Archive for the ‘NSA’ Category

Personal Security Takes A Hit With Public Release Of NSA’s Hacking Toolkit – Techdirt

Former members of Team Espionage recently expressed their concern that the Shadow Brokers' dump of NSA Windows exploits had done serious damage to the security of the nation. The unwanted exposure of NSA power tools supposedly harmed intelligence gathering efforts, even though the tools targeted outdated operating systems and network software.

However, there are still plenty of computers and networks online using outmoded software. This makes the released exploits a threat (especially those targeting XP users, as that version will never be patched). But not much of a threat to national security, despite the comments of anonymous former Intelligence Community members. It makes them a threat to personal security, as Chris Bing at CyberScoop points out:

One of these hacking tools, a backdoor implant codenamed DOUBLEPULSAR, which is used to run malicious code on an already compromised box, has already been installed on 30,000 to 50,000 hosts, according to Phobos Group founder Dan Tentler. Other researchers have also engineered different detection scripts to quickly scan the internet for infected computers.

John Matherly, the CEO of internet scanning-tool maker Shodan.io, said that upwards of 100,000 computers could be affected.

Rather surprisingly, data gathered by security researchers shows a majority of the infected computers are in the United States. This shows Microsoft's steady updating push still faces a sizable resistance right here at home. What it also shows is how fast exploits can be repurposed and redeployed once they're made public. The scans for DOUBLEPULSAR have turned up thousands of hits worldwide.

DOUBLEPULSAR is simply a backdoor, but an extremely handy one. Once installed, it makes targeted computers extremely receptive to further malware payloads.

"The presence of DOUBLEPULSAR doesn't mean they're infected by the NSA, it means there is a loading dock ready and waiting for whatever malware anyone wants to give it," Tentler said. "The chances are none that all these hosts [were hacked by] the NSA."

So, there's that small bit of comfort. It's not the NSA nosing around the innards of your Windows box, but a bunch of script kiddies playing with new toys, adding them to the normal rolls of malware purveyors seeking to zombify your device and/or make off with whatever information is needed to open fraudulent credit card accounts or whatever.

The NSA certainly could have informed Microsoft of these exploits before it ended support for certain platforms, thus ensuring late- (or never-) adopters were slightly more protected from malware merchants and state agencies. But that's the Vulnerabilities Equity Process for you: no forewarning until a third party threatens to turn your computing weapons over to the general public.

NSA suggests using virtualization to secure smartphones | PCWorld – PCWorld

The U.S. National Security Agency is now suggesting government departments and businesses buy smartphones secured using virtualization, a technology it currently requires only on tablets and laptops.

The change comes about with the arrival of the first virtualization-based smartphone security system on the U.S. Commercial Solutions for Classified list.

CSFC is a program developed by the NSA to help U.S. government agencies and the businesses that serve them to quickly build layered secure systems from approved components.

An HTC A9 smartphone security-hardened by Cog Systems using its D4 virtualization platform is now on that list, alongside devices without virtualization from Samsung Electronics, LG Electronics, and BlackBerry.

In the modified A9, communications functions are secured by running them in separate virtual machines on the D4 virtualization platform.

It's the first smartphone on the CSFC list to use virtualization, which the NSA has only required on more powerful devices such as tablets and laptops until now.

"If virtualization technology was commonly available in the smartphone, we could leverage it for some solutions. To date, the devices that have been considered did not offer that technology," the NSA's technical guidance reads.

Cog Systems' position on the list isn't definitive yet: It's still seeking certification for the D4/A9 combination against the National Information Assurance Partnership's mobile platform and IPSec VPN Client protection profiles. Vendors typically have six months to obtain the certification in order to remain on the list. For now, D4's validation is ongoing at Gossamer Security Solutions' Common Criteria Testing Laboratory.

Vendors don't seek certification lightly, according to Carl Nerup, chief marketing officer at Cog Systems. "It's a very expensive process," he said, between US$500,000 and $700,000 for each new model.

