Category Archives: NSA

By Ms. Smith, Network World | May 31, 2017 8:54 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

The idea of crowdfunding to raise enough money to buy NSA-linked hacking tools from the Shadow Brokers is picking up steam and making some people steam.

The price tag for getting hold of stolen Equation Group hacking tools is 100 Zcash. When I started the article about the Shadow Brokers revealing details about its June dump of the month subscription service, the cost of 100 Zcash was equal to $22,779. By the time I finished writing, it was equal to $23,251. As I start this article, 100 Zcash is equal to $24,128. By tomorrow, the first day to subscribe to the Shadow Brokers monthly dump service, Zcash will likely cost even more dollars. If you dont have that kind of money, but want to partake in the spoils of the June dump, then maybe crowdfunding is the way to go?

At least that is what Hacker Houses Matthew Hickey and a security researcher gong by x0rz have proposed as the solution. They formed a Shadow Brokers Response Team, which a goal of creating open and transparent crowd-funded analysis of leaked NSA tools and launched a Patreon campaign to raise $25,000.

The campaign, dubbed a harm reduction exercise, states:

This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data.

Their hope is that by purchasing the stolen data and analyzing it, another attack like WannaCry can be prevented. But, oh my, some security experts are vehemently opposed to the idea and likened the crowdfunding effort to enabling cyberterrorists, negotiating with terrorists, or funding evil.

The Shadow Brokers did not reveal what data the group might dump in June, claimed to be undecided about it, but when first announcing the monthly dump subscription service, they said the dump could be:

The Patreon reads:

As a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities. We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days.

We believe it is in the greater good to obtain these exploits and mitigate the risk presented by them, the campaign adds.

The campaign launched yesterday and thus far has 24 patrons with a crowdfunded total of $2,225. The goal is to raise $25,000. If that goal is not met, the bitcoin funds will be donated to a to a charitable organization campaigning for human and/or digital rights. Patreon subscribers will be refunded if the platform allows it (or we will not post to prevent a charge). We will split whatever maybe left over from this evenly between EDRI and the EFF. If you had money to spend on an exploit auction like this, giving it to charity should not be too objectionable for you.

Of course, the Shadow Brokers might be playing everyone and not have anything left to dump. Conversely, the group might still have powerful NSA Equation Group-developed exploits. The NSA could just step up and tell all affected parties how it was exploiting their products, as it allegedly did when it told Microsoft, so the patches can be developed and deployed before the exploits are in the public domain. But lets get real; thats highly unlikely to happen.

Nevertheless, the Patreon floats the idea:

If the NSA are willing to inform us about what it is they have lost, the capabilities and vulnerabilities it has exploits for - so that we can make informed decisions to defend our networks then we will withdraw from this option. We need accurate guidance to be able to defend our networks and so far that guidance is not forthcoming from anywhere else.

While some people view pooled funding resources as a way to give the Shadow Brokers the least amount yet still get hold of the dump to get things patched, others are adamant that giving the group any money is morally wrong.

At the time of publishing, 100 ZEC (Zcash) had slightly decreased from $24,128 at the time I started the article to $23,662. If you dont have that to spare for the June data dump monthly subscription, will you join the crowdfunding campaign?

Read more here:
Crowdfunding campaign to buy stolen NSA hacking tools from Shadow Brokers - Network World

A hacker group with suspected ties to the Vietnamese government appears to be researching a leaked National Security Agency tool codenamed ODDJOB, based on documents uploaded to the repository VirusTotal andtied to a source already identified as OceanLotus group, otherwise known as APT32.

A classified user manual for ODDJOB was originally published on April 14 by a mysterious group, known for sharing NSA documents, named the Shadow Brokers. A copy of this same document was then uploaded April 17 to VirusTotal along with other malicious email attachments by OceanLotus. Multiple U.S. cybersecurity firms say OceanLotus is aligned with the interests of the Vietnamese government.

