Mediaboss Marketing

As protesters outraged over police killings of black people were met with police violence, AT&T took to Twitter on Sunday to say that the companys advocacy toward equality and inclusivity continues today and will for the future, adding that at AT&T we stand for equality and embrace freedom.

Verizon made a similar statement and went a step further by pledging to donate to the cause. The events unfolding across the country that are rooted in hate are contradictory with our beliefs as a company, read a statement from Verizon CEO Hans Vestberg released on Monday. Vestberg said that the companys foundation would donate a total of $10 million to seven social justice organizations. (The Verizon Foundations total charitable giving has been between $35 million and $65 million in recent years, according to tax documents.)

While the telecom companies side publicly with social justice activists, they are continuing their longstanding funding of a group that works to militarize local police, expand the use of warrantless surveillance, and promote policing policies that have disproportionately harsh impacts on communities of color.

Through their brands Verizon Connect and AT&T FirstNet, the companies are both platinum partners of the National Sheriffs Association (NSA), a lobbying group that describes itself as one of the largest U.S. law enforcement organizations. The two largest U.S. telcos are among the most prominent corporations that partner with NSA. Verizon is also one of NSAs three diamond partners, the groups top corporate partnership tier, entitling it to a private dinner with the NSA Executive Committee. This intimate setting will give you coveted time with the key policy makers within the organization, a brochure reads.

NSAs legislative priorities include making permanent a program that allows civilian law enforcement agencies to acquire weapons and equipment from the military that were designed for use on the battlefield. NSA encourages the codification of the 1033 Military Surplus Program that provides lifesaving gear and equipment for law enforcement, NSAs website states.

Under the Department of Defenses 1033 program, state and local police are able to obtain Mine-Resistant Ambush Protected Vehicles (MRAPs), grenade launchers, helicopters, unmanned aerial and ground vehicles, bayonets, and other weapons of war. State and local law enforcement currently hold $1.75 billion worth of military equipment that they acquired through the program.

Sludge is reader-supported and ad-free. If you appreciate our independent journalism, Become a member today.

In 2015, President Obama placed limits on the type of equipment that could be made available to police by an executive order, but President Trump reversed Obamas order in 2017, allowing controlled military weapons to continue flowing into police departments. Codifying the program would prevent a future president from ending the program without an act from Congress.

Police have used the military equipment they acquired through the 1033 program heavily against communities of color. In a 2014 report, the American Civil Liberties Union found that the military arsenals acquired by police are used largely in the so-called War on Drugs and that 54% of the people impacted by SWAT teams employing military equipment and tactics for executing search warrants were black or Latino, the ACLU found.

The National Sheriffs Association has spent more than $1.3 million on lobbying the government on issues including the codification of the 1033 Program since 2016, according to congressional records.

In 2012, Verizon outfitted a humvee that NSA acquired through the 1033 program with mobile technology. Wireless connectivity allows them to access records and manage paperwork in the eld, tap into video surveillance prior to arriving at a crime scene, communicate with dispatch and more, NSAs says on its website about the partnership.

NSAs legislative priorities also include opposing privacy advocates proposals for reforming the Electronic Communications Privacy Act (ECPA), a federal law that allows police to obtain domestic communications records from companies like AT&T and Verizon without a warrant. NSA recognizes the increasing threat that going dark has on their ability to effectively and efficiently obtain potentially life-saving digital materials, its website states. NSA describes ECPA as an essential piece of legislation that seeks to ensure that telecommunications companies properly work in collaboration with law enforcement. In its past lobbying on the issue, NSA urges lawmakers not to limit their access to communications data and questions whether the premise that its partnership with the telecoms invades peoples privacy.

Sign up to get our next investigations over email:

Through its Project Calso known as HemisphereAT&T maintains and analyzes billions of domestic and international call records that pass through its networks and makes information available without a court order to the Drug Enforcement Agency and other several law enforcement organizations.

During the 2016 protests against the Dakota Access Pipeline, NSA employed crisis communications consultants to create talking points to discredit protesters, including that many were out of state agitators with ties to George Soros, according to a report from MuckRock based on emails obtained through an open records request. NSA was also the central organizing vehicle which brought hundreds of out-of-state cops to Standing Rock, according to the report.

Sludge reached out to Verizon and AT&T about their partnerships with the National Sheriffs Association, but neither company responded by the time of publication.

Some members of Congress have recently renewed calls for Congress to pass legislation to repeal or amend the 1033 program. Since March 2019, a bipartisan bill to place restrictions on the program, the Stop Militarizing Law Enforcement Act, has been pending in Congress, but the House Armed Services Committee to which it has been referred has yet to act on it. The committee is chaired by Rep. Adam Smith (D-Wa.), a top recipient of campaign funding from the defense industry, which benefits from sales made under the 1033 program.

