Mediaboss Marketing

from the build-them-or-we'll-just-build-our-own dept

It's been more than a half-decade since it made headlines, but the NSA's hardware manipulation programs never went away. These programs -- exposed by the Snowden leaks -- involved the NSA compromising network hardware, either through interception of physical shipments or by the injection of malicious code.

One major manufacturer -- Cisco -- was righteously angered when leaked documents showed some of its hardware being "interdicted" by NSA personnel. It went directly to Congress to complain. The complaint changed nothing. (Cisco, however, changed its shipping processes.) But even though the furor has died down, these programs continue pretty much unhindered by Congressional oversight or public outcry.

One legislator hasn't forgotten about the NSA's hardware-focused efforts. Senator Ron Wyden is still demanding the NSA answer questions about these programs and give him details about "backdoors" in private companies' computer equipment. The DOJ and FBI may be making a lot of noise about encryption backdoor mandates, but one federal agency is doing something about it. And it has been for years.

Not only has the NSA installed its own backdoors in intercepted devices, it has been working with tech companies to develop special access options in networking equipment. This allows the agency to more easily slurp up communications and internet traffic in bulk. Senator Wyden wants answers.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

Secret encryption back doors are a threat to national security and the safety of our families its only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security, Wyden told Reuters. The government shouldnt have any role in planting secret back doors in encryption technology used by Americans.

No one knows what's in the guidelines and whether they forbid the NSA from backdooring hardware or software sold to US buyers. All the NSA is willing to say is it's trying to patch things up with domestic tech vendors by, um, giving them more stuff to patch up.

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

This is a welcome change after years of exploit hoarding. But there's no reason to believe the NSA isn't holding useful flaws back until they've outlived their exploitability. As for the built-in backdoors, the NSA refuses to provide any details. It won't even answer to its oversight. And if it won't do that, it really needs to stop saying things about "robust oversight" every time more surveillance abuses by the agency are exposed.

There's more to this than potential domestic surveillance. Any flaw deliberately introduced in hardware and software can be exploited by anyone who discovers it, not just the agency that requested it. The threat isn't theoretical. It's already happened. In 2015, it was discovered that malicious hackers had exploited what appeared to be a built-in flaw to intercept and decrypt VPN traffic running through Juniper routers. This appeared to be a byproduct of the NSA's "Tailored Access Operations." While Juniper has never acknowledged building a backdoor for the NSA, the circumstantial evidence points in No Such Agency's direction.

[Juniper] acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC [Dual Elliptic Curve] as part of a customer requirement, according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

This is the danger of relying on deliberately introduced flaws to gather intelligence or obtain evidence. Broken is broken and broken tools are toys for malicious individuals, which includes state-sponsored hackers deployed by this nation's enemies. It's kind of shitty to claim you're in the national security business when you're out there asking companies to add more attack vectors to their products.

Thank you for reading this Techdirt post. With so many things competing for everyones attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise and every little bit helps. Thank you.

The Techdirt Team

Filed Under: 4th amendment, backdoors, nsa, ron wyden, surveillanceCompanies: cisco, juniper

Read more from the original source:
Senator Wyden Wants To Know If The NSA Is Still Demanding Tech Companies Build Backdoors Into Their Products - Techdirt

The US National Security Agency (NSA) published a report detailing the top 25 vulnerabilities currently being exploited by Chinese state-sponsored hacking groups. The NSA said that the bugs exist in web services or remote access tools.

The vulnerabilities are directly accessible from the Internet and can act as gateways to organizations internal networks, according to the NSA. Apart from the Chinese hackers, other state-sponsored threat actors from Russia and Iran had also exploited some of these top vulnerabilities to compromise computer systems.

The NSA considered the Chinese malicious cyber activity to be among the greatest risks facing the US Defense Industrial Base (DIB), the US National Security Systems (NSS), and the Department of Defense (DoD) information networks. Thus, the federal agency urges organizations in the public and private sectors to patch their systems.

The NSA noted that all the top vulnerabilities exploited by Chinese hackers are well known and have existing patches. Many top vulnerabilities were incorporated into various exploit kits used by ransomware gangs, state-sponsored hackers, and malware groups.

