Category Archives: NSA

CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belonged to an NSA contractor that has been called the Equation Group.

Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks.  And probably government networks too.  The exploits attack Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created.  That problem is that the same organization that is responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and that is a conflict of interest it cannot resolve.  When the NSA / Cybercom finds a vulnerability, they have to decide whether they are going to tell the manufacturer so that it can be fixed, or keep it to themselves so that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that if the NSA was able to find the bug, it is likely that the Chinese or the Russians were able to find it too.  And the Chinese are unlikely to tell Cisco or Fortinet about it, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.

So here we have a group of hackers (The Shadow Brokers) that released a whole trove of bugs already converted into working attacks.  That is good for users in the long run, because now the bugs will eventually be fixed, but in the meantime, until they are fixed, anyone can use those attacks against you and me.

The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.

The alert makes a couple of very useful suggestions:

  1. Segregate your network.  What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break through the front door.  The alert provides suggestions on how to do that.
  2. Limit “lateral” communications.  What this means is that you want to stop peer computers (workstation to workstation, for example) from talking to each other unless there is a business reason for it.
  3. Harden network devices.  This means, on firewalls and such, encrypt all management traffic (no Telnet or other cleartext administration), use robust passwords, restrict physical access, and follow the other suggestions described in the alert.
  4. Secure access to firewalls and switches, so that only authorized administrators, coming from authorized management hosts, can reach them.
  5. Perform out-of-band management.  Putting the management plane on its own network keeps an attacker who has a foothold on the production network from reaching the devices’ management interfaces at all.
  6. Validate the integrity of the hardware and software, for example by checking image hashes against the vendor’s published values and buying hardware only through authorized channels.
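As an added example (it is not from the CERT alert or from this post), here is a small Python checker that applies items 3 and 4 above to a saved router or switch configuration written in Cisco IOS syntax.  It flags cleartext management (Telnet on the vty lines, the HTTP server), weak credential handling (`enable password` instead of `enable secret`), default or read-write SNMP communities, SNMP and vty access that is not restricted to a management ACL, and missing session timeouts.  The two configurations embedded in it are constructed for illustration, not real device exports, and the checks are a starting point rather than a complete hardening baseline.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample configurations in IOS syntax (not real device exports).
# The first is the kind of config the alert warns about; the second is the
# same device after the findings below have been addressed.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 login local
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$examplehashvalue
ip ssh version 2
no ip http server
access-list 10 permit 10.99.0.0 0.0.0.255
snmp-server community Z7pq!v2sLongRandom RO 10
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
"""

# Community strings that ship as defaults and are guessed first by any scanner.
DEFAULT_COMMUNITIES = {"public", "private"}


def _vty_blocks(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, child lines) for each 'line vty ...' stanza.

    IOS indents the children of a stanza with one space, so a stanza ends at
    the next non-indented line.
    """
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_config(config: str) -> List[str]:
    """Return a list of hardening findings for one IOS-style configuration."""
    findings: List[str] = []
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]
    top = [ln for ln in lines if not ln.startswith(" ")]

    # Credentials: 'enable password' is stored reversibly; 'enable secret' is hashed.
    if any(ln.startswith("enable password ") for ln in top):
        findings.append("enable password (reversible) used instead of enable secret")
    if not any(ln.startswith("enable secret ") for ln in top):
        findings.append("no enable secret configured")

    # Management plane: force SSHv2 and turn off the HTTP server.
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 not enforced")
    if "ip http server" in top:
        findings.append("HTTP management server enabled")

    # SNMP: default names, write access, and communities open to any source.
    for ln in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?", ln)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{community}'")
        if mode == "RW":
            findings.append(f"read-write SNMP community '{community}'")
        if acl is None:
            findings.append(f"SNMP community '{community}' not restricted by ACL")

    # Remote login lines: no Telnet, restrict sources, and time idle sessions out.
    for header, body in _vty_blocks(lines):
        transports = [b for b in body if b.startswith("transport input")]
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{header}: telnet (cleartext) permitted or transport not pinned to ssh")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting management sources")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{header}: no exec-timeout")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run it against `show running-config` output captured from each device, and treat every finding as a question to answer rather than an automatic fail; the hardened sample shows what the same device looks like once the findings are addressed.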

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild, and that NOW these attacks are known to every hacker on the planet, it is critical that companies protect themselves.


The CERT advisory can be found here.

A Wired article on the issue can be found here.


NSA Hack Appears Real – Sort Of

Last week a group of hackers called Shadow Brokers claimed to have a set of NSA hacking tools available for sale on the dark web.  The tools were supposedly stolen from the Equation Group, which has been loosely linked to the NSA.

If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.

The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.

Some of the exploits targeted routers and firewalls from several major vendors – Cisco, Fortinet, Juniper and Topsec (Chinese).  Their initial post said that if they got 1 million bitcoins (around half a billion dollars), they would release all the code publicly.   The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?”.  Certainly, if all of this is true, they could wreak some havoc.

Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it.  That seems a whole lot more plausible than hacking the NSA itself.  Still, the tools would be very interesting.

Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.

The Intercept (Glenn Greenwald, who broke the original Snowden story) says that the tools are genuine NSA tools.  That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

A manual that had not been previously released by Snowden refers to tagging the NSA’s deployments of a particular malware program with the string “ace02468bdf13579”.  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.

If these tools were really in the possession of Russia, how long have they had them (years, possibly), and have they used them against Western organizations?  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

This could mean that the sellers have already used them, and, possibly, some of the holes have been patched in the meantime, making the tools less useful – though not useless, since not everyone applies patches.

Apparently, according to the documentation released, SECONDDATE intercepts web requests and redirects them to an NSA-controlled server, which replies with malware, infecting the requestor.  Believe it or not, this is definitely possible, no question about it: an attacker sitting on the path of unencrypted web traffic can answer a request before the real server does.  In fact, some known attacks have used this technique.  Again according to the documents, this tool was used to spy on Pakistan and Lebanon.  According to the manual, operators had to use the string above to avoid reinfecting target systems.  That string appears 14 times in the files that Shadow Brokers released.

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were obtained.  We know that they are years old and date to the time of the Snowden leaks.  We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.

If the attackers do eventually release all of the code, it will likely identify more zero-day exploits that the vendors can close, but as far as I can tell, there are way more where those came from, so don’t worry that the NSA is going to go out of business.  I guess that is good news/bad news.  Good news in that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed.  Bad news in that we don’t know who had access to these tools, for how long, and whether or not agents from non-friendly countries used them against us.

This story just gets wilder.

Information for this post came from two Network World articles and The Intercept.

NSA Wants To Monitor Your Pacemaker

No, you don’t have to check your calendar, it is not April Fools’ Day, and yes, they really do want to do that.  Along with the rest of your medical devices.

Some of you may remember that when Dick Cheney was Vice President, his doctors disabled the wireless interface on his implanted heart device so that the bad guys couldn’t take him out by manipulating it.

Pacemakers and other medical devices are really just a specialized version of Internet of Things (IoT) devices and, like them, their manufacturers are more concerned about FDA approval (or sales) than hackers.

Richard Ledgett, the NSA’s Deputy Director and in effect its chief operating officer, spoke at the Defense One Tech Summit last month in Washington.  He said that they are looking at it from a theoretical point of view right now.  I think that means that they have not figured out how to exploit them yet.  He said that it would not be one of their core intelligence tools; rather, it would be a niche kind of thing.

As I said, a pacemaker is just a specific instance of an IoT device and Ledgett said that they are looking at information from any Internet connected device.

James Clapper, the Director of National Intelligence,  said in a Senate hearing in February that devices connected to the Internet could be useful “for identification, surveillance, monitoring, location tracking and targeting for recruitment, or to gain access to networks or user credentials.”

That seems like a pretty good list of uses to me.  They are going to need to figure out exactly how to exploit them, but it sounds like they are already working on the problem.

To be clear, that is their job and as long as they don’t break the law, it certainly is a legitimate way to gain intelligence.

As long as IoT device manufacturers don’t improve the security of their devices, it may not be a very difficult task to hack them.

Unfortunately, that means that not only the NSA but also the Chinese, the North Koreans and commercial hackers can hack them.  Remember what happened in Ukraine last December, when attackers took over the electric distribution system and turned off the power, and with it the heat, in the middle of the Ukrainian winter.  Those attackers were only interested in damaging the infrastructure.  What if, instead, they decided to turn off the electricity or water in a city until a ransom was paid or some other demand was met?  While I am less concerned about the NSA doing that, at least in the US, I am less confident that the North Koreans or commercial hackers will play by the rules, whatever the rules are these days.

Information for this post came from The Verge.


NSA Refused Clinton A Secure Blackberry

THIS IS NOT A POLITICAL POST.  But the story does have, I think, an extremely important message to all corporate I.T. and security people.

Here is the Clinton story. Judicial Watch, the conservative watchdog group that has been driving the Clinton email investigation, got some documents under a Freedom of Information Act request that are enlightening.

Apparently, Clinton was not a computer user, but someone gave her a Blackberry and, after a while, she became addicted to it.

But, the seventh floor at Foggy Bottom (State Department HQ, mahogany row) was a wireless free zone for security reasons, so she had to leave her Blackberry in a locker outside, just like the rest of us do when we enter a SCIF or high security area.  The effect of that was that she would be without email access for hours at a time and would run outside on breaks to check her email.

In fact, they crafted an office for her, outside the SCIF, so that she could go read her emails a couple of times a day.

In an effort to solve this problem, Donald Reid, the State Department’s coordinator for security infrastructure, said that he repeatedly asked the NSA what their solution was for the President’s Blackberry addiction and was “politely told to shut up and color”.  Great quote.  Probably not for the NSA, but I like it.

So  what did Clinton do?  She did what every executive will do in the face of being told no.  She told them to F@#$ Off and used her own Blackberry, insecure as it was.

NSA did have a secure phone, called a SME-PED.  SME-PED stands for Secure Mobile Environment Portable Electronic Device.  Think about holding a brick up to your face and talking into the brick.  People I know who have one call it a Franken-phone.  It was a horrible device and never accepted in the military – except when forced on low-ranking soldiers.  I recall many stories of military brass asking their keepers to borrow their personal phone to make calls, the SME-PED was so bad.

(Image: a SME-PED)

Not only were SME-PEDs horrible to use, they cost, according to Ars, almost $5,000, which, to spend on the SoS, is not a big deal.  On top of it, according to some special ops folks who showed me one (but wouldn’t let me touch it even though I had a clearance – I didn’t have a need to know), the rules for handling it were unworkable also.  You basically had to treat it like the classified information it contained.

Condoleezza Rice, Clinton’s predecessor as Secretary of State, had received waivers for her and her staff to use their own Blackberrys.  But now, under the new administration, they wanted Clinton to use this brick, the SME-PED.

The SME-PED was only cleared to handle information classified at the SECRET level, not TOP SECRET or compartmented (SCI) information, so even if she had used one, it would not have been able to hold the information that people now complain was found, in a few instances, on her Blackberry: unmarked at the time and classified after the fact.

All that was background.  Here is the important part and if you don’t already know this, you should.

IF YOU (I.T. OR SECURITY) TELL PEOPLE IN YOUR ORGANIZATION THAT THEY CAN’T DO SOMETHING THEY THINK IS IMPORTANT, FOR SECURITY REASONS, THEY WILL DO IT ANYWAY IF THEY THINK THEY CAN GET AWAY WITH IT.

I have been having the conversation with a friend of mine in the DoD who keeps saying that if he did what Clinton is accused of doing that he would get fired and likely brought up on charges.  And I have no doubt that he is right.

But executives have different rules.  Colin Powell used his personal email.  He said the State Department computers were totally unusable.   Condi Rice and her entire staff used Blackberrys.  No one got in trouble for doing that.  You could counter that Rice got permission to do that – Powell did not – but Clinton asked for permission and was told to shut up and color.  My friend points to General Petraeus, who didn’t risk having his classified material compromised; he willingly gave it (his personal notebooks) to his mistress.  There is no question about whether that material was compromised; we know it was.  And he was the Director of the Central Intelligence Agency.  Should he, kind of, know better?  Not to mention, having a mistress is kind of a violation of military rules.

What happened to the General?  Well, he had to retire.  Sadness.  He was ordered to pay a $100,000 fine and serve two years’ probation.  Granted, this was a much more serious penalty than the 100 hours of community service that Sandy Berger got for removing classified documents from the National Archives, but Berger didn’t give them to his mistress.

According to CBS, the Pentagon considered retroactively removing one of General Petraeus’ stars (demoting him), but decided not to because he apologized.

So, apparently, if you are Brass and you break the law, violate the Uniform Code of Military Justice and give classified documents to your mistress, but say you are sorry, then we are good?  He doesn’t have to forfeit his pension of $230,000+ a year.  And, of course, he has a private-sector “consulting” job working for KKR making seven figures a year (see here).

None of this is unusual, but the point is, DON’T TELL PEOPLE THEY CAN’T;  THEY WILL THUMB THEIR NOSE AT YOU AND DO IT ANYWAY.

Just my two cents.

Information for this post came from Ars Technica.


U.S. Discloses Zero-Day Exploitation Practices

The U.S. government acknowledged that it uses zero-day bugs not only for espionage and intelligence gathering, but also for law enforcement.  What else it uses them for is still unknown.

Last November, the government released a document titled Vulnerabilities Equities Process.  This document describes the policy, dating back to 2010, under which agencies decide whether to tell vendors about bugs they know about or keep them for their own use.

The document was redacted, the government claiming that confirming what everyone already knows – that they don’t always report bugs that they know about – would damage national security.  Not sure how that could possibly be, but that is what they claimed.

The government has now removed some of those redactions and thereby confirmed what everyone already knew – that the government uses zero-day exploits so that the FBI and other agencies can hack into U.S. citizens’ computers, hopefully with appropriate oversight – although the oversight process, if it exists, is still unknown.

The document says that there is a group within the government that reviews zero-days and decides how they will be handled and to whom they will be distributed.  The NSA, not surprisingly, is in charge of this group.

Before we beat up the U.S. government too much, likely every other government on the planet does the same thing – likely with similar rules of engagement.

Still, this release of information does answer the question of whether “We’re from the government, we’re here to help you” applies.

Not always.


Should We Compromise Security For Preventing Terrorism?

After the Paris attacks, politicians have been falling all over themselves trying to be more anti-terrorist than the next one.  Prior to the attacks, the odds of the CISA bill passing Congress were dicey.  Now the odds are pretty high, even though that bill will do almost nothing in terms of preventing terrorism.

One of the big issues is encryption.  Web site encryption (HTTPS, i.e., SSL/TLS) is really not the issue, because the site operator holds the keys and the data.  It takes the government a little effort (legal process served on the operator), but it doesn’t really stop them.

A bigger problem is encrypted phones – iPhones and Androids – for which Apple and Google do not hold the keys to decrypt the device.  This means that the government has to get a judge to issue a warrant or subpoena and then go to the owner, assuming the owner hasn’t been killed, say by a drone strike, and get them to comply.  If the owner is dead or not in the U.S., that is hard to do.  Hence, the government would like to have a secure back door.

However, secure and back door cannot exist in the same sentence.  You can have either one – just not both.  Many noted cryptographers and computer scientists signed a letter to Congress recently stating this, so it is not just me who thinks this is not possible.

Assuming the government or many private companies had a skeleton key to get in (and there would need to be tens of thousands of these keys, given the number of software vendors out there) – given the number of breaches of both government systems and private company systems – do you really think that we could keep a skeleton key private for many years?  I don’t think so.  And wherever those tens of thousands of keys were stored would be a super hot target for hackers.

Then you have the applications to deal with.  There are thousands, if not hundreds of thousands, of applications, many written by one-person companies in some country like Ukraine or China.

Assuming the government required a back door, do you really think a developer in China would really care?  I didn’t think so.  Do you really think that you could stop a terrorist from getting that software from China or some other country?  No again.

So let’s look at the real world.

According to police reports and the Wired article, police have found cell phones next to dead terrorists – like the ones who blew themselves up in Paris – and in trash cans.  Are these phones encrypted with impenetrable encryption?  No, they are not encrypted at all.

Sure, some terrorists are using software like Telegram that is encrypted.  What we have to be VERY careful about is which software is really secure and which software only pretends to be secure.  The article gives some examples.  If you believe the FBI or NSA is going to tell you which software fits in which category, then I have a bridge for sale, just for you, in Brooklyn.

Once the feds find a phone, they can go to the carrier and get the records from the carrier side.  That gives them the call log, text messages (where the carrier retains them), the phone numbers involved, cell-site location history, etc.  Is this perfect?  No, it is not.  They used these facts in Paris to launch the second raid – the one in Saint-Denis – where they killed the mastermind of the first attack.  And, while they have not said this publicly, this is likely how they captured the terrorists in Belgium.

All that being said would the feds love all the traffic to be unencrypted? Sure.  Does that mean they are going blind, like they have claimed?  Nope.  Not even close.

In talking with a friend who used to be high up in one of the three letter agencies, he said that he has been warning them for 10 years that this is going to be a problem and they better plan for it.  How much planning they have done is classified – and needs to remain that way.

Creating the smoke screen that they are going blind is a great way to lull terrorists into a false sense of security – right up until the moment the drone strike happens.  If you don’t think that they are doing this on purpose, I recommend you rethink your position.

In talking with another very high ranking former DHS executive about whether we should weaken the crypto, he is very emphatic that the answer is no.

This is basically a repeat of the crypto wars of the 1990s, when the government tried to get everyone to use a crypto chip with a built-in government back door (the Clipper chip).  The concept didn’t work then.  Now there is software being developed in every country in the world, and if the NSA or FBI thinks that they can put the genie back in the bottle, they are fooling themselves.

I recommend reading the Wired article – it will provide a different perspective on the situation.

Information for this article came from Wired.