Somehow, though, Cog Systems is eating the additional cost of certification: The price for its security-hardened A9 is the same as HTC's list price for an unmodified phone, said Nerup. "We have multiple groups within the U.S. Department of Defense that have procured the device," he added.

A commercial off-the-shelf (COTS) smartphone like the modified A9 isn't only of interest to government customers, though, Cog Systems CEO Dan Potts pointed out. "In the oil and gas industry, they want to buy COTS. They want it to be at a competitive price, but with a greater concern for security."

Once certification for the modified A9 is in the bag, Potts is looking forward to seeking certification for D4 virtualization on other smartphones. The first time around takes time because there is a lot of preparatory work to do, but much of that work will also apply to other smartphones. Potts expects certification of D4 on other hardware to go more quickly.

Eric Klein, director for mobile software and enterprise mobility at analyst firm VDC Research, has had his eye on Cog Systems since meeting the company at Mobile World Congress.

He sees the broadest opportunity for Cog Systems in the enterprise market -- and expects that its approach to endpoint security could even take some business away from enterprise mobility management vendors.

Peter Sayer covers European public policy, artificial intelligence, the blockchain, and other technology breaking news for the IDG News Service.

The NSA will stop reading American emails that mention intelligence … – The Verge

The NSA has stopped collecting messages sent from US citizens that cross international borders and mention foreign intelligence targets, according to a new report in The New York Times. The controversial practice, made public by Edward Snowden in 2013, allowed the agency to collect emails and other messages that mention a foreign intelligence target, even if neither party is subject to surveillance and one of the parties is a US citizen (and thus subject to constitutional protections against unwarranted searches).

The NSA confirmed the change in a subsequent announcement, writing that the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.

In practical terms, this meant that including an email or phone number associated with a surveillance target (say, osamabinladen@gmail.com) in the body of an email could lead to the message being surfaced to NSA analysts.

According to the Times, the change came about last year after the NSA discovered analysts querying databases in violation of court guidelines set forth in 2011. Those violations triggered a broader review of NSA practices, which ultimately forced the NSA to discontinue the practice.

The move comes amid a broader debate over Section 702 of the FISA Amendments Act, the legal authority used by the NSA to justify this collection. Signed into law in 2008, the law's authorities are scheduled to expire at the end of this year unless renewed by Congress. Surveillance critics are hoping to significantly curtail those authorities, leading to significant debate in Congress.

Speaking on Twitter, Edward Snowden applauded the change, saying simply, "The truth changed everything."

Update 3:09PM ET: Updated with NSA announcement.

NSA will stop illegally collecting American emails

The NSA is attempting to adhere to a 2011 ruling by the Foreign Intelligence Surveillance Court. The court found this "about the target" collection program violated the Fourth Amendment because some internet companies packaged and processed emails in bundles -- meaning if one message contained a foreign target's email address, the entire group was swept up. The NSA was intercepting domestic communications, resulting in illegal searches.

FISC allowed the surveillance to continue, but with a new safeguard in place: The NSA proposed a program where it would keep these bundled emails in a separate repository where analysts would not be able to see them.

In 2016, the NSA reported the revamped program was not going as planned and analysts were, in fact, still searching the sequestered documents, The New York Times says. FISC delayed renewing the agency's warrantless surveillance program until it promised to cancel the entire "about the target" collection process.

The NSA has argued its bulk-collection methods help officials track potential threats, as contact with someone under surveillance is grounds for suspicion. Privacy advocates like the American Civil Liberties Union argue otherwise.

"This development underscores the need for Congress to significantly reform Section 702 of FISA, which will continue to allow warrantless surveillance of Americans," ACLU legislative counsel Neema Singh Guliani says in response to today's news. "While the NSA's policy change will curb some of the most egregious abuses under the statute, it is at best a partial fix. Congress should take steps to ensure such practices are never resurrected and end policies that permit broad, warrantless surveillance under Section 702, which is up for reauthorization at the end of the year."

