Showing results for tags 'nsa'.
Found 108 results

  1. The National Security Agency (NSA) improperly collected records on American phone calls and texts last year, according to new documents obtained and released by the American Civil Liberties Union (ACLU). The error occurred between Oct. 3 and Oct. 12, the documents show, and had not been previously disclosed. The documents were obtained by the ACLU through a Freedom of Information Act request. The incident occurred four months after the NSA said it had deleted scores of U.S. records that were collected since 2015 due to a separate error. The records contained details on the duration of U.S. phone calls but not the content of them. The ACLU records show the agency also used improperly obtained information in February 2018, which likely led to the NSA's decision to purge millions of records a few months later in June. The agency allegedly used some of that improperly collected data to seek approval to spy on some targets, but the records do not indicate whether that information was ultimately used for those purposes. The new disclosures come as part of the ACLU's ongoing lawsuit against the NSA over the call records program, which gathers metadata on domestic text messages and phone calls. "The technical irregularities that led NSA to delete data last summer were identified and addressed," an NSA spokesman told The Hill in a statement Wednesday. "Since that time, NSA identified additional data integrity and compliance concerns caused by the unique complexities of using company-generated business records for intelligence purposes. Those data integrity and compliance concerns have also been addressed and reported to NSA’s overseers, including the congressional oversight committees and the Foreign Intelligence Surveillance Court." The spokesman said the agency cannot comment further "on these concerns because they involve operational details of the program that remain classified."
The ACLU is using the new documents to underscore its argument that the call records program should not be allowed to exist. "These documents further confirm that this surveillance program is beyond redemption and a privacy and civil liberties disaster," Patrick Toomey, staff attorney with the ACLU's National Security Project, said in a statement. "The NSA's collection of Americans' call records is too sweeping, the compliance problems too many, and the evidence of the program's value all but nonexistent. There is no justification for leaving this surveillance power in the NSA's hands." The ACLU, responding to the records, sent a letter to the House Judiciary Committee on Wednesday calling for an end to the authority that enables the call records program, referred to as Section 215. Privacy activists have long argued that elements of the USA Freedom Act — which enables the call detail records program — should not be reauthorized, including the Section 215 authorities. They say the program has not effectively stopped any terrorist attacks and encroaches on the personal lives of Americans. The USA Freedom Act, a pared-down version of the 2001 Patriot Act, is up for reauthorization at the end of this year. Civil liberties activists have been fighting for Congress to let the Section 215 authorities expire. But some lawmakers have said they need to hear from the NSA and the White House before making a final decision. As for the status of the program, the NSA spokesperson said in Wednesday's statement, "This is a deliberative interagency process that will be decided by the Administration." A top national security aide to House Minority Leader Kevin McCarthy (R-Calif.) in a podcast earlier this year revealed that, for the past six months, the NSA hasn't used the program and predicted that the Trump administration would not ask to renew it.
A group of bipartisan lawmakers last month introduced a bill that would end the program and take away the NSA's authority to restart it. Source
  2. The Chinese are making doubly sure public displays of displeasure with their totalitarian regime such as occurred in Tiananmen Square in 1989 will never be repeated. They are instituting a technological surveillance program so pervasive that when completed -- quite soon, it seems -- it will enforce conformity throughout their giant country on a scale that would stupefy Orwell and Huxley. China’s plan to judge each of its 1.3 billion people based on their social behavior is moving a step closer to reality, with Beijing set to adopt a lifelong points program by 2021 that assigns personalized ratings for each resident. The capital city will pool data from several departments to reward and punish some 22 million citizens based on their actions and reputations by the end of 2020, according to a plan posted on the Beijing municipal government’s website on Monday. Those with better so-called social credit will get “green channel” benefits while those who violate laws will find life more difficult. The Beijing project will improve blacklist systems so that those deemed untrustworthy will be “unable to move even a single step,” according to the government’s plan. Bloomberg has more to say about this incipient "brave new world." The final version of China’s national social credit system remains uncertain. But as rules forcing social networks and internet providers to remove anonymity get increasingly enforced and facial recognition systems become more popular with policing bodies, authorities are likely to find everyone from internet dissenters to train-fare skippers easier to catch -- and punish -- than ever before. Bad news for Winston Smith. Or is it Winston Chang? Thank God, it's China! Or is it? Perhaps the Chinese are only being public, and therefore somewhat more honest and transparent, about their plans and the world in which we all already live. 
