Mediaboss Marketing

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drives daily audio interviews onApple PodcastsorPodcastOne.

Tom Temin: Mr. Ziring, good to have you on.

Neal Ziring:Thanks, Tom, its good to be here.

Tom Temin: Is it correct to say that even the NSA does have people teleworking? I know a lot of people need to be in the SCIFs and so forth in the intelligence community, but you do have some teleworking going on also?

Neal Ziring:Well, I cant go into detail on that, Tom. But you know, were having to react to this crisis like everyone else, and both ourselves and everyone across the national security community that we serve is trying their best to keep their workforce safe while continuing to do their vital national security missions. And collaboration is always a part of that.

Tom Temin: Sure. So lots of federal agencies from the least secure to the most secure are using all kinds of collaboration tools. Give us what are the big security requirements and considerations for these types of tools?

Neal Ziring:Sure, you know, we were watching this, we were supporting all sorts of DoD workforce efforts. And we noticed there was a vacuum in terms of guidance to help people use collaboration services securely. So, you know, we have a great deal of deep expertise here in our workforce on this. So we put together what we thought were core requirements that individuals who maybe were suddenly trying to work from home or from some remote location could pick up and use to choose a collaboration service that would meet their own security needs. For example, does it use good encryption? Does it have ability to use multi factor authentication, can the user see and control who connects? These are all very important requirements for selecting a service that youre going to use for government work.

Tom Temin: Because you have a list of about seven cybersecurity aspects of these encryption, two different levels of encryption and so on, and theres a yes or no according to each one are there any particular characteristics that if they get a no at, that product would be just simply ruled out all together?

Neal Ziring:Well, we didnt want to go there. We didnt want to be prescriptive because the needs of different agencies vary widely. We wanted to inform folks across the national security spectrum of which requirements they should consider. I dont think any of them are sort of showstoppers in that sense. Theyre all reasonably important, and theyre going to vary between different folks. For example, there are some folks in DoD I know where the authentication is a very important concern for them. So for them, criterion number three use a multi-factor authentication will be vital. And we just wanted to inform them and have a representative list of products its not a comprehensive list showing what they should consider and what they should ask of the products that they start to use.

Tom Temin: Basically, it looks like the only thing that doesnt encrypt or use multi factor authentication or do anything is plain old SMS text, which is not really a brand, but thats what everybodys got on their phones.

Neal Ziring:Yeah, we threw that in as a comparison. Were really hoping people will choose to use more secure means than their SMS.

Tom Temin: And then coming up with the list and the different ratings for the different yes or no answers on the different aspects of security on these products, did you just get that from the product literature? Or did you test them?

Neal Ziring:For the most part, we got it from the product literature, because we noticed this vacuum. We had received multiple sort of time sensitive requests from customers across Dod and other national security establishments saying, Hey, we need some help here. So we got together a team of folks. We did some testing and a whole lot of reading of product literature under conditions emulating what a teleworking user would face. And then we put these together and we invite the folks who maintain these systems, if they spot an inaccuracy in what weve published then they can write to us, and we will correct it. Weve already gone through one round of revision.

Tom Temin: Got it. Were speaking with Neal Ziring, the technical director of the Cybersecurity Directorate at the National Security Agency. And have you heard from any agencies that said, Hey, this happened to us with this particular product, you better be aware of that potential?

Neal Ziring:No, we havent received reports of actual incidents. We have had several national security organizations write to us and say the guidance is helpful and asking additional technical questions. Thats pretty standard for us.

Tom Temin: Sure. And I have a question about these products, too. Suppose someone in a national security situation is teleworking and collaborating over these and lets postulate that no data is being exchanged. Say no documents or something would be exchanged back and forth in that manner. Because it may be against the rules, and depending on the sensitivity of the data, but people are talking. If they were to be talking about something that could be classified or make a reference is one of the issues that voice could be somehow obtained by a third party thats not authorized?

Neal Ziring:Yeah, thats certainly a concern for this category of product, right. Now, we do caution folks to think about what theyre saying over these systems. These are unclassified systems. And so they shouldnt be talking classified over them in any case. But yeah, thats why criterion number one is important, for example, right? Is this something that employs encryption, so that if theres somebody who can see that traffic, then theyre not going to see anything but ciphertext. Thats a very important part of selecting a secure collaboration service.