Several of the organizations that Verizon pledged to donate to, including The Leadership Conference on Human and Civil Rights, National Urban League, and NAACP, recently sent a letter to Congress calling for the end to the 1033 program, among other legislative measures addressing abusive police practices.

Read more from Sludge:

The Members of Congress Who Profit From War

Liberate Rally Organizers Worked to Criminalize Anti-Pipeline Protests

New House Foreign Affairs Chair Receives Money from Weapons Contractors He Oversees

Every day, the reporters at Sludge are relentlessly following the money to reveal the hidden networks and conflicts of interest that drive political corruption. We are 100% ad-free and reader supported, so were counting on our readers to help us continue calling out powerful politicians and lobbyists. If you appreciate the work we do, please consider becoming a member for $5 a month to support our investigative journalism. We cant do this work without your support.

Continued here:
Verizon and AT&T Partner With Pro-Police Militarization Lobbying Group - Sludge

So first off, remember the Unc0ver vulnerability/jailbreak from last week? In the 13.5.1 iOS release, the underlying flaw was fixed, closing the jailbreak. If you intend to jailbreak your iOS device, make sure not to install this update. That said, the normal warning applies: Be very careful about running out-of-date software.

An exploit in Apples web authentication protocol was fixed in the past week . Sign In With Apple is similar to OAuth, and allows using an Apple account to sign in to other sites and services. Under the hood, a JSON Web Token (JWT) gets generated and passed around, in order to confirm the users identity. In theory, this scheme even allows authentication without disclosing the users email address.

So what could go wrong? Apparently a simple request for a JWT thats signed with Apples public key will automatically be approved. Yeah, it was that bad. Any account linked to an Apple ID could be trivially compromised. It was fixed this past week, after being found and reported by [Bhavuk Jain].

So when someone posts an image on twitter, and warns everyone to *never* use it as your phone wallpaper, whats the logical thing to do? Apparently its only appropriate to immediately set it as your phones wallpaper, and then complain that it renders your phone unusable. So whats going on?

The image in question uses a special color-space that the Android UI isnt equipped to handle. That particular picture has a color value over 255, which is out of bounds, causing a crash in the UI. Once the Android UI has crashed, its impossible to change the wallpaper, leading to a crash loop. A few users were able to switch out their wallpapers in the few moments between crashes, but the surest way to clean up the mess is to manually remove the image using something like TWRP.

This vulnerability is one that keeps on giving. We talked about CVE-2019-10149 just about a year ago. This week, the NSA published a warning (PDF) that certain state actors are actively exploiting this Exim bug.

For a quick refresher, the Exim mail server is the most popular mail server on the net. CVE-2019-10149 is a clever exploit that tricks a vulnerable server into trying to send an email to a specially crafted address, hosted at a malicious mail server. When the target machine tries to send a bounceback message, the malicious server sends a byte every four minutes, forcing the connection to stay open for a week. This strategy ensures that the vulnerable code is hit. When the message is finally sent, the payload embedded in the email address is evaluated and executed.

The NSA warning specifies the Russian GRU as the culprit, acting under the name Sandworm. Theres likely quite the story behind how the current attacks were discovered to be of Russian origin. As none of the indicators of compromise are directly tied to the GRU, well just have to take the NSAs word for it, but of course theyre not going to make public how they get their counter-intel either.

In further GRU news, the UK has officially attributed to them a series of attacks on the country of Georgia. These attacks shut down the Georgian power grid, encrypted hard drives (ransomware), and directly damaged financial systems. And just last month, the German government attributed hacks on their parliament to one particular GRU officer: Dmitriy Badin.

Attributing cyber attacks to a particular actor is always tricky, especially when savvy foreign intelligence agencies which dont want to get caught are behind the work, but the fact that multiple government agencies are converging on the same conclusions is more persuasive. The German evidence, collected over five years and pointing to a particular agent, is particularly so.

Our final story comes from Sky News, who breaks the news that Westech International was hit with a ransomware attack. As you may have guessed, this sections title is Betteridges Law in action, albeit ironically.

So what really happened, and why is the nuclear secrets angle almost certainly bunk? First off, Westech isnt a huge engineering firm, and they havent worked on designing any nuclear weapons systems. Go to their website, and look at the contracts they have and services they offer. Telecommunications, maintenance, and logistics planning.