Earlier, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert on cybercriminal gangs using vulnerability chaining to compromise election systems using Zerologon and VPN vulnerabilities. Top vulnerabilities exploited by Chinese hackers include:

According to Jayant Shukla, CTO and Co-founder of K2 Cyber Security, keeping software updated is the surest method of preventing Chinese hackers from exploiting any of the top vulnerabilities.

For organizations that cant keep up to date or dont have the resources to keep their software up to date, they should look into virtual patching solutions that protect the application, like the ones offered by RASP (Runtime Application Self-Protection) solutions, which are now mandated by the latest version of the NIST SP800-53 Revision 5 Security and Privacy Framework. RASP solutions also protect the organization against new and unpatched vulnerabilities.

Chlo Messdaghi, VP of Strategy at Point3 Security, says that affiliated and independent Chinese hackers were actively trying to exploit the top vulnerabilities for self-gain.

Chinese attackers could be [a] nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies in other words, to steal and use for their own gain.

Apart from NSAs top vulnerabilities, Chinese hackers would not hesitate to exploit any existing vulnerability to compromise the United States computer systems. They could use vulnerability chaining to increase the lethality of their attacks by combining several vulnerabilities to weaken the system further and create a foothold.

Chinas Foreign Ministry protested the US agencys accusation of international cyber espionage. In return, Beijings government labeled the US as an empire of hacking, citing various cyberespionage programs such as PRISM. The program was the largest cyber espionage campaign, which was exposed by Snowden.

Zhao Lijian, Chinese Foreign Ministry spokesman, added that the US had a natural advantage in exploiting vulnerabilities because of its leading role in software and hardware development. Lijian also noted that the US and The Five Eyes group members had demanded backdoors on various apps such as WhatsApp to allow spying. WhatsApp uses an end-to-end encryption algorithm to prevent the interception of communication by third parties.

NSA listed the 25 top vulnerabilities exploited by Chinese #hackers. Beijing accused the US of being an 'empire of hacking'. #cybersecurity #respectdataClick to Tweet

Cyber espionage counter accusations are common between the US and China. Chinese cybersecurity company, Qihoo 360, had accused the CIA of conducting an 11-year cyber espionage campaign against Chinese airlines. The US cybersecurity firm Symantec also reported that Chinese hackers had stolen NSAs hacking tools and used them against US allies.

See the rest here:
NSA Publishes List of 25 Top Vulnerabilities Exploited by Chinese Hackers; Beijing Calls Us an Empire o ... - CPO Magazine

By: Express News Service | Lucknow | Updated: October 31, 2020 7:40:15 amThe Badaun police has invoked National Security Act (NSA) against 11 people arrested on charges of cow slaughtering on October 8. (Representational/File)

The Badaun police has invoked National Security Act (NSA) against 11 people arrested on charges of cow slaughtering on October 8. The accused, aged between 25 and 50 years, are lodged in the Badaun district jail.

Police sent its report to the district magistrate and on completion of due procedure, the DM has invoked NSA against the 11 accused, said Praveen Singh Chauhan, Additional Superintendent of Police, Badaun.

Read| UP cow slaughter law is being misused against innocent: Allahabad HC

Among those arrested, nine of them are residents of Gurupuri Chandan village, while two others are from neighbouring Dalmai village. Three of the accused are migrant labourers who had returned to their native places after the nationwide lockdown was enforced, said police.

Nine persons had no criminal record and were arrested for the first time, said Rajeev Kumar, Station House Officer, Beenawar police station.

According to police, on October 8, they had received an information that some people were involved in cow slaughtering at Gurupuri Chandan village. A police team rushed to the spot and caught the accused. They recovered 200 kg meat, skin, body parts and also weapons used for slaughtering cows from the spot, said Kumar. He added that a veterinary doctor was called on the spot and he had identified the meat as beef.

Later, an FIR was lodged and police arrested all the 11 accused, said Kumar.

The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest India News, download Indian Express App.

