Mediaboss Marketing

The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports.

Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that theWCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch thatMicrosoft released in March.

In May, it was hard to excuse so many companies not yet applying a two-month-old patch to critical systems that were vulnerable to advanced NSA exploit code put into the public domain. The failure is even harder to forgive five weeks later, now that WCry's wake of destruction has come into full view.

View post:
Honda shuts down factory after finding NSA-derived Wcry in its networks - Ars Technica

Despite attempts to bolster security at the NSA following Edward Snowden's leaks, a new report indicates gaps remain.

A number of initiatives to strengthen security were mandated at the National Security Agency (NSA) following the leaks by Edward Snowden of 1.5 million documents, but implementation of those procedures lacked teeth, according to a report by the Department of Defense (DoD).

The 61-page report from the DoD's inspector general on the NSA's putting into practice of the Secure-the-Net (STN) initiative, faults the agency and, as security intelligence expert Christopher Burgess, writing for Sophos's Naked Security blog puts it, "the only image one can conjure up is that of the Katzenjammer Kids running amok."

Once the insider risk was presented by Snowden's leaks, the STN initiative was put into place offering 40 recommendations focused on insider threats to NSA systems, data and infrastructure.

Among that group of 40, seven directives specifically addressed secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access.

The seven STN initiatives were:

The report from the DoD examined the NSA's progress in putting these seven recommendations into place, based on its study between January and July 2016 of four facilities.

The DoD report, acquired by The New York Times under a FOIA request, "takes the NSA to the woodshed," Burgess wrote. While the NSA did attempt to implement the recommendations, it failed to do an effective job in carrying out implementation, Burgess said.

The NSA only partially got some operations in place, the report explained. One example regarded two-factor authentication, which was implemented for system administrators but not for others with credentials for privileged access (which was how Snowden was able to exfiltrate data).

Perhaps even more critical, the report found that the NSA could not determine who had elevated access privileges. In light of Snowden's actions and then the later acquisition by the Shadow Brokers of NSA materials, there is lax security within the agency, the DoD report stated.

The tightening up of its operations was the intent of the STN initiatives. While Burgess, a former CIA operations officer, said some good resulted primarily an insider threat program initiated at all facilities insiders are still capable of harvesting NSA data, as evidenced by the arrest in May of Reality Winner, another NSA contractor, who used her privileged access to remove NSA material regarding Russian interference in the U.S. presidential election and then provided it to the media.

"Reality Winner did not have need-to-know access," Burgess told SC Media on Wednesday. He pointed to one of the recommendations included in the seven STN initiatives: Oversee privileged user activities. Winner had privileged access, Burgess explained, but had no need to know about Russian meddling in the presidential election.

"Had monitoring activity been in place," Burgess said, "she would have been detected."

Clearly, Burgess concluded, some tweaking is still needed to the NSA's STN program to plug insiders' capabilities.

Original post:
DoD faults NSA for lax security implementations, Sophos report - SC Magazine

After reading through the 61 pages of redacted content of the August 2016 DOD Inspector Generals report on the National Security Agencys (NSA) implementation of the Secure-the-Net initiative, acquired by The New York Times via a Freedom of Information Act (FOIA) request, the only image one can conjure up is that of the Katzenjammer Kids running amok.

The NSA data protection (or lack thereof) was thrust into the spotlight when Edward Snowden, then a contractor in Hawaii, purloined 1.5m documents. How Snowden carried out his massive data collection is interesting, as he used his natural access and then conned his colleagues into giving up their internal access credentials in his role as the system admin. In the months that followed there were no shortage of opinions on how the NSA could or should tighten up its ship.

The Secure-the-Net (STN) initiative was launched post-Snowden, which included 40 specific recommendations focused on insider threats to NSA systems, data, and infrastructure. Seven of those recommendations were designed to secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access.

The seven STN initiatives were:

The Department of Defense (DOD) report reviewed the NSAs progress on tightening up its ship with respect to the seven STN recommendations. The audit was conducted at four facilities between January and July of 2016.

The DOD report takes the NSA to the woodshed. Not because the NSA didnt attempt to implement, but rather, because they did a half-ass job in the implementation.

The reports scorching verbiage surrounds this partial implementation of the recommendations: for example, the

NSA did not effectively implement the three privileged access related STN initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

For example, with respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. It is well documented how Snowden bypassed the then presentprivileged access controls and conned his colleagues into giving him their credentials which he then went on to use to expand his access.

A 2FA requirement would have required the owner of the credentials to have been participatory in Snowdens use of their credentials. NSA implementation as described in the report shows how they opted to leave open the very window that Snowden climbed through to harvest the data he stole.

Furthermore, the report goes on to chastise the NSA for not having a clue about how many individuals had privileged access in 2014, nor in 2016, and nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldnt find out exactly how many people had privileged access.

While focus has largely been on the trusted insider gone bad, Edward Snowden, the Shadow Brokers acquisition of NSAs Office of Tailored Access Operations (TAO)collection tools compromise clearly indicates a need by the NSA to continue to place their focus on locking down their own house.

How the TAO compromise occurred remains a mystery. It could have been an insider (contractor or staff) or it might have been a result of the contractor alleged to have built the exposed tools, the Equation Group, having themselves been hacked. Coincidentally, the inspector general report was published the week after the Shadow Brokers offered the TAO tools for auction. An active August 2016 indeed.

But what of the NSA contractor Harold Martin, another NSA insider?Martin, who worked for Booz Allen Hamilton, he was found to have hoarded up to 50 terabytes of NSA information. The indictment on Martin was sealed until October 2016, but he was arrested on 27 August 2016, yes two days prior to the arrival of the inspectors general report. August 2016 was truly a busy month in the world of espionage and counterespionage.