Secondly, we know that the ransomware attack hit the machines doing their payroll. Classified information is subject to a strict set of rules in the US. Its only to be kept and used in a Sensitive Compartmented Information Facility (SCIF). Computers containing classified information are never to be connected to the unsecure network. There is even a dedicated Secret Internet Protocol Router Network (SIPRNet) that is only for secure communications and only accessible from a SCIF. All this to say, if a ransomware attack can ex-filtrate data back to an attacker, then somebody royally messed up in a way that often leads to jail time. Its a long way from payroll to nuclear secrets.

[Andrew Dupuis] had an Arris Fiber Gateway provided by AT&T, and like many a hacker, he wasnt satisfied. Before we dive all the way into the rabbit-hole, we should point out that AT&T is charging $10 a month for this device, and refuses to let their customers use their own hardware instead. [Andrew] believes that this probably violates FCC rules. In any case, he wanted to run his own gateway instead of being locked into AT&Ts. The fiber connection uses 802.1x security on the physical connection, which also serves to lock customers into the official hardware. If a user could extract the 802.1x certificates, they could replace the official AT&T gateway with their own hardware, which is the point of the writeup.

The exploit itself starts with a firmware downgrade, back to a version that still contains the vulnerability. The vulnerability? A REST server intended for troubleshooting and debugging. A bit of work later, and the hardware is rooted, with a telnet server just waiting for you. It shouldnt be very surprising, the OS under the hood is a standard embedded Linux. The first order of business is to disable the auto-update function, to avoid getting locked back out of the device.

[Andrew] explains how to properly secure the gateway, and re-tune it for better performance, good ideas if you intend to continue using it in your network. The real goal here is extracting the certificates. Im not sure how much of a surprise it should be, but it seems that every device uses the same security certificates, and [Andrew] was kind enough to share the copy he extracted.

[Andrew] sent this in on the Hackaday Tipline. If you have research to share, or came across something you think we should cover, be sure to let us know about it!

Go here to see the original:
This Week In Security: Exim, Apple Sign-in, Cursed Wallpaper, And Nuclear Secrets - Hackaday

The same Russian intelligence unit that leaked Democrats' files in 2016 is engaged in an ongoing email hacking campaign, the National Security Agency announced Thursday.

Hackers in Russia's GRU, its military intelligence agency, regularly target email accounts, as is common for many with robust cyber capabilities. But this is the first time that the NSA has issued a direct public alert that named the agency and warned of an ongoing hacking campaign.

Byers Market Newsletter

Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.

It wasn't immediately clear if the advisory was merely a byproduct of the NSA's stated desire to be a better public adviser to the public on cybersecurity issues, or if it had a particular strategic aim. The agency launched its Cybersecurity Directorate in October with the intent of being a more open cybersecurity ally. In January, it said that it had alerted Microsoft to a critical Windows vulnerability rather than exploiting the flaw for its own purposes, the first time it made such an announcement.

The alert describes how the GRU is targeting a vulnerability in unpatched Unix systems, an alternative to the operating systems of Microsoft and Apple. It does not specify who it has seen targeted.

It does specify that the campaign is the work of GRU's Unit 74455, which has been tied to some of the most infamous cyberattacks in history. The U.S. Justice Department has accused Unit 74455 of creating the Guccifer 2.0 and DCLeaks personas, which then leaked stolen Democratic emails and files as part of its 2016 election interference campaign.

They are probably Russias most brazen and successful cyberattack organization, said John Hulquist, the director of threat intelligence at FireEye, which tracks the group.

The U.K. has named 74455 as the creators of NotPetya, the ransomware worm that grew wildly out of control and spread around the world in 2017, causing billions of dollars in damage and prompting international outcry.

In February, the State Department accused Unit 74455 of running a multitiered harassment campaign against the nation of Georgia.

Kevin Collier

Kevin Collier is a cybersecurity reporter based in New York City.

Originally posted here:
The NSA has a warning: Russia's most infamous hackers are still active - NBC News

Cybersecurity

Optional caption goes here. Optional caption goes here. Optional caption goes here. Optional caption goes here.

The National Security Agency's cybersecurity directorate is focusing its resources on protecting medical research related to the COVID-19 pandemic and assisting critical infrastructure that can help speed up America's economic recovery, according to the agency's Deputy Director George Barnes.

Speaking on a webcast hosted by the Intelligence National Security Alliance, Barnes provided an update on the agency's cyber-focused directorate formed late last year. The rise of the COVID-19 pandemic has provided a whole host of additional challenges, increasing the collective digital threat surface as governments and businesses moved to mostly online operations and putting public health organizations and pharmaceutical companies working on a vaccine and other aspects of the response firmly in the crosshairs of nation-state hackers.