After all, when it comes to technological surveillance, they are merely playing catch-up to our NSA, which has been monitoring us all for decades with only sporadic protest. Does the NSA have their own form of a rating system? We don't know, but they surely have some way -- various algorithms, one assumes -- for deciding who deserves more attention. Meanwhile, Google -- lord on high of the internet -- works with the NSA through the PRISM program and with the Chinese on a new China-only search engine that will be subject to Communist Party regulation, an equal opportunity silicon behemoth. Google's experience with NSA makes this outreach to the Chinese almost seamless. When you think about it, the similarity of approach and method is blood-curdling. It wouldn't be surprising if important components of the new surveillance technology for this latest Chinese initiative to control the behavior of their entire population were "borrowed" in part from Google. What does this all mean to us -- the common man and woman of the USA (and elsewhere really)? Whether we choose to think about it or not, almost all of us realize we have no private life any more, no secrets the government couldn't easily ascertain should it be the slightest bit interested. Even a presidential candidate was not exempt from such surveillance. What possibility do we have? This has already been factored into our personalities and behaviors, at the very least unconsciously, in ways we can only begin to guess as it is now such a mundane occurrence. I would imagine many phenomena such as political correctness and its attendant virtue signaling are amplified by the knowledge that we are constantly observed. It also contributes to the extraordinary uniformity and group think pervading our educational system and media. The employees of Google themselves behave much like a cult, eager to drum out the mildest of apostates. 
The self-styled social justice warriors on our campuses act similarly, ever searching for the most "victimized" person as the eye in the sky watches and, hopefully, approves. All the to-ing and fro-ing on our supposedly contentious social media are just fodder for the homogenization to come. It's all very Chinese, if you think not very far back to the Cultural Revolution. But Mao and Jiang Qing didn't have the technological weapons available today and were beaten back, temporarily anyway. Now the battle for freedom is global. Source
  3. from the ALL-WHISTLES-MUST-BE-BLOWN-INSIDE-THE-HOUSE----The-management dept The NSA is promising to be kinder to whistleblowers. This is important, at least to the NSA, because its most famous whistleblowers have eventually gone outside the system to deliver news of systemic surveillance program abuse to the masses. I don't think NSA officials necessarily want to handle internal complaints and scale back abusive collection programs. I think they just want to make sure no one outside of the NSA and its direct oversight hears about it. That being said, the NSA definitely needs to work on its interpersonal relationships with disgruntled employees. People yelling about Snowden not going through the proper channels didn't have much to say about his proper channel being on the chopping block for retaliating against a whistleblower. And protections for contractors are still weaker than those offered to federal employees, which means the NSA can keep complainers quieter by continuing to rely on outsiders to handle the dirty work of analyzing incoming intel. To be fair, this effort to protect whistleblowers seems a lot more earnest than past efforts. At least in this case, the NSA consulted with outside groups for input on anti-retaliation policies. Even so, whistleblower protections work better in theory than in practice. The NSA is the government's most secretive agency and has a long history of abusing its surveillance authorities. It's been resistant to internal change for much of its lifespan, and change is something nearly every whistleblower is seeking. If it can keep whistleblowers from becoming leakers, it can better hide its misdeeds from the public. And that's something we need to be wary of anytime the NSA starts talking about protecting employees who aren't happy with its programs, policies, or practices. Source
  4. from the violating-the-law-on-the-regular dept More evidence of the NSA's abuse of its surveillance powers has surfaced, thanks to a FOIA lawsuit by the EFF. To date, the EFF has secured 73 FISC opinions as the result of this lawsuit and is still fighting for the release of six opinions the government has chosen to withhold entirely. One of the opinions released to the EFF shows the NSA's frequent assertions about proper minimization, careful deployment of surveillance techniques, and supposedly robust oversight are mostly false. The NSA abuses its powers and withholds evidence of its abuses from the FISA court, undermining the system of checks and balances meant to keep the agency in line. The opinion [PDF] embedded below is just one of several recently acquired by the EFF, but it still shows plenty of surveillance power abuse by the agency. Aaron Mackey of the EFF summarizes the contents of the order: Much of the opinion is redacted, leaving only sentence fragments for readers to parse. But even these fragments manage to produce a decent depiction of apparently long-running program abuses by the NSA. What the court called "unauthorized electronic surveillance," the government claimed was only a violation of minimization procedures. Even if the court was willing to cede this argument to the government (and it wasn't), the court goes on to point out that the NSA had done nothing to address this violation of minimization procedures. A little further on, the court makes it clear repairing minimization procedures does not excuse prior unauthorized collections, nor would it make similar collections legal in the future. And it appears the NSA again withheld info from the court, preventing it from doing its job properly. This is only one of several FISA court documents discussing unauthorized collections. The stockpile of FOIAed documents indicates the government has rarely used its collections programs correctly. 
