Category Archives: NSA

Security News for the Week Ending July 2, 2021

WD NAS Devices Are Being Wiped Worldwide

The downside of using computers beyond their end of support is that you can get hacked and all of your data can get wiped. This is what has happened to many WD My Book owners. Western Digital stopped patching them in 2015 and hackers have figured out how to remotely execute a factory reset, wiping all the data. The second mistake is not having offline backups, which, apparently, many of these Western Digital owners also did not have. The result is many sad Western Digital owners. It does not appear that Western Digital’s own servers were hacked. Users, at this point, are just outta luck if they did not make backups. Credit: Bleeping Computer

As if this wasn’t bad enough, there is now a second zero-day way to wipe the devices. Credit: Metacurity

Pentagon Official Accused of Disclosing Classified Information

Katie Arrington, a political appointee in the DoD’s office of acquisition and sustainment who acted as A&S’s CISO, was suspended and her security clearance deactivated after being accused of unauthorized disclosure of classified information. Rumors had been that she was walked out of the Pentagon several months ago, but no announcement was made until this week. If true, she could wind up in jail. Credit: Newsweek

Politics ‘R’ Us – CISA Don’t Need No Stinkin’ Director

CISA, the Cybersecurity and Infrastructure Security Agency, part of DHS, has been without a director since ex-president Trump fired Chris Krebs last year for saying that there was no massive election fraud. President Biden nominated Jen Easterly, a graduate of West Point and Oxford, an Army Lt. Colonel and long time intelligence and NSA official; however, the Senate has not voted on her confirmation. The arcane Senate rules allow any Senator to put a hold on anything for any reason. In this case, Senator Rick Scott decided that since Kamala Harris had not visited the southern border, something he thinks is important, the Senate should not vote on the nomination of Easterly to head DHS. This has nothing to do with Easterly or security, just some Senator on a power trip. DHS has not had a director for more than 6 months, during which time a major oil pipeline was shut down due to a ransomware attack, the Russians compromised a number of federal agencies twice – once via SolarWinds and again using Microsoft Exchange – and there were numerous other attacks. It appears that maybe next week Scott may decide to stop being a dictator and allow the Senate to vote on Easterly’s appointment. The political process is very messy. Credit: ZDNet

Microsoft Testifies it Gets 10 Info Demands a Day from the Feds

Microsoft testified this week that it gets 7-10 secrecy orders every single day from the feds, demanding that it turn over customer information and not notify the customer that their information has been targeted. Since these orders are secret and often stay that way forever, cloud service customers have no way of knowing whether their personal and/or sensitive information is in the hands of the government, for some unknown purpose, under likely poor security. (The FBI just told Congress that it needs millions and millions more dollars in order to protect its systems, so it is reasonable to assume that at least some FBI systems have been compromised and data stolen. We know, for example, that the Department of Justice was a victim of the SolarWinds attack.) This may mean that companies that use the cloud (which is almost everyone) need to take more security measures than they are taking – at least for sensitive data. Credit: The Register

Is Russia More Tech-Savvy Than the US?

Russia’s main military intelligence unit, called, among other names, APT28, Fancy Bear and Iron Twilight, is using cloud containers (Kubernetes) to massively scale brute force attacks against American and European businesses targeting government, military, defense contractors, energy companies, education, logistics, law firms, media, politics and think tanks. Does that leave anyone out? After they use these brute force attacks to get login information, they use those credentials to move around inside the company and steal information, often undetected. The feds (NSA, CISA, FBI and the UK’s NCSC) publicly warned businesses this week. That means that businesses need to up their security game if they want to protect their systems and information. Credit: The Hacker News

NSA Shares Guidance in Securing Voice and Video Communications

I am sure that most of you reading this have not been on a conference call or video call in the last year, so this advice is not relevant to you, but for the rest of us, the NSA has a few tips on how to better protect yourself when you are collaborating online. The NSA suggests (and I bet they know) that since these online communications solutions are tightly integrated with the rest of your IT, compromising the communications, well, it compromises everything else.

They point out that, at the very least, compromise of these systems gives the attackers high definition audio and video of whatever you are discussing. At the very least. At the most, it gives them access to your entire IT infrastructure.

Here are the agency’s high level recommendations. Some are simple to do; some are more complex and may only apply to high-end in-house systems, but the first one, while causing your network team to groan, is super important.

  • Segment enterprise network using Virtual Local Area Networks (VLANs) to separate voice and video traffic from data traffic
  • Use access control lists and routing rules to limit access to devices across VLANs
  • Implement layer 2 protections and Address Resolution Protocol (ARP) and IP spoofing defenses
  • Protect PSTN gateways and Internet perimeters by authenticating all UC/VVoIP connections
  • Always keep software up-to-date to mitigate UC/VVoIP software vulnerabilities
  • Authenticate and encrypt signaling and media traffic to prevent impersonation and eavesdropping by malicious actors
  • Deploy session border controllers (SBCs) to monitor UC/VVoIP traffic and audit call data records (CDRs) using fraud detection solutions to prevent fraud
  • Maintain backups of software configurations and installations to ensure availability
  • Manage denial of service attacks using rate-limiting and limit the number of incoming calls to prevent UC/VVoIP server overloading
  • Use identification cards, biometrics, or other electronic means to control physical access to secure areas with network and UC/VVoIP infrastructure
  • Verify features and configurations for new (and potentially rogue) devices in a testbed before adding them to the network
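The CDR-auditing and rate-limiting bullets above, as an added example rather than code from the NSA sheet or this post: a small call-data-record audit for two toll-fraud patterns and a sliding-window limiter on incoming call setup attempts. The records, extensions, trunk names, business-hours window and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

@dataclass
class CDR:
    caller: str   # internal extension that placed the call
    callee: str   # dialled number, E.164 form (constructed)
    start: str    # ISO 8601 local start time
    seconds: int  # call duration

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 counts as "normal" (assumed)
DOMESTIC_PREFIX = "+1"          # anything else is treated as international

def audit_cdrs(cdrs, burst_window_s=600, burst_limit=3):
    """Return (rule, extension) findings. Rule 1: international call outside business
    hours. Rule 2: one extension reaching >= burst_limit distinct international
    destinations inside burst_window_s seconds (a classic PBX call-pumping pattern)."""
    findings, intl = [], defaultdict(list)
    for c in sorted(cdrs, key=lambda r: r.start):
        if c.callee.startswith(DOMESTIC_PREFIX):
            continue
        t = datetime.fromisoformat(c.start)
        if t.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_international", c.caller))
        intl[c.caller].append((t.timestamp(), c.callee))
    for ext, calls in intl.items():
        for i, (t0, _) in enumerate(calls):
            if len({d for t, d in calls[i:] if t - t0 <= burst_window_s}) >= burst_limit:
                findings.append(("international_burst", ext))
                break
    return findings

class CallRateLimiter:
    """Sliding-window cap on call setup attempts per trunk or source address."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.attempts = defaultdict(deque)

    def allow(self, source, now):
        q = self.attempts[source]
        while q and now - q[0] >= self.window_s:
            q.popleft()                 # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False                # reject before the UC/VVoIP server overloads
        q.append(now)
        return True

SAMPLE_CDRS = [  # constructed records: 1002 is dialling three African numbers at 2 a.m.
    CDR("1001", "+14155550100", "2021-06-30T09:05:00", 300),
    CDR("1001", "+442071234567", "2021-06-30T10:00:00", 600),
    CDR("1002", "+2520000001", "2021-06-30T02:10:00", 900),
    CDR("1002", "+2520000002", "2021-06-30T02:12:00", 900),
    CDR("1002", "+2520000003", "2021-06-30T02:14:00", 900),
]
```

Running `audit_cdrs(SAMPLE_CDRS)` flags only extension 1002: three after-hours international calls plus one burst finding, while 1001's daytime call to London passes.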

For more detailed guidance, see the NSA information sheet.

The NSA, recently, has been much more forthcoming in the area of defensive security. While this is a good thing, it only helps if people actually use their guidance.

Security News for the Week Ending May 28, 2021

The UK Might Beat Us to Regulating MSPs

In the US, anyone can become a managed service provider. Unfortunately, customers may think that comes with security, but usually it does not. The UK is about to create a legally binding cybersecurity framework for managed service providers. This may be the first step at forcing businesses to formally assess the cyber risks of their supply chain. Needless to say, MSPs are not happy about the added cost and responsibility. This comes just as the US begins to force defense contractors to do the same thing. Credit: The Register

Section 230 Preempts FCRA

The law is kind of twisted. Section 230 of the Communications Decency Act shields Interactive Computer Services like Facebook from being sued for content they did not create. In this case, a person tried to sue a company that publishes aggregated data from credit bureaus (basically a version of a credit bureau) for not following the rules of the Fair Credit Reporting Act, which require correcting faulty data. The company’s defense was that they didn’t create the data, so you can’t sue them. Congress (or the Supremes) needs to clean up this mess – it is and has been a mess forever – but that ruling is just not right for the consumer. They have ZERO recourse, according to this court. Credit: Professor Eric Goldman

NSA Tells Defense Contractors – Don’t Connect IoT/IIoT to the Internet

NSA released a guide to protecting operational technology systems (what we call IoT or Industrial IoT), geared to the National Security System, the Defense Department and the Defense Industrial Base. It is, of course, applicable to anyone. They start with the obvious. An unconnected OT system is more secure than one connected to the Internet. It also provides guidance for protecting OT systems that are connected to the Internet. Whether you are required to follow this or not, if you have IoT systems, this is a good read. Credit: Nextgov

Expect Higher Prices (and Longer Wait Times) for Computers

As the worldwide chip shortage continues (and is expected to continue for at least the rest of this year), PC makers plan to pass on costs to buyers. This likely will continue as buyers have not reduced demand as a result of higher prices. Companies like Dell are reporting strong financial results. Inventory is, however, way down, so expect to take any system that is available or wait for a while. Vendors will likely move available parts to higher margin products, leaving lower end products “out of stock”. Credit: ZDNet

New Bluetooth Attack Affects 28 Chips Tested

A new Bluetooth impersonation attack, called BIAS, allows a malicious actor to establish a secure connection with the victim, without having to authenticate. This attack does NOT require user interaction. The researchers tested the attack against Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and other chips. There is not a fix yet, but fixes are expected. Credit: The Hacker News

Is The NSA Still Putting Back Doors in Tech Products?

This is a bit like the old question “are you still beating your spouse?” In order to answer that you would have to admit that you had been doing it previously.

The NSA, as far as I know, hasn’t admitted to placing back doors in tech products but there is a lot of information that has leaked out over the years that seems to indicate that they did and possibly still do.

One example. The CIA and NSA, in partnership with German intelligence, actually OWNED the Swiss crypto hardware company Crypto AG. They sold backdoored crypto hardware (back when hardware was the only way to do that) to both our friends and our foes. Of course, no one knew that the intelligence community owned the company or that the crypto was defective. The company was shut down or sold in around 2015, when all encryption was done in software and the CIA and NSA no longer had the monopoly that Crypto AG once gave them, but the NSA and CIA had access to the supposedly secure communications of both our friends and enemies for decades.

Second example. Juniper has admitted that in 2015 someone inserted a back door – what they refer to as unauthorized code – into the Juniper operating system ScreenOS. Some sources say that the code goes back to 2008. Call unauthorized code a code word for back door.

Third example. The NSA paid RSA millions of dollars to use a particular pseudo random number generator called dual EC. The algorithm has a weakness making the numbers not so random and the NSA knew that and was able to leverage that to make crypto easily crackable. By them. Because they knew about this flaw. They even managed to get NIST, for whom the NSA was a technical advisor, to adopt Dual EC as a standard.

When Snowden released the documents that he did release, it became clear that the algorithm was fatally flawed. NIST says that they were duped – which is both possible and possibly a lie – and revoked the standard.

But in the meantime some government other than ours figured out that there was a flaw in the Juniper software and kind of used the flaw against us. And others.

All that is background.

Senator Ron Wyden, a member of the Intelligence Committee, has asked the NSA for a copy of a report they created after it became public that the NSA’s back door was being used against us. Wyden is opposed to back doors because it is hard even for the NSA to keep a secret a secret. For one thing, someone else might discover it accidentally.

Mysteriously, the NSA says that they cannot find that report.

Supposedly after the NSA’s hack got hacked the NSA changed its policy on inserting back doors into commercial products.

But, hmmm, they can’t seem to find that information. Maybe we should ask Snowden to look for it like Trump asked Russia to look for Clinton’s emails.

Rumor has it that for years the NSA intercepted equipment from vendors like Cisco while it was in transit and inserted “gifts”. They then put it back in the delivery stream and used the access they had to steal information.

Bottom line, we don’t really know what the NSA’s policy is about adding back doors to commercial products.

And the NSA is not saying.

You would think that if they were NOT doing it any more, they might be willing to say so, which leads me to assume that the new policy is “don’t get caught”.

You are going to have to figure this one out yourself.

NSA Publishes Cloud Security Risk Mitigation Guide

Maybe this is the NEW AND IMPROVED NSA.

From the NSA document:

This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.

The document goes on to talk about the components of cloud computing and the basic tenets of cloud security such as:

  • Cloud encryption
  • Key management
  • Shared security responsibilities
  • Who the threat actors are
  • Vulnerabilities and mitigations
  • and a dozen reference documents

The vulnerabilities and mitigations section is especially good.

Even though it is a bit techie and managers may not understand every detail, I recommend this for managers too. It helps them understand what their team is up against.

Read the NSA manifesto here


Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis. There were two schools of thought regarding Snowden. Some said he was a hero for disclosing illegal government actions. Others said that he was a traitor for disclosing national security secrets. The leaks seem to have stopped at this point. For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers. Where Snowden leaked documents, Shadow Brokers leaked tools. Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are. These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches. Remember the WannaCry infection that cost FedEx $300 million and Merck $600 million – so far? Yup. One of those tools that was released. And for which there were patches issued but not applied. And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security. This is why the NSA hoards security vulnerabilities instead of telling the vendors to fix them. Maybe that is an idea that needs to change. It certainly does not seem to be working out very well for the American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.