Archive for the ‘NSA’ Category

If you’re surprised the NSA can hack your computer, you need a reality check – IT PRO

Colour me shocked. It appears the NSA has been collecting a treasure trove of hacks for Windows, both desktop and servers, covering all versions of the OS bar Windows 10. And this toolbox of capabilities, which also included ways to get into banking and other related systems, has leaked to the public.

I suspect your jaw isn't gaping in surprise. What's followed has been just as predictable.

First, there's shock that the NSA might have built such a collection of exploits. Sorry, what do you expect the NSA to be doing? Creating toolkits that can be used against undesirables is what it exists for. Injecting custom spyware onto the laptop of a terrorist could bring up incredibly useful intelligence information, after all.

Then there's the public horror that the NSA didn't tell Microsoft about the exploits. Why is anyone surprised? Sure, it's good practice for security researchers to tell Microsoft (or Apple, Facebook, Google, whoever) that they've uncovered a security hole. There are processes in place by which such reports are made, the vendor is given time to patch things and issue an update, and then the exploit is made public once the patch has been issued. It's all very gentlemanly, and some companies even offer financial rewards.

Would I expect the NSA to tell Microsoft about the exploits? Of course not. Keeping such flaws hidden from Microsoft meant they were exploitable for as long as possible.

No-one is suggesting the NSA, or any other equivalent organisation, is using these tools against the wider population. I don't think there have been mass deployments of EmeraldThread or EternalRomance or EclipsedWing or any of the other rather charming codenames. (Nasty1 and Nasty2 and ReallyNasty3 just don't have the same ring to them.)

But then we come onto the real problems. The tools have now been released into the wild, and it doesn't take much effort to download them. This means there will be a flood of script kiddies trying them out and targeting everyone from NASA to the takeaway down the street. That's a whole pile of grief no-one needed.

It would be interesting to analyse which antivirus packages would protect you against these exploits. My hunch, backed by discussions with friends in the industry, is almost none. As they say about financial results, past performance is no guarantee of future results.

Even so, now the toolkit has leaked, it's of much less use to the NSA, and any other organisations that might have had access to it. That can't be a good thing. Don't confuse that statement with any desire on my part to see government-mandated encryption backdoors being forced into end user applications. I see a difference between what an organisation such as the NSA or GCHQ does and the far more widespread misuse of data-snooping that we have seen in the UK. And my distrust of the ability of government departments, including the NHS, to keep massive datasets secure has almost no limits.

Then we come to Microsoft's interesting claim that these exploits have been patched already, but only very recently. One wonders whether the NSA told Microsoft about the leak once it knew its toolkit was compromised and Microsoft went into top gear to get fixes out as soon as possible.

It does mean, of course, that the old mantra about running only the most current and fully patched versions of applications and operating systems is as true today as it has ever been. Microsoft rather coyly states that "Of the three remaining exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, none reproduces on supported platforms, which means that customers running Windows 7 and recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk." So if you're on XP, you're on your own.

It's also true that we've managed to get ourselves into a situation where OSes are so complex that it is now effectively impossible to ensure they are secure. The approach taken by Apple's iOS, forcing a walled garden approach on the developers and the execution of code, is arguably the most secure widespread end user platform available. But that still doesn't mean that the core OS itself is secure. Is open source the answer? Maybe, but exploits are found there too.

You may be thinking I'll use this final paragraph to deliver the answer. Sadly, there isn't one. If GCHQ or the NSA want to access my computers, they will either hack their way in, use a backdoor that we don't know about, or just turn up with a warrant and remove every device fitted with a mains plug. And there is nothing I, or you, can do.

This article originally appeared in PC Pro.


Judge: Accused NSA leaker can see classified information in her trial – Atlanta Journal Constitution

The suspect in the National Security Agency leak investigation will be allowed to see classified information used as evidence in her trial under an order recently issued by a federal judge in Augusta.

In his six-page ruling this month, U.S. Magistrate Judge Brian Epps said Reality Winner, 25, will be permitted to inspect the sensitive records in a secure area, so long as she signs a memorandum of understanding barring unauthorized disclosure of them.

Those records, according to Epps' order, could include intelligence reports, government network audit logs, FBI reports called 302s, a government agency's email correspondence and internal security report, written and recorded transcripts of a June 3 FBI interview with Winner and some of her handwritten correspondence.

Winner, Epps wrote in his order, "is subject to the court's authority, contempt powers, and other authorities, and shall fully comply with the nondisclosure agreements she has signed, this order, the MOU, and applicable statutes."

Before Epps issued his order, Winner's defense attorneys had argued she could be blocked from getting a fair trial if she were not permitted to see such evidence under the rules federal prosecutors proposed to safeguard top-secret information in the case.

The government has accused Winner of leaking to The Intercept online news outlet a top-secret NSA report about Russia's meddling in the 2016 presidential election. A federal grand jury has indicted her on a single count of "willful retention and transmission of national defense information." She has pleaded not guilty.


CIA uses a secret tool to spy on NSA, FBI and other intel partners – Engadget

Based on the info written in the documents, the CIA pre-installed ExpressLane in the systems of newer partners. For older ones, it gets installed by an agent personally visiting a partner site under the guise of installing a software update. ExpressLane disguises itself as a harmless exe file in Windows' System32 folder, but it actually collects files of interest. When an agent inserts a thumb drive to run the fake software update, ExpressLane automatically uploads the compressed and encrypted files it gathered.

That thumb drive will also install a "kill date" that disrupts the system by a certain date, forcing the partner to call the CIA for service. This tactic guarantees agents can collect data even if a partner refuses the shady software update. It's unclear what the CIA plans to do with all that biometric data -- it could be using them for a secret operation, but it could also be collecting them for no particular reason. Either way, the more info it gathers, the more powerful it becomes, so it's not really surprising for the agency to ensure that nobody can keep secrets from it.


