Mediaboss Marketing

Geopolitical borders have softened in various ways thanks to the prevalence of the Internet. An email sent by an American could cross multiple international borders before being received by another American. A recent study by the Century Foundation revealed that the National Security Agency (NSA) reportedly utilizes various traffic shaping techniques to survey and store American communications.

Internet traffic does not travel along the shortest route, but instead favors the fastest, least congested, or least expensive course. Data from various countries is backed up in data centers around the world. Sharon Goldberg of the Century Foundation noted, An email sent from San Jose to New York may be routed through Internet devices located in Frankfurt, or be backed up on computers located in Ireland. The NSA could potentially reroute Internet communications to gather information.

The NSA is responsible for monitoring and processing data for foreign intelligence and counterintelligence purposes. American citizens are generally protected by the 4th Amendment and the rules of the Foreign Intelligence Surveillance (FISA) Court. Executive Order 12333, however, allows the collection, retention, and dissemination of information, obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation or incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws.

It is important to note that this study was largely speculation. An NSA spokesperson remarked, We do not comment on speculation about foreign intelligence activities; however, as we have said before, the National Security Agency does not undertake any foreign intelligence activity that would circumvent US laws or privacy protections.

Read more:
Snowden Leak Reveals NSA Traffic Shaping Tech That Diverts US Internet Routing For Spying - Hot Hardware

Should the NSA stop hacking computers out of concern that bad guys could steal its tools and use them for their own nefarious purposes?

Wikimedia Commons

Theres a moment in Dr. Strangelove, Stanley Kubricks dark Cold War comic masterpiece, when President Merkin Muffley (played by Peter Sellers) learns that an insane general has exploited a loophole in the militarys command-control system and launched a nuclear attack on Russia. Muffley turns angrily to Air Force Gen. Buck Turgidson (played by George C. Scott) and says, When you instituted the human reliability tests, you assured me there was no possibility of such a thing ever occurring. Turgidson gulps and replies, I dont think its quite fair to condemn a whole program because of a single slip-up.

The National Security Agency currently finds itself in a similar situation.

One of the NSAs beyondtop secret hacking tools has been stolen. And while the ensuing damage falls far short of an unauthorized nuclear strike, the thieves have wreaked cybermayhem around the world.

The mayhem was committed by a group called the Shadow Brokers, which in April announced that it had acquired the NSA tool (known as Eternal Blue) and published its exploit code online for any and all hackers to copy.* In May, some entitywidely believed to be North Koreansused the the exploit code to develop some malware, which became known as WannaCry, and launched a massive ransomware attack, which shut down 200,000 computers, including those of many hospitals and other critical facilities.

Then on June 27 came this latest attack, which was launched by the Shadow Brokers themselves. This struck some security analysts as odd, for two reasons. First, the Shadow Brokers are believed to be members ofor criminal hackers affiliated witha Russian intelligence agency, and Russians tend not to hack for mere cash. Second, the attack was slipshod: The ransoms were to be paid to a single email address, which security experts shut down in short order. If the Russians had decided to indulge in this mischief for money, it was a shock that they did it so poorly.

Now, however, several cybersecurity analysts are convinced that the ransomware was a brief ploy to distract attention from a devastating cyberattack on the infrastructure of Ukraine, through a prominent but vulnerable financial server.

Jake Williams, founder of Rendition InfoSec LLC (and a former NSA analyst), told me on Thursday, two days after the attack, The ransomware was a cover for disrupting Ukraine; we have very high confidence of that. This disruptive attack shut down computers running Ukrainian banks, metro systems, and government ministries. The virus then spread to factories, ports, and other facilities in 60 countriesthough Williams says its unclear whether this rippling effect was deliberate. (Because computers are connected to overlapping networks, malware sometimes infects systems far beyond a hackers intended targets.)

By the way, the attack left the ransomware victims, marginal as they were, completely screwed. Once the email address was disconnected, those who wanted to pay ransom had no place to send their bitcoins. Their computers remain frozen. Unless they had back-up drives, their files and data are irretrievable.