The history of the NSA's interactions with the FISA court is littered with references to over-collection and agency obfuscation. This is more of the same from an agency that claims to be precisely and thoroughly controlled by external and internal oversight. The FISA court documents don't align with the NSA's narrative. Instead, they show an agency willing to ignore the law and mislead the court to engage in surveillance its oversight has never authorized. Source
  5. Supreme Court nominee discussed notable surveillance cases during Friday testimony. On Friday, during the final day of hearings before the Senate Judiciary Committee, Sen. Patrick Leahy (D-Vt.) had an interesting exchange over recent privacy cases with the Supreme Court judicial nominee, Judge Brett Kavanaugh. "I've talked repeatedly in this hearing about how technology will be one of the huge issues with the Fourth Amendment going forward," said Kavanaugh, who serves on the United States Court of Appeals for the District of Columbia Circuit. Opening their six-minute tête-à-tête, Leahy began by asking the appellate court judge about what Kavanaugh wrote in November 2015 in a case known as Klayman v. Obama. In that case, a well-known conservative activist attorney, Larry Klayman, sued the then-president on June 7, 2013—the day after the Snowden revelations became public. The complaint argued that the National Security Agency's telephone metadata program ("Section 215"), which gathered records of all incoming and outgoing calls for years on end, was unconstitutional. US District Judge Richard Leon ruled in favor of plaintiff and attorney Larry Klayman in December 2013 and ordered that the NSA's program be immediately halted. But he stayed his order pending the government appeal, which reversed Judge Leon in August 2015. Klayman asked the appeals court to re-hear the case with all of the District of Columbia appellate judges, in what’s known as an en banc appeal. This was denied, and Kavanaugh separately agreed with that decision in a November 2015 concurrence. "I do so because, in my view, the Government's metadata collection program is entirely consistent with the Fourth Amendment," Kavanaugh wrote. "Therefore, plaintiffs cannot show a likelihood of success on the merits of their claim, and this Court was right to stay the District Court's injunction against the Government’s program. 
The Government’s collection of telephony metadata from a third party such as a telecommunications service provider is not considered a search under the Fourth Amendment, at least under the Supreme Court's decision in Smith v. Maryland, 442 U.S. 735 (1979). That precedent remains binding on lower courts in our hierarchical system of absolute vertical stare decisis." Kavanaugh went further, saying that even if the Section 215 metadata program was a search, it should be considered "reasonable" in the name of national security. "The Fourth Amendment allows governmental searches and seizures without individualized suspicion when the Government demonstrates a sufficient 'special need'—that is, a need beyond the normal need for law enforcement—that outweighs the intrusion on individual liberty," he wrote. "Examples include drug testing of students, roadblocks to detect drunk drivers, border checkpoints, and security screening at airports."
USA Freedom Act
So Sen. Leahy wanted to know why Kavanaugh went out of his way to say this months after Leahy himself had authored a revision in the law, known as the USA Freedom Act, and when two government watchdogs had called for Section 215 to end. (An outside analysis also found in January 2014 that Section 215 was ineffective.) "I was trying to articulate what I thought based on precedent at the time, when your information went to a third party and when the government went to a third party, the existing privacy Supreme Court precedent was that your privacy interest was essentially zero," Kavanaugh said Friday. "The opinion by Chief Justice Roberts this past spring in the Carpenter case is a game changer." Carpenter v. United States involved a suspect, Timothy Carpenter, who was accused of leading an armed robbery gang that hit Radio Shack and other cell phone stores in Michigan and Ohio in 2010 and 2011.
