Mediaboss Marketing

New York Times

Federal Court Revives Wikimedia's Challenge to NSA Surveillance New York Times The ruling, by the Court of Appeals for the Fourth Circuit, is significant because it increases the chances that the Supreme Court may someday scrutinize whether the N.S.A.'s so-called upstream system for internet surveillance complies with Fourth ... Newly revived Wikipedia suit could reveal secrets of NSA surveillance programVICE News Court revives Wikimedia lawsuit against NSAWashington Post Wikimedia's lawsuit against the NSA is backThe Verge EFF -WND.com -U.S. News & World Report -DocumentCloud all 33 news articles »

The rest is here:
Federal Court Revives Wikimedia's Challenge to NSA Surveillance - New York Times

A bombshell report claims that the NSA, under then President Obama, conducted years of illegal searches of American's private data. The report appears in the online publication Circa and details how once-classified documents show how the spy agency failed to disclose the abuses.

According to a previously classified report reviewed by Circa, one in 20 electronic communications by Americans were scooped up and kept by the NSA. The NSA admitted that the actions of the so-called 702 database potentially violated the fourth amendment protections of millions of Americans. This even after the spy agency's own supervisors agreed in 2011 to follow certain safeguards. The publication goes on to say the Obama administration self-disclosed the violations late last year just before President Donald Trump was elected. The admittance of wrongdoing was made before the Foreign Intelligence Surveillance Court. The agency received a strong rebuke from the court according to Circa.

In early January, shortly before President Trump's inauguration, Obama administration officials changed the rules regarding the handling of sensitive information of Americans scooped up in NSA data collection. The rule change did away with the previous safeguards and allowed wide dispersion of information on individuals to be spread across several agencies.

The American Civil Liberties Union expressed shock to Circa that the abuses were admitted by government officials. Over the last several months, various operatives with the government have tried to tamp down claims of intentional wiretapping by the former administration.

You can read the full report from Circa as well as the FISA court report in the link to the side of this story.

Link:
Report: Obama era NSA admits to years of illegal searches on Americans - Valley News Live

This story first appeared on CyberScoop.

Storm clouds are rising over the U.S. governments policy on software flawdisclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process.

Under the VEP, U.S. officials weigh the benefits of disclosing a newly discoveredflaw to the manufacturer which can issue a patch to protect customers or having the government retain itfor spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said.

We disclose something like 90 percent of the vulnerabilities we find, said Richard Ledgett, who retired April 28 as the NSAs deputy director. Theres a narrative out there that were sitting on hundreds of zero days and thats just not the case, he told Georgetown University Law Centers annualcybersecurity law institute.

On the contrary, he said, the process, led by the [White House National Security Council], is very bureaucratic and slow and doesnt have the throughput that it needs. He said itwas an issue NSA leaders had raised with both the previous administration and the Trump White House and that currenthomeland security adviser Thomas Bossert had promised to fix.

A zero day vulnerability is a newly discovered software flaw one the manufacturer has zero days to patch before it can be exploited. An exploit is a piece of code that uses a vulnerability to work mischief on a computer, for instance allowing a remote hacker to download softwareand seize control. Not all zero days are created equal, one of the architects of the VEP, former White House Cybersecurity Coordinator J. Michael Daniel, told CyberScoop recently.

Some exploits might require physical access, or need other exploits to be pre-positioned. Some might even rely on known but widely unpatched vulnerabilities, he said. One of the reasons WannaCry spread so fast despite being relatively unsophisticated in design is that it utilizes a very powerful NSA exploit called EternalBlue.

EternalBlue was one of a large cache of NSA hacking tools dumped on the web last month by an anonymous group calling itself the Shadow Brokers an event that led to calls for the government to give up stockpiling vulnerabilities altogether.

That would be a mistake, Ledgett said, in part because even disclosed vulnerabilities can be exploited. Hackers can take apart the patch and reverse-engineer the vulnerability it is fixing, and then weaponize it with an exploit. Even when theres a patch available, Ledgett noted Many people dont patch, for all sorts of reasons. Large companies, for example, often have custom software that can breakwhen an operating system is updated.

The idea that ifyou disclose every vulnerability, everything would be hunky dory is just not true, he said.

Besides, the NSAs use of its cyber-exploit arsenal wasvery tailored, very specific, very measured, addedLedgett, agreeing that the VEP policy was in about the right place.

