Tag Archives: NSA

Security News Bites for the Week Ending July 28, 2018

Zip Slip Vulnerability Affects Thousands of Projects

Researchers (the disclosure, named Zip Slip, came from Snyk) found a flaw in a large number of archive-extraction libraries covering zip-style formats – RAR, TAR, 7z, APK and others.

The problem is a very old attack vector, directory traversal, that these libraries do not handle.  An archive entry whose name contains “../” sequences is written wherever that path leads – outside the directory the caller asked the library to extract into – so an attacker who can get you to extract a crafted archive can overwrite files you trust, such as a startup script, a library or a configuration file.
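To make the traversal concrete, here is an added example (written for this page; it is not code from the Zip Slip advisory or from any of the affected libraries).  It builds a small zip in memory with one entry named ../../evil.txt, runs it through a deliberately naive extractor that joins the entry name straight onto the destination, and then through a hardened extractor that resolves every entry under the destination and refuses the archive before writing anything.  The archive contents, the directory names and the function names are all constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one whose name
    climbs out of the extraction directory with '../' (the Zip Slip pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign file\n")
        zf.writestr("../../evil.txt", "written outside the extraction dir\n")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable extractor: joins the entry name straight onto dest, so
    '../' in the name walks the write out of dest (the Zip Slip bug)."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)   # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name under dest and refuse anything that lands
    outside it: '../' sequences, absolute names, or a dest that is itself
    a symlink elsewhere (realpath follows links before the comparison)."""
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError(f"archive entry escapes extraction dir: {name!r}")
    return candidate


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened extractor: validate every entry first and write only if all
    of them pass, so a poisoned archive leaves nothing on disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive inside a throwaway
    tree root/a/b/out and report what happened as plain values."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b", "out")
        os.makedirs(dest)
        naive = extract_naive(build_malicious_zip(), dest)
        dest_real = os.path.realpath(dest)
        escaped = [p for p in naive
                   if os.path.commonpath([dest_real, os.path.realpath(p)]) != dest_real]

        safe_dest = os.path.join(root, "safe")
        os.makedirs(safe_dest)
        try:
            extract_safe(build_malicious_zip(), safe_dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)

        return {
            "naive_escaped": [os.path.relpath(p, root) for p in escaped],
            "evil_on_disk": os.path.isfile(os.path.join(root, "a", "evil.txt")),
            "safe_rejected": rejected,
            "safe_wrote": sorted(os.listdir(safe_dest)),
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the naive extractor dropping evil.txt two directories above the extraction target, while the hardened one rejects the archive and writes nothing.  The validate-everything-then-write order matters: checking each entry as you go still leaves the benign entries of a poisoned archive behind, and it is exactly that half-extracted state that an attacker can chain with a second archive.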

The vulnerable extraction code was likely copied from places like GitHub and Stack Overflow, and developers used it in thousands of projects, used by millions of users, without a clue that the flaw had existed for years, maybe decades.

And, likely, most of those developers are completely blind to the fact that their software is vulnerable due to a software supply chain issue – assuming they are even still involved with those projects.

The software supply chain is the Achilles heel of the entire industry, and the industry is not doing much to fix it.  (Source: Bleeping Computer)

NSA Forms Group to Counter Russian Threat in Cyberspace

The head of the NSA, General Paul Nakasone, has created a special task force to address Russian threats in cyberspace.  The Washington Post reported that the NSA and its sister organization, U.S. Cyber Command, will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has repeatedly called fake news and has said no longer exists, if it ever did.  It would appear that General Nakasone has a difference of opinion with his boss.  Source: Bloomberg

Level One Robotics Leaves Tens of Thousands of Sensitive Docs Unprotected

Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents unprotected online – apparently including non-disclosure agreements – belonging to multiple automakers including Tesla, Toyota and Volkswagen.  The material comes from over 100 companies and includes blueprints, factory schematics and other materials.

The data was found by Chris Vickery of UpGuard.  Chris has found dozens of unprotected data sets just in recent months, usually on Amazon S3.  Chris DOES NO HACKING.  All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked.  In this case, the material sat on an unprotected backup server – an rsync server open to anyone on the Internet, per UpGuard – holding 157 gigabytes of data made up of over 47,000 files.  If hackers found it before Chris did, and they may have, they are likely celebrating.  That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies.  Source: NY Times

Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid

The Department of Homeland Security reported Monday that hackers working for Russia broke into the US power grid as early as 2013 and are likely still inside it, with the ability to turn off the lights.  DHS says there were likely hundreds of victims, and one of the attack vectors was compromising trusted vendors of the power companies (third party vendor cyber risk management, again).  Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?).  Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall.  For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time.  Source: CNET

Russian Hackers Attack Senator Claire McCaskill

Reports have surfaced today that the Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri.  The Senator says that the attack was not successful.  McCaskill is a vocal opponent of Russia.  This is happening as the President continues to say that Russia is not hacking us, and before the campaign season really warms up.  Source: The Daily Beast


Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, it is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal to hold under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important, or a hassle, or costs money: as of July 23, 2018, Google Chrome is going to flag your site as NOT SECURE in the address bar every time someone visits it over plain HTTP.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to get a certificate (Let’s Encrypt issues them for free) and serve your web site over HTTPS.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial services firms to come up with a detailed plan to restore services after a disruption, and to invest in the staff and technology to do so.  Bank boards and senior management should ASSUME that the systems and processes that support the business will be disrupted, and focus on backup plans, response and recovery.

Lyndon Nelson, deputy chief executive of the Prudential Regulation Authority (the BoE’s regulatory arm), said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under the Privacy Shield agreement (the successor to Safe Harbor, which the EU’s top court struck down in 2015) by September 1 of this year, the European Commission should suspend the deal.  This is in addition to the legal challenges to Privacy Shield currently working their way through the EU court system.

Taken together, U.S. firms doing business in the E.U. AND transferring personal data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration; the lack of a permanent ombudsman; the impact of the President’s executive orders on immigration; the re-authorization of Section 702 of the FISA act; and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case, the E.U. could shut off the data spigot that lets U.S. companies legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged, and some may have to abandon the European market to E.U. based businesses – something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)


NSA’s Optic Nerve Could Make You Go Blind

GCHQ, the British version of the NSA, created a program around 2008 that tapped into Yahoo’s network and captured stills of video chats being conducted by Yahoo users.  So as not to overload GCHQ’s servers, the software only stored one image per video session every 5 minutes.  Still, in a 6 month period, they captured images from 1.8 million Yahoo users’ accounts.

The plan was to use the data to test facial recognition software, so that they could find images of people who LOOKED LIKE the person they were looking for.

Yahoo said that they were not cooperating in this program.

GCHQ said that they had no way to filter out the images of UK or US citizens – they just stored that data along with all the other images.

But there was a problem that they had not counted on.

Lots of people use video chat sessions to show “undesirable body parts” to the person on the other end – in other words, to send nude selfies.

What’s more, they had no way to filter these images out and did not try to.

Which, apparently, was perfectly fine with GCHQ analysts.  Rumor has it that there was significant “sharing” of these undesirable images.  Apparently, while GCHQ brass thought the images undesirable, the GCHQ staff found them quite desirable.  The brass told the staff that sharing undesirable pictures could result in discipline.  It is not clear whether anyone was ever disciplined for it.

The program started in 2008 and, through 2010, collected images without regard to whether they had any intelligence value.  The Snowden documents revealed that the program was still active in 2012.  Whether this program or a similar one still exists is unknown, so maybe you should keep your clothes on while video chatting.

When the Guardian asked the NSA about the program, they had no comment.

In addition, unlike the NSA, which is required to minimize the capture of data (undesirable body parts included) belonging to U.S. citizens, GCHQ has no such restriction regarding U.K. citizens.  The NSA said that it did not ask GCHQ to collect data that the NSA could not legally collect itself.  It did not say whether it accepted those images if they were made available.

The NSA also did not say if they had any similar programs – of course, I would not expect them to answer that question.

Yahoo was not the only target; apparently video from the cameras on Microsoft Xbox game consoles was also of interest.

Likely none of these activities is illegal, but people may want to reconsider, if they care, what body parts, desirable or not, they expose in webcam sessions going forward.

Information for this post came from The Guardian.


The NSA-Kaspersky Story Gets Even Stranger

In case you didn’t know whom or what to believe in the battle between Eugene Kaspersky and the U.S. Government, it just got a little weirder.

You probably remember that the DoD told its people to remove Kaspersky’s software from its machines.  They didn’t say why.  But, no matter how this story plays out, that decision was the right one.

Later it came out that an NSA employee was developing NSA malware to replace the malware that Snowden exposed; he removed that classified software from NSA facilities and took it home.  It was then thought that the software had been compromised to the Ruskies because that employee had Kaspersky software on his home computer, and Kaspersky was alleged to be working for the FSB.

Fast forward the story, and Eugene Kaspersky is fighting for his company’s very existence.  Never mind the fact that if the employee had followed both policy and the law, we would not be having this conversation.

Kaspersky has now revealed some more information about the situation.  Whether you believe him or not is up to you.  Our government is being totally radio-silent on the situation, which likely means that it is at least mostly accurate.  Probably.  No guarantee.

  1. The NSA employee was running the Kaspersky software on his home computer.
  2. The employee had intentionally turned on the feature called Kaspersky Security Network, which, by design, forwards suspicious software to Kaspersky’s labs for analysis.
  3. The employee disabled the Kaspersky software.  BECAUSE:
  4. The employee downloaded pirated software.
  5. After the employee’s computer was infected, the employee turned the anti-virus software back on.
  6. When turned back on, the Kaspersky software scanned his computer and detected the new NSA malware as a variant of the Equation Group malware family that Kaspersky had publicly documented in 2015.  Since it was an unknown sample and he had intentionally turned on the security network feature, the software sent the malware (the code he was developing) to Kaspersky’s labs for analysis.
  7. This LIKELY ties back to the well-covered 2015 breach of Kaspersky’s network (the Duqu 2.0 intrusion, attributed in press reports to Israeli intelligence rather than the FSB).
  8. ALTERNATIVELY, the pirated software that he downloaded allegedly had a back door in it, and if that is true, the Russian FSB could have stolen anything on his computer.

There are probably a bunch of potential variants here, but all of this could easily have happened if the alleged scenario is what actually occurred.

AND NONE OF IT WOULD HAVE HAPPENED IF THE NSA COULD GET ITS EMPLOYEES TO FOLLOW THE LAW.

HUMAN BEINGS, ONE MORE TIME, ARE THE WEAK LINK IN THE CHAIN.

Information for this post came from Ars Technica.


Bill Aims to Remove Fox From Hen House Guard Duty

The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber.  The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.

U.S. Cyber Command, which shares a director and much of its infrastructure with the NSA, is charged with defensive cyber.

What this means is that when the NSA finds a bug like the one that was exploited in WannaCry, it has to decide whether to disclose it to the vendor (furthering its defensive mission, but giving up the ability to use it offensively) or keep it secret and continue to use it.

The only problem is what happens if someone else discovers the same bug and uses it against American companies.  That is the conundrum.

Under President Obama the intelligence community was supposed to use something called the vulnerabilities equities process to decide whether to disclose or keep secret any vulnerabilities that it finds.  That process was an internal policy, not a law.  After WannaCry, Congress is kind of wondering whether the process is working.

The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take the decision out of the NSA’s exclusive control and create a review board including the FBI, Homeland Security, the CIA, the Director of National Intelligence, Commerce and the NSA.  State, Treasury, Energy and the FTC would be involved when needed.  Homeland Security would chair the board.

That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.

Since this bill was just introduced, it has a long way to go before it may become a law.

Information for this post came from The Register.


The Insider Threat – At The NSA!

[Photo: NSA headquarters, Fort Meade.  From Flickr; courtesy Fort Meade public affairs office]

Some of you probably remember Edward Snowden (just kidding!).  Snowden was a Booz Allen Hamilton employee on contract to the NSA.  Well, now there is another Snowden at Booz.

Booz has annual revenue in excess of $5 billion and has contracts all over the federal government.

Earlier this month, the feds arrested Harold Thomas Martin III, another Booz employee assigned to the NSA, and charged him with theft of government property and unauthorized removal and retention of classified materials.  Remember that package of cyber exploits that hit the dark web a couple of months ago and was thought to be an NSA toolkit lost in the wild?  Investigators are now looking at whether that was the work of Martin.

If that was all, it would be an interesting story, but not news worthy.

As the story unfolds, the feds are now saying that they have found 50,000,000,000,000 bytes of stolen data in his house and car, most of it out in the open (although I am not sure that makes much of a difference under the circumstances).  If you are not sure how to read a number with that many zeros, it is 50,000 gigabytes, or 50 terabytes.

The 50,000 gigabyte number, the court filings say, is a conservative number, so it is likely more.

For comparison, at standard-definition Netflix bit rates that much data represents watching Netflix non-stop, 24 hours a day, 7 days a week, for almost 6 years.  If the movies were HD, it only represents 2-3 years of 24×7 watching.

Martin, who lives in Glen Burnie, MD, near NSA HQ, has apparently been taking this data since 1996.  That makes it one of the longest-running undetected cases of its kind ever.

Unlike Snowden, however, it appears so far that he had no goal of releasing this data or selling it to the Ruskies; rather, he was hoarding it.  AT LEAST, THAT IS WHAT THEY ARE SAYING NOW.

For the NSA, this is another huge black eye.

For Booz Allen Hamilton, it (hopefully) makes government customers leery of its ability to protect classified customer information.  First Snowden and now Martin.

For average citizens, it should make them skeptical of the government’s claims that information shared with it can realistically be protected.  Certainly it should call into question the government’s ability – or for that matter anyone’s ability – to keep millions of encryption keys secret.

This is the downside of the digital world.  If he had had to carry those 50,000 gigabytes of data out on paper, it would represent 25 billion pages of text – definitely harder to steal and even harder to store.

It also points to the insider threat problem at most companies – which are likely not as secure as the NSA.

This is likely not the end of this story.  All I can say is holy cow!

Information for this post came from The Washington Post and USA Today.
