Category Archives: NSA

U.S. Discloses Zero-Day Exploitation Practices

The U.S. government acknowledged that it uses zero-day bugs not only for espionage and intelligence gathering, but also for law enforcement.  What else it uses them for is still unknown.

Last November, the government released a document titled Vulnerabilities Equities Process.  This policy describes the policy, dating back to 2010, that allows agencies to decide whether to tell vendors about bugs they know about or use them as they see fit.

The document was redacted as the government claimed that confirming what everyone already knows – that they don’t always report bugs that they know about – would damage national security.  Not sure how that could possibly be, but that is what they claimed.

The government has removed some of those redactions and thereby confirmed what everyone already knew – that the government uses zero-day exploits so that the FBI and other agencies can hack into U.S. citizen’s computers, hopefully with appropriate oversight – although the oversight process, if it exists, is still unknown.

The document says that there is a group within the government that reviews zero-days and decides how they will be handled and to whom they will be distributed.  The NSA, not surprisingly, is in charge of this group.

Before we beat up the U.S. government too much, likely every other government on the planet does the same thing – likely with similar rules of engagement.

Still, this release of information does eliminate the question about whether “We’re from the government, we’re here to help you.”

Not always.

Facebooktwitterredditlinkedinmailby feather

Should We Compromise Security For Preventing Terrorism

After the Paris attacks, politicians have been falling all over themselves trying to be more anti-terrorist than the other.  Prior to the attacks, the odds of the CISA bill in Congress were dicey.  Now the odds are pretty high, even though that bill will do almost zero in terms of preventing terrorism.

One of the big issues is encryption.  Web site encryption (like HTTPS: or SSL/TLS) is really not an issue because the government cracked that years ago.  It takes them a little effort, but it doesn’t really stop them.

A bigger problem is encrypted phones – iPhones and android  – that Apple and Google do not have the keys to decrypt.  This means that the gov has to get a judge to issue a subpoena and then go to the owner, assuming the owner hasn’t been killed, say by a drone strike, and get them to comply.  If the owner is dead or not in the U.S., that is hard to do.  Hence, the government would like to have a secure back door.

However, secure and back door cannot exist in the same sentence.  You can have either one – just not both.  Many noted cryptographers and computer scientists signed a letter to Congress recently stating this, so it is not just me who thinks this is not possible.

Assuming the government or many private companies had a skeleton key to get in (and there would need to be tens of thousands of these keys given the number of software vendors out there) – given the number of breaches of both government systems and private company systems – do you really think that we could keep a skeleton key private for many years.  I don’t think so.  And, wherever those tens of thousands of keys are stored would be a super hot target for hackers.

Then you have the applications to deal with.  They are thousands, if not hundreds of thousands of applications.  Many written by one-person companies in some country like Ukraine or China.

Assuming the government required a back door, do you really think a developer in China would really care?  I didn’t think so.  Do you really think that you could stop a terrorist from getting that software from China or some other country?  No again.

So let’s look at the real world.

According to police reports and the Wired article, police have found cell phones next to dead terrorists – like the ones who blew themselves up in Paris – and in trash cans.  Are these phones encrypted with impenetrable encryption?  No, they are not encrypted at all.

Sure, some terrorists are using software like Telegram that is encrypted.  What we have to be VERY careful about is which software is really secure and which software only pretends to be secure.  The article gives some examples.  If you believe the FBI or NSA is going to tell you which software fits in which category, then I have a bridge for sale, just for you, in Brooklyn.

Once the feds find a phone, they can go to the carrier and get the call log from the carrier side.  That gives you text messages, phone numbers, web sites visited, etc.  Is this perfect?  No, it is not.  They used these facts in Paris to launch the second raid – the one in Saint-Denis – where they killed the mastermind of the first attack.  And, while they have not said this publicly, this is likely how they captured the terrorists in Belgium.

All that being said would the feds love all the traffic to be unencrypted? Sure.  Does that mean they are going blind, like they have claimed?  Nope.  Not even close.