Its not yet clear how the Shadow Brokers obtained the hacking tool. One cybersecurity specialist involved in the probe told me that, at first, he and others figured that the theft had to be an inside job, committed by a second Snowden, but the forensics showed otherwise. One possibility, he now speculates, is that an unnamed NSA contractor, who was arrested last year for taking home files, either passed them onto the Russians or was hacked by the Russians himself. The other possibility is that the Russians hacked into classified NSA files. Its a toss-up which theory is more disturbing; the upshot of both is, it could happen again.

So should the NSA stop hacking computers out of concern that bad guys could steal its tools and use them for their own nefarious purposes? This remedy is probably unreasonable. After all, spy agencies spy, and the NSA spies by intercepting communications, including digital communications, and some of that involves hacking. In other words, the cyber equivalent of Gen. Turgidson would have a point if he told an angry superior its unfair to condemn a whole program for a single slip-up.

It may be time to view surfing the internet on computers as similar to the way we view driving cars on the highway.

Besides, the NSA doesnt do very many hacks of the sort that the Shadow Brokers stolehacks that involve zero-day exploits, the discovery and use of vulnerabilities (in software, hardware, servers, networks, and so forth) that no one has previously discovered. Zero-day exploits were once the crown jewels of the NSAs signals-intelligence shops. But theyre harder to come by now. Software companies continually test their products for security gaps and patch them right away. Hundreds of firms, many created by former intelligence analysts, specialize in finding zero-day vulnerabilities in commercial productsthen alerting the companies for handsome fees. Often, by the time the NSA develops an exploit for a zero-day vulnerability, someone in the private sector has also found it and already developed a patch.

More and more, in recent years, the NSA chooses to tell companies about a problem and even help them fix it. This trend accelerated in December 2013, when a five-member commission, appointed by President Obama in the wake of the Snowden revelations, wrote a 300-page report proposing 46 reforms for U.S. intelligence agencies. One proposal was to bar the government from doing anything to subvert, undermine, weaken, or make vulnerable generally available commercial software. Specifically, if NSA analysts found a zero-day exploit, they should be required to patch the hole at once, except in rare instances when the government could briefly authorize the exploit for high-priority intelligence collection, though, even then, only after approval not by the NSA directorwho, in the past, made such decisionsbut rather in a senior interagency review involving all appropriate departments.

Obama approved this recommendation, and as a result his White House cybersecurity chief, Michael Daniel, drafted a list of questions that this senior review panel must ask before letting the NSA exploit, rather than patch, the zero-day discovery. The questions: Would this vulnerability, if left unpatched, pose risks to our own societys infrastructure? If adversaries or crime groups knew about the vulnerability, how much harm could they inflict? How badly do we need the intelligence that the exploit would provide? Are there other ways to get this intelligence? Could we exploit the vulnerability for just a short period of time, then disclose and patch it?

A 2016 article in Bloomberg News reported that, due in part to this new review process, the NSA keepsand exploits for offensive purposesonly about two of the roughly 100 zero-day vulnerabilities it finds in the course of a year.

The vulnerability exploited in the May ransomware attack was one of those zero-days that the NSA kept for a while. (It is not known for how long or what adversaries it allowed us to hack.) The vulnerability was in a Microsoft operating system. In March, the government notified Microsoft of the security gap. Microsoft quickly devised a patch and alerted users to install the software upgrade. Some users did; others didnt. The North Koreans were able to hack into the systems of those who didnt. Thats how the vast majority of hacks happenthrough carelessness.

It may be time to view surfing the internet on computers as similar to the way we view driving cars on the highway. Both are necessary for modern life, and both advance freedoms, but they also carry responsibilities and can do great harm if misused. It would be excessive to require the equivalent of drivers licenses to go online; a government that can take away such licenses for poor digital hygiene could also take them away for impertinent political speech. But its not outrageous to impose regulations on product liability, holding vendors responsible for malware-infected devices, just as car companies are for malfunctioning brakes. Its not outrageous to force government agencies and companies engaged in critical infrastructure (transportation, energy, finance, and so forth) to meet minimal cybersecurity standards or to hit them with heavy fines if they dont. Its not outrageous to require companies to program their computers or software to shut down if users dont change or randomize their passwords or if they dont install software upgrades after a certain amount of time. Or if this goes too far, the government could require companies to program their computers or software to emit a loud noise or flash a bright light on the screen until the users take these precautionsin much the same way that drivers hear ding-ding-ding until they fasten their seatbelts.