Indeed, he said, there was an argument to be made that Microsoft, which last weekend rushed out an unprecedented patch for discontinued but still widely used software like Windows XP, should bear some of the blame for not patching the discontinued products in March, when it patched its current products apparently in response to an advance warning from the NSA.

Daniel revealed theVEP in 2014, in response to suspicions that the NSA had known about the huge Heartbleed vulnerability in a very widely used piece of open-source software it hadnt, hesaid. But the policy has been in place since 2010, according to documents declassified in response to a Freedom of Information Act request from the Electronic Frontier Foundation an internet freedom advocacy group.

And Ledgett said the NSA had previously had a similar policy in place for decades. At the heart of the process, he said, is a balancing of how valuable the vulnerability in question is for the NSAs foreign intelligence mission, versus how damaging it might be U.S. companies or Americans generally, if it were discovered by an adversaryor revealed before it could be patched.

Ledgett said the new process balanced more or less the same factorsin more or less the same way although there were additional players like the State and Commerce Departments at the table in the National Security Council-led VEP.

The thing thats new since since 2014 is the risk of disclosure of a vulnerability, he said.

But former NSA director and retired four-star Air Force Gen. Michael Haydenpoints out two other things that have also changed affecting where NSA places the fulcrum in its balancing of offensive and defensive equities.

Far more often now the vulnerability in question is residing on a device that is in general use (including by Constitutionally protected US persons) than on an isolated adversary network, he wrote in a blog post for the Chertoff Group, where he now works.

He said that a comfort zone the NSA had previously enjoyed had also narrowed considerably. The comfort zone was called NOBUS, short for nobody but us. In other words,This vulnerability is so hard to detect and so hard to exploit that nobody but us (a massive, technological powerful, resource rich, nation state security service) could take advantage of it.

That playing field is being leveled, not just by competing nation states but also by powerful private sector enterprises, he concluded, The NOBUS comfort zone is considerably smaller than it once was.

This week, bipartisan bills in both chambers sought to give the VEP a basis in law.Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., and Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, put forwardtheProtecting Our Ability to Counter Hacking Act, or PATCH Act.

Excerpt from:
Government not 'sitting on hundreds of zero days,' former NSA official says - FedScoop

Cybersecurity researchers have discovered a new worm that uses seven of the NSA's leaked exploits.

If the NSA's leaked hacking tools had a Voltron, it would be EternalRocks.

On Sunday, researchers confirmed new malware, named EternalRocks, that uses seven exploits first discovered by the National Security Agency and leaked in April by the Shadow Brokers group. Experts described the malware as a "doomsday" worm that could strike suddenly.

Earlier this month, the WannaCry ransomware plagued hospitals, schools and offices around the world and spread to more than 300,000 computers. It uses two NSA exploits that were leaked by the Shadow Brokers, EternalBlue and DoublePulsar. A few days later, researchers found Adylkuzz, new malware that spread using those same exploits and created botnets to mine for cryptocurrency.

Now, there's EternalRocks. Miroslav Stampar, a cybersecurity expert for Croatia's CERT, first discovered the hodgepodge of hacks on Wednesday. The earliest findings of EternalRocks goes all the way back to May 3, he wrote in a description on GitHub.

EternalRocks uses EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch -- all tools leaked by the Shadow Brokers. Stampar said he found the packed hack after it infected his honeypot, a trap set to monitor incoming malware.

The majority of the tools exploit vulnerabilities with standard file sharing technology used by PCs called Microsoft Windows Server Message Block, which is how WannaCry spread so quickly without being noticed. Microsoft patched these vulnerabilities in March, but many outdated computers remain at risk.

Unlike WannaCry, which alerts victims they've been infected through ransomware, EternalRocks remains hidden and quiet on computers. Once in a computer, it downloads Tor's private browser and sends a signal to the worm's hidden servers.

Then, it waits. For 24 hours, EternalRocks does nothing. But after a day, the server responds and starts downloading and self-replicating. That means security experts who want to get more information and study the malware will be delayed by a day.

"By delaying the communications the bad actors are attempting to be more stealthy," Michael Patterson, CEO of security firm Plixer, said in an emailed statement. "The race to detect and stop all malware was lost years ago."

It even names itself WannaCry in an attempt to hide from security researchers, Stampar said. Like variants of WannaCry, EternalRocks also doesn't have a kill-switch, so it can't be as easily blocked off.

For now, EternalRocks remains dormant as it continues to spread and infect more computers. Stampar warns the worm can be weaponized at any time, the same way that WannaCry's ransomware struck all at once after it had already infected thousands of computers.