In talking with a friend who used to be high up in one of the three letter agencies, he said that he has been warning them for 10 years that this is going to be a problem and they better plan for it.  How much planning they have done is classified – and needs to remain that way.

Creating the smoke screen that they are going blind is a great way to lull terrorists into a false sense of security – right up until the moment the drone strike happens.  If you don’t think that they are doing this on purpose, I recommend you rethink your position.

In talking with another very high ranking former DHS executive about whether we should weaken the crypto, he is very emphatic that the answer is no.

This is basically a repeat of the crypto wars of the 1990s when the FBI tried to force everyone to use a compromised crypto chip (called Clipper).  The concept didn’t work then.  Now, there is software being developed in every country in the world and if the NSA or FBI thinks that they can put the genie back in the bottle, they are fooling themselves.

I recommend reading the Wired article – it will provide a different perspective on the situation.

Information for this article came from Wired.

Facebooktwitterredditlinkedinmailby feather

How The NSA Broke Trillions Of Encrypted Connections

Encryption can be very secure.  Or Not.  It depends on how it is implemented.  Apparently, at least according to some sources, most of the Internet has gotten it wrong.  That’s not very comforting.

The rules of who people are protecting themselves from has changed from just a few years ago.  Now we are talking about nation states and extremely well funded hackers.

Here is the flaw.  The most common form of encryption is what is behind HTTPS,  VPNs and SSH.  Part of that protocol is to exchange keys between the sender and the recipient and is called Diffie Hellman or DH.   Those keys secure the communications used in eCommerce (such as Amazon) or your bank (such as Chase or Citi).

Apparently, most common DH implementations use one of two 1,024 bit prime numbers as part of the process.

Cracking one of these numbers would allow the NSA to decrypt two thirds of the VPN connections and one quarter of the SSH sessions around the world.

Cracking the second of these numbers would give the NSA access to 20% of the top 1 million web site.

According to the article, it would likely have taken the NSA a year and a few hundred million dollars.  Given the payback, this is a no brainer.

Obviously, the NSA is not confirming this, but this is what researchers think.

The solution is either to increase the size of the numbers that the web site is using (from 1,024 bits to either 2,048 bits or 4,096 bits), which makes the computation required to crack the keys out of reach of the NSA or at least change the software to not use one of these standard primes.

Some web sites (I just checked Google and Facebook) have already upgraded to more secure solutions.  Hopefully, they are not using “standard” numbers, but that leaves tens of millions of web sites and VPNs still susceptible.  Hopefully, many of these are in the Mideast!

VPN and SSH administrators can control their key size, making the encryption much more difficult to crack – but they must do that;  the users usually cannot do that themselves.  For users of web sites, the web site has to make the change.  All the user can do is complain and hope they fix it.

Which is why security IMPLEMENTERs have to be so careful.

Information for this post came from Reddit and The Hacker News.

Facebooktwitterredditlinkedinmailby feather

Former Director Of The NSA Says NO! To Encryption Back Doors

Former NSA director Michael Hayden says that he would not support [FBI] Director [James] Comey’s demands for access, according to a story by Motherboard.

This goes against the “wishes” of the current FBi director and head of the NSA.  It is clear to me that if everything is transmitted unencrypted, with weak encryption or with encryption back doors it makes the life of law enforcement easier.

In documents released by Edward Snowden, it is revealed that the U.S. spied on the Greek Prime Minister using “secure” back doors baked into phone switches that the U.S. government forced manufacturers to install as part of the CALEA law.

My guess is that former NSA Director Hayden is aware of many more events where the NSA made use of supposedly secure back doors where that use has not been revealed.

The reality is that there is no such thing as a secure back door.  In fact, the only true secret is one where the person has told no one.  Even that can be de-secre-fied with non-torture such as waterboarding.