The government was able to warrantlessly obtain 127 days' worth of his CSLI from his mobile provider, which detailed precisely where Carpenter had been during that time. The Supreme Court ultimately ruled earlier this year that, when the government seeks to obtain such a large volume of intimate information, it needs to get a warrant first in most cases. The impact of Carpenter is starting to be felt in cases around the country. "Do you think if Carpenter had been decided you would have written the concurrence you did in Klayman?" Leahy asked. "I don't see how I could have," Kavanaugh said. "Thank you, I agree with that," the Vermont senator replied.
More than the sum of its parts
Sen. Leahy then moved on to a 2012 Supreme Court case, United States v. Jones, which in retrospect has become one of a string of three major pro-privacy decisions that the high court has made within the last decade. That case began in federal court in Washington, DC, and moved on to the appellate court on which Kavanaugh now sits, the United States Court of Appeals for the District of Columbia Circuit. Before the Supreme Court agreed to hear Jones, the government, which lost at the appellate level, asked the DC Circuit to reconsider en banc. It declined to do so, but Kavanaugh wrote a dissent in November 2010 even though he was not on the original panel of three appellate judges. Kavanaugh and three other Circuit judges wrote that Jones, which involved the warrantless placement of a GPS tracker on a suspected drug dealer's car, was very similar to a 1983 decision known as United States v. Knotts. In that case, the Supreme Court found that there was no "reasonable expectation of privacy" when traveling on a public road. Therefore, a majority concluded, it was OK for the police to put a short-range FM transmitter on a drug suspect's car as it drove 100 miles from Minnesota to Wisconsin.
"The reasonable expectation of privacy as to a person's movements on the highway is, as concluded in Knotts, zero," Kavanaugh wrote in 2010. "The sum of an infinite number of zero-value parts is also zero." Quoting from this very line during the Friday hearing, Leahy compared Kavanaugh's analysis to a statement as being closer to "the Chinese government than what we'd get from James Madison, had he known about what we can do." Then, he brought his question home to the present day: "So, because of Carpenter, do you believe there comes a point at which collection of data about a person becomes so pervasive that a warrant would be required even if one collection of one bit of the data would not?"
Mosaic theory
While he didn't come right out and say it, Leahy seemed to be probing whether Kavanaugh subscribes to what many legal scholars call the "mosaic theory." This is the notion that, while a series of discrete surveillance or near-surveillance actions in and of themselves may be legal, there comes a point when those are aggregated over a long enough period of time that they become an unreasonable search in violation of the Fourth Amendment. Both men undoubtedly knew that the DC appeals court ultimately ruled in favor of the mosaic theory in August 2010 when it handed an intermediate win to Antoine Jones and his co-defendant, Lawrence Maynard. Kavanaugh reminded the hearing that, in this same dissent, he pointed out that there was a Fourth Amendment violation in the physical attachment of the GPS on Jones' Jeep Grand Cherokee. (This line of reasoning was what was ultimately seized upon by Justice Antonin Scalia and the conservative wing of the Supreme Court.) But when Kavanaugh addressed whether or not he agreed with the mosaic theory, he was measured in his answer. Kavanaugh seemed to suggest that he disagreed with his DC appeals court colleagues on this point.
