Archive for the ‘NSA’ Category

NSA Swears It Won’t Allow Backdoors in New Encryption Standards

The U.S. has been working on new encryption standards meant to withstand the powers of quantum computing, an emergent technology that will supposedly involve machines capable of high-octane mathematical calculations that can crack current-day encryption algorithms without breaking a sweat.

Bloomberg reports that the National Institute of Technical Standards, or NIST, has been holding competitions to help develop these new standards. The goal is to develop better, more hack-resistant public-key cryptography, which will power secure communications for email and other everyday online applications that millions of Americans rely on.

The National Security Agency has also been helping out with the development of these new encryption standards, though it's not totally clear how. Don't worry though! The NSA swears that the new protocols are so secure that even its own band of keyboard warriors can't hack them. And the NSA would never put a backdoor in an encryption standard, right?

"There are no backdoors," Rob Joyce, the NSA's director of cybersecurity, told the news outlet. "Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance," Joyce said. "We've worked against all of them to make sure they are solid." The agency declined to comment further.

This sounds good, though it seems important to mention that the NSA does not have... shall we say, an amazing track record when it comes to backdoors. Don't forget that...

So, sure...no backdoors. Alright!

Read the original post:
NSA Swears It Won't Allow Backdoors in New Encryption Standards

5G NSA vs. SA: How does each deployment mode differ?

Prior to its release, 5G had been long touted as a major upgrade to cellular networking technology. With 5G no longer in its infancy, U.S. mobile network operators, or MNOs, have started to distribute 5G across the nation.

MNOs have two main options to choose from when deploying 5G: non-standalone (NSA) and standalone (SA).

NSA dominated as the top choice for initial 5G deployments among MNOs, thanks to existing cellular infrastructure. But, as SA 5G deployments take off, it's important to understand the distinctions between the two. Both approaches are valid ways of constructing a 5G network, but the chosen deployment mode determines how efficiently the 5G network operates.

Both NSA and SA use the 5G New Radio (5G NR) interface, enabling them to deliver features and capabilities based on the standards defined by the 3rd Generation Partnership Project (3GPP). 5G NR offers myriad use cases, but one of its most essential features is it provides a path from 4G LTE to 5G.

When it comes to NSA 5G, the clue is in the name: It's 5G that can't stand on its own in terms of infrastructure. NSA is a 5G radio access network (RAN) that operates on a legacy 4G LTE core -- known as Evolved Packet Core (EPC) -- and manages control plane functions. NSA includes both a 4G and 5G base station, but the 4G base station takes precedence. Because the NR control plane anchors to the EPC, radio frequency signals forward to the primary 4G base station.

NSA 5G, also known as Release 15 by 3GPP, is considered the first stage of 5G. Initial 5G deployments used NSA because MNOs could use their current infrastructure to build a 5G network. Carriers with 4G LTE networks could implement a 5G RAN on top of their existing architectures. NSA 5G can serve as a steppingstone for carriers unprepared to make a hefty investment when transitioning from legacy 4G LTE to 5G networks.

The drawback of NSA 5G, however, is it can't deliver certain capabilities that a pure, unfettered SA 5G network can. For example, NSA doesn't enable the low latency that is one of the biggest draws to 5G. Another disadvantage of NSA is it requires a higher level of energy to power 5G networks with 4G infrastructure. 5G NR is more energy-efficient than LTE, IEEE reported, but using two different forms of cellular technology massively increases power consumption in a network.

NSA 5G also shouldn't be confused with dynamic spectrum sharing (DSS), another method of deploying 5G with 4G technology. While NSA creates a 5G network with 4G infrastructure using dual connectivity, DSS permits 4G LTE and 5G NR to coexist in the same frequency band. 5G networks have a variety of spectrum bands available for use, and DSS distributes spectrum between bands based on user demands.

SA 5G networks include both a 5G RAN and a cloud-native 5G core, something NSA networks lack and substitute with a 4G core. SA networks can perform essential 5G functions, such as reducing latency, improving network performance and centrally controlling network management functions, because of their 5G cores.

SA requires MNOs to configure a completely new architecture and learn how to manage it. As carriers waited for SA technology to mature, most opted to simply reconfigure their 4G networks to support 5G, as it was cheaper and more convenient.

New providers without established 4G core networks couldn't follow that strategy, though. Because they couldn't rely on a 4G core, they needed to build their 5G infrastructure from scratch. SA is now looking to take the crown among MNOs, as carriers start to deploy it to take advantage of the improvements it offers over NSA.

