Mediaboss Marketing

TechCrunch

Alleged NSA hack group Shadow Brokers releases new trove of exploits TechCrunch Shadow Brokers, the group behind last year's release of hacking exploits allegedly used by the National Security Agency, has dropped another trove of files. In a Medium post today, the hacker group offered up a password giving free access to files it ...

See the article here:
Alleged NSA hack group Shadow Brokers releases new trove of exploits - TechCrunch

For many, many years, Senator Ron Wyden has been directly asking the US intelligence community a fairly straightforward question (in his role as a member of the Senate Intelligence Committee): just how many Americans are having their communications swept up in surveillance activities supposedly being conducted on foreigners under the FISA Amendments Act (FISA being Foreign Intelligence Surveillance Act). Wyden started asking way back in 2011 and got no answers. His continued questioning in 2013 resulted in Director of National Intelligence James Clapper lying to Congress in a public hearing, which Ed Snowden later claimed was a big part of the inspiration to make him leak documents to the press.

Just last month, we noted that Wyden had renewed his request for an accurate depiction of how many Americans have had their communications swept up, this time asked to new Director of National Intelligence, Dan Coats. Unfortunately, for all these years, it's basically felt like Senator Wyden tilting at a seeming windmill, with many others in Congress basically rolling their eyes every time the issue is raised. I've never understood why people in Congress think that these kinds of things can be ignored. There have been a few attempts by others -- notably on the House Judiciary Committee -- to ask similar questions. Almost exactly a year ago, there was a letter from many members of the HJC, and there was a followup in December. But, notably, while there were a number of members from both parties on that letter, the chair of the House Judiciary Committee, Bob Goodlatte, did not sign the letter, meaning that it was unlikely to be taken as seriously.

Suddenly, though, it seems that the ins-and-outs of Section 702, and how the "incidental" information it collects on Americans is used has taken on a much wider interest, following President Trump's misleading suggestion that President Obama tapped his phone lines, and some Trump supporters trying to twist typical 702 surveillance to justify those remarks. Either way, if that leads people to actually look at 702, that may be a good result out of a stupid situation. And, thus, we get to this surprising moment, in which Goodlatte has actually sent a similar letter to Coats (along with ranking member John Conyers) asking about the impact of 702 surveillance on Americans. And since (for reasons that are beyond me) Reuters refuses to link to the actual source materials, you can read the full letter here or embedded below.

The letter demands an answer by April 24th. And, yes, it's notable that Goodlatte has signed on, because Section 702 is up for reauthorization at the end of the year, and if Goodlatte is not on board with reauthorization, then the NSA is going to have some difficulty in getting it through.

You have described reauthorization of Section 702 as your "top legislative priority." Although Congress designed this authority to target non-U.S. persons located outside of the United States, it is clear that Section 702 surveillance programs can and do collect information about U.S. persons, on subjects unrelated to counterterrorism. It is imperative that we understand the size of this impact on U.S. persons as our Committee proceeds with the debate on reauthorization.

The letter then even points to Coats' response to Wyden during Coats' confirmation hearing that he was "going to do everything I can to work with Admiral Rogers in NSA to get you that number." Of course, back in December, it was said that the intelligence community might finally deliver that number... in January. And it's now April. Still, with Goodlatte finally taking an interest in this, it's a sign that the NSA can't just coast by and continue to completely ignore this.

Read the rest here:
Oh, Sure, Now Congress Is Serious About Asking NSA About Surveillance On Americans - Techdirt

President Donald Trump should not have accused American intelligence agencies of wiretapping Trump Tower during the 2016 Presidential campaign, former director of the Central Intelligence Agency and National Security Agency Michael Hayden said Thursday afternoon in a talk at Princeton University.

Thats awful, and thats untrue, Hayden said. The retired four-star Air Force general said that the assorted intelligence agencies do not have political motives in their actions.

Just found out that Obama had my wires tapped in Trump Tower just before the victory, Trump tweeted on March 4. He has since maintained that the Obama administration, and specifically National Security Advisor Susan Rice, monitored the Trump campaigns communications.

Trump has not provided any firm evidence for his claims, the New York Times reported on Wednesday.

Although there has been a particularly public conflict between Trump and the CIA at times, it is normal for there to be tensions between an incoming president and intelligence agencies, Hayden said. I dont know if youve been following along up here in New Jersey, but it hasnt been smooth.

It has been harder than usual for Trump and the intelligence agencies to work together because Trump thinks intuitively by nature and is not used to consuming the large amounts of information intelligence agencies provide.

Hayden also recounted stories from his time in the upper echelons of American government. He was the director of the NSA when the 9/11 attacks happened.

