The NSA doesn't need "zero-days" to get into your data, they'll just wait ... and wait and wait.
A top official at the National Security Agency has been spilling the beans on how they hack into your system, as we reported recently, and also described ways to avoid it. But there’s another interesting tidbit in all this: contrary to popular opinion, the NSA doesn’t rely on “zero-days” to hack, they’re just super patient.
Rob Joyce, the chief of NSA’s secretive Tailored Access Operations (TAO) cell, spoke at a security conference in San Francisco about how the NSA goes about its business, while also providing some tips on how to make their job more difficult.
What is a zero-day exploit? It refers to a previously undisclosed computer-software vulnerability that hackers are able to exploit, gaining access to a network. It is called “zero-day” because the software’s author has zero days to figure out how to patch up the flaw after it becomes known. This allows quick and easy access, albeit temporary, for hackers.
But although the popular opinion was that the NSA was relying on this method to hack, that’s not the case, Joyce said at the conference.
“I think a lot of people think the nation states, they’re running on this engine of zero-days,” Joyce said according to an Engadget report. “You go out with your master skeleton key and unlock the door and you’re in. It’s not that. Take these big, corporate networks, these large networks, any large network — I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days.”
Instead, the NSA is like a predator, lying in wait and being patient and persistent until a more solid opening presents itself. This allows the NSA more time to root around in a network for the data it wants before it is kicked out.
It just goes to show you can never be certain when it comes to the NSA, and the importance of taking extra security measures to keep people out.