The biggest disadvantage of SA is it's costly to implement and time-consuming for network professionals to learn the new 5G core infrastructure. Regardless, MNOs are making the shift to SA because NSA can serve as a step toward 5G networking, but it isn't considered true 5G due to its reliance on 4G LTE.

Ultimately, the biggest difference between NSA and SA is how each mode provides 5G. NSA uses a 5G RAN, as well as a 4G LTE core, while SA is an end-to-end 5G network with both a 5G RAN and NR core. Their methods of deployment determine how each mode supports the 3GPP-defined NR specifications.

5G NR specifications include the following:

All three features support an array of industries and services, including emerging sectors, such as IoT. However, SA 5G is the only deployment mode that supports all three specifications. NSA 5G can only enable enhanced mobile broadband because it has a 4G core that can extend to support the specification. SA can enable all three features because it has a more powerful and more flexible 5G core.

According to an October 2021 Exfo and Heavy Reading study, 88% of MNOs based in North America and Europe have planned to deploy SA 5G within the next year. Around 49% plan to deploy it in 2022, while another 39% are planning to deploy it by 2023. Despite the simplicity and inexpensive costs of deploying NSA, carriers are making the move to SA 5G to reap the most beneficial and anticipated capabilities of the technology.

Visit link:
5G NSA vs. SA: How does each deployment mode differ?

FBI and NSA say: Stop doing these 10 things that let the hackers in – ZDNet

Cyber attackers regularly exploit unpatched software vulnerabilities, but they "routinely" target security misconfigurations for initial access, so the US Cybersecurity and Infrastructure Security Agency (CISA) and its peers have created a to-do list for defenders in today's heightened threat environment.

CISA, the FBI and National Security Agency (NSA), as well as cybersecurity authorities from Canada, New Zealand, the Netherlands, and the UK, have compiled a list of the main weak security controls, poor configurations, and poor security practices that defenders should address to thwart initial access. It also contains the authorities' collective recommended mitigations.

"Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system," CISA says.

The list of actions includes all the obvious candidates, such as enabling multi-factor authentication (MFA) on key systems like virtual private networks (VPNs), but these controls are prone to misconfiguration when implemented in complex IT environments.

For example, last year Russian hackers combined a default policy shared by multiple MFA solutions and a Windows printer privilege escalation flaw to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers. This complexity can also be seen in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck.

Recent research by Palo Alto Networks found that 99% of cloud services utilize excessive permissions, against the well-known principle of least privilege to limit opportunities for attackers to breach a system.

The security controls outlined in CISA's list serve as a useful checklist for organizations, many of which deployed remote-working IT infrastructure hastily due to the pandemic, and amid today's heightened geopolitical tensions due to Russia's invasion of Ukraine. It also follows the EU joining the US-Five Eyes in jointly blaming the Russian military for this year's cyberattack against Viasat's European satellite broadband users.

As noted in the joint alert, attackers commonly exploit public-facing applications, external remote services, and use phishing to obtain valid credentials and exploit trusted relationships and valid accounts.

The joint alert recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. "Do not exclude any user, particularly administrators, from an MFA requirement," CISA notes.

Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects.

Of course, make sure software is up to date. But also don't use vendor-supplied default configurations or default usernames and passwords. These might be 'user friendly' and help the vendor deliver faster troubleshooting, but they're often publicly available 'secrets'. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance.

"Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup," CISA notes. "These default credentials are not secure - they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software."

CISA notes that remote services, such as VPNs, lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms like MFA to reduce risks. Also, put the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity.

Other key problems include: strong password policies are not implemented; open ports and internet-exposed services that can be scanned via the internet by attackers; failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.

CISA's recommendations include access control measures, implementing credential hardening, establishing centralized log management, using antivirus, employing detection tools and searching for vulnerabilities, maintaining configuration management programs, and implementing patch management.

CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant headway on this aim.

The full list of security 'don'ts' includes:

Read the original here:
FBI and NSA say: Stop doing these 10 things that let the hackers in - ZDNet

NSA’s Rob Joyce: Even the good hactivists are problematic – The New Statesman

Since the Russia-Ukraine conflict broke out, war on the ground has been brutal and catastrophic. Cyber warfare has been comparably insignificant, and projections about mass online shutdowns have not materialised.