Some of these ideas have been kicking around for decades, a few at high levels of government, but theyve been crushed by lobbyists and sometimes by senior economic advisers who warned that regulations would impede technical progress and harm the competitive status of American industries. Resistance came easy because many of these measures were expensive and the dangers they were meant to prevent seemed theoretical. They are no longer theoretical. The cyberattack scenarios laid out in government reports decades ago, dismissed by many as alarmist and science fiction, are now the stuff of front-page news stories.

Cyberthreats will never disappear; cybervulnerabilities will never be solved. They are embedded in the technology, as its developed in the 50 years since the invention of the internet. But the problems can be managed and mitigated. Either we take serious steps now, through a mix of regulations and market-driven incentivesor we wait until a cybercatastrophe, after which far more brutal solutions will be slammed down our throats at far greater cost by every measure.

*Correction, June 30, 2017: This article originally misstated that the NSA tool stolen by the Shadow Brokers was called WannaCry. It was called Eternal Blue, and its code was used to create WannaCry. (Return.)

See the rest here:
The NSA's inadvertent role in Petya, the cyberattack on Ukraine. - Slate Magazine

The Trump administration wants to make some of the National Security Agencys vast spying powers permanent. Thats a dangerous proposition, and Ill tell you why.

Since 9/11, Americans have been asked to sacrifice their freedoms on the altar of national security. Weve had our phone calls monitored, our emails read, our movements tracked, and our transactions documented.

Every second of every day, the American people are being spied on by the U.S. governments vast network of digital Peeping Toms, electronic eavesdroppers and robotic snoops.

These government snoops are constantly combing through and harvesting vast quantities of our communications.

They are conducting this mass surveillance without a warrant, thus violating the core principles of the Fourth Amendment which protects the privacy of all Americans.

PRISM and Upstream, two of the spying programs conducted under Section 702 of the Foreign Intelligence Surveillance Act, are set to expire at the end of this year.

Heres why they should be allowed to expire.

PRISM lets the NSA access emails, video chats, instant messages, and other content sent via Facebook, Google, Apple, and others.

Upstream lets the NSA worm its way into the internet backbone the cables and switches owned by private corporations like AT&T that make the internet into a global network and scan traffic for the communications of tens of thousands of individuals labeled targets.

Ask the NSA why its carrying out this warrantless surveillance on American citizens, and youll get the same Orwellian answer the government has been trotting out since 9/11 to justify its assaults on our civil liberties: to keep America safe.

Yet warrantless mass surveillance by the government and its corporate cohorts hasnt made America any safer. And it certainly isnt helping to preserve our freedoms.

Frankly, America will never be safe as long as the U.S. government is allowed to shred the Constitution.

Now the government wants us to believe that we have nothing to fear from its mass spying program because theyre only looking to get the bad guys who are overseas.

Dont believe it.

The governments definition of a bad guy is extraordinarily broad, and it results in the warrantless surveillance of innocent, law-abiding Americans on a staggering scale.

Under Section 702, the government collects and analyzes over 250 million internet communications every year. There are estimates that at least half of these contain information about U.S. residents, many of whom have done nothing wrong.

The government claims its spying on Americans is simply incidental, as though it were an accident but it fully intends to collect this information.

Indeed, this sensitive data is not destroyed after the NSA vacuums it up. Rather, the government has written its own internal rules called minimization procedures that allow spy agencies such as the NSA to retain Americans private communications for years.

Far from minimizing any invasion of privacy, the rules expressly allow government officials to read our emails and listen to our phone calls without a warrant the very kinds of violations that the Fourth Amendment was written to prohibit.