"I think the Supreme Court case law in the Riley case, written by Chief Justice Roberts, and the Carpenter case, written by Chief Justice Roberts—both majority opinions—show his and the court's recognition of the issue that you're describing in that technology," Kavanaugh said. "It's made things different, and we need to understand those differences for purposes of applying Fourth Amendment law now, and I do think those two decisions are quite important. Someone sitting in this chair 10 years from now—the question of technology on Fourth Amendment, First Amendment, [and] War Powers [are] going to be of central importance. I appreciate your question, but I think the Supreme Court case law is developing in a way consistent with your concern." "Do you think it's consistent with the fact that there will be areas so pervasive that you will need warrants?" Leahy asked. "The Supreme Court case law is certainly suggesting as much in the Riley and Carpenter case and the Jones GPS case, which I had written the opinion in." In short, Kavanaugh, in deferring to the government, seemed to acknowledge that he may be in the minority on this point. The Senate Judiciary Committee is expected to vote on his nomination on September 17, with a full floor vote set to come at the end of the month. With no substantive objection from the Republican majority, Kavanaugh is all but set to be confirmed, in which case he will replace retired Justice Anthony Kennedy, for whom he clerked. Source
  6. The National Security Agency (NSA) is purging what appears to be hundreds of millions of phone records collected by U.S. telecom companies that the agency had acquired since 2015. The agency released a statement on Thursday saying it began deleting records in May after "analysts noted technical irregularities in some data received from telecommunications service providers." The records date back to 2015 and were obtained under the Foreign Intelligence Surveillance Act. The statement added that "the root cause of the problem has since been addressed" for future call record collecting. In a written follow-up statement to the Associated Press, the NSA said it is "following a specific court-authorized process," but technical irregularities resulted in the production of some call records that the NSA "was not authorized to receive." The NSA faced a legal battle surrounding its Internet surveillance data collection program in 2017, when the 4th U.S. Circuit Court of Appeals ruled that a challenge brought by the American Civil Liberties Union could move forward. David Kris, a member of the Justice Department during the Obama administration, told the New York Times that the agency's announcement represents a "failure" of the Obama administration to properly implement the Freedom Act, a surveillance law passed in 2015 after the controversial Patriot Act expired. Others placed the blame elsewhere. “Telecom companies hold vast amounts of private data on Americans,” Sen. Ron Wyden, D-Ore., told the Times. “This incident shows these companies acted with unacceptable carelessness, and failed to comply with the law when they shared customers’ sensitive data with the government." The Associated Press contributed to this report. Source
  7. Here are eight AT&T-owned locations, buildings that are reportedly central to the NSA's internet spying purposes. Have you ever wondered what locations on American soil serve as backbone or “peering” facilities that the NSA might secretly be using for eavesdropping purposes? The Intercept revealed eight such AT&T-owned locations: two in California, one in Washington, another in Washington, D.C., one in New York, one in Texas, one in Illinois, and one in Georgia. You might pass by these AT&T buildings having no idea that they are “central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory.” While neither AT&T nor NSA spokespeople would confirm that the NSA has tapped into data at these eight locations that normally route telecom companies’ data traffic, former AT&T employees did confirm the locations of the “backbone node with peering” facilities. AT&T refers to the peering sites as “Service Node Routing Complexes.” The Intercept explained various code-named NSA surveillance programs, previously made public thanks to Edward Snowden, which seem to have taken place at these eight AT&T facilities. In addition, the Intercept article cites “a top-secret NSA memo” that “has not been disclosed before;” the memo “explained that the agency was collecting people’s messages en masse if a single one were found to contain a ‘selector’ – like an email address or phone number – that featured on a target list.”
The NSA's past activity
There’s a bit of a history lesson included in the article, going over how the NSA was hoovering emails if they mentioned information about surveillance targets, including domestic communications that violated citizens’ Fourth Amendment right to be protected against unreasonable searches and seizures. The NSA moved to using a cautionary banner that warned analysts not to read the communication unless it had been lawfully obtained.
The NSA acknowledged the violations in April 2017. The messages had reportedly been part of upstream surveillance allowed under Executive Order 12333. After receiving an NSA memo via a Freedom Of Information Act (FOIA) request, the ACLU previously warned that NSA analysts might even be “laughing at your sex tape” thanks to surveillance under EO 12333. At any rate, according to The Intercept, the eight AT&T buildings that have secretly served as NSA spying hubs for monitoring “billions of emails, phone calls, and online chats” – codenamed FAIRVIEW for NSA surveillance – are located at:
    • 30 E Street Southwest in Washington, D.C.