Tom Temin: Let me ask you this. If you could design a ideal product in terms of cybersecurity for collaboration, what would it look like?

Neal Ziring:Oh, I think it would, it would look a lot Like some of the commercial products that are out there, now, theres some really good ones. It should implement strong encryption, and that encryption should meet published encryption standards. It should support multi-factor authentication. A really important aspect is transparency, the service should let you see who is connected, see where its connecting through. Allow you to see what data you have stored in the service and delete it. And also whether the service provider is going to be sharing data about you or your usage with any third parties. Thats a concern as well.

Tom Temin: And one of the criteria is whether the source code is shared, the public source code is shared. What is the consideration there? Why is that important?

Neal Ziring:Yeah, that is that is criterion number seven. And thats an aspect of transparency, right that lets reviewers or potentially someone like NSA, examine how the product is implementing its security and see that that is being done correctly.

Tom Temin: Theres probably some good guidance for the vendors. Theres one here called Signal which Im not familiar with, but it gets yess on all of the criteria, except FedRAMP. It seems like that company ought to go for its FedRAMP certification.

Neal Ziring:Well, I would encourage any companies that want to provide service of this kind to the federal government to consider FedRAMP. I was there when they started FedRAMP. I think its a great program. FedRAMP is important because in gaining a FedRAMP certification, a company needs to thoroughly document how their security works and how its provided. And then the federal government can have more faith or more assurance when theyre utilizing that service.

Tom Temin: With respect to video, does video add cybersecurity risk in general to the use of these products?

Neal Ziring:I dont think it adds risks in and of itself. For some of the products, using video may affect whether you get to use encryption or not. So thats an important consideration but no, otherwise, go ahead and do the video. Its fine.

Tom Temin: All right. Neal Ziring is technical director of the Cybersecurity Directorate at the National Security Agency. Thanks so much for joining me.

Neal Ziring:Thank you, Tom.

Continue reading here:
Choosing a safe conferencing tool in the era of mass telework - Federal News Network

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it we've censored parts of it to avoid tripping any filters:

"The Russian actors, part of the General Staff Main Intelligence Directorates (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attackers dream access as long as that network is using an unpatched version of Exim MTA," the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.

The Sandworm hacking group has also previously been linked to attacks on a research lab in Britain, and the nation's Foreign Office.

The exploit of CVE-2019-10149 by the Sandworm crew has been on-going since August, the NSA said. Fortunately, there has also been a fix out for this bug for nearly a year the flaw was introduced in Exim 4.87 and patched back in June of 2019.

Updating Exim to version 4.93 or later will close off the vulnerability. While admins can download the update, using your Linux distro's package manager will be the easiest way to get the fix, if for some reason you don't already have it.

Admins are also advised to keep a close eye on their servers to check for suspicious activity, such as new accounts being added or security settings being changed.

"Routinely verifying no unauthorized system modifications, such as additional accounts and SSH keys, have occurred can help detect a compromise," noted the NSA. "To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.

"If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors method of using CVE-2019-10149 would have been mitigated."

Sponsored: How to simplify data protection on Amazon Web Services

See the article here:
It's not every day the NSA publicly warns of attacks by Kremlin hackers so take this critical Exim flaw seriously - The Register

Its has been nearly a year to the day since information about a serious vulnerability in the Exim mail transfer agent thats included in many Linux distributions was released, and nearly a week since the NSA warned that Russian attackers are systematically exploiting the bug, but there are still several hundred thousand servers online running vulnerable versions of the MTA.

The vulnerability (CVE-2019-10149) affects several versions of Exim, from 4.87 through 4.91, and a fix has been available for the bug since June 2019. Researchers at Qualys discovered the flaw and reported it to the maintainers of Exim, who released a patched version and pushed it downstream to the Linux distributions that include the MTA. Exim runs a large portion of the mail servers online, so the target base is quite large, and almost immediately after that disclosure, attackers began exploiting the bug opportunistically. A worm designed to scan for vulnerable servers and then run an exploit to install a cryptocurrency miner.