However, there has been some intervention from hostile state actors. Just last week, the Foreign, Commonwealth and Development Office (FCDO) announced that Russia was almost certainly behind a major cyber operation targeting the US commercial communications and internet satellite company Viasat, which happened an hour before the invasion on 24 February.

After months of analysis, the UK government's National Cyber Security Centre (NCSC) has now attributed the hacks to the Russian state. While the primary target was the Ukrainian military, the attacks also impacted Ukrainian Viasat customers, and caused disruption to wind farms and internet users across central Europe. Additionally, the NCSC has ascertained that Russia was also behind an earlier attack on the Ukrainian government on 13 January, which involved defacing government websites and the deployment of destructive malware.

Interestingly, global sanctions on Russia have caused ransomware attacks to decrease since March, noted Rob Joyce, cyber security director of the US National Security Agency (NSA), at the NCSC's CyberUK conference in Wales this week. Sanctions have made it harder for criminals to organise attacks and move money in the West, he said.

But cyber threats do not only come from hostile states. Speaking in a panel discussion, Joyce highlighted the rise of cyber vigilantes - lone actors on both sides of the conflict who are taking matters into their own hands to infiltrate and destroy their enemy's systems.

While activism in support of Ukraine might seem commendable, Joyce warned that such an approach is not conducive to ethical behaviour. "You want to sit back and root for the folks who are trying to do noble things but it is problematic," he said. "We are trying to hold bad actors accountable in other nations [and] we have to be good international citizens in the cyber arena."

Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that roughly 300,000 hactivists related to the Russia-Ukraine conflict have been identified so far, and added that the extent of cyber vigilantism has "taken [government] by surprise".

There is an extreme unpredictability associated with these exploits that make it difficult to attribute, contain and stop them, she said. Hactivism can also impact regular citizens quite significantly, due to spillover onto non-primary targets (such as with the Viasat campaign) and breaches on public tools like Google Maps, impeding people's ability to travel and infiltrating personal location data.

Some hactivists do not act alone and have the advantage of an organisation behind them, making them even more of a threat. Perhaps the best-known is Anonymous, the pro-Ukraine collective that has vowed to keep attacking Russia until its aggression stops. The group's actions have caused Russia to become the most hacked country in the world in 2022 so far, with breaches affecting 3.5 million people, according to research from virtual private network (VPN) provider Surfshark.

But hactivist collectives exist on both sides. Conti, a group of pro-Russia ransomware cyber criminals, have now restyled themselves as political activists, said Jonathan Hope, senior technology evangelist at cyber security firm Sophos, who spoke in another session at CyberUK on ransomware.

Vigilantes can be more ruthless and chaotic than other cyber criminals, he noted, as they destroy data for the sake of it rather than for financial gain, meaning victims are less likely to get their information back. "They're hacking for Mother Russia with no checks, controls or balances," Hope said. "It's a tool, a weapon to destroy data."

The rise in such sporadic hacking makes it ever more important that governments secure and stress-test their critical national infrastructure, said Juhan Lepassaar, executive director of the European Union Agency for Cyber Security.

He said that the UK has done great work in securing its telecoms sector, and other industries and countries need to follow suit. "It pays off to build a framework where you stress-test the most critical sectors in society. [The sectors should be] incentivised to do it themselves."

There was consensus that both organisations and individuals need to be encouraged to undertake basic steps in cyber security. Joyce said that attitudes are changing, albeit a little late - intelligence agencies have focused on counter-insurgency and terrorism for the past two decades, he said, which has caused cyber defence to fall by the wayside.

"We've not been investing in IT and now China is threatening those systems," he said. "We will now do the things that we should have done ten or 20 years ago. The narrative has shifted."

Moving the onus of cyber security from response to prevention is key, added Lepassaar. In fact, Ukraine's thorough preparations are what has helped the country stay online despite multiple setbacks and has even enabled them to host press conferences in besieged cities, he said. "There has been a good deal of resilience from the Ukrainian state around maintaining connectivity. [This shows] the value of building partnerships early on and making sure you build distributed systems that are difficult to take down and attack."

Here is the original post:
NSA's Rob Joyce: Even the good hactivists are problematic - The New Statesman

Data sharing and the Budapest Convention. NSA says new encryption standard won’t have backdoors. New York enacts measures to protect power grid. – The…

At a glance.

