Mediaboss Marketing

A declassified report from the Defense Department Inspector General has been released, according to the New York Times.

The 60-page report commissioned by Congress assesses 7 of the 40 components that the National Security Agency outlined for their Secure the Net initiative. This initiative was put forth to help improve the security of sensitive systems after the Snowden disclosures in 2013.

The NSA, according to the inspector generals report, had some successes, but the overall initiative did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

According to the Times, the report details how their efforts fell short, including the failure to reduce the number of privileged users who can access sensitive computer systems; their failure to consistently keep data center machine rooms secure, as well as failing to lock the server racks containing highly classified data; and the failure to fully implement software that would monitor users.

The report also noted the agencys failure to declare an exact number of people with abilities to transfer data. The lists containing this information were kept on spreadsheets that were corrupted and are no longer available.

The inspector generals report noted that NSA CIO Gregory Smithberger told the inspector general that the elimination of all insider risks and threats is not feasible. He told the Times, While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a good news story.

The importance of securing classified information, as the report warns, was underscored the same month the inspector generals report was produced, according to the Times. In August 2016, a group called the Shadow Brokers obtained and auctioned off classified hacking tools allegedly from the NSA some of which were dumped online. Those tools were later seen as part of the global WannaCry ransomware attack.

We welcome the observations and opportunities for improvement offered by the U.S. Defense Departments Inspector General, Vanee Vines, spokesperson for the NSA told the Times. NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls.

Read this article:
Secure the Net initiative found to be an overall failure for NSA - Federal Times

VR Systems provides voter registration software and hardware to elections offices in eight states. Courtesy of VR Systems hide caption

VR Systems provides voter registration software and hardware to elections offices in eight states.

The Florida elections vendor that was targeted in Russian cyberattacks last year has denied a recent report based on a leaked National Security Agency document that the company's computer system was compromised.

The hackers tried to break into employee email accounts last August but were unsuccessful, said Ben Martin, the chief operating officer of VR Systems, in an interview with NPR. Martin said the hackers appeared to be trying to steal employee credentials in order to launch a spear-phishing campaign aimed at the company's customers.

VR Systems, based in Tallahassee, Fla., provides voter registration software and hardware to elections offices in eight states.

"Some emails came into our email account that we did not open. Even though NSA says it's likely that we opened them, we did not," Martin says. "We know for a fact they were never opened. They did not get into our domain."

VR Systems COO Ben Martin told NPR that no elections vendor would send customers software updates once voting had begun, which it had in this case. Dina Ivory/Courtesy of VR Systems hide caption

Instead, Martin said, the company isolated the suspicious emails and alerted law enforcement authorities, who it was already working with because of two attempts to break into state voter registration databases earlier last summer.

The NSA document said that at least one of the company's email accounts was "likely" compromised based on information uncovered later in the spear-phishing campaign. That attack took place days before the November election and involved fake emails sent to as many as 122 local election officials in an apparent effort to trick them into opening attachments containing malicious software.

"They tried to pretend to be us to leverage our relationship with our customers," said Martin.

But Martin noted that while the NSA says the emails were made to look as if they came from VR Systems, they were sent from a phony email address vr.elections@gmail.com. He said his company does not use Gmail and never sends its customers documents in the form of email attachments. He added that no elections vendor would send customers software updates once voting had begun, which in this case it had.

"That's why I believe most of our customers knew immediately that this was bogus," said Martin. The company was alerted to the fake emails by one of its customers, and Martin said it immediately warned its other customers. So far, there is no evidence that any of the recipients opened the attachments or had their systems infected with the malicious software.

Still, cybersecurity experts say the attempted attacks are a clear sign of Russian interest in interfering with U.S. elections either by manipulating votes or causing chaos at the polls. Some have warned that vendors might be exploited to gain access to local or state voting systems.

In this case, the NSA report concluded that the purpose of the malicious software was "to establish persistent access or survey the victim for items of interest to the threat actors." While last year's attacks appeared to only involve voter registration systems, some experts say such systems can be used as a gateway to actual voting machines.

The Senate and House intelligence committees will explore Russia's efforts to interfere in U.S. elections last year and how to prevent future attacks at two hearings on Wednesday. Former Secretary of Homeland Security Jeh Johnson will appear before the House committee. The Senate panel will hear from current U.S. intelligence officials and state election experts.

View post:
Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt - NPR

When Edward Snowden walked out of the NSA in 2013 with thumb drives full of its most secret files, the agency didn't have a reliable list of peoplelike Snowdenwho had privileged access to its networks. Nor did it have a reliable list of those who were authorized to use removable media to transfer data to or from an NSA system.

That's one of the alarming revelations in a Department of Defense Inspector General report from last year. The report, which was ordered by Congress, reviewed whether the NSA had completed some of the most important initiatives it has started in response to the Snowden leak to make its data more secure. The New York Times obtained the DOD IG report via FOIA.