The Indian Express (P) Ltd

Read the rest here:
UP: NSA invoked against 11 held for cow slaughter - The Indian Express

The security hole isnt expected to be plugged until the forthcoming Patch Tuesday bundle of security fixes

Googles Project Zero researchers have disclosed details about a zero-day vulnerability in Windows that they say is being exploited by attackers.

The memory-corruption flaw resides in the Windows Kernel Cryptography Driver (cng.sys) and, according to Google, constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).

The researchers also released proof-of-concept (PoC) code that theyd tested out on a recent version of Windows 10 (version 1903, 64-bit) and believe that the security bug could have been around since Windows 7, potentially meaning that all versions from Windows 7 through 10 could be affected.

Per media reports, the flaw is being exploited in conjunction with another zero-day, which is indexed as CVE-2020-15999 and affects FreeType, a widely used software development library that is also part of the Google Chrome web browser.

Google reported the discovery of the newly-found bug, which is tracked asCVE-2020-17087, to Microsoft, but since it found evidence of the loophole being exploited in the wild, it opted for a seven-day disclosure deadline.

Currently, the security loophole doesnt have a patch, but Project Zeros technical lead Ben Hawkes tweetedthat they do expect one to be released on November 10th, which coincides with the upcoming Patch Tuesday.

Microsoft, meanwhile, provided this statement toTechCrunch:

Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.

A company spokesperson also went to add that the attack seems to be quite limited and that there is no proof pointing to it being a widespread issue. The attacks are thought to be unrelated to the upcoming US presidential election.

Since the beginning of this year, Microsoft has disclosed and patched several severe bugs in Windows, including a pair of zero-days back in March and a vulnerabilityuncovered by the United States National Security Agency (NSA).

Read this article:
Google discloses Windows zeroday bug exploited in the wild - We Live Security

LOOKING ahead to lambing, the National Sheep Association has opened its popular Lambing List service for the 2020/2021 season.

The NSA Lambing List connects sheep farming members of the NSA who need assistance at lambing time with agricultural and veterinary students looking for a work experience placement as part of their studies, providing the perfect solution for both parties at what can be a very busy time of year.

Despite some uncertainties surrounding Covid-19 rules, it is expected that it will still be permissible for farmers to invite students on to farm to support work at lambing time, but to ensure both NSAs farming members and students using the Lambing List are kept as Covid safe as possible, new guidelines have been made available to users of the service to download from the NSA Next Generation website.

NSA communications officer, Katie James said: The NSA Lambing List has become the trusted method for many of our members to source extra lambing help over recent years and we are therefore pleased to be able to offer this service once again this year. Its a very simple but effective process we collate a list of NSA members looking for help at lambing time and produce an advert so students can approach them directly to ask for a placement.

NSA does recognise there may be some concerns inviting students on to farm as additional help this coming lambing season and hopes that our updated guidelines can offer some support with this, however, if members have any further concerns we would encourage them to contact us at NSA to discuss the issue.

Sheep farmers wanting to advertise on the list must complete a short application form at http://www.nationalsheep.org.uk/lambing-list providing brief details of their lambing system and the experience and position they can offer, including the provision of accommodation, meals and other details. Adverts are listed in the order they are submitted, so NSA members are encouraged to get adverts in as early as possible.

Sheep farmers who are interested in using the list but are not yet NSA members can find a membership application form at http://www.nationalsheep.org.uk/membership.

The service could not be simpler for students looking for a placement, with adverts split into regions to highlight positions available in different areas of the UK and overseas. The list can be found via the lambing and work experience pages at on the Next Generation web pages.

Ms James continued: This service is just one of the many membership benefits NSA offers as well as supporting agricultures next generation and the allied veterinary industry. Young people accessing the NSA Lambing List on the NSA Next Generation website will also find a host of online resources, packed with useful information on NSAs work to support young people.

For in-depth news and views on Scottish agriculture, see this Fridays issue of The Scottish Farmer or visit http://www.thescottishfarmer.co.uk

Read the rest here:
Lambing List unites farmers with student vets willing to help - HeraldScotland