There are two other serious flaws in Exim that were disclosed last year (CVE-2019-15846 and CVE-2019-16928), both of which can lead to remote code execution. Patches are available for both of those vulnerabilities, too, but, as with CVE-2019-10149, the updated versions have not been installed everywhere.

At the time the CVE-2019-10149 vulnerability was disclosed, there were about 3.5 million vulnerable servers and while the majority of those have been updated, data from RiskIQ shows that there are still around 900,000 vulnerable servers online every day. That number includes all of the servers that are vulnerable to any one of the three Exim flaws disclosed last year. The majority of those servers are running Exim 4.91 or 4.92. Exim 4.92.3 includes fixes for all of the vulnerabilities.

Last week, the NSA published an advisory warning that Russian threat actors known as the Sandworm team who are associated with the General Staff Main Intelligence Directorate military intelligence unit had been exploiting CVE-2019-10149 since at least August as part of a broad attack campaign.

The Russian actors, part of the General Staff Main Intelligence Directorates (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attackers dream access as long as that network is using an unpatched version of Exim MTA, the NSA advisory says.

The Sandworm team is very active and highly capable, and is known to use a variety of tools in its intrusions, including the BlackEnergy malware.

Go here to see the original:
Many Exim Servers Remain Vulnerable to Year-Old Flaw - Decipher

Former bureaucrat turned Jammu and Kashmir politician Shah Faesal is likely to be released after spending close to 10 months in detention since August 14, following the Union Territorys decision to revoke the Public Safety Act (PSA) slapped on him and two other senior politicians from the Peoples Democractic Party (PDP)- Sartaj Madani and Peer Mansoorleaving former chief minister of the erstwhile state of Jammu and Kashmir, Mehbooba Mufti among the few prominent leaders from the region who continue to be in detention after the abrogation of Article 370 and bifurcation of Jammu and Kashmir into two Union Territories in August last.

NC general secretary Ali Mohammad Sager and former J&K ministers, Nayeem Akthar and Hilal Akbar Lone also continue to be in detention. Former J&K chief ministers and National Conference leaders Omar Abdullah and his father Farooq Abdullah were released from detention earlier this year.

Shah Faesal was detained under the stringent for his anti-government social media posts and an alliance with former J&K legislator, engineer Shiekh Abdul Rashid, who was arrested in a terror funding case and is currently lodged in Tihar jail, according to a government dossier on the matter. Faesal had allied with Rashid for J&K assembly polls in June last year.

The HT Guide to Coronavirus COVID-19

Faesal was given a copy of the dossier carrying 27 pages of his social media posts, made in the last few years on February 15 this year by the authorities. Shah Faesal had a good following on social media and used it even to mobilise funds for his party-- the J&K Political Movement (JKPM).

Shah Faesal was first detained at the Delhi airport on August 14, 2019, after he reached the Capital from Srinagar and was sent back to Kashmir. In Srinagar, he was detained at the Centaur Hotel and later at the MLA hostel.

Read more here:
Shah Faesal and two other senior J&K politicians detentions under NSA revoked - Hindustan Times

Text Size:A- A+

New Delhi: Chinese foreign policy is set to become more assertive in the future, but it might still be premature to see the current muscle flexing by the Peoples Liberation Army (PLA) in the Himalayas as an indication of Chinas new assertive policy, said M.K. Narayanan, former national security advisor of India.

The most important thing is not to view every skirmish as the beginning of a new war, he said.

Former foreign secretary Vijay Gokhale also argued that the two informal summits between President Xi Jinping and Prime Minister Narendra Modi opened a communication line between the two leaders, and talking often will help prevent mishaps.

China doesnt want to overthrow the US-led global order, it just wants to capture the existing one and rule over it, said Gokhale.

The two were speaking at an online seminar Friday on COVID-19 & India-China Global Dynamics, organised by the Chennai International Centre, and were joined by Tanvi Madan of Brookings Institution, James Crabtree of Lee Kuan Yew School of Public Policy, and Ashwani Mahajan of Delhi University and national co-convener of Swadeshi Jagaran Manch.

Other than the India-China stand-off, the discussion covered the change in US global role in a post-Covid era, the underlying currents of Indo-Chinese relations, and the possible opportunities and challenges for India going ahead.