He had to address the agencys tens of thousands of employees two days after the attacks and reassure them that their work mattered, he said. Some employees were scared to come to work.

Hours after the attacks, Hayden directed the NSA to expand monitoring of communications between Afghanistan and the United States. He later played a critical role in expanding the surveillance program that former CIA employee Edward Snowden revealed in 2013.

In Haydens view, Snowden should not be considered a true whistleblower, since he did not expose any illegal activity. Everything that the NSA did was authorized by Congress and Presidents Bush and Obama, so the American public should already have known what was happening, Hayden said.

There are far more checks on the powers of the NSA to collect data on Americans than the organizations foreign counterparts have, Hayden said in defense of the agency. In other countries, including Western democracies, legislatures and courts do not have oversight, but they do in America.

We know that as night follows day, we will end up in a Congressional hearing sooner or later, Hayden said. When he led the CIA and NSA, he would use the maximum powers allotted to him by the Constitution, American law, and American policy to keep the country safe, even if he knew some of his actions would be controversial.

Complete transparency is not possible from the spy agencies because the full reality would scare some Americans, Hayden said. He advocated for what he calls a policy of translucence over full transparency, so that Americans could know generally what was going on without hearing unnecessary specifics.

Frightened people dont make good Democrats or Republicans, Hayden said.

Hayden teaches a course as George Mason University called Intelligence and Public Policy in which he challenges his students to find the correct amount of control and knowledge that the American public should have over the intelligence agencies that are tasked with protecting it.

At the beginning of the course, he asks his students a single question, which he wants them to answer over the course of the semester, he said.

Is the secret pursuit of secret truth compatible with American democracy? Hayden asked. "Is the secret pursuit of any secret truth compatible with any modern democracy?

Continued here:
Former CIA and NSA director: Trump should stop attacking ... - Packet Online

Observer

Trump Has a Problem With NSABut So Does Obama Observer More rarely, the NSA intercepts phone calls in which one of the interlocutors is an American. As long as this operation has been approved per the Foreign Intelligence Surveillance Actmeaning a top-secret Federal court has issued a warrant for this ... Former CIA Analyst: Susan Rice's NSA demasking denials don't add upFox News Susan Rice's White House Unmasking: A Watergate-style ScandalNational Review Oh My: Former Obama NSA Susan Rice Reportedly Directed Dubious 'Unmasking' of Trump AlliesTownhall The New Yorker -American Free Press -Slate Magazine -Bloomberg all 1,368 news articles »

Read more from the original source:
Trump Has a Problem With NSABut So Does Obama - Observer

The choice of Rob Joyce, former head of the National Security Agencys Tailored Access Operations unit as cyber security coordinator puts an experienced offensive cyber operator at the nexus of the nations cyber policy and strategy at a time when nation-state cyber interference is at the forefront of public consciousness.

Joyce succeeds Michael Daniel, who had a public policy, economist and finance background and spent nearly a decade in cyber policy at the Office of Management and Budget and the White House. Joyces background, by contrast, is as an operator in the cyber realm, bringing an intimate understanding of the threat to the forefront of national cyber policy.

As cyber coordinator, Joyce is not the federal chief information security officer (CISO). That post is largely focused on securing the federal enterprise; the cyber coordinator drives policy beyond the federal government. The cyber coordinator is also interested in cybersecurity across the entire digital ecosystem, including private industry, state and local governments and foreign governments, as well. So its a much broader role than what the federal CISO focuses on, says Daniel, who is now president of the Cyber Threat Alliance, a non-profit focused on cyber threat sharing across the industry. There is some degree of overlap and complementarity obviously the cybersecurity coordinator has to care about the security of federal networks but the cybersecurity coordinator has a broader mandate than that.

Little is publicly known about NSAs offensive cyber activities. But in a rare public appearance last August at the USENIX 2016 conference, Joyce described the five steps to a successful cyber intrusion initial exploitation, establish presence, install tools, move laterally and collect/ex-filtrate/exploit and then walked through the weaknesses he and his hackers came across and exploited each day.

If you really want to protect your network, he said then, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. His clear message: His team often knew better than the networks managers. Indeed, while NSA hackers might not understand products and technologies as well as the people who design them, Joyce said they learn to understand the security aspects of those products and technologies better than the people who created them.

You know the technologies you intended to use in that network, he said. We know the technologies that are actually in use in that network. [Theres a] subtle difference. Youd be surprised at the things that are running on a network versus the things you think are supposed to be there.

Penetration-testing is essential, as is follow-up. Joyces OTA regularly conducted Red Team testing against government networks. Well inevitably find things that are misconfigured, things that shouldnt be set up within that network, holes and flaws, he said. The unit reported its findings, telling the network owner what to fix.