Is it hard to catch an insider?Yes, it is. If the individual does not exceed their natural access, process and procedures, they will be difficult to detect, and while it is safe to say that 100% is not achievable, there are steps which can be taken to secure the environment to bring the risk as close to zero as possible. This was the intent of the STN.

Has there been any good to come out of the STN? Absolutely, the National Industrial Security Program of the United States, marshaled by the Defense Security Service, has brought into play their mandatory insider threat program at all cleared facilities and contractors. These programs became mandatory on June 1 2017.

One might recall the recent arrest of NSA contractor, Reality Winner, also a contractor from Booz Allen Hamilton, who took a highly classified document assessing and discussing the Russian military intelligence entitys (the GRU) hand in meddling in the US election. Winner, using her privileged access, printed out the report, and then mailed it to a media outlet. Once the NSA saw the document, they quickly determined who had had access, who had printed the document and then who had had contact with a media outlet.

What they apparently werent able to do was to determine how and why Winner had privileged access to information to information about which she had no need to know.

One could argue this rapid-fire capability used to identify Winner would not have been present without the STN initiatives. On the other hand, one might surmise the privileged access portion of NSAs STN program continues to need tweaking.

Link:
NSA failed to implement security measures, says damning report - Naked Security

A declassified report from the Defense Department Inspector General has been released, according to the New York Times.

The 60-page report commissioned by Congress assesses 7 of the 40 components that the National Security Agency outlined for their Secure the Net initiative. This initiative was put forth to help improve the security of sensitive systems after the Snowden disclosures in 2013.

The NSA, according to the inspector generals report, had some successes, but the overall initiative did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

According to the Times, the report details how their efforts fell short, including the failure to reduce the number of privileged users who can access sensitive computer systems; their failure to consistently keep data center machine rooms secure, as well as failing to lock the server racks containing highly classified data; and the failure to fully implement software that would monitor users.

The report also noted the agencys failure to declare an exact number of people with abilities to transfer data. The lists containing this information were kept on spreadsheets that were corrupted and are no longer available.

The inspector generals report noted that NSA CIO Gregory Smithberger told the inspector general that the elimination of all insider risks and threats is not feasible. He told the Times, While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a good news story.

The importance of securing classified information, as the report warns, was underscored the same month the inspector generals report was produced, according to the Times. In August 2016, a group called the Shadow Brokers obtained and auctioned off classified hacking tools allegedly from the NSA some of which were dumped online. Those tools were later seen as part of the global WannaCry ransomware attack.

We welcome the observations and opportunities for improvement offered by the U.S. Defense Departments Inspector General, Vanee Vines, spokesperson for the NSA told the Times. NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls.

Read this article:
Secure the Net initiative found to be an overall failure for NSA - Federal Times

VR Systems provides voter registration software and hardware to elections offices in eight states. Courtesy of VR Systems hide caption

VR Systems provides voter registration software and hardware to elections offices in eight states.

The Florida elections vendor that was targeted in Russian cyberattacks last year has denied a recent report based on a leaked National Security Agency document that the company's computer system was compromised.

The hackers tried to break into employee email accounts last August but were unsuccessful, said Ben Martin, the chief operating officer of VR Systems, in an interview with NPR. Martin said the hackers appeared to be trying to steal employee credentials in order to launch a spear-phishing campaign aimed at the company's customers.

VR Systems, based in Tallahassee, Fla., provides voter registration software and hardware to elections offices in eight states.

"Some emails came into our email account that we did not open. Even though NSA says it's likely that we opened them, we did not," Martin says. "We know for a fact they were never opened. They did not get into our domain."

VR Systems COO Ben Martin told NPR that no elections vendor would send customers software updates once voting had begun, which it had in this case. Dina Ivory/Courtesy of VR Systems hide caption

Instead, Martin said, the company isolated the suspicious emails and alerted law enforcement authorities, who it was already working with because of two attempts to break into state voter registration databases earlier last summer.

The NSA document said that at least one of the company's email accounts was "likely" compromised based on information uncovered later in the spear-phishing campaign. That attack took place days before the November election and involved fake emails sent to as many as 122 local election officials in an apparent effort to trick them into opening attachments containing malicious software.

"They tried to pretend to be us to leverage our relationship with our customers," said Martin.

But Martin noted that while the NSA says the emails were made to look as if they came from VR Systems, they were sent from a phony email address vr.elections@gmail.com. He said his company does not use Gmail and never sends its customers documents in the form of email attachments. He added that no elections vendor would send customers software updates once voting had begun, which in this case it had.

"That's why I believe most of our customers knew immediately that this was bogus," said Martin. The company was alerted to the fake emails by one of its customers, and Martin said it immediately warned its other customers. So far, there is no evidence that any of the recipients opened the attachments or had their systems infected with the malicious software.

Still, cybersecurity experts say the attempted attacks are a clear sign of Russian interest in interfering with U.S. elections either by manipulating votes or causing chaos at the polls. Some have warned that vendors might be exploited to gain access to local or state voting systems.

In this case, the NSA report concluded that the purpose of the malicious software was "to establish persistent access or survey the victim for items of interest to the threat actors." While last year's attacks appeared to only involve voter registration systems, some experts say such systems can be used as a gateway to actual voting machines.

The Senate and House intelligence committees will explore Russia's efforts to interfere in U.S. elections last year and how to prevent future attacks at two hearings on Wednesday. Former Secretary of Homeland Security Jeh Johnson will appear before the House committee. The Senate panel will hear from current U.S. intelligence officials and state election experts.

View post:
Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt - NPR