Barnes said the fallout from the pandemic has pushed the directorate to ask "how do we protect critical activities that are vital to us getting back in a healthy state?" and enable Americans to get back to work and keep the economy moving. When it comes to protecting private and public medical research, the agency's bread and butter -- signals intelligence can provide medical research organizations with insight into what information foreign governments are after as well as the tools and methods they're using to get it.

"It wasn't [more than] a few days into March where phone calls were coming in to NSA asking us for our insights and our support to that community, and so we have doubled down and really accelerated and intensified efforts to reach out," he said.

While one of the directorate's core missions is protecting national security systems such as nuclear command and control infrastructure, the organization has realized that many of the vulnerabilities they're called upon to defend against are the result of poorly designed parts and components. A lack of coordination between the industries that create technologies and the governments who use them to protect cyberspace "we are not well positioned as a nation" to defend against digital espionage and supply chain compromises.

That has caused the directorate to canvass the Department of Defense as well as the defense industrial base and non-defense businesses to create a more collaborative, bidirectional relationship.

"We are tied between government and industry. Industry drives government, industry creates the capabilities, the solutions that we press into service operationally," said Barnes. "Our security can't just start once we take something on and receive it and deploy it. It has to start from the design, and we know all too well that designs are ripe for plucking."

The directorate was initially designed to focus on protecting national security systems and the defense industrial base from hacking groups, foreign intelligence services and other threats. It was also set up to boost information sharing efforts and foster better cooperation between NSA, other agencies and the private sector on digital security matters.

Curtis Dukes, formerly head of the now defunct Information Assurance branch at NSA, told FCW last year that information sharing efforts between intelligence agencies are often hampered by a declassification process that waters down the usefulness of most threat data, and the directorate seems designed to counter that criticism. It operates out of a new 380,000 square foot building alongside personnel from its sister agency, U.S. Cyber Command and cleared representatives from defense contractors and other federal agencies.

The organization's ambitions are also bold, and it has outlined a portfolio that includes defending U.S. defense assets, protecting critical infrastructure from cyberattacks, raising situational and threat awareness among American commercial enterprise, curbing intellectual property theft by foreign nations and partnering with academia and industry to cultivate a technically minded workforce that treats cybersecurity as a critical component rather than an add on after-the-fact.

In each arena, Barnes said the directorate focused resources on the things only it can do. Success will be measured not by NSA but by the customers it serves, from DOD, intelligence agencies and the Joint Chiefs of Staff to other civilian agencies and the broader cybersecurity community. When it comes to working with the Department of Homeland Security and its component Cybersecurity and Infrastructure Security Agency, the directorate is quickly building relationships while pondering how to share data and work together to push out threat advisories to critical infrastructure, contractors and the private sector at large.

"At NSA I want to do things that nobody else can do," Barnes said. "I don't want to do things that others can do. The world's too big, we have too many priorities, too many pressing needs to pursue duplication out of product."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [emailprotected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.

Continued here:
NSA's cyber wing looks to safeguard COVID research and expand outreach - FCW.com

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drives daily audio interviews onApple PodcastsorPodcastOne.

Tom Temin: Mr. Ziring, good to have you on.

Neal Ziring:Thanks, Tom, its good to be here.

Tom Temin: Is it correct to say that even the NSA does have people teleworking? I know a lot of people need to be in the SCIFs and so forth in the intelligence community, but you do have some teleworking going on also?

Neal Ziring:Well, I cant go into detail on that, Tom. But you know, were having to react to this crisis like everyone else, and both ourselves and everyone across the national security community that we serve is trying their best to keep their workforce safe while continuing to do their vital national security missions. And collaboration is always a part of that.

Tom Temin: Sure. So lots of federal agencies from the least secure to the most secure are using all kinds of collaboration tools. Give us what are the big security requirements and considerations for these types of tools?

Neal Ziring:Sure, you know, we were watching this, we were supporting all sorts of DoD workforce efforts. And we noticed there was a vacuum in terms of guidance to help people use collaboration services securely. So, you know, we have a great deal of deep expertise here in our workforce on this. So we put together what we thought were core requirements that individuals who maybe were suddenly trying to work from home or from some remote location could pick up and use to choose a collaboration service that would meet their own security needs. For example, does it use good encryption? Does it have ability to use multi factor authentication, can the user see and control who connects? These are all very important requirements for selecting a service that youre going to use for government work.

Tom Temin: Because you have a list of about seven cybersecurity aspects of these encryption, two different levels of encryption and so on, and theres a yes or no according to each one are there any particular characteristics that if they get a no at, that product would be just simply ruled out all together?

