Tag Archives: NSA

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing many details about what went wrong, it says that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that would likely be illegal under current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, it would be better to get it right in the first place as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said HTTPS was not important, was a hassle, or cost money: as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar every time someone visits your site.

While some visitors will ignore the warning, others will get freaked out, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop-up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank boards and senior management should ASSUME that the systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator, said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms that do business in the E.U. AND transfer data between the E.U. and the U.S. should rightfully be worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration, the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst-case scenario, the E.U. could shut off the data spigot that lets U.S. companies legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U.-based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)


NSA’s Optic Nerve Could Make You Go Blind

GCHQ, the British version of the NSA, created a program around 2008 that hacked into Yahoo’s network and captured stills of video chats being conducted by Yahoo users.  So as not to overload GCHQ’s servers, the software only stored one image per video session every 5 minutes.  Still, in a 6 month period, they captured images from 1.8 million Yahoo users’ accounts.

The plan was to use the data to test image recognition software so that they could find images of people LIKE the person they were looking for.

Yahoo said that they were not cooperating in this program.

GCHQ said that they had no way to filter out the images of UK or US citizens – they just stored that data along with all the other images.

But there was a problem that they had not counted on.

Lots of people use chat sessions to share “undesirable body parts” with the person on the other end – in other words, nude selfies.

What’s more, they had no way to filter these images out and did not try to.

Which, apparently, was perfectly fine with GCHQ analysts.  Rumor has it that there was significant “sharing” of these undesirable images.  Apparently, while GCHQ brass thought the images to be undesirable, the GCHQ staff found them quite desirable.  The brass told the staff that sharing undesirable pictures could result in discipline.  It is not clear if anyone was ever disciplined for that.

The program started in 2008 and through 2010 collected images without regard to whether they had any intelligence value.  In Snowden documents, it was revealed that the program was still active in 2012.  Whether this program or a similar one still exists is unknown, so maybe you should keep your clothes on while video chatting.

When the Guardian asked the NSA about the program, they had no comment.

In addition, unlike the NSA’s requirement to minimize the capture of data (or undesirable body parts) of U.S. citizens, GCHQ has no such restriction regarding U.K. citizens.  The NSA said that they did not ask GCHQ to collect data that the NSA could not legally collect themselves.  It did not say if they accepted those images if they were made available.

The NSA also did not say if they had any similar programs – of course, I would not expect them to answer that question.

Yahoo was not the only target; apparently video from Microsoft Xbox game consoles was also targeted.

Likely none of these activities is illegal, but people may want to reconsider, if they care, what body parts, desirable or not, they expose on webcam sessions going forward.

Information for this post came from The Guardian.


The NSA-Kaspersky Story Gets Even Stranger

In case you didn’t know whom or what to believe in the battle between Gene Kaspersky and the U.S. Government, it just got a little weirder.

You probably remember that the DoD told its people to remove Kaspersky’s software from its machines.  They didn’t say why.  But, no matter how this story plays out, that decision was the right decision.

Later it came out that an NSA employee was developing NSA malware to replace malware that Snowden exposed; he removed that classified software from NSA facilities and took it home.  It was then thought that the software was compromised to the Ruskies because that employee had Kaspersky software on his computer and Kaspersky was working for the FSB.

Fast forward the story and Gene Kaspersky is fighting for his company’s very existence.  Never mind the fact that if the employee had followed both policy and the law, we would not be having this conversation.

Kaspersky has now revealed some more information about the situation.  Whether you believe him or not is up to you.  Our government is being totally radio-silent on the situation, which likely means that it is at least mostly accurate.  Probably.  No guarantee.

  1. The NSA employee was running the Kaspersky software on his home computer.
  2. The employee had intentionally turned on the feature called Kaspersky Security Network, which, by design, forwards suspicious malicious software to Kaspersky’s labs for analysis.
  3. The employee disabled the Kaspersky software.  BECAUSE:
  4. The employee downloaded pirated software.
  5. After the employee’s computer was infected, the employee turned the anti-virus software back on.
  6. When turned back on, the Kaspersky software scanned his computer and detected the new NSA malware as a variant of the Equation Group software that Snowden disclosed.  Since it was unknown and he had intentionally turned on the security network feature of Kaspersky’s software, it sent the malware (the software that he was developing) to Kaspersky’s labs for analysis.
  7. This LIKELY ties back to a 2015 breach of Kaspersky’s network (probably by the FSB) which has been well covered in the media.
  8. ALTERNATIVELY, the pirated software that he downloaded allegedly had a back door in it, and if that is true, the Russian FSB could have stolen anything on his computer.

There are probably a bunch of potential variants here, but it seems reasonable that all of this could have easily happened if the alleged scenario happened.

AND NONE OF WHICH WOULD HAVE HAPPENED IF THE NSA COULD GET ITS EMPLOYEES TO FOLLOW THE LAW.

HUMAN BEINGS, ONE MORE TIME, ARE THE WEAK LINK IN THE CHAIN.

Information for this post came from Ars Technica.


Bill Aims to Remove Fox From Hen House Guard Duty

The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber.  The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.

NSA, in its alter ego Cyber Command, is charged with defensive cyber.

What this means is that when NSA finds a bug like the one that was exploited in WannaCry, it has to make a decision as to whether it should disclose it to the vendor (and further its defensive mission) and therefore not be able to use it to further its offensive mission or keep it secret and be able to continue to use it.

The only problem is what happens if someone else discovers the bug and uses it against American companies. That is the conundrum.

Under President Obama the intelligence community was supposed to use something called the vulnerabilities equities process to decide whether to disclose or keep secret any vulnerabilities that they find.  That process was voluntary.  After WannaCry, Congress is kind of wondering whether the process is working.

The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take control of the decision-making process away from the NSA exclusively and create a review board including the FBI, Homeland Security, CIA, Director of National Intelligence, Commerce and NSA.  State, Treasury, Energy and the FTC would be involved when needed.  Homeland Security would chair the board.

That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.

Since this bill was just introduced, it has a long way to go before it may become a law.

Information for this post came from The Register.


The Insider Threat – At The NSA!

[Photo: NSA, Fort Meade. From Flickr; courtesy Fort Meade public affairs office]

Some of you probably remember Edward Snowden (just kidding!).  Snowden was a Booz Allen Hamilton employee, on contract to the NSA.  Well, now there is another Snowden at Booz.

Booz has annual revenue in excess of $5 billion and has contracts all over the federal government.

Earlier this month, the feds arrested Harold Thomas Martin III, another Booz employee assigned to the NSA.  Remember that package of cyber exploits that hit the dark web a couple of months ago that was thought to be an NSA toolkit lost in the wild?  Well, the feds are saying that was the work of Martin.  Earlier this month they arrested Martin and charged him with theft of government property and unauthorized removal and retention of classified materials.

If that was all, it would be an interesting story, but not newsworthy.

As the story unfolds, the feds are now saying that they have found 50,000,000,000,000 bytes of stolen data in his house and car; most of it out in the open (although I am not sure that makes much of a difference under the circumstances).  If you are not sure how to read a number with that many zeros, it is 50,000 gigabytes or 50 terabytes.

The 50,000 gigabyte number, the court filings say, is a conservative number, so it is likely more.

If we were talking about Netflix standard definition movies to compare with, streaming 24 hours a day, 7 days a week, that much data represents watching Netflix, non-stop for almost 6 years.  If the movies were HD, it only represents 2-3 years of 24×7 watching.

Martin, who lives in Glen Burnie, MD, near NSA HQ, has apparently been taking this data since 1996.  That makes it one of the longest running undetected cases of espionage ever.

Unlike Snowden however, it appears, so far, that he didn’t have a goal to release this data or sell it to the Ruskies, but rather, he was hoarding it.  AT LEAST, THAT IS WHAT THEY ARE SAYING NOW.

For the NSA, this is another huge black eye.

For Booz Allen Hamilton, it (hopefully) makes government customers leery of their ability to protect classified customer information.  First Snowden and now Martin.

For average citizens, it should make them skeptical of the government’s claims that information that is shared with them can realistically be protected.  Certainly it should call into question the government’s ability – or for that matter anyone’s ability – to keep millions of encryption keys secret.

This is the downside of the digital world.  If he had to carry those 50,000 gigabytes of data out in paper, it would represent 25 billion pages of text – definitely harder to steal and even harder to store.

It also points to the insider threat problem at most companies – who are likely not as secure as the NSA.

This is likely not the end of this story.  All I can say is holy cow!

Information for this post came from The Washington Post and USA Today.


CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belong to an NSA contractor that has been called the Equation Group.

Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks.  And probably government networks too.  The exploits attack Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created.  That problem is that the same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and that is a conflict that they cannot resolve.  When the NSA / Cybercom finds a vulnerability, they have to decide if they are going to tell the manufacturer so that they can fix it, or keep it to themselves so that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it also.  And the Chinese are unlikely to tell Cisco or Fortinet about their bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.

So here we have a group of anti-hackers (The Shadow Brokers) that released a whole trove of bugs converted to attacks, which is good for users because now the bugs will eventually be fixed, but in the meantime, until they get fixed, the hackers can use them to attack you and me.

The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.

The alert makes a couple of very useful suggestions:

  1. Segregate your network.  What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break through the front door.  The alert provides suggestions on how to do that.
  2. Limit “lateral” communications.  What this means is that you want to limit peer-to-peer computers from talking to each other unless there is a business reason to do that.
  3. Harden network devices.  This means, on firewalls and such, encrypt all traffic, use robust passwords, restrict physical access and other suggestions described in the alert.
  4. Secure access to firewalls and switches.
  5. Perform out-of-band management.  This would stop an attacker from being able to get to certain resources.
  6. Validate the integrity of the hardware and software.

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild and NOW these attacks are known to every hacker on the planet, it is critical that companies protect themselves.
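As an added example (not from the CERT advisory or the original post), here is a small audit script that checks a firewall's management-plane configuration against the hardening, secure-access and out-of-band-management advice above: cleartext telnet, management open to any source, in-band management networks and default SNMP community strings.  The config text and the 10.250.0.0/24 out-of-band network are constructed, ASA-style values, not taken from any real device.

```python
"""Audit a firewall running-config for management-plane weaknesses.

Constructed example for the CERT advice above (encrypt management traffic,
restrict who can reach the device, manage it out of band).  The config below
is made up, in Cisco ASA style; it is not taken from any real device.
"""
import ipaddress
import re

# Hypothetical out-of-band management network.  Management sessions coming
# from anywhere else are flagged as in-band access.
OOB_MGMT_NET = ipaddress.ip_network("10.250.0.0/24")

# Constructed sample config: a mix of good and bad management settings.
SAMPLE_CONFIG = """\
hostname edge-fw
http server enable
http 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.250.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
snmp-server community public
"""

# ASA-style "<proto> <ip> <netmask> <interface>" management access statement.
MGMT_LINE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)$")
SNMP_LINE = re.compile(r"^snmp-server community (\S+)")


def audit_config(text):
    """Return a list of (severity, message) findings for one config."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MGMT_LINE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if proto == "telnet":
                # Telnet carries credentials and commands in the clear.
                findings.append(("high", f"cleartext telnet management from {net} on {iface}"))
            if net.prefixlen == 0:
                findings.append(("high", f"{proto} management open to any source on {iface}"))
            elif proto != "telnet" and not net.subnet_of(OOB_MGMT_NET):
                findings.append(("medium", f"{proto} management from in-band network {net} on {iface}"))
            continue
        m = SNMP_LINE.match(line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(("high", "default SNMP community string in use"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Running it against the sample config reports four high findings (open HTTP and SSH, cleartext telnet, default SNMP community) and one medium finding (SSH from the in-band 192.168.1.0/24 network).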


The CERT advisory can be found here.

A Wired article on the issue can be found here.