NSA ramps up PR campaign to keep its mass spying powers – The Register

The NSA has begun what is likely to be a determined PR campaign to retain mass spying laws as they head toward expiration at the end of the year.

In a post on its website titled "Section 702 Saves Lives, Protects the Nation and Allies," America's surveillance nerve center argues it "relies" on the controversial part of the Foreign Intelligence Surveillance Act (FISA) to "uncover the identities or plans of terrorists."

The law has "played both a unique and decisive role in national defense," it goes on, adding that it also "informs" the intelligence community's "cybersecurity efforts."

The post then goes on to claim that the NSA's interpretation of Section 702 enabled it to reveal the identities of "overseas terrorists" responsible for an unspecified attack that resulted in the death of more than 20 people last year, and claims it enabled them to "refute the terrorist organization's denial of any involvement."

It claims that in that case, the extra intel enabled the US government to launch operations against the unnamed group in question and that its "contribution to the fight probably hadn't been factored into the adversaries' schemes."

The argument is a textbook example of how the intelligence services make their case for continued extraordinary powers even after it's shown they abused those same powers.

The details are sufficiently vague and limited to prevent any independent analysis while also allowing the snoops to claim necessary operational security. The case is also referenced as if it were but a single example of many times that the NSA's powers have been used to provide additional national security, but we have no way of knowing whether this was literally one case or one of many as the NSA and associate services refuse to provide broader context or statistics.

This approach of pointing only to the value of such extraordinary powers obscures the larger question of whether the same information could have been revealed by a different method, and ignores whether the resources and trade-offs with privacy and civil rights are sufficiently valuable to be worth continuing them.

However, when it comes to Section 702, the single case provided in this post does not address the biggest problem with the legislation: that, despite its name, the Foreign Intelligence Surveillance Act has increasingly been used to spy on Americans.

Under the NSA's highly questionable interpretation of Section 702, the agency has gathered huge amounts of data on an unknown number of US citizens by claiming that it can grab and store information on anyone connected to a foreign target.

How many American citizens? The NSA refuses to say, and has done so for years. Having provided excuse after excuse for why it is unable to produce such a figure, in June the spy nerds gave up any pretense that it was going to do so.

That led to a fiery exchange between Senator Ron Wyden (D-OR), who has acted as a watchdog on the intelligence services' powers in his position as a member of the US Senate's Intelligence Committee, and director of national intelligence Daniel Coats back in June.

"You promised that you would provide a 'relevant metric' for the number of law-abiding Americans who are swept up in the FISA 702 searches," Wyden barked at Coats. "This morning you went back on that promise."

Coats responded: "What I pledged to you is I would make every effort to try to find out why we were not able to come to a specific number of collection of US persons ... There were extensive efforts on the part of the NSA to get you an appropriate answer ... they were not able to do that..."

Wyden angrily interjected: "Respectfully, that's not what you said. You said: 'We are working to produce a relevant metric...'"

"But we were not able to do it. Working to do it is different from doing it," retorted Coats.

It's not just the storing of information on US citizens (a situation that goes directly against the actual wording of the FISA) that worries lawmakers and privacy groups. Over time it has emerged that the NSA allows the FBI to access that database without limit and to use search terms related to US citizens, including their names, email addresses and telephone numbers, to search for possible incriminating evidence in domestic crimes.

Under significant political pressure, the NSA vowed that it would stop gathering information on anyone and everyone that even mentions a foreign target, but it has not said it will reduce its existing database of information or limit its access by other government agencies. There is also nothing to stop the NSA from changing its mind at a later date unless specific changes are made to the law itself.

And that is ultimately what this unusual NSA public post is about: pushing back against efforts to rewrite the law to exclude the NSA from doing many of the things it has bent Section 702's wording to accommodate.

With Congress required to reauthorize FISA at the end of the year and with lawmakers due to hold hearings in its next session starting in September on what should be done, the NSA is pushing back against a growing consensus that radical changes need to be made to the law to prevent it from being abused.

Tech firms have already proposed five very specific changes to the law, the first of which is to make an explicit ban on the broader targeting of anyone connected to a foreign target a permanent part of the law.

They also want: agencies like the FBI to get a warrant before searching the 702 database; the wording tightened up so the intelligence services have to specifically identify individuals rather than insist on access to all data within which they will search for individuals; better oversight of the process; and increased transparency over the number and type of requests made under this section of the law.

Recent investigations into declassified documents have also shown that the NSA and FBI routinely violated civil liberties laws during the Obama Administration by carrying out improper searches, sharing raw intelligence data and failing to delete unauthorized intercepts.

In the lead up to the new session of Congress where the future of Section 702 will be decided, a number of organizations have actively opposed the law.

The Electronic Frontier Foundation wants the Supreme Court to explicitly rule that the gathering of intelligence on US citizens through FISA is illegal, bypassing Congressional wheeler-dealing altogether.

Even security policy wonk publication Just Security has lambasted the misleading arguments put forward by Section 702 advocates who oppose reform.

We have checked with the Senate and House Judiciary Committees and so far there are no scheduled hearings on the reauthorization of FISA and Section 702, but they are indisputably coming, and this week's post by the NSA is almost certainly just the first shot in a pitched battle that will be fought between now and the end of 2017.


Accused NSA leaker Reality Winner in court next week – WJBF-TV


AUGUSTA, Ga. (WJBF) - Accused NSA leaker Reality Winner will be in federal court in Augusta next week. Winner, who worked for a defense contractor here in Augusta, is charged with leaking classified information to an online news site called The ...
