Archive for the ‘NSA’ Category

EDITORIAL: NSA halts one abuse, but many remain – Lowell Sun

The National Security Agency has decided to halt a controversial surveillance program, but this was just the tip of an iceberg of government abuses of privacy and due process.

The NSA said recently that it will no longer engage in warrantless spying on Americans' digital communications that merely mention a foreign intelligence target, referred to in the intelligence community as "about" communications. The agency had claimed the authority to engage in such surveillance under Section 702 of the Foreign Intelligence Surveillance Act, which allows it to target non-U.S. citizens or residents believed to be outside the country, although Americans' communications are oftentimes swept up as well.

"NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," the agency announced in a statement. "Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target."

"Even though NSA does not have the ability at this time to stop collecting 'about' information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target," it continued.

The agency's decision is certainly welcome, though we must make the perhaps generous assumption that it will do -- or not do, in this case -- what it says it will, and that it will not simply change its mind in the future.

We are reminded of the public testimony of then-National Intelligence Director James Clapper at a March 2013 Senate Intelligence Committee hearing. At one point, Sen. Ron Wyden, D-Ore., asked Clapper plainly, "Does the NSA collect any type of data at all on millions, or hundreds of millions of Americans?" Clapper then lied to his face, and the faces of all Americans, saying, "No, sir," and then, "Not wittingly." Within a matter of months, news stories based on information from the Edward Snowden leaks would reveal the NSA's bulk collection of Americans' phone metadata and internet communications.

Then there is the matter of the "backdoor search loophole," by which the FBI or other agencies may search NSA databases for information about Americans collected under Section 702 without having to go through all that pesky business of obtaining a warrant.

The Fourth Amendment is quite clear: Government searches require a warrant issued by a judge based on probable cause and describing the specific "place to be searched, and the persons or things to be seized." New technology may make our communications quicker and more convenient -- as well as more easily recorded -- but it does not alter that fundamental principle.

-- By the L.A. Daily News editorial board, Digital First Media

See original here:
EDITORIAL: NSA halts one abuse, but many remain - Lowell Sun

Malware Case Is Major Blow for the NSA – New York Times

In 2013, Edward J. Snowden gave journalists hundreds of thousands of N.S.A. documents he had taken as a contractor, igniting a global debate over the agency's targeting of allies as well as foes. Last August, shortly after the Shadow Brokers' debut, ...

Originally posted here:
Malware Case Is Major Blow for the NSA - New York Times

Legislative Proposal Wants to Force NSA to Disclose Tech Exploits Sooner – The Merkle

If there is one thing to take away from the entire WannaCry ransomware debacle, it is how the NSA is largely responsible for these problems. To be more specific, the intelligence agency successfully kept a Windows vulnerability hidden from the public. Although the agency reported said issue to Microsoft, it is doubtful they did so right away. That may come to change, thanks to a new legislative proposal.

It is not entirely surprising to learn the US government is not too happy with NSA exploits being used to take down computers all over the world. The WannaCry ransomware spreads using EternalBlue, an exploit for a vulnerability in the Windows SMBv1 protocol. The NSA was all too aware of this problem, and it was the agency's own exploit code, leaked onto the internet, that facilitated this global attack. Moreover, the same exploit continues to fuel other ransomware attacks as well.
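The exposure described above is something an administrator can audit directly. The following PowerShell script is an added example, not code from the article or from any of the parties it discusses. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (the SMB and optional-feature cmdlets do not exist on Windows XP) and reports whether the host still runs the SMBv1 server that EternalBlue-class exploits target, whether TCP/445 is listening, and what OS build it is on. The remediation lines at the end are deliberately commented out.

```powershell
# Added example: audit a Windows host for SMBv1 exposure of the kind WannaCry
# abused. Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2
# or later. Not code from the article.

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol enabled in the SMB server configuration?
$smbCfg = Get-SmbServerConfiguration
$report['SMB1_ServerEnabled'] = $smbCfg.EnableSMB1Protocol

# 2. Is the optional SMB1Protocol feature installed at all? Even a disabled
#    server setting leaves the binaries in place if the feature is present.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1_FeatureState'] = if ($feature) { [string]$feature.State } else { 'NotPresent' }

# 3. Is anything listening on TCP/445? EternalBlue is delivered over this port,
#    so a host that does not listen there is not reachable by the exploit.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report['SMB_ListeningOn445'] = [bool]$listeners

# 4. Which OS build is this? Unsupported versions receive no routine patches,
#    which is the patch-latency problem the articles on this page discuss.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS'] = '{0} (build {1})' -f $os.Caption, $os.Version

# 5. Roll the findings into one verdict for fleet-wide collection.
$report['Exposed'] = ($report['SMB1_ServerEnabled'] -eq $true) -and $report['SMB_ListeningOn445']

[pscustomobject]$report | Format-List

# Remediation (left commented out; run deliberately after confirming nothing
# legacy, e.g. old printers or NAS devices, still requires SMBv1):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run it on a sample of hosts and collect the objects it emits; any host with `Exposed` set to `True` still accepts SMBv1 on a reachable port and needs patching or SMBv1 removal regardless of whether the specific vendor fix is installed.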

To address this, a new legislative proposal has been drafted by Sen. Brian Schatz, a Democrat from Hawaii. If his bill were approved, the NSA would be legally obligated to establish a clear process for sharing the vulnerabilities it exploits with the affected vendor and to justify keeping any of them secret. Disclosure of such undocumented attack vectors would allow companies to patch security holes much faster and keep enterprises and consumers safer.

Part of this legislative proposal revolves around establishing a Vulnerability Equities Review Board. This board is made up of heads of US security agencies and Presidential Cabinet members. Their goal would be to create new policies and regulations to determine when non-government entities will need to be informed regarding tech exploits. Doing so should eventually reduce the number of cyber attacks as a whole.

For the time being, it remains to be seen whether this bill will gain any major support from other politicians. It is an open secret that the NSA has more sway among politicians than most people would like. Keeping the country safe at all times is a very demanding job, even though the NSA has overstepped its legal powers numerous times in the past. It is high time something changed to address this problem.

Moreover, Microsoft has publicly criticized existing US cybersecurity policy for allowing security agencies to withhold such vulnerabilities rather than disclosing them in a timely manner. In this case the NSA did the opposite of disclosing: it built an in-house exploit so it could take advantage of the weakness whenever it wanted. Stockpiling such powerful weapons is a very dangerous business, as this particular case makes evident.

Although it took a group of hackers stealing the NSA's exploits to bring this information to light, it is evident that the NSA is not always acting in the public's best interest. In a strange way, the entire world owes something to The Shadow Brokers, since they exposed some of the NSA's most powerful hacking tools known to date. Unfortunately, their publication of those exploits has been put to nefarious use.


Read the original:
Legislative Proposal Wants to Force NSA to Disclose Tech Exploits Sooner - The Merkle

Don’t Blame NSA for Making the WannaCry Cyberattack Program – Newsweek

This article first appeared on the Council on Foreign Relations site.

When giving talks on cybersecurity, I often get asked what keeps me up at night.

My short and glib answer is my four-year-old (he really is a horrible sleeper). I certainly don't sit up at night worrying about a cyberattack on the power grid or the manipulation of the stock market by cybercriminals.


In fact, nothing I ever saw in classified channels about a cyber threat cost me a wink of sleep.

Other intelligence did, though, about planned terrorist attacks and nuclear proliferation and other horrors managed by other directorates. During the year I spent working on counterterrorism at DHS before I went to work on cybersecurity at the White House, I spent many nights wondering if we had made the right decisions to counter some very dangerous threats.

So when it comes to WannaCry, I don't discount the possibility that the closure of hospital ERs and the rescheduling of operations may have cost lives.

Many pundits in the field seem to agree with Edward Snowden, who told the Guardian that the NSA should have disclosed the vulnerability exploited by the malware when they found it, not when they lost it.

Yet even Snowden hedges on whether disclosure would have prevented the attack: "If the NSA had disclosed the vulnerability earlier, the attack may not have happened" (emphasis added).

Snowden hedges because no amount of warning would have been enough to get Windows XP out of hospitals, or to get hospitals to install the latest patches in a timely manner. (Most WannaCry infections were in fact on unpatched Windows 7 machines rather than XP, which only sharpens the point about patch latency.) If NSA had disclosed the vulnerability years ago, it would likely still be exploitable today.

But I am also attuned to the reality that the intelligence collected by NSA through exploiting this vulnerability likely saved lives, possibly many.

Contrary to prevailing sentiment in the privacy community, NSA does not exploit vulnerabilities for its own amusement. I don't know what intelligence NSA collected using this exploit kit. What I do know is that it is difficult to overstate the importance of signals intelligence to our national security.

Photo caption: This picture, taken on November 3, 2016, shows a list of viruses at the LHS (High Security Laboratory) of INRIA (National Institute for Research in Computer Science and Automation) in Rennes, France. Robert K. Knake writes that the NSA deserves blame for losing the exploit kit but not for developing it in the first place. DAMIEN MEYER/AFP/Getty

That vulnerability may have been exploited to gather intelligence vital to negotiating the Iranian nuclear deal, slowing North Korea's program, or, yes, stopping a terrorist attack.

NSA deserves blame for losing the exploit kit, not for developing it in the first place. I am deeply disturbed that seven years after the Manning leaks, and four years after the Snowden leaks, we still don't have good protections against insider threats within the defense and intelligence community.

But NSA is a spy agency. More specifically, it is a signals intelligence agency. In the 21st century, that means it will, for certain missions, need to develop and exploit zero day vulnerabilities and not release them to the public.

Contrary to what Microsoft President Brad Smith has written, this incident doesn't show the dangers of stockpiling vulnerabilities. There is no evidence that NSA was hoarding hundreds or thousands of vulnerabilities it was not using (stockpiling). Instead, it shows they were actively exploiting a small number of very useful vulnerabilities.

Smith is right that this incident is comparable to the U.S. military having some of its Tomahawk missiles stolen. To continue the analogy, his solution suggests that the theft of a Tomahawk missile should mean that the U.S. government should remove them from its arsenal instead of tightening security controls around them.

We can blame NSA for poor operational security (though we should applaud them for getting information to Microsoft so a patch could be issued two months ago).

We can blame the criminals behind WannaCry for targeting hospitals.

And we can blame hospital administrators for wanting the benefits brought with the IT revolution without taking on the costs of securing or updating those systems.

But we can't blame the NSA for spying. That's what they do.

Robert K. Knake is the Whitney Shepardson senior fellow at the Council on Foreign Relations.

Here is the original post:
Don't Blame NSA for Making the WannaCry Cyberattack Program - Newsweek

After WannaCry, a new bill would force the NSA to justify its hacking tools – The Verge

After last week's massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but the incident still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.


A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

The law would also formally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board's activities.

A version of the government's process, known as the "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but critics have called the process opaque, and a law would go some way toward binding the federal government to the system.

The NSA most famously faced criticism for its handling of exploits in 2014, when Bloomberg reported that the agency had exploited the Heartbleed bug in OpenSSL, which left servers and devices around the world exposed. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a wake-up call about vulnerability hoarding.

See the article here:
After WannaCry, a new bill would force the NSA to justify its hacking tools - The Verge