The Council of Europe has announced that the Second Additional Protocol to the Convention on Cybercrime (also known as the Budapest Convention) was opened for signature at a conference of the Council's Committee of Ministers. The protocol's goal is to encourage the sharing of electronic evidence like subscriber info and traffic data among council member states through direct cooperation with service providers and registrars. Representatives from member states including Austria, Finland, Italy, Spain, and Sweden were present at the signing, as well as non-member states including the US and Japan. Secretary General Marija Pejčinović Burić explained, "The Second Protocol brings the Budapest Convention up to date with current, technological challenges, so that it remains the most relevant and effective international framework for combating cybercrime in the years ahead." Justice Minister of Italy, Marta Cartabia, added, "The use of ICT (Information and Communication Technologies) by organised crime in all sectors (sexual exploitation, drug trafficking, smuggling, terrorism) represents a further challenge for our judicial authorities and for our institutions... The Second Additional Protocol, therefore, responds to the need for greater and more efficient co-operation between States and between the States and the private sector, clarifying the cases in which the service providers will be able to provide the data in their possession directly to the competent authorities of other countries." The Protocol is open for signature by Parties to the Convention and will be implemented once ratified by five States.

Ilia Kolochenko, Founder of ImmuniWeb, a member of Europol Data Protection Experts Network and EU CyberNet Member, commented on the importance of the Protocol:

"As of today, The Budapest Convention remains the most comprehensive and the most important international treaty designed to combat cybercrime. The Convention, among other things, harmonizes the criminalization of computer offences, accelerates collaboration between law enforcement agencies and facilitates the preservation and seizure of digital evidence stored in a foreign country.

"The 20-year old Convention, however, certainly requires some updates to stay ahead of the rapidly evolving technology landscape and novel tactics deployed by sophisticated threat actors. Despite reasonable concerns expressed by the EU EDPB in relation to possible privacy risks created by the long-awaited Second Protocol, the Protocol brings several major improvements.

"Enhanced mutual assistance in emergency situations is probably the most crucial development. While procedurally it's not yet crystal clear how the emergency assistance provisions will be implemented by signatory countries, the provisions definitely bring a sound legal framework to remove some bureaucratic barriers that have been hindering mutual legal assistance in cross-border investigations when time was of the essence.

"Other provisions, such as disclosure of domain name owners and subscriber information, will probably have a less palpable impact, as many countries have already established tenable processes and procedures related thereto. Novel provisions on joint investigation teams will undoubtedly boost multiagency and multijurisdictional cooperation, however, the recent success of numerous joint operations, conducted by national authorities led by Europol and Interpol, convincingly demonstrates that joint investigations work pretty well today.

"That being said, in 2022, the challenges remain pretty similar to 2001. First, countries like Russia, China, India and most African countries are not signatories of the Convention. It is impossible to effectively investigate and prosecute cybercriminals without frictionless cooperation with those states, representing over 3 billion Internet users. Second, the Convention does not create specific duties binding upon national law enforcement agencies, but rather encourages governments to adopt necessary legislation and implement the requisite infrastructure. Third, most law enforcement agencies are already overwhelmed with an avalanche of domestic cases and will unlikely prioritize external requests even if the law provides so. Thus, we will probably observe more countries passing national laws to authorize legal hacking by police to obtain digital evidence in a rapid, licit and straightforward manner."

The US National Institute of Standards and Technology (NIST) is working on establishing quantum encryption standards for the nation, and some might be concerned the advanced technology might be used by another agency, NSA, for surveillance. NSA's director of cybersecurity Rob Joyce attempted to put such worries to rest by promising there will be no backdoors that could allow for spying. Joyce told Dark Reading, "Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance. We've worked against all of them to make sure they are solid."

The Assembly of the US state of New York on Wednesday passed legislation aimed at securing the state's energy grid against cyberattack. The bill was introduced by Assemblyman and chair of his chamber's Energy Committee Mike Cusick, who explained, "New York's energy grid is a prime target for hackers and cyber criminals across the globe...The passage of this legislation is a crucial step in our fight against cyber crime and our efforts to bolster the resiliency of our grid." GovTech notes that the bill will also provide a path for future legislation protecting infrastructure, and gives the state's Division of Homeland Security and Emergency Services the power to collaborate with state and federal agencies. Once passed by the Senate, the bill will be reviewed by Governor Kathy Hochul, who in February launched the "Joint Security Operations Center," a collaboration of federal and local partners offering a statewide view of the cyberactivity.

Read the original here:
Data sharing and the Budapest Convention. NSA says new encryption standard won't have backdoors. New York enacts measures to protect power grid. - The...