Because of its stealthy nature, it's unclear how many computers EternalRocks has infected. It's also unclear what EternalRocks will be weaponized into. Plixer said the worm could be immediately turned into more ransomware or trojan attacks for banking.

The NSA has been widely criticized for holding onto these exploits without warning the companies involved. On Wednesday, Congress introduced a bill that would force the government to hand over its cyber arsenal to independent review boards.

The NSA didn't immediately respond to a request for comment.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Continue reading here:
'Doomsday' worm uses seven NSA exploits (WannaCry used two) - CNET

Everyone is talking about WannaCry(pt), the latest ransomware worm that attacked over 150 countries across the globe. It hit hospitals, universities, businesses, a telco, train stations and more. Microsoft responded by releasing emergency security patches for Windows versions as far back as XP. To Microsoft's credit they had released a patch for the issue in February, well before this exploit hit, so those that did not update were the ones hit. The lesson here is to install your security patches when they are available.

The exploit was via a vulnerability in the SMB file share system. The bug was found after the NSA's EternalBlue tool was stolen, yes, the NSA was using the exploit. Initially the tool was used to hack into devices but this latest version was added to ransomware. The unlock cost is between US$300 (10,400 baht) to $600 regardless of the target. It also adds Doublepulsar, a backdoor that allows the machine to be remotely controlled, also stolen from the NSA. BitDefender sent an email saying I was already protected but many were not. The attack was stopped when a clever person in the UK found the kill switch. There are rumours that North Korea was behind this attack like they were with the big Sony hack a while back. Others are suggesting it was a much smaller group.

The potential next version of Android, or its replacement, called Fuchsia has been tested in an early development build. The need for such a product was triggered by Oracle's litigation against Google to get Android royalties. It is open source and you can find it on Github. Hotfix's Kyle Bradshaw compiled the most recent version and you can see what it looks like by searching for "Fuchsia OS Armadillo preview" on YouTube.

With the world moving away from the PC and towards the notebook many are looking for a solution for multi-monitor support. Modern notebooks are so thin they no longer have monitor ports but don't despair, there are many solutions to try. Thunderbolt ports support video, audio, standard data transmission and power. You will of course need a Thunderbolt compatible monitor. Another solution, for those with only one Thunderbolt or USB-C port, is to get a docking station. For older users, the options include a splitter cable, a splitter box and perhaps some USB-to-HDMI adaptors. If you have the right kind of notebook, e.g. a Razor, then you may even be able to use a proper graphics card inside an external box. Those that have tried or used multiple monitors rarely want to go back to one.

The MP3 or MPEG Audio Layer III format has been officially killed off by the Fraunhofer Institute, which did not renew the IP rights and ceased their licensing programme. No, MP3 is not gone, it has essentially become free. MP3 is still a popular format even though others like AAC variants and MPEG-H have more features, better audio quality and use less bandwidth. With the growth of memory on devices many also now use FLAC, a lossless format rather than MP3 which reduces information but "tricks" the ears into hearing all the sound. The most recent example is MQA that may be the basis for the next great streaming technology.

Since I didn't get the LG V20 phone I'm now looking at the Huawei P10 Plus. This is a 5.5-inch QHD+ phone with 6GB of memory and 128GB of storage for a fraction of the price of the Samsung S8. The Leica dual camera is very good and it comes with the latest Kirin 960 processor. It supports a microSD but you would have to be doing a lot of 4K recording to even need such an expansion of up to an additional 256GB. A 3,750mAh non-removable battery adds some extra life and it is Android 7. Unlocked versions are already available for as low as US$630 (21,750 baht) in some places.

I was at a presentation demonstrating the SQLServer on Linux recently and besides the fact that it installs quickly, the advantage of this is that you can set up a virtual machine on a Windows 7 PC and run the latest versions like 2016 or the newest 2017. For Red Hat, Ubuntu and SUSE the product is fully integrated and an update is a simple command line. In the demo using Oracle's free VM, an Ubuntu core virtual machine was created and then SQLServer installed, which was then accessible from the Windows SQL Server Management Studio. Apart from one step involving partitioning, it was all seamless and fast. There are plenty of tutorials on the internet to walk you through this.

Finally for this week, Cray the supercomputer people are moving to supercomputing as a service model, which given how everything else is going should come as no surprise.

Read the original:
Thank the NSA for latest global ransomware - Bangkok Post