavily redacted pages released 
after the civil liberties group sued the Office of the Director of 
National Intelligence to obtain them, sheds light on the backstory behind 
the development of the government’s zero-day policy and offers some 
insight into the motivations for establishing it. What the documents don’t 
do, however, is provide support for the government’s assertions that it 
discloses the “vast majority” of zero-day vulnerabilities it discovers 
instead of keeping them secret and exploiting them.

“The level of transparency we have now is not enough,” says Andrew Crocker 
a legal fellow at EFF. “It doesn’t answer a lot of questions about how 
often the intelligence community is disclosing, whether they’re really 
following this process, and who is involved in making these decisions in 
the executive branch. More transparency is needed.”

The timeframe around the development of the policy does make clear, 
however, that the government was deploying zero-days to attack systems 
long before it had established a formal policy for their use.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/