The most shocking detail in the report is that even at the new National Security Agency data center in Utah, "NSA did not consistently secure server racks and other sensitive equipment" in data centers and machine rooms. At the Utah Data Center and two other facilities, the report stated, "we observed unlocked server racks and sensitive equipment." The finding that the NSA wasn't locking down all its server racks was first disclosed and reported in a House Intelligence Committee Report on Edward Snowden's leaks released in December.

But the more fundamental problem revealed in the report is that the NSA has done little to limit the number of people who have access to what are supposed to be the most protected hardware the NSA has.

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

The government's apparent lack of curiosity is fairly alarming

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

NSA headquarters in Maryland. Image: MJB/Flickr

The government's apparent lack of curiosityat least in this reportabout which of these was the case is fairly alarming, because it is a critically important question in assessing why NSA continues to have serious data breaches. For example, it would be important to know if Hal Martin, the Booz Allen Hamilton contractor accused of stealing terabytes of NSA data in both hard copy and digital form, showed up on these lists or if he simply downloaded data for decades without authorization to do so.

Even given the real concern that Russia or someone else might have reason to want to make the names of PRIVACs and DTAs inaccessible at precisely the time the NSA reviewed the Snowden breach, the NSA's subsequent action does provide support for the likelihood the agency itself was hiding how widespread PRIVAC and DTA access was. For both categories, DOD's Inspector General found NSA did not succeed in limiting the number of people who might, in the future, walk away with classified documents and software.

With PRIVACs, the NSA simply "arbitrarily" removed privileged access from some number of users, then had them reapply for privileged access over the next 3 months. The NSA couldn't provide DOD's IG with "the number of privileged users before and after the purge or the actual number of users purged." After that partial purge, though, NSA had "a continued and consistent increase in the number of privileged users."

As with PRIVACs, the NSA "could not provide supporting documentation for the total number of DTAs before and after the purge" and so was working from an "unsubstantiated" estimate. After the Snowden leak, the NSA purged all DTAs and made them reapply, which they did in 2014. The NSA pointed to the new number of DTAs and declared it a reduction from its original "unsupported" estimate. When asked how it justified its claim that it had reduced the number of people who could use thumb drives with NSA's networks when it didn't know how many such people it had to begin with, the NSA explained, "although the initiat[iv]e focused on reducing the number of DTA, the actions taken by NSA were not designed to reduce the number of DTAs; rather they were taken to overhaul the DTA process to identify and vet all DTAs." The IG Report notes that the NSA "continued to consistently increase the number of DTAs throughout the next 12 months."

When, in 2008, someone introduced a worm into DOD's networks via a thumb drive, it decreed that it would no longer use removable media. Then, after Chelsea Manning exfiltrated a bunch of documents on a Lady Gaga CD, the government again renewed its commitment to limiting the use of removable media. This report reveals that only in the wake of the Snowden leaks did the NSA get around to developing a vetted list of those who could use thumb drives in NSA's networks. Yet as recently as last year, Reality Winner (who, as an Air Force translator, was presumably not a privileged access user at all) stuck some kind of removable media into a Top Secret computer, yet the government claims not to know what she downloaded or whether she downloaded anything at all (it's unclear whether that Air Force computer came within NSA's review).

When contacted with specific questions about its inability to track privileged users, the NSA pointed to its official statement on the DOD IG Report. "The National Security Agency operates in one of the most complicated IT environments in the world. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock." The Office of Director of National Intelligence did not immediately respond with comment to my questions.

Yet this issue pertains not just to the recent spate of enormous data breaches, which led last month to the worldwide WannaCry ransomware attack using NSA's stolen tools. It also pertains to the privacy of whatever data on Americans the NSA might have in its repositories. If, three years after Snowden, the NSA still hasn't succeeded in limiting the number of people with the technical capability to do what he did, how can NSA ensure it keeps Americans' data safe?

Read the original here:
The NSA Has Done Little to Prevent the Next Edward Snowden ... - Motherboard

Oversight

The National Security Agency is still not fully implementing all necessary security protocols to minimize the potential of another Edward Snowden-like data breach, according to a newly declassified 2016 Pentagon watchdog report.

In the wake of the Snowden breach, the NSA outlined 40 privileged-access Secure-the-Net initiatives designed to guard against insider threats by tightening controls over data and monitoring of user access.

The Defense Department's Office of the Inspector General audited seven of the STN protocols and found that the NSA implemented or partially implemented four of the audit sample. Those related to developing a new system administration model, assessing the number of systems administrators, implementing two-stage authentication controls and deploying two-person access controls.

According to the heavily redacted report, the NSA culled the number of systems administrators and implemented a tiered system to take away privileged access from those who do not require it.

The report states the NSA only partially implemented two-stage authentication and two-person access controls and did not consistently secure server racks and other sensitive equipment in data centers and machine rooms.