Talking about the ongoing stand-off, Crabtree remarked that it is a good metaphor for the general India-China relationship.

If you look at the past few years, you have two sides building infrastructure next to each other. They are testing each others boundaries. And such stand-offs are becoming a pattern in their relations now, said Crabtree.

Also read: China believes India wants Aksai Chin back. PLA has likely secured 40-60 sq km in Ladakh

Narayanan urged caution when looking at the current Indo-Chinese stand-off. What I say is a reflection of past history the most important thing is not to view every skirmish as the beginning of a new war, he said.

I was there in 1959, 60, 61, 62 the two sides try to play chess at the border but to use the term military stand-off is too much. As someone who has seen this situation developing over the past 50-60 years, we should see issue firmly and coolly, said Narayanan, who had also served as the chief of the Intelligence Bureau and Joint Intelligence Committee.

According to the former national security adviser (NSA) the key problem with the India-China border is that it is un-demarcated and undefined. It happens that we have our perception and China has their own. Every dynasty in China has drawn their own version of the maps, he said.

He also said that during his discussions with his Chinese counterparts, Narayanan did not sense that the Chinese are anxious about their border conflict with India. According to the former NSA, what makes China really anxious is Indias soft power.

China is worried that India has many civilisational advantages over them. They are unable to comprehend Indian soft power. China wants to dominate the Asian order but not through firing guns across the border, said Narayanan.

Also read: Chinese aggression in Ladakh also a message for domestic and external audience: Experts

Prime Minister Modi had come under sharp criticism for promoting a China reset following his informal summits with the Chinese President Xi Jinping at Wuhan and Mamallapuram. Critics note that China has continued with its border aggression despite those summits.

Crabtree said this clearly indicates a breakdown of the Wuhan consensus.

Former foreign secretary Gokhale, however, did not agree with the criticism, who argued that the informal summits created an important channel of communication between the two leaders.

The two summits might prevent a mishap from happening. They cant really resolve all long-standing problems, but they have helped manage them, said Gokhale.

Also read: Doklam to Galwan: Have Modi-Xi informal summits been more about optics than border peace?

Commenting on how the US might conceptualise its global role in the post-Covid era, Madan said a lot will depend on when and how US emerges from the pandemic.

It would take a while before we can see pandemics political and geopolitical impact on the US, according to Madan. The speed on recovery would have an effect on US economic choices also the resources it would have available for its foreign policy. This would determine what kind of regional or global role it wants to play, she added.

Most of the speakers agreed that China stands to gain in the post-Covid era.

The Chinese economy has a lot of structural problems, but as a place to do manufacturing in, China is still very hard to beat, said Crabtree.

Given that China has been able to recover from the pandemic faster than others, it will likely gain from its inclusion in Asian travel bubbles and increased trade, he added. Moreover, the backlash against China as we see in the West, doesnt really exist in the West, he said.

When talking about Chinas long-term ambitions, Gokhale dismissed the notion of China wanting to build a new world order what they refer to as the community of shared future of the mankind.

It has no central point, no theory, its a wooly idea, remarked Gokhale. We need to move away from the idea of Chinese wanting a new world order. They just want to take over the existing one and rule over it. Thats why they want their initiatives such as Belt and Road to be approved by the United Nations.

Also read: Why India wont take sides on US-China spat over Covid, despite skirmishes in Sikkim-Ladakh

Similar to the US, how India is able to leverage the opportunities in the post-Covid era will depend on what its recovery from the pandemic looks like, said Madan. And in terms of global supply chains moving to India, the speakers felt that a lot would depend on Indias ability to conduct a series of domestic reforms.

If they were a part of RCEP (Regional Comprehensive Economic Partnership), they could have taken relatively more advantage of the current situation, said Crabtree. Closing yourself doesnt help. Nobody thought that joining RCEP would be cost free for India, but neither was joining WTO for China.

Also read: Indias bargaining power with China and US will grow in post-Covid world

ThePrint is now on Telegram. For the best reports & opinion on politics, governance and more, subscribe to ThePrint on Telegram.

Subscribe to our YouTube channel.

View post:
Chinas muscle-flexing in Ladakh doesnt mean theres a war coming, says former NSA - ThePrint