Finally, once this information collected illegally and without any probable cause is ingested into NSA servers, other government agencies can often search through the databases to make criminal cases against Americans that have nothing to do with terrorism or anything national security-related. One Justice Department lawyer called the database the FBIs Google.

In other words, the NSA, an unaccountable institution filled with unelected bureaucrats, operates a massive database that contains the intimate and personal communications of countless Americans.

Warrantless mass surveillance of American citizens is wrong, un-American, and unconstitutional.

Its time to let Section 702 expire or reform the law to ensure that millions and millions of Americans are not being victimized by a government that no longer respects its constitutional limits.

Constitutional attorney John W. Whitehead, author of Battlefield America: The War on the American People, is the president of The Rutherford Institute, a civil liberties and human rights organization that is one of the plaintiffs in a lawsuit challenging Upstream surveillance under Section 702. Contact Whitehead at johnw@rutherford.org.

View post:
John W. Whitehead column: A dangerous proposition: Making the NSA's powers permanent - Richmond.com

Today Democratic Congressman Ted Lieu of California wrote to the NSA in an appeal for the agency to do anything in its power to stop the spread of the globalransomware (or potentially just disguised as ransomware) attack that began yesterday.

Lieu seeks to hold the NSA accountable for its leaked exploit, known as EternalBlue, which appears to have facilitated the malwares spread. Last month, the ransomware known as WannaCry also leveraged EternalBlue in order to spread between networked machines that have not been updated to protect them from the vulnerability, which Microsoft issued a patch for back in March (MS17-010).

Based on various reports, it appears these two global ransomware attacks likely occurred because the NSAs hacking tools were released to the public by an organization called the ShadowBrokers, Lieu wrote.

My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, then NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.

Lieu went on to implore the spy agency to communicate more openly with major tech companies about the vulnerabilities that it discovers in their systems. In the case of EternalBlue, the NSA is believed to have known about the exploit for years. Naturally that makes one wonder what other massive exploits the agency has up its sleeve and how easily those could be exposed in a new Shadow Brokers leak.

Given the ongoing threat, I urge NSA to continue actively working with companies like Microsoft to notify them of software vulnerabilities of which the Agency is aware, Lieu said.I also urge the NSA to disclose to Microsoft and other entities what it knows that can help prevent future attacks based on malware created by the NSA.

Some things about yesterdays ransomware attack make it even nastier than its predecessor WannaCry. As IEEE Senior Member and Ulster University Cybersecurity Professor Kevin Curran explained to TechCrunch: One key difference from WannaCry is that Petya does not simply encrypt disk files but rather locks the entire disk so nothing can be executed. It does it by encrypting the filesystems master file table so the operating system cannot retrieve files.

The other big difference: WannaCry had a kill switch, even if it wasserendipitous.

It does seem to have the same deadly replication feature of WannaCry which enables it to spread quickly across an internal network infecting other machines, Curran said. It seems to also be finding passwords on each infected computer and using those to spread as well. There seems to be no kill switch on this occasion.

We reached out to the NSA with questions about its ability to stop the spread of the current ransomware and its perceived responsibility moving forward. You can read Lieus full letter, embedded below.

See the original post here:
In aftermath of Petya, congressman asks NSA to stop the attack if it knows how - TechCrunch

It is hard to imagine more fitting names for code-gone-bad than WannaCry and Eternal Blue. Those are just some of the computer coding vulnerabilities pilfered from the National Security Agencys super-secret stockpile that have been used in two separate global cyber attacks in recent weeks. An attack on Tuesday featuring Eternal Blue was the second of these to use stolen NSA cyber toolsdisrupting everything from radiation monitoring at Chernobyl to shipping operations in India. Fort Meades trove of coding weaknesses is designed to give the NSA an edge. Instead, its giving the NSA heartburn. And its not going away any time soon.