The specific version of the manual uploaded by OceanLotus was not weaponized, meaning it didnt carry malware that could be used to convert the harmless PDF to a phishing lure.

ODDJOB is a high-quality, masterfully engineered digital weapon believed to have been once used to help U.S. spies collect intelligence stored on machines running older versions of Microsoft Windows. Details on this backdoor implant are scarce at the moment. The operational computer code behind ODDJOB was not released by the ShadowBrokers.

OceanLotus apparent interest in the ODDJOB manual underscores the efforts now being made by nation-backed hacking groups to better understand, and potentially reuse, leaked NSA capabilities a fear perhaps already realized with the WannaCry ransomware campaign.

When ODDJOB is deployed against a target computer it attempts to obscure network traffic by appearing to be the Microsoft Background Intelligence Transfer Services, or BITS, which is typically used by Windows Update to apply a patch to a computer.

As of Thursday afternoon, the related file uploaded to VirusTotal remained in plain view.

The manual was first made public by the Shadow Brokers in April, but interest in this document by nation-states was previously unreported.

CyberScoop first reported Wednesday that OceanLotus was likely behinda cyber-espionage operation aimed at the Philippines government; a campaign which similarly saw sensitive documents be uploaded to VirusTotal. The reason for why these documents are being uploaded to a public forum remains unclear.

In addition to the ODDJOB manual, the aforementioned file dump includes, among other documents, an apparently leaked transcript of a phone conversation between U.S. President Donald Trump and Philippines President Rodrigo Duterte,briefing notes for a call between Philippine government officials and a U.S. senator, and internal documents tied to the Philippine National Security Council.

OceanLotus has been known to conduct missions against valuable corporations, foreign governments, dissidents and domestic journalists since at least 2014, according to research conducted by FireEye.

Read more:
Vietnamese hackers appear to be researching an NSA backdoor tool - CyberScoop

A group of suspected National Security Agency (NSA) leakers known as the ShadowBrokers on Tuesday announced more details of its monthly subscription service to provide remaining documents from its NSA cache.

The group has been releasing files that appear to have been pilfered from the NSA in 2013 since last summer most notably releasing a suite of Windows hacking tools that were subsequently used in the WannaCry ransomware that induced a global panic earlier this month.

The ShadowBrokers on Tuesday posted instructions on how to join a "Wine of the Month" club for new NSA leaks. In the post, the group said interested parties should send 100 ZCash coins a digital currency akin to bitcoin to sign up for the service. Enrollment will begin June 1 and end June 30.

"Q: Is Zcash safe and reliable?

"[Explitive] no! If you caring about loosing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing 'the game' is involving risks."

The post is written in the ShadowBrokers's trademark inconsistent broken English, widely believed to be an attempt to conceal the group's identity.

Little is known about the ShadowBrokers, including whether it is a group or an individual, as well as whether it is hackers or NSA insiders leaking files. It first appeared in August trying to auction the complete set of tools, releasing an initial leak purportedly to drum up interest in the sale.

It returned in April to leak Windows tools in what the Brokers said was a protest of President Trump abandoning his hard-right positions for a more centrist view.

In an apparent attempt to capitalize on the notorietyof WannaCry, the ShadowBrokers announced its monthly leaking service just after WannaCry warranted international headlines.

The leaked documents appear to be at least in part genuine NSA documents. One of the hacking tools releasedby the group contained an identification code mentioned in a previously unreleased Edward Snowden file.

The ShadowBrokers claim it will not announce the contents of the monthlyleaks in advance.

"Q: What is going to be in the next dump?" ask the Brokers in the Monday post.

"TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers previous posts... Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers first. This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"

Originally posted here:
NSA leakers begin sign-ups for monthly leak subscription service - The Hill

Some questions, admiral.

The effects of this months global ransomware attackseem to be fading, fortunately.But a crucial question the incidentraisedis only getting more urgent. When it comes to online security, the U.S. governments priorities -- preventing terrorism and protecting cyberspace-- are in permanent tension.Is there a way to resolve it?