Neal Ziring:Well, we didnt want to go there. We didnt want to be prescriptive because the needs of different agencies vary widely. We wanted to inform folks across the national security spectrum of which requirements they should consider. I dont think any of them are sort of showstoppers in that sense. Theyre all reasonably important, and theyre going to vary between different folks. For example, there are some folks in DoD I know where the authentication is a very important concern for them. So for them, criterion number three use a multi-factor authentication will be vital. And we just wanted to inform them and have a representative list of products its not a comprehensive list showing what they should consider and what they should ask of the products that they start to use.

Tom Temin: Basically, it looks like the only thing that doesnt encrypt or use multi factor authentication or do anything is plain old SMS text, which is not really a brand, but thats what everybodys got on their phones.

Neal Ziring:Yeah, we threw that in as a comparison. Were really hoping people will choose to use more secure means than their SMS.

Tom Temin: And then coming up with the list and the different ratings for the different yes or no answers on the different aspects of security on these products, did you just get that from the product literature? Or did you test them?

Neal Ziring:For the most part, we got it from the product literature, because we noticed this vacuum. We had received multiple sort of time sensitive requests from customers across Dod and other national security establishments saying, Hey, we need some help here. So we got together a team of folks. We did some testing and a whole lot of reading of product literature under conditions emulating what a teleworking user would face. And then we put these together and we invite the folks who maintain these systems, if they spot an inaccuracy in what weve published then they can write to us, and we will correct it. Weve already gone through one round of revision.

Tom Temin: Got it. Were speaking with Neal Ziring, the technical director of the Cybersecurity Directorate at the National Security Agency. And have you heard from any agencies that said, Hey, this happened to us with this particular product, you better be aware of that potential?

Neal Ziring:No, we havent received reports of actual incidents. We have had several national security organizations write to us and say the guidance is helpful and asking additional technical questions. Thats pretty standard for us.

Tom Temin: Sure. And I have a question about these products, too. Suppose someone in a national security situation is teleworking and collaborating over these and lets postulate that no data is being exchanged. Say no documents or something would be exchanged back and forth in that manner. Because it may be against the rules, and depending on the sensitivity of the data, but people are talking. If they were to be talking about something that could be classified or make a reference is one of the issues that voice could be somehow obtained by a third party thats not authorized?

Neal Ziring:Yeah, thats certainly a concern for this category of product, right. Now, we do caution folks to think about what theyre saying over these systems. These are unclassified systems. And so they shouldnt be talking classified over them in any case. But yeah, thats why criterion number one is important, for example, right? Is this something that employs encryption, so that if theres somebody who can see that traffic, then theyre not going to see anything but ciphertext. Thats a very important part of selecting a secure collaboration service.

Tom Temin: Let me ask you this. If you could design a ideal product in terms of cybersecurity for collaboration, what would it look like?

Neal Ziring:Oh, I think it would, it would look a lot Like some of the commercial products that are out there, now, theres some really good ones. It should implement strong encryption, and that encryption should meet published encryption standards. It should support multi-factor authentication. A really important aspect is transparency, the service should let you see who is connected, see where its connecting through. Allow you to see what data you have stored in the service and delete it. And also whether the service provider is going to be sharing data about you or your usage with any third parties. Thats a concern as well.

Tom Temin: And one of the criteria is whether the source code is shared, the public source code is shared. What is the consideration there? Why is that important?

Neal Ziring:Yeah, that is that is criterion number seven. And thats an aspect of transparency, right that lets reviewers or potentially someone like NSA, examine how the product is implementing its security and see that that is being done correctly.

Tom Temin: Theres probably some good guidance for the vendors. Theres one here called Signal which Im not familiar with, but it gets yess on all of the criteria, except FedRAMP. It seems like that company ought to go for its FedRAMP certification.

Neal Ziring:Well, I would encourage any companies that want to provide service of this kind to the federal government to consider FedRAMP. I was there when they started FedRAMP. I think its a great program. FedRAMP is important because in gaining a FedRAMP certification, a company needs to thoroughly document how their security works and how its provided. And then the federal government can have more faith or more assurance when theyre utilizing that service.

Tom Temin: With respect to video, does video add cybersecurity risk in general to the use of these products?

Neal Ziring:I dont think it adds risks in and of itself. For some of the products, using video may affect whether you get to use encryption or not. So thats an important consideration but no, otherwise, go ahead and do the video. Its fine.

Tom Temin: All right. Neal Ziring is technical director of the Cybersecurity Directorate at the National Security Agency. Thanks so much for joining me.

Neal Ziring:Thank you, Tom.

Continue reading here:
Choosing a safe conferencing tool in the era of mass telework - Federal News Network