Category Archives: NSA

NSA Publishes Cloud Security Risk Mitigation Guide

Maybe this is the NEW AND IMPROVED NSA.

From the NSA document:

This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.

The document goes on to talk about the components of cloud computing and the basic tenets of cloud security, such as:

  • Cloud encryption
  • Key management
  • Shared security responsibilities
  • Who the threat actors are
  • Vulnerabilities and mitigations
  • and a dozen reference documents

The vulnerabilities and mitigations section is especially good.
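The two vulnerability classes the guide says customers own outright, misconfiguration and poor access control, are the ones you can check mechanically. The script below is an added example, not code from the NSA document: it takes a constructed storage-bucket resource policy and a constructed identity policy (written in the common cloud policy JSON shape, with made-up bucket and account identifiers) and flags statements that grant access to any principal without a condition, or grant every action on every resource.

```python
"""Flag the two customer-owned cloud vulnerability classes, misconfiguration
and poor access control, in resource and identity policies.

Added example. The policies are constructed for illustration and the checks
are a minimal subset of what a real cloud posture tool evaluates."""
import json

# Constructed sample: a bucket policy whose first statement lets anyone read
# objects (misconfiguration); the second statement is scoped to one role.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample: an identity policy whose first statement is "do anything
# to anything" (poor access control); the second is least-privilege.
ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {"AWS": "*"} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy_json):
    """Misconfiguration: Allow statements open to any principal with no Condition.

    Returns (statement index, actions, resources) for each offending statement."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if _is_public_principal(st.get("Principal")) and not st.get("Condition"):
            findings.append((i, _as_list(st.get("Action")), _as_list(st.get("Resource"))))
    return findings


def find_wildcard_grants(policy_json):
    """Poor access control: Allow statements granting '*' actions on '*' resources.

    Returns the indices of offending statements. Service-wide wildcards such as
    "s3:*" are also worth reviewing but are left out of this minimal check."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
            findings.append(i)
    return findings


if __name__ == "__main__":
    for idx, actions, resources in find_public_grants(BUCKET_POLICY):
        print(f"public grant in bucket policy statement {idx}: {actions} on {resources}")
    for idx in find_wildcard_grants(ROLE_POLICY):
        print(f"wildcard grant in role policy statement {idx}: '*' on '*'")
```

Both checks deliberately ignore Deny statements and conditions; a real evaluator has to resolve the full policy logic, but a public principal with no condition or a `*`/`*` grant is worth a finding regardless of what else the policy says.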

Even though it is a bit techie and managers may not understand every detail, I recommend this for managers too.  It helps them understand what their team is up against.

Read the NSA manifesto here


Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions.  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hoards security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.

CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belong to an NSA contractor that has been called the Equation Group.

Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks.  And probably government networks too.  The exploits attack Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created.  That problem is that the same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and that is a conflict they cannot resolve.  When the NSA / Cybercom finds a vulnerability, they have to decide if they are going to tell the manufacturer so that they can fix it, or keep it to themselves so that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it also.  And the Chinese are unlikely to tell Cisco or Fortinet about their bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.

So here we have a group of anti-hackers (The Shadow Brokers) that released a whole trove of bugs converted to attacks, which is good for users because now the bugs will eventually be fixed, but in the meantime, until they get fixed, the hackers can use them to attack you and me.

The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.

The alert makes a couple of very useful suggestions:

  1. Segregate your network.  What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break through the front door.  The alert provides suggestions on how to do that.
  2. Limit “lateral” communications.  What this means is that you want to limit peer-to-peer computers from talking to each other unless there is a business reason to do that.
  3. Harden network devices.  This means, on firewalls and such, encrypt all traffic, use robust passwords, restrict physical access, and follow the other suggestions described in the alert.
  4. Secure access to firewalls and switches.
  5. Perform out-of-band management.  This would stop an attacker from being able to get to certain resources.
  6. Validate the integrity of the hardware and software.
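Items 1 through 5 are all things you can audit in a rule set rather than just read about. The script below is an added example, not code from the CERT alert: it takes a constructed zone map (user, server and a dedicated out-of-band management network), a constructed list of firewall rules in a generic tuple form rather than any vendor’s syntax, and flags rules that permit all ports between two zones (breaking segmentation and inviting lateral movement), permit cleartext management protocols to a network device, or permit device management from anywhere other than the management network.

```python
"""Audit a firewall rule set against the CERT alert's suggestions on
segmentation, lateral movement, hardening and out-of-band management.

Added example, not from the alert. Zones, device addresses and rules are
constructed; the rule format is a generic tuple, not a vendor configuration."""
import ipaddress

# Constructed zones: two internal segments plus an out-of-band management net.
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt":    ipaddress.ip_network("10.99.0.0/24"),
}
# Constructed addresses of the firewall and a switch being managed.
DEVICE_ADDRESSES = {
    ipaddress.ip_network("10.0.0.1/32"),
    ipaddress.ip_network("10.0.0.2/32"),
}
ENCRYPTED_MGMT_PORTS = {22, 443}    # SSH, HTTPS: allowed, but only from mgmt
CLEARTEXT_MGMT_PORTS = {23, 80}     # telnet, HTTP: should never be permitted
ANY = "any"                          # sentinel meaning "all ports"

# Constructed rule set: (name, action, src_cidr, dst_cidr, ports)
RULES = [
    ("allow-users-to-servers-all", "permit", "10.10.0.0/16", "10.20.0.0/16", ANY),
    ("allow-web-to-servers",       "permit", "10.10.0.0/16", "10.20.0.0/16", {443}),
    ("allow-ssh-to-fw-from-users", "permit", "10.10.0.0/16", "10.0.0.1/32",  {22}),
    ("allow-ssh-to-fw-from-mgmt",  "permit", "10.99.0.0/24", "10.0.0.1/32",  {22}),
    ("allow-telnet-to-switch",     "permit", "10.99.0.0/24", "10.0.0.2/32",  {23}),
    ("deny-all",                   "deny",   "0.0.0.0/0",    "0.0.0.0/0",    ANY),
]


def zone_of(cidr):
    """Name of the zone that wholly contains cidr, or None if it is outside all zones."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def audit(rules):
    """Return (rule name, finding) pairs for every permit rule that violates a check."""
    findings = []
    for name, action, src, dst, ports in rules:
        if action != "permit":
            continue
        dst_net = ipaddress.ip_network(dst)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        to_device = dst_net in DEVICE_ADDRESSES

        # Items 1 and 2: all ports between two different zones defeats segmentation
        # and gives an intruder free lateral movement.
        if ports == ANY and src_zone and dst_zone and src_zone != dst_zone:
            findings.append((name, "segmentation: all ports permitted between zones"))

        # Item 3: cleartext management protocols on a device are unencrypted traffic.
        if ports != ANY and to_device and ports & CLEARTEXT_MGMT_PORTS:
            findings.append((name, "hardening: cleartext management protocol to device"))

        # Items 4 and 5: device management only from the out-of-band network.
        if ports != ANY and to_device and ports & ENCRYPTED_MGMT_PORTS and src_zone != "mgmt":
            findings.append((name, "management: device access from outside mgmt network"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule}: {finding}")
```

The checks are order-independent, which is a simplification; on a real device an earlier deny can shadow a later permit, so a production audit has to evaluate rules in order. The value of even this simple pass is that it turns the alert’s six bullet points into questions a rule set can be asked.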

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild, and that NOW these attacks are known to every hacker on the planet, it is critical that companies protect themselves.


The CERT advisory can be found here.

A Wired article on the issue can be found here.



NSA Hack Appears Real – Sort Of

Last week a group of hackers called Shadow Brokers claimed to have a group of NSA hacker tools available for sale on the dark web.  The tools were supposedly stolen from the Equation Group which has been loosely linked to the NSA.

If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.

The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.

Some of the exploits targeted routers and firewalls from every major vendor – Cisco, Fortinet, Juniper and Topsec (Chinese).  The initial request said that if they got 1 million bitcoins (or around a half billion dollars), they would release all the code publicly.  The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?”.  Certainly, if all of this is true, they could wreak some havoc.

Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it.  That seems a whole lot more plausible than hacking the NSA itself.  Still, the tools would be very interesting.

Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.

The Intercept (Glenn Greenwald, who broke the original Snowden story) says that the tools are genuine NSA.  That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

A manual that had not been previously released by Snowden refers to tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579” .  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.

If these tools were really in the possession of Russia, how long have they had them (years, possibly), and have they used them against Western organizations?  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

This could mean that the sellers may have used them and, possibly, some of the holes may have been coincidentally patched, making the tools less useful (since not everyone applies patches).

Apparently, according to documentation released, SECONDDATE intercepts web requests and redirects them to an NSA controlled server, where the server replies with malware, infecting the requestor.  Believe it or not, this is definitely possible, no question about it.  In fact, some known attacks have used this technique.  Again according to documents, this tool was used to spy on Pakistan and Lebanon.  According to this manual, agents had to use the string above to avoid reinfection of target systems.  That string appears 14 times in the files that Shadow Broker released.
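The marker string is the kind of indicator a defender can hunt for directly: if your own systems carry the redirect-and-infect tooling described above, the tag would be present in the files. The script below is an added example, not from The Intercept or this post: it builds a constructed temporary file tree (a small binary blob carrying the tag twice, a text file carrying it once, and a clean file) and returns a per-file count of the marker, the same kind of tally as the “14 times” figure quoted above.

```python
"""Hunt for a known marker string across a file tree and count hits per file.

Added example. The marker is the SECONDDATE tag quoted in the post; the file
tree is constructed here in a temporary directory so the script runs offline."""
import shutil
import tempfile
from pathlib import Path

MARKER = b"ace02468bdf13579"   # the tag quoted from the leaked manual


def count_marker(path, marker=MARKER):
    """Number of non-overlapping occurrences of marker in one file (read as bytes)."""
    return Path(path).read_bytes().count(marker)


def scan_tree(root, marker=MARKER):
    """Return {relative_path: count} for every regular file under root that hits.

    Paths are returned in POSIX form and sorted order so results are stable."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        n = count_marker(path, marker)
        if n:
            hits[path.relative_to(root).as_posix()] = n
    return hits


def build_sample_tree():
    """Constructed sample tree: one binary file with two hits, one text file
    with one hit, and one clean file. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="marker-scan-"))
    (root / "bin").mkdir()
    (root / "bin" / "blob.dat").write_bytes(b"\x00\x01" + MARKER + b"\xff" * 8 + MARKER)
    (root / "notes.txt").write_text("tag: " + MARKER.decode() + "\n")
    (root / "clean.txt").write_text("nothing to see here\n")
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, n in scan_tree(sample).items():
            print(f"{rel}: {n} occurrence(s) of marker")
    finally:
        cleanup(sample)
```

Reading each file whole keeps the count exact; for very large files you would stream in chunks and carry the last `len(marker) - 1` bytes across chunk boundaries so a tag split by a read is still found.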

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were gotten.  We know that they are years old and date to the time of the Snowden leaks.  We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.

If the attackers do eventually release all of the code, it will likely identify more zero day exploits that the vendors can close, but as far as I can tell, there are way more where those came from, so don’t worry that the NSA is going to go out of business.  I guess that is good news/bad news.  Good news that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed.  Bad news in that we don’t know who had access to these tools, for how long, and whether or not other agents from non-friendly countries used them against us.

This story just gets wilder.

Information for this post came from Network World, The Intercept and Network World again.

NSA Wants To Monitor Your Pacemaker

No, you don’t have to check your calendar, it is not April Fools Day and Yes, they really do want to do that.  Along with the rest of your medical devices.

Some of you may remember that when Dick Cheney was Veep, they modified his pacemaker so that the bad guys couldn’t take him out by manipulating it.

Pacemakers and other medical devices are really just a specialized version of Internet of Things (IoT) devices and, like them, their manufacturers are more concerned about FDA approval (or sales) than hackers.

Richard Ledgett, the NSA’s Deputy Director and chief operating officer spoke at the Defense One Tech Summit last month in Washington.  He said that they are looking at it from a theoretical point of view right now.  I think that means that they have not figured out how to exploit them yet.  He said that it would not be one of their core intelligence tools; rather it would be a niche kind of thing.

As I said, a pacemaker is just a specific instance of an IoT device and Ledgett said that they are looking at information from any Internet connected device.

James Clapper, the Director of National Intelligence, said in a Senate hearing in February that devices connected to the Internet could be useful “for identification, surveillance, monitoring, location tracking and targeting for recruitment, or to gain access to networks or user credentials.”

That seems like a pretty good list of uses to me.  They are going to need to figure out exactly how to exploit them, but it sounds like they are already working on the problem.

To be clear, that is their job and as long as they don’t break the law, it certainly is a legitimate way to gain intelligence.

As long as IoT device manufacturers don’t improve the security of their devices, it may not be a very difficult task to hack them.

Unfortunately, that means that not only the NSA, but also the Chinese and North Koreans, can hack them, not to mention commercial hackers, who might do what was done in Ukraine last December, when attackers took over the electric delivery system and turned off the power and heat in the middle of the Ukrainian winter.  Those hackers were only interested in damaging the infrastructure.  What if, instead, they decided to turn off the electricity or water in a city until a ransom is paid or some other demand is met?  While I am less concerned about the NSA doing that – at least in the US – I am less confident that the North Koreans or other commercial hackers will play by the rules, whatever the rules are these days.

Information for this post came from The Verge.

NSA Refused Clinton A Secure Blackberry

THIS IS NOT A POLITICAL POST.  But the story does have, I think, an extremely important message to all corporate I.T. and security people.

Here is the Clinton story.  Judicial Watch, the conservative PAC that has been driving the Clinton email investigation, got some documents under a Freedom of Information Act request that are enlightening.

Apparently, Clinton was not a computer user, but someone gave her a Blackberry and, after a while, she became addicted to it.

But, the seventh floor at Foggy Bottom (State Department HQ, mahogany row) was a wireless free zone for security reasons, so she had to leave her Blackberry in a locker outside, just like the rest of us do when we enter a SCIF or high security area.  The effect of that was that she would be without email access for hours at a time and would run outside on breaks to check her email.

In fact, they crafted an office for her, outside the SCIF, so that she could go read her emails a couple of times a day.

In an effort to solve this problem, Donald Reid, the State Department’s coordinator for security infrastructure, said that he repeatedly asked the NSA what their solution was for the President’s Blackberry addiction and was “politely told to shut up and color”.  Great quote.  Probably not for the NSA, but I like it.

So what did Clinton do?  She did what every executive will do in the face of being told no.  She told them to F@#$ Off and used her own Blackberry, insecure as it was.

NSA did have a secure phone, called a SME-PED.  SME-PED stands for Secure Mobile Environment Portable Electronic Device.  Think about holding a brick up to your face and talking into the brick.  People that I know who have one call it a Franken-phone.  It was a horrible device and never accepted in the military – except when forced on low ranking soldiers.  I recall many stories of military brass asking their keepers to borrow their personal phone to make calls, the SME-PED was so bad.


Not only were SME-PEDs horrible to use, they cost, according to Ars, almost $5,000, which, to spend on the SoS, is not a big deal.  On top of it, according to some special ops folks who showed me one (but wouldn’t let me touch it even though I had a clearance – I didn’t have a need to know), the rules for handling it were unworkable also.  You basically had to treat it like the classified information it contained.

Condoleezza Rice, Clinton’s predecessor in the Secretary of State position, had received waivers for her and her staff to use their own Blackberrys.  But now, under the new administration, they wanted Clinton to use this brick, the SME-PED.

The SME-PED was only cleared to store information classified at the SECRET level, not TOP-SECRET or Compartmented information, so even if she used one, it would not be able to store the information that people are now complaining they have found some instances of, unmarked and classified after the fact, on her Blackberry.

All that was background.  Here is the important part and if you don’t already know this, you should.


I have been having the conversation with a friend of mine in the DoD who keeps saying that if he did what Clinton is accused of doing that he would get fired and likely brought up on charges.  And I have no doubt that he is right.

But, executives have different rules.  Colin Powell used his personal email.  He said the State Department computers were totally unusable.  Condi Rice and her entire staff used Blackberrys.  No one got in trouble for doing that.  You could counter that Rice got permission to do that – Powell did not – but Clinton asked for permission and was told to shut up and color.  My friend points to General Petraeus, who didn’t risk having his emails compromised; he willingly gave them to his mistress.  There is no question about whether his emails were compromised, we know they were.  And, he was the Director of the Central Intelligence Agency.  Should he, kind of, know better?  Not to mention, having a mistress is kind of a violation of military rules.

What happened to the General?  Well, he had to retire.  Sadness.  He was ordered to pay a $100,000 fine and serve two years probation.  Granted, this was a much more serious penalty than the 100 hours of community service that Sandy Berger got for removing classified documents from the National Archives, but he didn’t give them to his mistress.

According to CBS, the Pentagon considered retroactively removing one of General Petraeus’ stars (demoting him), but decided not to because he apologized.

So, apparently, if you are Brass and you break the law, violate the Uniform Code of Military Justice and give classified documents to your mistress, but say you are sorry, then we are good?  He doesn’t have to forfeit his pension of $230,000+ a year.  And, of course, he has a private sector “consulting” job working for KKR making seven figures a year (see here).


Just my two cents.

Information for this post came from Ars Technica.