The National Security Agency routinely seeks out flaws in common software and builds tools, known as exploits, to take advantage of them. Doing so is an essential part of the agencys mission of spying on terrorists and foreign adversaries, yet it comes with grave risks.

The latest attack --still evolving-- is an example. Researchers say it takes advantage ofa stolen NSA tool to exploit a flaw in some versions of Windows. Microsoft Corp.hassuggestedthat the NSA knewof the flaw for some time, yet didnt disclose it until the theft.

That may sound unnerving. Windows is ubiquitous, and governments are generally expected to respect online security, not undermine it. Microsoft is understandably unhappy. Worse, the initial attack crippled everything from banks to hospitals. Its fair to say that lives were at risk.

So why keep such a harmful vulnerability secret? Simple:Exploiting it proved hugely effective in swooping up intelligence -- like fishing with dynamite, as one former NSA employeeput it.

Deciding whether such intelligenceis worth the risk isa fraught and secretive process. When a significant new flaw is found by a federal agency, its shared among experts from the intelligence, defense and cybersecurity bureaucracies (among others), who debate whether to disclose or exploit it, according tonine criteria. A review board then makes a final decision. In almost all cases involving a product made or used in the U.S. -- more than 90 percent, according to the NSA -- the flaws are disclosed.

Although its an imperfect process, a better way isnt obvious. Simply disclosing all vulnerabilities, as some activistsdemand, would be nuts. Intelligence would dry up, investigations would be hobbled, and the Pentagon would lose crucial insight into foreign militaries, for starters. Other countries would continue exploiting such flaws to their advantage. To echo a Cold Warlocution, it would amount to unilateral disarmament.

Likewise, Microsoft hasproposeda digital Geneva Convention, or a global agreement to disclose flaws. But the worst actors online -- thieves, gangsters,North Korea-- would hardly feel constrained by such a protocol, while the restraints put in place could well eliminate crucial methods of tracking them.

Clear thinking from leading voices in business, economics, politics, foreign affairs, culture, and more.

Share the View

Abetter approachis to improve the current system. One problem is that the secrecy required makes it hard to know how well the stated criteria for retaining vulnerabilities are being followed. Reporting the total number found and disclosed each year might offer some reassurance to tech companies and the public, without divulging anything sensitive. Periodic audits of those that have been retained could help ensure that agencies arent hoarding dangerous stuff thats no longer useful. Most important, though, is to better secure these flaws -- and the tools meant to exploit them -- whilehaving a strategy tomitigate the risks if theyre once again leaked.

Failing that, the public may quickly lose confidence in this process. And that may be the biggest risk of all.

--Editors: Timothy Lavin, Michael Newman.

To contact the senior editor responsible for Bloomberg Views editorials: David Shipley at davidshipley@bloomberg.net.

Excerpt from:
Ransomware and the NSA - Bloomberg

In my last column, I broke the news that Admiral Mike Rogers, the director of the National Security Agency, reportedly explained to his workforce last week that he had declined to assist President Donald Trump in his efforts to undermine the FBI and its counterintelligence investigation of the White House. As Rogers is said to have explained to agency personnel, There is no question that we have evidence of election involvement and questionable contacts with the Russians.

On this basis, Admiral Rogers confirmed the existence of highly classified signals intelligence which establishes some sort of collusion between Team Trump and the Kremlin during the 2016 election campaign. However, now that the Justice Department has appointed Robert Mueller special counsel charged with running the Russia investigation, NSA is apparently pulling out all the stops to track down any additional evidence which might be relevant to the expanded inquiry into KremlinGate.

Specifically, last week NSA is believed to have sent out an unprecedented order to the Directorate of Operations, the agencys largest unit. The DO, as insiders term it, manages all of NSAs SIGINT assets worldwide, making it the most important spy operation on earth. The email sent to every person assigned to the DO came from the Office of General Counsel, the NSAs in-house lawyers, and it was something seldom seen at the agencya preservation order.