    • 1122 3rd Avenue in Seattle, Washington
    • 611 Folsom Street in San Francisco, California
    • 811 10th Avenue in New York City
    • 420 South Grand Avenue in Los Angeles, California
    • 4211 Bryan Street in Dallas, Texas
    • 10 South Canal Street in Chicago, Illinois
    • 51 Peachtree Center Avenue in Atlanta, Georgia
Source
  8. POSTER NOTE: This is important because it ties in the military combat capabilities (special ops) with the NSA. Gen. Paul Nakasone assumed the directorship of the National Security Agency and Cyber Command, now officially a unified combatant command, from Adm. Michael Rogers in a ceremony May 4. In doing so, Nakasone became “the primary guardian of our nation’s cyber domain,” said Patrick Shanahan, deputy secretary of defense. The ceremony, held at the newly unveiled Integrated Cyber Center and Joint Operations Center, marked the elevation of Cyber Command to the 10th combatant command and the first new combatant command since Africa Command came online in 2007. A wide range of high-profile guests, including Sen. Ben Cardin, D-Maryland; Rob Joyce, special assistant to the president and cybersecurity coordinator on the national security staff; Gen. Joseph Dunford, chairman of the Joint Chiefs of Staff; Joseph Kernan, undersecretary of defense for intelligence; Gen. John Hyten, commander of Strategic Command; Gen. Mark Milley, Army chief of staff; and Essye Miller, acting DoD CIO, were in attendance. Shanahan, who presided over the event along with Director of National Intelligence Dan Coats, told Nakasone that “Adm. Rogers has built capability and integration. Your challenge is to build scale and to strengthen our arsenal of cyberweapons, cyber shield, cyber warriors.” Rogers explained during the ceremony that four years ago the organization he took command of was given a structure and a plan. “Our job,” he said, “was to take that structure and that plan, build it out, create a vision, operationalize this idea and ensure that it was integrated with a broader set of activities executed by the Department of Defense.” Nakasone called the elevation “a day of new beginnings, of renewed partnerships and of our enduring commitment of the defense of our nation.” “Today we start writing the opening chapter for U.S.
Cyber Command as our nation’s newest unified combatant command,” he said. “From defensive operations protecting our networks to offensive operations against ISIS and other adversaries, CYBERCOM has matured rapidly.” He added: “Our team now has both the challenge and more importantly the opportunity to build a combatant command from the ground up. The elevation today marks a proud day for CYBERCOM and the nation and I am fortunate to be here to lead you into this next chapter of our great history.” Source
  9. The agency collected a staggering 534 million domestic phone records last year, up threefold on the year earlier. New figures reveal a sharp increase in the number of searches of Americans' calls and messages by the intelligence community during the Trump administration's first year in office. The figures, published Friday by the Office of the Director of National Intelligence (ODNI), show a rise in targeted surveillance and searches of people's data. It's the latest annual report from the government's chief spy, which has faced calls to be more transparent in the wake of the Edward Snowden disclosures into its surveillance programs. According to the figures, there were 7,512 searches of Americans' calls and messages without a warrant, up by 42 percent on the year prior. The government gets these search powers under the controversial section 702 authority, which allows the National Security Agency (NSA) to gather intelligence on foreigners overseas by collecting data from choke points where fiber optic cables owned by telecom giants enter the US. The powers also authorize the collection of data from internet giants and tech companies. But data collected under section 702 is near indiscriminate, and it also sweeps up large amounts of data on Americans, who are constitutionally protected from warrantless surveillance. The actual number of searches on Americans is likely significantly higher, because the reported figures don't account for searches by other civilian agencies, like the FBI or the Drug Enforcement Administration -- which also don't require a warrant to search the database. "We're almost certainly talking about tens of thousands of Americans being queried by FBI but have no clear info on that or the number of Americans whose data is collected," said Jake Laperruque, senior counsel at the Project On Government Oversight. Congress has long asked the government to reveal how many Americans have their data inadvertently collected by the NSA.