Of course, technology continues to rapidly advance, and online communication has changed a lot since 2011. Today, more people are using end-to-end encryption and email providers are offering more secure ways to communicate, potentially making it harder for the NSA to round up these messages in the first place. In 2014, Google announced it would use HTTPS connections in Gmail specifically because the NSA was poking around in users' business.

Former NSA director explains why the spy agency will end a …

Earlier today, the NSA announced its intentions to limit a surveillance technique that had a nasty side effect of sweeping up communications to and from Americans.

In a rare unprompted press statement, the NSA explained that it would halt any upstream internet communications that are solely about a foreign intelligence target, restricting its surveillance to messages sent or received by foreign intelligence targets.

TechCrunch spoke with General Michael Hayden, former director of the NSA and CIA, about how the shift will be implemented and the reasoning behind the agency's surprise decision.

TC: Will this significantly impact the quality of the NSA's data collection on foreign targets?

Hayden: This will have an impact, I think marginal, on some foreign intelligence collection. It also reduces to zero the amount of inadvertent collection you do on Americans. We do that balancing all the time. They decided they were getting too much inadvertent collection, but you lose some legitimate collection as well.

TC: Why did the NSA have so much trouble complying with court rules?

Hayden: It's routine due diligence, we do this all the time. I have been told there were court concerns about how much inadvertent collection was taking place. No one has blinders on, they know there's going to be grand debate about this system. They've got an option here with marginal intelligence disadvantage to reduce how much it squeezes American privacy. Operational, political, legal, it all makes sense.

This does not affect something that will be contentious this summer. The stuff you will continue to collect, you can use a U.S. person identifier to query the data you've already collected. That will also be contentious.

I don't think that's right. The number of times you use a U.S. person query is easily retrievable. Incidental [collection] is foreigner is in the conversation, but there's information to, from or about an American.

They didn't know how much inadvertent [collection] they had unless you go back and look at every one. Wyden kept saying, how many? We said we don't know.

TC: What does this mean for upstream data collection?

Hayden: What they're going to do, they've got to have a selector for upstream to grab the email coming by and it has to be someone they believe is not an American and outside the U.S. Up until this point, they used the selector to check to see who the email was from or to, or if the selector was mentioned in the body of the email.

The problem they had was when you use the selector "about" in the body of the email, occasionally you will pick up a communication in which neither end is foreign, in which both ends are American. It's inadvertent and it's not authorized. When you discover it, you have to flush it from the system. Occasionally, when the foreign selector was in the body of the email and they picked up a communication, unless they looked at the email they would never know it. It would just sit in the database.

What they decided to do, and this means giving up a bit of intelligence collection, they are going to stop using the "about" selector. The only thing you're going to intercept is a communication to or from your target. In order to go the extra mile for American privacy, they are going to give up a bit of collecting that might have been useful. What this means is they were also getting a lot of information from a foreign selector mentioned in a body of email that wasn't us to us.

They are going to give up some coverage, but it's due diligence so as not to do the inadvertent collection of communication between two Americans.

And then they're going to go back in the database and purge all the collection that was triggered by "about", without regard to who the communicants were.

TC: Does this mean the agency has a viable workaround that decouples "about" surveillance from upstream surveillance?

Hayden: They do. There is technology available to them that allows the selector to be applied to the "to" or "from". You got a gajillion emails skidding by, your selector grabs the one related to the foreign target outside the US. [The] selector is just going to look at the "to" and "from", not the content.

It isn't objectionable except when you do it that way, when you're grabbing some emails because of the content, occasionally you are getting emails to and from an American, [on] both ends.

It's an operational decision. We do this all the time, balancing privacy and operational effect. [It's] a reasonably dramatic step to preserve privacy. I think they made the operational decision.
