Archive for the ‘NSA’ Category

Here’s the NSA Agent Who Inexplicably Exposed Critical …

A series of leaks has rocked the National Security Agency over the past few years, resulting in digital spy tools strewn across the web that have caused real damage both inside and outside the agency. Many of the breaches have been relatively simple to carry out, often by contractors like the whistleblower Edward Snowden, who employed just a USB drive and some chutzpah. But the most recently revealed breach, which resulted in state secrets reportedly being stolen by Russian spies, was caused by an NSA employee who pleaded guilty Friday to bringing classified information to his home, exposing it in the process. And all, reportedly, to update his resume.

The Justice Department Friday announced that Nghia Hoang Pho, a 67-year-old from Ellicott City, Maryland, has admitted to willful retention of national defense information. He'll face up to 10 years in prison, but is free until his sentencing in early April. Pho is a naturalized United States citizen originally from Vietnam. Pho illegally mishandled classified information in spite of being an agent in the NSA's elite Tailored Access Operations foreign hacking group (now called Computer Network Operations) from 2006 to 2016. Though it's somewhat astonishing that someone with his position and training would cause such a basic breach, Pho brought classified data and paper documents to his home between 2010 and 2015. The New York Times, which originally reported on Pho's case before his identity was known, notes that he seems to have been charged in March 2015.

"In connection with his employment, Pho held various security clearances and had access to national defense and classified information. Pho also worked on highly classified, specialized projects," the DoJ said in a statement on Friday. "Pho removed and retained US government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information."


That information didn't stay on Pho's computer. Instead, Pho appears to be the NSA employee from whom Russia stole valuable data, by compromising the Kaspersky antivirus software on a then-unidentified NSA employee's personal computer. Because antivirus software has deep and far-reaching permissions, Russian intelligence used its hooks into Kaspersky to lift files, and any number of secrets. Kaspersky has repeatedly denied any association with the Russian government.

Pho stands out among recent NSA leak culprits in that he specifically worked as a developer for TAO, which would have brought him into contact with a diverse array of sensitive NSA data, systems, and materials. One would also have thought an elite programmer focused on developing advanced hacking tools would know better than to put classified data at risk by transporting it to his house.

"It's not a mistake that's supposed to be common," says David Kennedy, the CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps' signal intelligence unit. "Lax practices, for sure. Classified data is highly sensitive and shouldn't be able to be removed. It shows that TAO didn't have good controls over that data."

The fact that Pho was a developer is significant, though, says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked for TAO at the NSA (a fact that wasn't public until the NSA leakers known as the Shadow Brokers revealed it in April).

"CNO developers are usually experts in a very narrow field and often don't really understand how their tools are used in operations, so his lack of operations security is not as surprising as it should be," Williams says. "There's also an intense pressure to get the mission done, so the idea that a developer would take work home is not at all surprising."

Apparently, though, Pho wasn't focused entirely on work. The New York Times reports that the TAO developer brought home the materials so he could update his resume. The case documents don't give much indication of what types of data and materials Pho took and left on his personal computer. The frantic investigation into valuable NSA tools stolen by Russian spies, though, indicates that Pho may have exposed more than just resume materials.

Other NSA leaks have come from contractor Reality Winner, who sent classified information to The Intercept in September, and Harold Martin, another contractor, who was charged in October 2016 for bringing terabytes of NSA data to his house, like Pho.

Pho stands out, though, both for the apparent audaciousness of his actions, and his affiliation with TAO, a highly regarded unit within the world's most powerful intelligence apparatus. If someone like that can accidentally cause a critical NSA breach, there's no telling who else might have as well.


New NSA leak exposes Red Disk, the Army’s failed …

The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online.

The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA.

The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, Viacom, and several government departments were all dinged by unsecured data.
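The exposure described above, an unlisted bucket readable by anyone without credentials, is a configuration failure that can be audited for. The following is an added example, not code from the article or from UpGuard: it scores a bucket from its ACL, Block Public Access settings and bucket policy (in the shapes boto3 returns) over constructed sample buckets whose names and grants are invented, and audit_live_account() runs the same checks against a real account when boto3 and credentials are available.

```python
"""Flag S3 buckets that are readable without credentials: the failure behind the exposure."""
import json

# ACL grants to these canned groups are world-readable (AllUsers) or open to any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Fully enabled Block Public Access stops anonymous reads whatever the ACL or policy says.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def public_acl_grants(acl):
    """Return 'Group:Permission' for every ACL grant made to a public group."""
    return [f"{PUBLIC_GROUP_URIS[g['Grantee']['URI']]}:{g.get('Permission')}"
            for g in acl.get("Grants", []) if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def policy_allows_anonymous(policy):
    """True if an unconditional Allow statement names the wildcard principal."""
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False

def assess_bucket(name, acl, block=None, policy=None):
    """Combine ACL, Block Public Access (None = never configured, so all False) and policy."""
    block = {**{k: False for k in FULL_BLOCK}, **(block or {})}
    findings, exposed = [], False
    grants = public_acl_grants(acl)
    if grants and not block["IgnorePublicAcls"]:
        findings.append("public ACL grants in effect: " + ", ".join(grants))
        exposed = True
    elif grants:
        findings.append("public ACL grants present but ignored by IgnorePublicAcls")
    if policy_allows_anonymous(policy):
        if block["RestrictPublicBuckets"]:
            findings.append("public bucket policy present but neutralised by RestrictPublicBuckets")
        else:
            findings.append("bucket policy allows anonymous (Principal '*') access")
            exposed = True
    missing = [k for k, v in block.items() if not v]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return {"bucket": name, "exposed": exposed, "findings": findings}

# Constructed sample data in the shapes boto3's get_bucket_acl() and get_public_access_block()
# return; the names and grants are invented, since the INSCOM bucket's details were never published.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
SAMPLE_BUCKETS = {
    # Unlisted, no password, readable by anyone: the pattern behind the Red Disk exposure.
    "unlisted-share-example": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                           {"Grantee": ALL_USERS, "Permission": "READ"}]},
        "block": None, "policy": None},
    # A stray public policy that a fully enabled Block Public Access neutralises.
    "hardened-example": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "block": FULL_BLOCK,
        "policy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened-example/*"}]}},
}

def run_sample_audit():
    """Assess the constructed sample buckets, keyed by bucket name."""
    return {n: assess_bucket(n, b["acl"], b["block"], b["policy"]) for n, b in SAMPLE_BUCKETS.items()}

def audit_live_account():
    """Run the same checks over every bucket the caller's AWS credentials can list. Needs boto3
    and s3:ListAllMyBuckets, s3:GetBucketAcl, s3:GetBucketPublicAccessBlock, s3:GetBucketPolicy."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    results = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            block = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # never configured: assess_bucket treats it as all-False
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            block = None
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        results.append(assess_bucket(name, s3.get_bucket_acl(Bucket=name), block, policy))
    return results
```

Object ACLs can also grant public READ on individual keys even when the bucket ACL is clean, so a full audit pairs this with an object-level pass or, more simply, with IgnorePublicAcls turned on.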

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and informed the government of the breach in October. The storage server was subsequently secured, though its owner remains unknown.

The leak marks yet another exposure of classified government data. Since the Edward Snowden disclosures in 2013, the agency has made headlines again: last year Harold Martin, an NSA contractor, was indicted for removing terabytes of secret data from the agency's headquarters, and another contractor, Reality Winner, was indicted this year for leaking classified secrets to news site The Intercept.

When approached prior to publication, an NSA spokesperson did not return a request for comment. An INSCOM spokesperson was unable to comment by the time of publication.

The disk image, when unpacked and loaded, is a snapshot of a hard drive dating back to May 2013 from a Linux-based server that forms part of a cloud-based intelligence sharing system, known as Red Disk. The project, developed by INSCOM's Futures Directorate, was slated to complement the Army's so-called distributed common ground system (DCGS), a legacy platform for processing and sharing intelligence, surveillance, and reconnaissance information.

Each branch of the military has its own version of the intelligence sharing platform -- the Army's is said to be the largest -- but the Army's system struggled to scale to the number of troops who need it.

Red Disk was envisioned as a highly customizable cloud system that could meet the demands of large, complex military operations. The hope was that Red Disk could provide a consistent picture from the Pentagon to deployed soldiers in the Afghan battlefield, including satellite images and video feeds from drones trained on terrorists and enemy fighters, according to a Foreign Policy report.

But the system was slow, crash prone, and difficult to use. A memo from 2014 by soldiers with one deployed brigade said the system was "a major hindrance to operations," as reported by the Associated Press.

The Pentagon spent at least $93 million on Red Disk, but it was never fully deployed in the field. The project has since been largely seen as a failure.

While the contents of the disk are readable, the system itself wouldn't boot -- likely because it relies on dependent systems and servers that are only available from within the Pentagon's network. But the files alone offer a glimpse into how Red Disk worked.

Red Disk was a modular, customizable, and scalable system for sharing intelligence across the battlefield, like electronic intercepts, drone footage and satellite imagery, and classified reports, for troops to access with laptops and tablets on the battlefield. Marking files found in several directories imply the disk is "top secret," and restricted from being shared to foreign intelligence partners.

Red Disk could draw in vast amounts of intelligence, documents, videos, and audio from several sources, including signals intelligence, radar, wide area aerial surveillance, drones, and audio databases -- some fed in directly from the NSA. That raw, mostly unstructured data passed through software called NiFi (formerly NiagaraFiles), a since-declassified NSA system for highly scalable and flexible data flows, which routes different kinds of data across multiple computer networks and geographically dispersed sites. That was particularly useful for Red Disk, which relied on obtaining and sending data over wide areas.

An icon found in the leaked files, used to "target" individuals of interest. (Image: supplied)

The data then was sorted and organized through various filters. The data would be indexed, allowing analysts to carry out metadata tagging, extract geo-temporal information, and run a data provenance process to verify the source and owner of certain data.

All the collected intelligence would be stored in a central repository to be analyzed, correlated, and enriched. An analyst could pull intelligence from the repository based on their security clearance. An analyst would obtain their access from their Pentagon-issued certificate-based credentials, which grant them access only to data they are permitted to see.

The system also comes with several plug-in apps, allowing analysts to interact with intelligence data. One program includes DOMEX, a document and media program for analyzing seized documents and electronic evidence.

Several files also point to biometric analysis tools, and an integration of human language technologies to allow analysts to query reports and play audio in English.

One image found on the drive reveals how analysts can target individuals of interest, such as potential terrorists, in the DCGS system for later action -- such as by ground troops or autonomous drones.

Vickery noted that the disk image also contains other sensitive files, including private keys used for the system to access other servers on the intelligence community's network. The keys belong to a third-party firm, Invertix, a working partner of INSCOM and a key developer of Red Disk.

Invertix, now named Altamira Technologies, did not respond to a request for comment.

INSCOM's data exposure is the latest in a long list of government leaks in the past year.

Several government agencies, including US Central Command and US Pacific Command and the National Geospatial Intelligence Agency, charged with analyzing top secret satellite imagery, have admitted exposing sensitive or classified information.

Vickery, who searches for exposed data online, has been responsible for finding much of the data. But he said the latest data exposure was entirely avoidable.

"What are we doing wrong when 'top secret' data is literally two mouse clicks away from worldwide exposure?" he said. "How did we get here, and how do we find a way out?"


Kaspersky: NSA staffer’s laptop was infected with malware

Kaspersky Lab released details from an internal investigation on Wednesday, hours before a hearing in Congress on its antivirus technology.

Russian spies didn't need Kaspersky Lab's antivirus software to steal information from an NSA staffer, the company says -- the computer was already infected with malware.

Kaspersky Lab has been under scrutiny in the US after multiple reports alleged that the Moscow-based security company had been working with the Russian government for digital espionage. US officials have been on high alert for Russian cyberattacks and internet shenanigans, fearing national security threats to everything from the country's elections to its power grid.

Kaspersky's software had allegedly helped someone steal the NSA's hacking tools in 2015 and provide them to Russian spies, the Wall Street Journal first reported.

But an internal investigation by Kaspersky Lab suggests that the NSA staffer would have been hacked regardless of what antivirus program was on the computer. That's because malware had already slipped in.

The security company released preliminary details from its investigation on Wednesday, just hours ahead of a hearing before the House Committee on Science and Technology on the risks Kaspersky Lab might pose.

According to the investigation, the company said, the NSA staffer downloaded pirated software onto his personal laptop, including an illegal Microsoft Office activation key generator, on Oct. 4, 2014.

"The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user's machine," Kaspersky said in its report.

The NSA declined to comment for this story. The staffer had already broken procedure by bringing classified data onto his personal computer at home.

Kaspersky Lab said its antivirus technology would have been able to block the malware disguised as a key generator if the staffer hadn't disabled the software to allow the download. After the staffer turned his antivirus back on, it spotted the hidden malware, along with a stash of the NSA's hacking tools.

Antivirus software is designed to find malware, regardless of whether it's from a cybercriminal hiding it in pirated software or a government agency using it to hack nation states. That's why Kaspersky's software picked up the NSA's tools during its scans, the company said.

The NSA's malware had come from Equation Group, a hacking team within the government agency.

"Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware," the company said.

An analyst alerted company CEO Eugene Kaspersky about picking up the NSA's tools, and Kaspersky asked that the archive be deleted. They said the program was not shared with any third parties.

It's still unclear how these tools then ended up with Russian spies, but Kaspersky Lab indicated that the malware hidden on the NSA's staffer's computer could have played a role. There have not been similar incidents in the three years since, according to the investigation.


Report: Hackers Stole NSA Cybertools In Another Breach Via …

The Wall Street Journal reports there has been a new breach at the National Security Agency via one of the agency's contractors. (Image: NSA Handout/Getty Images)

Russian hackers stole top secret cybertools from a National Security Agency contractor in yet another embarrassing compromise for U.S. spy agencies, the Wall Street Journal reported Thursday.

The NSA contractor is believed to have taken highly sensitive official software home to a personal computer in 2015. His machine was running a Russian security program made by Kaspersky Labs, which can be exploited by Russia's intelligence agencies, the Journal reported.

The NSA declined to comment.

Members of Congress, however, slammed the spy agency for the latest in a series of breaches blamed not on its own employees but on the vendors it uses in place of or in addition to them.

At least three other contractors, Reality Winner, Hal Martin and Edward Snowden, also have been accused of hoarding or releasing NSA's secrets. An online entity called the "Shadow Brokers" also has tried to auction what it called software stolen from the NSA.

Nebraska's Republican Sen. Ben Sasse said he was tired of seeing the same headlines about failures of NSA's information security.

"The men and women of the U.S. intelligence community are patriots, but the NSA needs to get its head out of the sand and solve its contractor problem," Sasse said. "Russia is a clear adversary in cyberspace, and we can't afford these self-inflicted injuries."

Intelligence officials often stress that the NSA and its sibling agencies have a "layered" cyberdefense that is larger than any single tool or system. So the failure reported by the Journal might not amount to the loss of what intelligence workers might call "the keys to the kingdom."

Plus spy agency bosses have previously also said they would not run the Russian-made security software from Kaspersky Labs that the Journal said was associated with the loss of the hacking tools. In fact, Acting Homeland Security Secretary Elaine Duke said in September that she was banning the entire federal government from using Kaspersky.

Kaspersky Labs has millions of users around the world and is among NPR's corporate underwriters. It has denied that it is a cat's-paw for Russia's intelligence agencies or any other government.

New Hampshire Democratic Sen. Jeanne Shaheen said Thursday that the widespread use of Kaspersky software was no excuse for what she called the slow action by the U.S. intelligence community and the broader federal government.

"This development should serve as a stark warning, not just to the federal government but to states, local governments and the American public, of the serious dangers of using Kaspersky software," Shaheen said.

"The strong ties between Kaspersky Lab and the Kremlin are extremely alarming and have been well-documented for some time. It's astounding and deeply disturbing that the Russian government continues to have this tool at their disposal to harm the United States."


Russia reportedly stole NSA secrets with help of Kaspersky …

The Wall Street Journal just published an incendiary article that says hackers working for the Russian government stole confidential material from a National Security Agency contractor's home computer after identifying files though the contractor's use of antivirus software from Moscow-based Kaspersky Lab.

The report may well be true, but, for now, there's no way to independently confirm it. The report is based on unnamed people the publication says had knowledge of the matter, and it provides no evidence to support its claim. What's more, the lack of detail leaves open the possibility that, even if Kaspersky's AV did help Russia home in on the highly sensitive code and documents, the disclosure was the inadvertent result of a software bug, and no one from Kaspersky Lab cooperated with the attackers in any way. Also lost in the focus on Kaspersky Lab is the startling revelation that yet another NSA insider managed to sneak classified material outside of the NSA's network and put it on an unsecured computer. More of this analysis will follow.

First, here's a summary of what the WSJ reported.

The unnamed contractor removed the material from the NSA and stored it on a home computer that ran a version of Kaspersky AV. The material, according to the unnamed sources, included "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US." Sometime in 2015, the material was stolen by Russia-sponsored hackers who "appear to have targeted the contractor after identifying the files through the contractor's use" of the Kaspersky AV. The breach was discovered in the first three months of 2016.

The post continued:

US investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky's software provided of what files were suspected on the contractor's computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The report comes as concerns mount inside the US about Russian hacking in general and more specifically about whether Kaspersky Lab has ever, or might in the future, play a role in supporting such hacks. Rumors have swirled for years that, because of Kaspersky Labs' nationality and the early training founder Eugene Kaspersky received from the Russian government, the company was a Russian proxy that provided, or at least could provide when asked, that country's government with assistance in breaking into the computers of Russian adversaries.

As early as August, according to Cyber Scoop, the FBI quietly briefed private-sector companies on the threat it believed Kaspersky products and services posed. In early September, electronics retailer Best Buy stopped selling Kaspersky software and offered free removals and credits toward competing packages. Last month, the suspicions reached a new high when the US Department of Homeland Security took the unprecedented step of directing all US agencies to stop using Kaspersky products and services.

The US government has never provided hard evidence for the private briefings or the DHS directive. Dave Aitel, a former NSA hacker who is now CEO of penetration-testing firm Immunity, said the allegations aired on Thursday's WSJ post are a plausible explanation.

"That's exactly the kind of behavior that would cause the US government to do what they're doing," he told Ars. "There's only one really big thing, which is they think [Kaspersky] is operating as an agent for a foreign government, most likely wittingly."

The counterargument to what Aitel and plenty of people in security and national security circles are saying is that the extraordinary allegations are based solely on anonymous sources and aren't backed up with any hard evidence. What's more, the anonymous sources never say that anyone from Kaspersky Lab aided or cooperated with the hackers. The latter point leaves open the possibility that the hole in Kaspersky AV was unintentional on its developers' part and was exploited by Russian hackers without any help from the company.

In September 2015, Google Project Zero researcher Tavis Ormandy said his cursory examination of Kaspersky AV exposed multiple vulnerabilities that made it possible for attackers to remotely execute malicious code on computers that ran the software. If the hackers had knowledge the NSA contractor was using the Kaspersky AV, it's at least feasible they exploited those vulnerabilities or similar ones to identify the sensitive materials and possibly also steal them.

Kaspersky has since patched the vulnerabilities. Over the years, Ormandy has discovered equally severe code-execution vulnerabilities in AV software from a host of Kaspersky competitors.

The WSJ article tacitly suggests this alternate theory is not the case. It cites a former NSA hacker speculating that the names and fingerprints of the sensitive files were indexed in a scan performed by the Kaspersky software and then uploaded to the company's cloud environment so they can be compared against a master list of known malware. "You're basically surrendering your right to privacy by using Kaspersky software," the former NSA employee, Blake Darch, told the publication.

The unspoken implication is that, once the Kaspersky service indexed the NSA material, company officials privately notified Russian spies so they could target the contractor's computer. But another possible answer is that the Kaspersky network was compromised, allowing the attackers responsible to pinpoint the location of the files on the contractor's computer. After all, Kaspersky Lab has already disclosed that from mid-2014 to the first quarter of 2015, its network was compromised by highly sophisticated malware that has the hallmarks of nation-sponsored attackers. Aitel of Immunity, however, continued to agree with the theory that Kaspersky knowingly aided Russia, although he admitted that at this point there's no public proof it's correct.

"It's not something where someone exploited Kaspersky software," he said. "If that's what it was, it wouldn't be in The Wall Street Journal." Referring to the term for tapping phone and Internet connections for information of interest, he added: "I don't think it was signals intelligence by the Russian government. They clearly got it from a Kaspersky machine. That seems a lot more likely."

The theory is made more plausible by the fact that, by 2015, Kaspersky Lab had detailed knowledge of some of the NSA's most elite hacking tools and methods. Company researchers had acquired this knowledge after doing exhaustive research into a group it dubbed the Equation Group. As Ars reported in February of that year, the hacking team was clearly tied to the NSA, if not a part of it, by its advanced access to zero-day exploits that would later be used in the Stuxnet worm that reportedly was developed jointly by the NSA and its counterparts in Israel.

In an e-mailed statement, Kaspersky officials wrote:

Kaspersky Lab has not been provided any evidence substantiating the company's involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company.

As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It's also important to note that Kaspersky Lab products adhere to the cybersecurity industry's strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the US and around the world.

The takeaway is that, as the Kaspersky Lab statement notes, the WSJ's explosive allegations aren't substantiated with any evidence and, further, they're based on anonymous sources. That means, at the moment, there's no way journalists can independently verify the claims. What's more, the article as written leaves open the possibility that the role Kaspersky AV played in the breach was caused by the same sort of critical vulnerability found in virtually all AV software.

That said, if the allegations are true, they're sure to fuel the already growing concern of Russian hacking, which US intelligence agencies say has attempted to influence the US presidential election and widen political and cultural divides on social media. Additionally, if the allegations prove true, it's almost certainly the end of Kaspersky Lab as it has come to be known over the past decade.

What shouldn't go overlooked in Thursday's report is that this is the third known instance in the past four years of an NSA breach resulting from insider access to classified materials. The best known case is whistleblower Edward Snowden, who was able to trawl through NSA networks collecting documents for an extended period of time before turning them over to reporters. In 2016, a separate NSA contractor, Harold T. Martin III, was arrested after he sneaked 50 terabytes of confidential material out of the NSA and stored it at his home in Glen Burnie, Maryland. The trove comprises as much as 75 percent of the exploits belonging to Tailored Access Operations, the NSA's elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.

In May, The New York Times reported that an NSA employee was arrested in 2015 on insider leak suspicions but was never identified. It's not immediately clear if this insider is different from the one mentioned in Thursday's WSJ article. In a report published after Ars went live with this post, The Washington Post said the person who took the NSA material and stored it on his home computer was an NSA employee who worked for the Tailored Access Operations and was in the process of developing tools to replace those considered compromised by the Snowden leaks. The Washington Post went on to say the insider was the same one who came under suspicion in 2015.

Adding further urgency is the series of highly damaging leaks made over the past 14 months by a mysterious group calling itself the Shadow Brokers. The trove has included some of the NSA's most potent software exploits and documents detailing past attacks. Whether the leaked Shadow Brokers material was the result of an insider theft or a hack by outsiders remains unknown.

Thursday's report means that yet another trusted insider was able to sneak documents and code outside of the NSA and not only store them on an Internet-connected computer but also one that was running AV software. Whatever role Kaspersky Lab played in the hack, the series of breathtaking security blunders made by the NSA and its workers should remain front and center in this reporting.

Post updated to add Washington Post reporting.
