The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.
The reassurances may be misleading, because the NSA often uses the vulnerabilities to mount its own cyber attacks first, according to current and former U.S. government officials. Only then does the NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.
At issue is the U.S. policy on so-called “zero-days,” serious software flaws that are of great value to both hackers and spies because the vendor, and therefore its users, do not yet know about them. The term counts the days of warning defenders have had to patch: a zero-day is exploited before any fix exists, whereas a flaw exploited two days after a patch ships (a “two-day”) is less dangerous because defenders have had two days to apply it.
The best-known use of zero-days was in Stuxnet, the worm developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear program and sabotage centrifuges that were enriching uranium; it exploited four previously unknown Windows flaws.
Source: Reuters, “NSA says how often, not when, it discloses software flaws”