Then a few years later, it would be time to test that network again. It is not uncommon for us to find the same security flaws that were in the original report, Joyce said. Inexcusable, inconceivable, but returning a couple of years later, the same vulnerabilities continue to exist. Ive seen it in the corporate sector too. Ive seen it in our targets.

Laziness is a risk factor all its own. People tell you youre vulnerable in a space, close it down and lock it down, Joyce said, reflecting on the fact that network administrators frequently dont take all threats and risks seriously enough. Dont assume a crack is too small to be noted or too small to be exploited. Theres a reason its called advanced persistent threats: Because well poke and well poke and well wait and well wait and well wait, because were looking for that opportunity to [get in and] finish the mission.

As an offensive cyber practitioner, Joyce sought to identify and, when needed, exploit the seams in government and enemy networks. He focused on the sometimes amorphous boundaries where the crack in the security picture might come from getting inside a personal device, an unsecured piece of operational security, such as a security camera or a network-enabled air conditioning system, or even an application in the cloud. Cloud computing is really just another name for somebody elses computer, he said. If you have your data in the cloud, you are trusting your security protocols the physical security and all of the other elements of trust to an outside entity.

Most networks are well protected, at least on the surface. They have high castle walls and a hard crusty shell, he said. But inside theres a soft gooey core.

Figuring out how to protect that core from a national security and policy perspective will be Joyces new focus, and if Daniels experience is any indicator, it will be a challenge.

From his perspective, cybersecurity is only partly about technology. Adversaries tend to get into networks through known, fixable vulnerabilities, Daniel says. So the reason those vulnerabilities still exist is not a technical problem because we know how to fix it its an incentive problem an economics problem. That is, network owners either fail to recognize the full extent of the risks they face or, if they do, may be willing to accept those risks rather than invest in mitigating them.

The challenge, then, is formulating policy in an environment in which the true level of risk is not generally understood. In that sense, Joyces ability to communicate the extent to which hackers can exploit weaknesses could be valuable in elevating cyber awareness throughout the White House.

The NSC is about managing the policy process for the national security issues affecting the US government, Daniel explains. You dont have any direct formal authority over anyone. But you do have the power to convene. You have the power to raise issues to people in the White House. You have the ability to try to persuade and cajole. The background he brings will obviously color what he prioritizes and what he puts his time against. But the role itself will not be dramatically different. understanding how to get decisions keyed up in a way that you can actually get them approved.

Joyces background could affect how this administration views commercial technologies, such as cloud services, mobile technology and other advances that, while ubiquitous in our daily lives, are not yet standard across the federal government.

Trust boundaries now extended to partners, Joyce said a year ago. Personal devices youre trusting those on to the network. So what are you doing to really shore up the trust boundary around the things you absolutely must defend? That for me is what it comes down to: Do you really know what the keys to the kingdom are that you must defend?

National security cyber policy is not just defensive, however, and having a coordinator with a keen insiders understanding of offensive cyber capabilities could have a significant long-term impact on national cyber strategy.

Just as Daniel sees cybersecurity as an incentives, or economics problem, Kevin Mandia, chief executive at the cyber security firm FireEye and founder of Mandiant, its breach-prevention and mitigation arm, sees incentives and disincentives as playing a critical role for cyber criminals and nation-state attackers, alike. Simply put, he says, the risk-reward ratio tilts in their favor, because the consequences of an attack do not inflict enough pain.

Mandia agrees that the first priority for U.S. cyber policy should be self-defense. Every U.S. citizen believes the government has a responsibility to defend itself, he said at the FireEye Government Forum March 15. So first and foremost, our mission security folks must defend our networks. But the second thing the private sector wants is deterrence. We need deterrence for cyber activities.

And in order to develop an effective deterrence policy, he argues, the nation needs fast, reliable attribution the ability to unequivocally identify who is responsible for a cyber attack.

Id take nothing off the table to make sure we have positive attribution on every single cyber attack that happens against U.S. resources, Mandia says. Because you cant deter unless you know who did it. You have to have proportional response alternatives, and you have to know where to direct that proportionate response.

Where Joyce stands on deterrence and attribution is not yet clear, but what is clear is that sealing off the cracks in federal network security is sure to get more intense.

A lot of people think the nation states are running on this engine of zero-days, Joyce said a year ago, referring to unreported, unpatched vulnerabilities. Its not that. Take any large network and I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There are so many more vectors that are easier, less risky and quite often more productive than going down that route.

Closing off those vectors forces threat actors to assume more risk, expose zero-day exploits and operate with less cover. When that happens, the balance of cyber power could finally start to tilt away from the hackers.

Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.

Here is the original post:
What to Expect from the NSA Hacker Turned White House Cyber ... - GovTechWorks