The article goes on to suggest that under Director Hayden’s watch, the NSA was able to retrieve data that they wanted even though they didn’t have a crypto back door.  Hayden remembers the failed crypto wars of the 1990s and does not want to repeat that.

Director Hayden, speaking on a panel at the Council on Foreign Relations in New York said that the U.S. is better served by stronger encryption rather than baking in weaker encryption.

My suspicion is that this is a professional opinion, not a personal one – meaning that his agency was able to get around weaker encryption used by foreign countries with relative ease.

And, that also means that if we can do that, so can many counties including China, Russia, Iran and Israel, among others.  Director Hayden is smart enough to know that we are better off making it harder for other people than making easier for both them and us.

Whether this means that encryption is easy to get around by a local rural Sheriff’s department – it probably does not.  What it probably means is that, when it comes to national security, while encryption slows down the NSA in some cases, it probably rarely stops them.

For example, if they wanted to target someone, all they would need to do is exploit one of the many zero day security holes that they know about but have not reported and use it to take over the target’s computer.  At that point, for the most part, encryption is irrelevant because the data is decrypted in the memory of the computer so that it can show it to you.

My speculation is that, as a former NSA Director as opposed to a current one, Hayden has less reasons to lie.

One simple reason for Director Comey and Admiral Rogers to complain about encryption is that even though they assume that they are not going to get a back door, it is a great excuse if they miss something – which they will.  They will say that encryption is the reason they missed it – even if that is not strictly true.

My two cents.

 

Information for this post came from Network World.

Facebooktwitterredditlinkedinmailby feather

Is your encryption secure? – Sure, just like flying pigs (keep reading)

Der Spiegel wrote an article on efforts by the NSA and GCHQ (their British equivalent) to crack encryption of various sorts.

Take the article at what it is worth;  it is based on documents that Snowden released, so it is a little bit old.

I apologize that this post is pretty long, but there is a lot of information in the article and I think it is useful to understand what the state of the art is.  If you think the NSA is, in any way, trying to accomplish different goals than say the Russian FSB, then you are wrong. They are likely ahead of the hacker community only because they have a $10 billion annual budget.

For most people, keeping the NSA out is not your goal, but if the NSA figures out a sneaky way to break something, it is likely that, at some point, a hacker may figure it out too.  If the NSA has to spend a million dollars to crack something, that is probably out of the realm of possibility of the hackers – until next year when it costs a quarter of that.  Unless, of course, that hacker works for an unfriendly government.

The Cliff Notes version goes like this.  If you want a longer version, read the article :).  When I refer to the NSA below, I really mean all the NSA like agencies in every country, friendly or not.