Such an order would have charged every DO official, from junior analysts to senior managers, with finding any references to individuals involved in KremlinGate, especially high-ranking Americansand preserving those records for Federal investigators. This would include intercepted phone calls and any transcripts of them, emails, online chats, faxesanything the agency might have picked up last year.

At the request of NSA officials, I will not name the specific individuals that DO personnel have been told to be on the lookout for in SIGINT intercepts, but one could fairly surmise that the list includes virtually all key members of Team Trump.

There are several possible ways such individuals can come up in raw SIGINT. First, they might be the people talking or chatting: in other words, first-person intercept. If NSA has a relevant top-secret warrant issued by the Foreign Intelligence Surveillance Court, such intelligence collection is perfectly legalas well as highly classified.

Second, someone might recount a conversation with one of the individuals the DO is interested in. This seems to be the scenario behind the recent sensational story about how Jared Kushnerthe presidents son-in-law, all-purpose adviser, and former publisher of Observeris said to have asked Sergei Kislyak, Russias ambassador in Washington, to use his embassys secure communications to talk to Moscow. NSA reportedly intercepted a conversation between Kislyak and the Kremlin in which the ambassador relayed Kushners request to his bosses back home.

Third is a kind of intercept which NSA terms reflections, meaning that none of the individuals on the DOs list are involved, but one or more of them are being discussed by third parties. For instance, this could be a conversation between foreign officials about Team Trump and its mounting Russia problems. If the people discussing it are VIPs, their opinions may have intelligence value for policymakers in Washingtoneven if their conversation may shed no new investigative light on KremlinGate.

An example: if NSA intercepts a conversation in which senior diplomats from Middle Eastern countries are chatting about Trumps relationship with Moscow, that could be an important reflection of how their countries leaderships view the situation in Washington. If one of those Middle Eastern countries is a close ally (or avowed enemy) of the United States, their views of KremlinGate would be of interest to high-ranking American officials, even if the conversation is based on no more than press reports and office gossip.

The DO is divided into offices which focus on a specific country or region (e.g. China, the Middle East) or on a defined problem set (e.g. counterterrorism, counterintelligence). Months ago, the DOs Russia shop is said to have received a preservation order from the agencys lawyersno surprise, given what that office does. Now such an order has reportedly been passed to the whole DO, including offices which have nothing to do with Russia. This demonstrates the agencys serious intent to provide investigators with any evidence which may shed additional light on KremlinGate.

That said, NSA may have another motive in issuing this DO-wide order. Such motive is the Intelligence Communitys venerable tradition of self-preservation, what spy-veterans term CYA. As Trumps Russia problems have heated up, his fans and media allies have made increasingly serious accusations of malfeasance by NSA and other spy agencies under President Obama. Some of these wild charges have been ludicrous, merely lies created by Kremlin disinformation outlets, then parroted by right-wing media in America.

That media has lavished particular attention on the issue of SIGINT unmasking, meaning the process of how NSA responds to high-level requests to reveal the name of any American who appears in an intelligence report (normally those names are redacted; for an explanation of how this complex issue really works, see this). Although theres no evidence of any systematic abuse of unmasking by President Obama, this hasnt halted the increasingly shrill accusations.

The Kremlin has tried to smear NSA for years, and that clandestine campaign got a big boost with the defection of Edward Snowden to Moscow almost four years ago. As Ive explained, discrediting NSA and its global intelligence partnerships played a key role in Russias interference in our election last year. In order to counter pervasive lies about the agency and its mission, the reported preservation order includes collecting all customer requests for unmaskings, plus records of which agency analysts accessed the information and when, exactly: in other words, complete data trails of all incidents of SIGINT unmasking in 2016.