The three audit initiatives where the NSA missed the mark were in reducing the number of privileged users and data transfer agents as well as fully implementing technology to oversee privileged-user activities.

NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness, states the audit. As a result, NSAs actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

The report states that prior to 2013, the NSA did not know how many privileged users and data transfer agents it had, and that throughout 2014 the number of DTAs actually increased.

The report acknowledges that it is not possible to protect against all insider threats, but stresses that NSA must at least implement all of its own stated protocols.

Although the NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective in mitigated vulnerabilities exploited during the security breach, the report states.

The NSAs woes did not end with the Snowden breach. In August 2016, a cryptic group or individual going by the name TheShadowBrokers announced it had acquired a trove of NSA hacking tools and has since been leaking some of the data in an attempt to seduce buyers to pay for the remaining stash.

It is still not clear whether the so-called ShadowBrokers obtained the data through an insider.

The DOD OIG report made three recommendations -- all of which were fully redacted -- and according to the document, the NSA agreed with the recommendations.

The NSA responded to questions about the audit from FCW with an email statement.

The National Security Agency operates in one of the most complicated IT environments in the world, the NSA stated. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock.

According to the statement, the NSA has undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the Intelligence Community.

NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls, the statement concluded.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

Originally posted here:
Watchdog: NSA needs to boost insider-threat protocols - FCW.com

It appears the NSA hasn't learned much since Ed Snowden left with several thousands of its super-secret documents. Agency officials were quick to claim the leaks would cause untold amounts of damage, but behind the scenes, not much was being done to make sure it didn't happen again.

A Defense Department Inspector General's report obtained via FOIA lawsuit by the New York Times shows the NSA fell short of several security goals in the post-Snowden cleanup. For an agency that was so concerned about being irreparably breached, the NSA still seems primed for more leakage. Charlie Savage reports:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Departments inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of privileged users, who have greater power to access the N.S.A.s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

Let's not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation. It's repeatedly asked for more power and a better seat in the CyberWar room. But it doesn't even take its OWN security seriously. The NSA told its oversight it was engaging in 40 "Secure the Net" initiatives, directly after the first Snowden leak. Two years later, it told Congress it had completed 34 of 40 STN initiatives. The term "completion" apparently has multiple definitions, depending on who's using the word. The IG sampled only seven of the initiatives and found four were mostly done and three were nowhere near completed. Extrapolating from the sampling, it's safe to assume the NSA's internal security efforts are only slightly more than half-baked.

The three the NSA failed to implement are of crucial importance, especially if it's looking to keep its in-house documents safe at home. From the report [PDF]:

NSA officials did not effectively implement three PRIVAC [Privileged Access]-related STN initiatives:

- fully implement technology to oversee privileged user activities;

- effectively reduce the number of privileged users; and

- effectively reduce the number of authorized DTAs [Data Transfer Agents].

First off, the NSA -- prior to the Snowden leaks -- had no idea how many users had privileged access. Post-Snowden, things hardly improved. Considering the tech capabilities of the agency, it's incredibly amusing to see how the NSA "tracked" privileged users.

NSA officials stated they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

Pretty much useless, considering this number the NSA couldn't verify (thanks to its missing spreadsheet) was supposed to be used to establish a baseline for the planned reduction in privileged users. Despite missing this key data, the NSA moved ahead, "arbitrarily revoking access" and asking users to reapply for privileged status. It then reported a reduction by citing the number of users it denied restoration of access privileges. It did not factor in any new users it granted privileged access to or tally up the number of accounts it never bothered to revoke.

As the fully-redacted chart presumably points out (according to the text above it), the NSA had a "continued and consistent increase in the number of privileged users once the [redacted] enrollment process began."

The NSA also claimed it had reduced the number of DTAs. And again, the NSA had no receipts.

Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged.

The NSA's objectively-terrible internal controls (again) ensured no number could be verified.

NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach.

The NSA handled these missing numbers the same way it had privileged users: it made up a new baseline, arbitrarily decided it could show a downtrend in DTAs, and delivered this as "proof" of another completed security initiative.

The report points out repeatedly the NSA's failure to provide documentation backing its STN claims -- either from before the initiatives took force or after they supposedly hag been completed. The IG's comments note the NSA's response to the report ignored its detailed description of multiple failures in order to spin this as a "win" for the agency.

Although the Director, Technology Directorate NSA/CSS Chief Information Officer, agreed, he did not address all the specifics of the recommendation. Therefore, we request that the director provide additional comments on the final report that identify specific actions NSA will take.

Here's how the NSA portrayed the report's findings:

While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a "good news" story.

Sure, if you consider a half-done job securing NSA assets to be "good news," rather than just an ongoing series of security holes left halfway unplugged while agency officials testify before Congressional oversight in front of a "MISSION ACCOMPLISHED" banner backdrop.

See the article here:
Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks - Techdirt