As with most intelligence headlines, the story is complicated, filled with good intentions and unintended consequences. Home to the nations codebreakers and cyber spies, the NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and and all sorts of other products and services that connect us to the digital world. Its a rich hunting ground. The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given that an Android phone uses 12 million lines of code, were talking a lot of vulnerabilities. Some are easy to find. Others are really hard. Companies are so worried about vulnerabilities that manyincluding Facebook and Microsoftpay bug bounties to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.

Writing the Rules of Cyberwar

The NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses they find with American manufacturers so they can be patched. But not always. As NSA Director Mike Rogers told a Stanford audience in 2014,the default setting is if we become aware of a vulnerability, we share it, but then added, There are some instances where we are not going to do that. Critics contend thats tantamount to saying, In most cases we administer our special snake bite anti-venom that saves the patient. But not always.

In this case, a shadowy group called the Shadow Brokers (really, you cant make these names up) posted part of the NSAs collection online, and now its O.K. Corral time in cyberspace. Tuesdays attacks are just the beginning. Once bad code is in the wild, it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victimslots of themfor cyber bad guys to shoot at.

WannaCry and Eternal Blue must be how folks inside the NSA are feeling these days. Americas secret-keepers are struggling to keep their secrets. For the National Security Agency, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked that NSA stood for No Such Agency. When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters.

Now, the NSA finds itself confronting two wicked problemsone technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least no, but In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. Thats the basic idea behind the NSAs vulnerability collection: If we found a vulnerability, and we alone can use it, we get the advantage. Sounds good, except for the part about we alone can use it, which turns out to be, well, dead wrong.

Thats essentially what the FBI argued when it tried to force Apple to design a new way to breach its own products so that special agents could access the iPhone of Syed Rizwan Farook, the terrorist who, along with his wife, killed 14 people in San Bernardino. Law-enforcement and intelligence agencies always want an edge, and there is a public interest in letting them have it.

As former FBI Director James Comey put it, There will come a dayand it comes every day in this businesswhere it will matter a great deal to innocent people that we in law enforcement cant access certain types of data or information, even with legal authorization.

Many leading cryptographers (the geniuses who design secure communications systems) and some senior intelligence officials say that a technical backdoor for one is a backdoor for all. If theres a weakness in the security of a device or system, anyone can eventually exploit it. It may be hard, it may take time, it may take a team of crack hackers, but the math doesnt lie. Its nice to imagine that the FBI and NSA are the only ones who can exploit coding vulnerabilities for the good of the nation. Its also nice to imagine that Im the only person my teenage kids listen to. Nice isnt the same thing as true. Former NSA Director Mike Hayden publicly broke with many of his former colleagues last year. I disagree with Jim Comey, Hayden said. I know encryption represents a particular challenge for the FBI. ... But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor.

Hayden and others argue that digital security is good for everyone. If people dont trust their devices and systems, they just wont use them. And for all the talk that security improvements will lock out U.S. intelligence agencies, that hasnt happened in the 40 years of this raging debate. Thats right. 40 years. Back in 1976, during the first crypto war, one of my Stanford colleagues, Martin Hellman, nearly went to jail over this dispute. His crime: publishing his academic research that became the foundational technology used to protect electronic communications. Back then, some NSA officials feared that securing communications would make it harder for them to penetrate adversaries systems. They were right, of courseit did get harder. But instead of going dark, U.S. intelligence officials have been going smart, finding new ways to gather information about the capabilities and intentions of bad guys through electronic means.

The NSAs second wicked problem is humans. All the best security clearance procedures in the world cannot eliminate the risk of an insider threat. The digital era has supersized the damage that one person can inflict. Pre-internet, traitors had to sneak into files, snap pictures with hidden mini-cameras, and smuggle documents out of secure buildings in their pant legs or a tissue box. Edward Snowden could download millions of pages onto a thumb drive with some clicks and clever social engineering, all from the comfort of his own desktop.

There are no easy solutions to either the technical or human challenge the NSA now faces. Tuesdays global cyber attack is a sneak preview of the movie known as our lives forever after.

Talk about WannaCry.

Read the original:
The NSA Confronts a Problem of Its Own Making - The Atlantic