An undertaking of this size and scope has never happened in NSAs 65-year history. Although preservation orders have been issued previously, never has the entire DO been told to search all its databases for SIGINT on named individuals, then preserve anything thats discovered. KremlinGate is a unique event in our nations history, with accusations of nefarious meddling by hostile intelligence agencies in our democracy, and its bringing about unprecedented developments in our spy agencies too.

Given the complex nature of SIGINTsuch a DO preservation order will require thousands of analysts to reexamine at least hundreds of thousands of intercepted communicationsit seems likely that some relevant information will be uncovered. Although the public may not learn of new evidence anytime soon, we can rest assured that anything pertinent to the KremlinGate inquiry will be shared with the FBI and Bob Muellers investigators without delay.

John Schindler is a security expert and former National Security Agency analyst and counterintelligence officer. A specialist in espionage and terrorism, hes also been a Navy officer and a War College professor. Hes published four books and is on Twitter at @20committee.

Excerpt from:
NSA in Unprecedented Hunt for KremlinGate Evidence | Observer - Observer

There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims access to their computers until they pay a fee. Then there are the users who didnt install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place. One could certainly condemn the Shadow Brokers, a group of hackers with links to Russia who stole and published the National Security Agency attack tools that included the exploit code used in the ransomware. But before all of this, there was the NSA, which found the vulnerability years ago and decided to exploit it rather than disclose it.

All software contains bugs or errors in the code. Some of these bugs have security implications, granting an attacker unauthorized access to or control of a computer. These vulnerabilities are rampant in the software we all use. A piece of software as large and complex as Microsoft Windows will contain hundreds of them, maybe more. These vulnerabilities have obvious criminal uses that can be neutralized if patched. Modern software is patched all the timeeither on a fixed schedule, such as once a month with Microsoft, or whenever required, as with the Chrome browser.

When the U.S. government discovers a vulnerability in a piece of software, however, it decides between two competing equities. It can keep it secret and use it offensively, to gather foreign intelligence, help execute search warrants, or deliver malware. Or it can alert the software vendor and see that the vulnerability is patched, protecting the countryand, for that matter, the worldfrom similar attacks by foreign governments and cybercriminals. Its an either-or choice. As former U.S. Assistant Attorney General Jack Goldsmith has said, Every offensive weapon is a (potential)

See original here:
Why the NSA Makes Us More Vulnerable to Cyberattacks The Lessons of WannaCry - Foreign Affairs

Recode

Secret court rebukes NSA for 5-year illegal surveillance of US citizens Miami Herald Parts of the ruling were redacted, including sections that give an indication of the extent of the illegal surveillance, which the NSA told the court in a Jan. 3 notice was partly the fault of human error and system design issues rather than ... The nation's top tech companies are asking Congress to reform a key NSA surveillance programRecode Tech giants to Congress: Please change how NSA spies on peopleCNET Facebook, Google (but not Apple) join in asking Congress to reform government surveillance programSilicon Valley Business Journal The Register all 17 news articles »

More:
Secret court rebukes NSA for 5-year illegal surveillance of US citizens - Miami Herald

In a letter sent today to House lawmakers, major tech companies asked for reforms to a legal authority underpinning controversial National Security Agency programs.

Section 702 is set to expire at the end of the year

Section 702 of the FISA Amendments Act, which is set to expire at the end of this year, is the legal basis for NSA programs that broadly sweep up electronic communications. The programs are meant to target non-US citizens overseas, although critics have long charged that Americans are unnecessarily caught up in the net. Section 702 is used to authorize the controversial PRISM program, which the NSA uses to collect information from tech companies.

The letter, signed by companies including Amazon, Facebook, Google, Twitter, and Uber, requests that lawmakers consider changes before reauthorizing 702, such as increasing transparency and oversight, as well as narrowing the amount of information collected under such programs. The companies also asked for more leeway in disclosing national security demands.

Last month, the NSA said it would halt 702 collections that simply mention foreign intelligence targets, a process that has been the subject of major criticism. The letter also requests that those changes to the process be codified by law.