  • Sustained (meaning, I assume, ongoing) Skype data collection began in February 2011, according to an NSA training document.  In the fall of 2011, the code crackers declared their mission accomplished.
  • Since that same time (February 2011), Skype has been under order from the secret U.S. FISA court to not only supply information to the NSA, but also to make itself accessible as a source of data for the agency.  Whatever that exactly means is unclear, but it is likely not good for your privacy.
  • The NSA considers all use of encryption (except by them, I assume) a threat to their mission and it likely is.  If they cannot snoop, what use are they?  If people start using high quality encryption, they will make the snoop’s jobs that much harder.  But not impossible.
  • If you look in the dictionary for the word “packrat”, it will say, “see U.S. NSA”.  They horde data like you would not believe.  In fact, the rules that govern how long the NSA can keep data exclude encrypted data.  That they can keep forever.  So, if they ever figure out how to decrypt something, they can go back and look at the stuff that they have in inventory and figure out how much of that they can now decrypt and analyze.
  • In the leaked Snowden documents was a presentation from 2012 talking about NSA successes and failures regarding crypto.  Apparently, they categorize crypto into 5 levels from trivial to catastrophic.
  • Monitoring a document’s path through the Internet is considered trivial.
  • Recording Facebook chats is considered minor.
  • Decrypting mail sent via the Russian mail service Mail.ru is considered moderate.
  • The mail service Zoho and TOR are considered major problems (level 4).
  • Truecrypt also causes them major problems as does OTR, the encrypted IM protocol.  The Truecrypt project mysteriously shut down last year with no explanation.  Was it because the NSA was pressuring them?  No one knows or if they do, they are not talking.
  • It seems clear that open source software, while it probably contains as many weaknesses and bugs as closed source software, is much harder for organizations like the NSA to compromise because people CAN look at the source code.  Most people don’t have the skills, but there are enough geeks out there that obvious back doors in the code will likely be outed.  With Microsoft or Apple, that check and balance does not exist.
  • Things become catastrophic for the NSA at level 5.  The IM system CSpace and the VoIP protocol ZRTP (the Z stands for Phil Zimmerman for those of you who know of him) are or were level 5.  ZRTP is used by Redphone, an open source, encrypted, VoIP solution.
  • Apparently PGP, although it is 20 years old, also lands in the NSA’s category 5.
  • Cracking VPNs is also high on the NSA’s list. The Der Spiegel article doesn’t go into a lot of detail here other than to say that the NSA  has a lot of people working on it.  They were processing 1,000 VPN decrypt requests an hour in 2009 and expected to process 100,000 per hour by the end of 2011.  Their plan, according to Der Spiegel, was to be able to decrypt 20% of these  – i.e. 20,000 VPN connections per hour.  That was in 2011.  This is almost 2015.  You do the math.
  • The older VPN protocol PPTP is reported to be easy for them to crack while IPSEC seems to be harder.
  • SSL or it’s web nickname HTTPS is apparently no problem for them at all.  According to an NSA document, they planned to crack 10 million SSL connections a day by 2012.
  • Britian’s GCHQ has a database called FLYING PIG that catalogs SSL and TLS activity and produces weekly trend reports.  The number of cataloged SSL connections in FLYING PIG for just one week for the top 40 sites was in the billions.  This is a big database, apparently.
  • The NSA Claims that it can sometimes decrypt SSH sessions (I assume this is due to the user’s choice of bad cryptographic keys).  SSH is often used by admins to remotely access servers.
  • NSA participates in the standards processes to actively weaken cryptographic standards – even though this ultimately hurts U.S. businesses;  it also furthers the NSA’s mission.
  • The NSA steals cryptographic keys whenever possible.  Why do things the hard way when the simple way is an option.

While most hackers are not as smart or well funded as the NSA or the British GCHQ, sometimes luck is on their side.  Other, less friendly governments (think IRAN for example), might be willing to spend hundreds of millions of dollars to mess with the U.S. and since the don’t have to pay their scientists very much (the alternative to working for those governments might be being dead), their money likely goes further.

Would Iran or someone like them enjoy taking down the northeast power grid and darken the U.S from Boston to Virginia.  To quote a former vice presidential candidate – You betcha.  If they could damage the grid so that it took longer to get the lights back on (see the item from the other day on the attack on the German steel plant) would that be an extra benefit. You betcha.

So while I am using the NSA as an example, you could just as easily replace that with Iran, or Russia or China.

Being prepared is probably a good plan.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Another Nation State Sponsored Trojan?

ars technica reported yesterday on a very sophisticated trojan that has been around, they say, since 2008, went dark in 2011 and came back in 2013.

The trojan is comprised of 5 stages, all but the first of which is encrypted and is serially decrypted to avoid detection.

The interesting part about it is that it apparently is a framework with plugins to attack everything from your keyboard to your mouse to a radio base station.  The link above has more details and a graphic showing the architecture of this thing.  It seems to be very sophisticated.

Supposedly, there have only been around 100 known infections – but do we really know? – mostly inside ISPs.  Symantec suggests that this was done not to spy on the ISP, but rather on their customers.

Now that the cat is out of the bag, I am sure we will hear more in the coming days.  This could be another Stuxnet.

Mitch

Facebooktwitterredditlinkedinmailby feather