Archive for the ‘NSA’ Category

NSA Year in Review: Election Security, Cybersecurity, and More – HSToday

The pandemic affected everyone this year, but our mission didn't slow down. As our Director, GEN Paul Nakasone, said, we are one team, and each of us contributes our unique expertise to a mission that is all the more critical in times of crisis.

Throughout 2020, our workforce contributed our expertise in many ways:

NSA worked to secure our elections

The security of the 2020 Presidential election was NSA's top priority in 2020. We were part of the Whole-of-Government effort to identify and counter foreign interference and malign influence threats to the 2020 U.S. elections. NSA generated vital insights and shared them with partner agencies like U.S. Cyber Command, the Department of Homeland Security and the Federal Bureau of Investigation. Our efforts strived to assure all audiences, and most importantly the American public, that NSA, USCYBERCOM, and other U.S. government partners together protected the U.S. elections from foreign interference and influence campaigns.

NSA shared cybersecurity guidance and advisories

Maryland Governor Hogan recognized our cybersecurity expertise to keep COVID-19 research protected as part of the U.S. Government-wide Operation Warp Speed (OWS). In addition to our support to OWS, as the pandemic shifted the workplace to home, NSA helped teleworkers work from home safely, secure their home office, and even limit their mobile device exposure thanks to guidance developed by our Cybersecurity mission.

NSA continued our steady provision of cybersecurity advice for the Department of Defense, National Security Systems and the Defense Industrial Base. These specific advisories and guidance also helped system administrators and other cyber specialists across the cybersecurity field by providing information that was timely, relevant, and actionable throughout the year.

NSA drove innovative solutions

While the world faced new challenges this year, we didn't stop creating solutions. We contributed to the evolution of 5G, were involved in how to keep the Internet of Things secure, planned for the future of national security when applying quantum computing, developed a QuBIT Collaboratory, and stood up the Center for Cybersecurity Standards.

NSA invested in our nation's future

We look forward to starting the New Year, and the future looks bright thanks to our investments in it. The OnRamp II program provides scholarships for students who will be developing the newest solutions to keep our nation safe. NSA worked in partnership with the DoD Office of Small Business Programs and created the Cybersecurity Education Diversity Initiative to assist minority-serving institutions. This allows Historically Black Colleges and Universities with no existing cybersecurity program to obtain access to educational resources from designated National Centers of Academic Excellence in Cybersecurity institutions. We were pleased to announce that the U.S. Naval Academy received its designation as an NSA Center of Academic Excellence in Cyber Operations to develop new cyber warriors.

NSA personnel recognized for excellence

While many NSA personnel serve in silence, several of our staff and former personnel were publicly recognized this year for their dedication to our nation's security. Former NSA Executive Director Harry Coker was recognized by the Intelligence Community for his commitment to improving diversity, equality, and inclusion. MSgt Frances Dupris, Dr. Ahmad Ridley, LaNaia Jones and Janelle Romano were recognized for showing the importance of STEM education and career development. Our Tech Transfer Team was recognized by the DoD for creating an efficient process for releasing NSA-developed capabilities to the open-source software community.

For more details on our efforts to protect our nation and secure our future, check out our Twitter, @NSAGov, throughout the month.

Read more at NSA

Read the original post:
NSA Year in Review: Election Security, Cybersecurity, and More - HSToday

VMware Flaw Used To Hit Choice Targets In SolarWinds Hack: Report – CRN

A VMware vulnerability that allowed access to protected data and federated authentication abuse was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported.

The U.S. National Security Agency (NSA) warned on Dec. 7 that a flaw in the software of Palo Alto, Calif.-based VMware was being used by Russian hackers to impersonate legitimate users on breached networks. In order to exploit this vulnerability, the NSA said hackers would need to be on the target's internal network, which KrebsOnSecurity pointed out would have been the case in the SolarWinds hack.

VMware told CRN that it has received no notification or indication that this vulnerability was used in conjunction with the SolarWinds supply chain compromise. After being tipped off to the flaw by the NSA, VMware released a software update Dec. 3 to plug the security hole.

While some of VMware's own networks used vulnerable versions of SolarWinds' Orion network monitoring platform, the company told CRN that an investigation has thus far revealed no evidence of exploitation. VMware's stock is down $7.47 (5.04 percent) to $140.63 per share since the KrebsOnSecurity report came out just after 1:30 p.m. ET Friday.

"While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation," VMware said in a statement. "This has also been confirmed by SolarWinds' own investigation to date."

The NSA advisory came less than 24 hours before FireEye disclosed that it had suffered a security breach designed to gain information on some of the company's government customers. SolarWinds said its CEO Kevin Thompson was told Saturday by a FireEye executive of the Orion backdoor, and soon discovered it had been the victim of a cyberattack that impacted both its Orion tools and its internal systems.

The only private-sector organizations flagged as having been compromised via SolarWinds are FireEye and Microsoft, with Reuters reporting the latter Thursday. Reuters also alleged that Microsoft's own products were then used by Russian government hackers to further the attacks on other victims.

Microsoft told CRN Thursday the sources for the Reuters report are misinformed or misinterpreting their information, but acknowledged the software giant had detected malicious SolarWinds binaries in its environment. The U.S. government said Thursday it has evidence of additional initial access vectors beyond SolarWinds Orion, but noted those other intrusion methods are still being investigated.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Thursday it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.

One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.

Similarly, the NSA's Dec. 7 report said exploiting the VMware Access and VMware Identity Manager products via led to installation of a web shell and follow-on malicious activity in which credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.

Microsoft ADFS can be used to federate identities with VMware Identity Manager, the NSA wrote in a cybersecurity advisory issued yesterday. By abusing the federated authentication, the NSA said the hackers can abuse the trust established across the integrated components.

Adversaries target products like VMware Identity Manager to gain access to cloud services such as Microsoft Office 365, the NSA wrote yesterday. Once access is gained, the NSA said the hackers can monitor or exfiltrate emails and documents stored in Microsoft Office 365 environments.

Go here to see the original:
VMware Flaw Used To Hit Choice Targets In SolarWinds Hack: Report - CRN

NSA Warns of Hacking Tactics That Target Cloud Resources – BankInfoSecurity.com

The U.S. National Security Agency has issued a warning about two hacking techniques that could allow threat actors to access cloud resources by bypassing authentication mechanisms.

The warning comes after a week's worth of revelations over the SolarWinds breach that has affected government agencies as well as corporations, including Microsoft, FireEye, Intel and Nvidia (see: SolarWinds Hack: Lawmakers Demand Answers).

Secretary of State Mike Pompeo, commenting on the breach, said in a Friday evening radio interview that "the Russians engaged in this activity."

"I can't say much more as we're still unpacking precisely what it is, and I'm sure some of it will remain classified," Pompeo said, according to a transcript provided by the State Department. "But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well. This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity."

In a pair of tweets on Saturday, President Donald Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role (see: President Trump Downplays Impact of SolarWinds Breach).

"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."

The NSA advisory does not specify whether the nation-state hackers behind the SolarWinds breach used these same tactics, techniques and procedures to compromise various networks and gain additional privileges, but the advisory notes threat actors could use these methods to steal credentials and maintain persistent access.

"Initial access can be established through a number of means, including known and unknown vulnerabilities," according to the NSA alert. "The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access."

The NSA adds these particular tactics and methods described in the alert are not new and have been used by threat actors since 2017.

The two techniques described by NSA involve hacking of cloud resources using either compromised authentication tokens or through compromised system administration accounts in the Microsoft Azure platform. The agency adds, however, that these techniques can be replicated in other cloud platforms as well.

The NSA notes that its latest alert builds on a previous warning about techniques that Russian-linked hackers were using to exploit a vulnerability in several VMware products. The company has since issued a fix for this bug, and users are encouraged to apply it as soon as possible (see: NSA: Russian Hackers Exploiting VMware Vulnerability).

This alert describes two scenarios where the attackers have already compromised the local network and have gained access to the authentication mechanisms that are used to access cloud resources.

In the first scenario, the threat actors begin by compromising on-premises components of federated single sign-on authentication systems that use a single identification and password to log into several systems, the advisory notes.

The attackers then steal credentials or private keys that are used to sign Security Assertion Markup Language, or SAML, tokens used for authentication and authorization between cloud service providers and their tenants or users, the NSA notes.

"Using the private keys, the actors then forge trusted authentication tokens to access cloud resources," according to the NSA alert. "If the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens."

In the second scenario, the threat actors use compromised administrator accounts to assign credentials to cloud application services. The actors then call for the applications' credentials to gain automated access to cloud resources, the advisory adds.

The NSA adds that attacks against the cloud infrastructure do not use vulnerabilities in the cloud components, but instead manipulate the "trust" needed for performing authentication, assigned privileges and the SAML tokens.

"If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access," the advisory notes.

Brendan O'Connor, CEO and co-founder of security firm AppOmni, notes the tactics described by NSA particularly make third-party apps that connect to cloud services more susceptible to attacks, especially with more organizations now working remotely due to the COVID-19 pandemic.

"It's not that our premise tools have failed, but the data has moved to where they can't see it," O'Connor tells Information Security Media Group. "Getting visibility into what third-party applications are already connected to your cloud applications should be one of the top priorities for security teams."

Because the attacks mainly take advantage of Security Assertion Markup Language in cloud platforms, the NSA recommends several steps that cloud service providers and users can adopt to prevent breaches using the scenarios described in the alert. These mitigation methods include:

The NSA also recommends auditing the tokens to identify any disparities in their activity. This can be done by auditing the creation and use of service principal credentials, or by auditing the assignment of credentials to applications that allow non-interactive sign-in by the application.
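One way to implement the auditing the advisory recommends, as an added example that is not from the NSA advisory or this article: it scans constructed directory audit and sign-in records for credential assignments to service principals, for changes to the federation trust (the path by which a forged SAML signing certificate becomes trusted), and for a credential assignment followed by a non-interactive sign-in by the same principal. The activity names and record layout are assumptions modelled on the style of cloud directory audit logs; map them to your own tenant's schema.

```python
from datetime import datetime, timedelta

# Activity names follow the style of Azure AD directory audit logs but are
# assumed values for this example; adjust them to your tenant's schema.
CREDENTIAL_ASSIGNMENT = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
FEDERATION_CHANGE = {
    "Set federation settings on domain",
    "Set domain authentication",
}

# Constructed sample records (not real telemetry); field names are simplified.
AUDIT_EVENTS = [
    {"time": "2020-12-17T09:00:00", "activity": "Add member to group",
     "actor": "alice@example.test", "target_id": "grp-42"},
    {"time": "2020-12-17T09:05:00", "activity": "Add service principal credentials",
     "actor": "admin@example.test", "target_id": "sp-mail-reader"},
    {"time": "2020-12-17T09:20:00", "activity": "Set federation settings on domain",
     "actor": "admin@example.test", "target_id": "example.test"},
]
SIGNIN_EVENTS = [
    {"time": "2020-12-17T09:07:00", "principal_id": "sp-mail-reader",
     "interactive": False, "resource": "Exchange Online"},
    {"time": "2020-12-17T10:00:00", "principal_id": "sp-backup",
     "interactive": False, "resource": "SharePoint"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def credential_assignments(audit_events):
    """Audit records that attach a secret or certificate to an app or service principal."""
    return [e for e in audit_events if e["activity"] in CREDENTIAL_ASSIGNMENT]


def federation_changes(audit_events):
    """Audit records that alter the federation trust, e.g. a new token-signing certificate."""
    return [e for e in audit_events if e["activity"] in FEDERATION_CHANGE]


def credential_then_signin(audit_events, signin_events, window_hours=24):
    """Correlate a credential assignment with a later non-interactive sign-in by that principal."""
    window = timedelta(hours=window_hours)
    findings = []
    for a in credential_assignments(audit_events):
        t0 = parse_ts(a["time"])
        for s in signin_events:
            if s["interactive"] or s["principal_id"] != a["target_id"]:
                continue
            t1 = parse_ts(s["time"])
            if t0 <= t1 <= t0 + window:
                findings.append({
                    "principal": a["target_id"], "credential_added_by": a["actor"],
                    "added_at": a["time"], "signed_in_at": s["time"],
                    "resource": s["resource"],
                })
    return findings


def review(audit_events, signin_events):
    """Report both patterns; every entry is something an analyst should verify with the admin."""
    return {
        "credential_assignments": credential_assignments(audit_events),
        "federation_changes": federation_changes(audit_events),
        "credential_then_signin": credential_then_signin(audit_events, signin_events),
    }


if __name__ == "__main__":
    for key, items in review(AUDIT_EVENTS, SIGNIN_EVENTS).items():
        print(f"{key}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

Every hit is a lead, not a verdict: a legitimate administrator also adds credentials and rotates federation settings, so the value is in reconciling each record against a change ticket.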

While the mitigation strategies described by the NSA are meant to provide guidance for the National Security System, Department of Defense, and Defense Industrial Base network administrators, these methods can be applied to any network.

Managing Editor Scott Ferguson contributed to this report.

See the article here:
NSA Warns of Hacking Tactics That Target Cloud Resources - BankInfoSecurity.com

No, the United States Does Not Spend Too Much on Cyber Offense – Council on Foreign Relations

In the wake of the SolarWinds incident, critics have pointed to budget and personnel imbalances between offensive and defensive missions. As Alex Stamos pointed out in the Washington Post, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security has only 2,200 employees for a mission that includes protecting all sixteen critical infrastructure sectors and all federal agencies, while the National Security Agency (NSA) alone has more than 40,000 employees. The Department of Defense's (DOD) Cyber Command has over 12,000 personnel, including 6,000 military members.

While total spending on cyber missions at NSA is classified, what is known about federal spending suggests priorities skewed toward offense. As Jason Healey pointed out last spring, the DOD's cybersecurity budget is significantly larger than the cybersecurity budgets of all civilian components combined. The federal government spends more than half a billion dollars per year on the headquarters elements of Cyber Command alone and only $400 million on cyber diplomacy at the State Department. All of CISA's budget adds up to about half of what DOD spends on just offensive cyber operations.

The SolarWinds disaster clearly indicates that CISA and federal agencies will need more money in order to develop the capabilities necessary to detect and contain adversaries as capable as Russia's Foreign Intelligence Service. Additional funds are also badly needed to scale out efforts to coordinate with the private sector, fund research that the market will not support, and bolster the security of critical infrastructure. That funding, however, should not come out of the current budgets or future budget growth on the offensive side of the equation.

Since cybersecurity first became an issue of national import, cyber policy has been predicated on the idea of a public-private partnership, a term that is now nauseating to much of the community. Yet the phrase captures the reality that the federal government, unlike in other domains, does not assume ultimate responsibility for the security of systems it does not own or operate, including critical infrastructure. In terms of dollars and cents, this means that total spending on U.S. cybersecurity is actually heavily skewed toward defense, not offense, because all the cybersecurity spending in the private sector goes in the defense column.

Alongside DHS's 2,200 employees at CISA, the 6,000 cyber warriors in the Defense Department suggest an imbalance towards offense over defense, until you recognize that only about 2,000 of these 6,000 are in units that carry out offensive cyber missions, and these 2,000 people are the only people in the United States authorized to carry out offensive cyber operations. Even the NSA's 40,000 employees, only a fraction of whom are focused on intelligence collection against adversary cyber operators, pale alongside the total cybersecurity workforce, estimated at 750,000.

While estimates of total private sector spending in the United States range from $40 billion to $120 billion, even the lower end of that range is more than ten times the Pentagon's budget for cyber operations and four times what data leaked in the Snowden disclosures suggested was the NSA's budget. Microsoft alone says that it spends $1 billion a year on cybersecurity, and JP Morgan also spends close to that amount.

No doubt CISA needs to grow several times over to carry out its mission, and other civilian agencies will need a large influx of funds to secure themselves, but relative percentages between defense and offense in the federal budget could look largely the same.

While the defense clearly failed, it is becoming increasingly clear that the intelligence community either failed to detect this campaign or lacked the ability to understand and communicate what it saw. It's also possible that the NSA supplied indications and warnings of the campaign to Cyber Command but offensive operators were spread too thin to engage and disrupt the activity. Either way, more spending, not less, on offense could be in the cards.

Read the original post:
No, the United States Does Not Spend Too Much on Cyber Offense - Council on Foreign Relations

Lawmakers press Trump to sign NDAA in the wake of massive hack – FCW.com

Lawmakers are urging President Donald Trump to walk back a threatened veto of the annual defense bill over non-defense policy issues because of the widespread, ongoing and potentially catastrophic hack of U.S. government and private sector systems.

The National Defense Authorization Act has a slate of cybersecurity provisions and its own cybersecurity section drawn from the recommendations of the Cyberspace Solarium Commission, including a measure to establish a White House cybersecurity official whose job it would be to coordinate the response in the event of emergencies like the SolarWinds hack.

"Given the recently revealed cyber hacks, it is more critical than ever that the President sign this bipartisan bill into law," Sen. Angus King (I-Maine) tweeted on Friday. King co-chairs the Solarium Commission.

Trump has threatened to veto the NDAA because it doesn't revoke liability protections for online platforms, the Section 230 provision of the Communications Decency Act. Trump is also opposed to a measure to rename military bases that honor Confederate military leaders. Lawmakers from defense committees across both parties have urged Trump to sign the bill, which passed by large majorities in the House and Senate.

Separately, Sen. Mark Warner (D-Va.), the vice chairman of the Senate Select Committee on Intelligence, criticized Trump for "not taking this issue seriously enough."

"As we learn about the wider impact of this malign effort -- with the potential for wider compromise of critical global technology vendors and their products-- it is essential that we see an organized and concerted federal response," Warner said in an emailed statement. "It is extremely troubling that the President does not appear to be acknowledging, much less acting upon, the gravity of this situation."

NSA's mitigation guide

The National Security Agency released guidance on how to deny bad actors continued access to compromised systems by hardening identity and credential issuance and management. The Dec. 17 advisory does not mention SolarWinds by name but lays out guidance on how to prevent bad actors from generating tokens that provide access to cloud-based and on-premises systems, and on how to detect abuse of credentials.

Microsoft President Brad Smith called the hack and its aftermath a "moment of reckoning" in a Dec. 17 blog post. "The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them," Smith wrote. He said that while espionage is a fact of life, the attack used in the SolarWinds hack "has put at risk the technology supply chain for the broader economy."

Smith noted that in terms of governmental response to the burgeoning threat, "one ready-made opportunity is to establish a national cybersecurity director as recommended by the Solarium Commission and provided for in the National Defense Authorization Act."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

See the rest here:
Lawmakers press Trump to sign NDAA in the wake of massive hack - FCW.com