The companies write that the letter is meant to express our support for reforms to Section 702 that would maintain its utility to the U.S. intelligence community while increasing the programs privacy protections and transparency.

Link:
Facebook, Google, and other tech companies ask lawmakers to ... - The Verge

Facebook, Google, Microsoft and a host of tech companies asked Congress on Friday to reform a government surveillance program that allows the National Security Agency to collect emails and other digital communications of foreigners outside the United States.

The requests came in the form of a letter to Republican Rep. Bob Goodlatte, a Virginia lawmaker whos overseeing the debate in the House of Representatives to reauthorize a program, known as Section 702, which will expire at the end of the year without action by Capitol Hill.

In their note, the tech companies asked lawmakers for a number of changes to the law particularly to ensure that Americans data isnt swept up in the fray. Meanwhile, they endorsed the need for new transparency measures, including the ability to share with their customers more information about the government surveillance requests they receive.

Signing the note are companies like Airbnb, Amazon, Cisco, Dropbox, Facebook, Google, LinkedIn, Lyft, Microsoft and Uber.

Absent, however, is Apple, which previously has joined with its tech counterparts in pushing for limits in government surveillance programs. A spokesman did not immediately respond to a request for comment Friday.

Section 702 is one of a number of U.S. surveillance authorities that had been the subject of great scrutiny and debate in the aftermath of Edward Snowdens surveillance leaks. The disclosures have also caused years of heartburn for Silicon Valley, which has faced an onslaught of criticism from international customers who feel the tech industry is too close to the U.S. government. Many top tech companies even banded together in a lobbying group that pushed for surveillance reforms in 2013.

As the fight over the NSAs powers returns to Congress, however, the Trump administration has urged lawmakers to keep Section 702 in its exact, current form.

Earlier this month, the NSA on its own terminated a piece of its program that essentially allowed the agency to collect Americans emails and texts if those communications contained key words related to foreigners that already are targeted for government surveillance.

To that end, the tech companies writing Congress today said Congress should formally outlaw that practice, known as about collection, as part of its new legislation, to ensure it cant come back.

Otherwise, the governments Section 702 program isnt supposed to target Americans. But their communications still are lapped up in the bunch, sometimes incidentally, including cases in which an American is communicating directly with a non-U.S. person who is the subject of NSA scrutiny. Despite calls from the likes of Sen. Ron Wyden, D-Ore., the agency has never disclosed the total number of Americans affected by such a program.

In response, the tech industry asked Congress to put in place judicial oversight for government queries for U.S. citizens data. And they asked House lawmakers to rethink other portions of the law to reduce the likelihood of collecting information about non-U.S. persons who are not suspected of wrongdoing.

Visit link:
The nation's top tech companies are asking Congress to reform a key NSA surveillance program - Recode

Former head of the National Security Agency (NSA) Michael Hayden on Saturday said White House adviser and President Trump's son-in-law Jared Kushner is naive and ignorant if reports that he sought to create a secure communication channel with Russia are true.

Well, Michael, right now, Im going with naivet and thats not particularly very comforting for me, Hayden told CNNs Michael Smerconish.

I mean what manner of ignorance, chaos, hubris, suspicion, contempt would you have to have to think that doing this with the Russian ambassador was a good or appropriate idea?

The former head of the NSA and CIA said Kushners reported action says a lot about both the presidential campaign and the state of American society.

It says an awful lot about the campaign, Michael, said Hayden.

It says an awful lot about us as a society that we could actually harbor those kinds of feelings that the organs of the state would be used by my predecessor to come after me or to intercept my communications or to disrupt my administration in a way that made it seem legitimate to me to use the secure communications facilities of a foreign power.

Hayden added that while it is possible Russia could be engaging in a disinformation campaign, regarding the communications, his instincts say no.

View post:
Ex-NSA head on Kushner: Ignorance, Chaos, Hubris | TheHill - The Hill (blog)