Both the Obama and Trump administrations refused to disclose how many Americans are caught up in the dragnet. "Overall the numbers show that the scale of warrantless surveillance is growing at a significant rate, but ODNI still won't tell Americans how much it affects them," said Laperruque. It's not the only figure in the report to see a massive increase. The NSA targeted 129,080 foreign individuals or groups, representing a rise of 20 percent in the number of targets on the year earlier. Patrick Toomey, staff attorney at the ACLU's National Security Project, tweeted that the figure was the "biggest jump on record." The report also shows a massive spike in the number of collected phone records last year. The details of who calls whom and when, collected under the NSA's phone metadata collection programs, were later curtailed when the Freedom Act was ratified in 2015. Last year, a staggering 534 million call detail records were collected, up from 151 million -- more than a three-fold increase on the year earlier. The figures don't represent the number of Americans whose phone records were collected, and likely include duplicates, the report said. The number of orders to collect phone records, however, remained the same as the previous year. Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute, said the intelligence community may have changed interpretations of their legal authorities. "The report raises some serious questions if the intelligence community, and the courts may be interpreting their authorities in an overbroad manner to permit too much collection," said Greene. "It's hard to imagine how you get the same number of targets yet over three-times as many records collected unless you've reinterpreted what constitutes a call detail record," Greene added.
The report also showed a similar pattern with national security letters, a subpoena-like power that can compel tech and phone companies to turn over data on grounds of national security. Although the number of letters increased marginally by 5 percent to 12,762 last year, the number of requests for information more than tripled, indicating that the FBI sought more data per letter than in previous years. These letters are particularly controversial because they require no court approval and almost always include a gag order, which prevents the subject of the letter from being informed. In recent years, several companies including Apple, Facebook, Microsoft, Twitter, and Yahoo have fought to have details of the secretive letters publicly revealed. In 2008, a US court found the National Security Letter statute, amended by the Patriot Act in 2001, was unconstitutional. A separate case in 2013 found that the gag order provision was found to be in breach of the First Amendment, though the government appealed the ruling. Source
10. Internet paranoiacs drawn to bitcoin have long indulged fantasies of American spies subverting the booming, controversial digital currency. Increasingly popular among get-rich-quick speculators, bitcoin started out as a high-minded project to make financial transactions public and mathematically verifiable — while also offering discretion. Governments, with a vested interest in controlling how money moves, would, some of bitcoin’s fierce advocates believed, naturally try and thwart the coming techno-libertarian financial order.

It turns out the conspiracy theorists were onto something. Classified documents provided by whistleblower Edward Snowden show that the National Security Agency indeed worked urgently to target bitcoin users around the world — and wielded at least one mysterious source of information to “help track down senders and receivers of Bitcoins,” according to a top-secret passage in an internal NSA report dating to March 2013. The data source appears to have leveraged the NSA’s ability to harvest and analyze raw, global internet traffic while also exploiting an unnamed software program that purported to offer anonymity to users, according to other documents.

Although the agency was interested in surveilling some competing cryptocurrencies, “Bitcoin is #1 priority,” a March 15, 2013 internal NSA report stated. The documents indicate that “tracking down” bitcoin users went well beyond closely examining bitcoin’s public transaction ledger, known as the Blockchain, where users are typically referred to through anonymous identifiers; the tracking may also have involved gathering intimate details of these users’ computers. The NSA collected some bitcoin users’ password information, internet activity, and a type of unique device identification number known as a MAC address, a March 29, 2013 NSA memo suggested.
In the same document, analysts also discussed tracking internet users’ internet addresses, network ports, and timestamps to identify “BITCOIN Targets.” The agency appears to have wanted even more data: The March 29 memo raised the question of whether the data source validated its users, and suggested that the agency retained bitcoin information in a file named “Provider user full.csv.” It also suggested powerful search capabilities against bitcoin targets, hinting that the NSA may have been using its XKeyScore searching system, where the bitcoin information and a wide range of other NSA data was cataloged, to enhance its information on bitcoin users. An NSA reference document indicated that the data source provided “user data such as billing information and Internet Protocol addresses.” With this sort of information in hand, putting a name to a given bitcoin user would be easy.

The NSA’s budding bitcoin spy operation looks to have been enabled by its unparalleled ability to siphon traffic from the physical cable connections that form the internet and ferry its traffic around the planet. As of 2013, the NSA’s bitcoin tracking was achieved through a program code-named OAKSTAR, a collection of covert corporate partnerships enabling the agency to monitor communications, including by harvesting internet data as it traveled along fiber optic cables that undergird the internet. Specifically, the NSA targeted bitcoin through MONKEYROCKET, a sub-program of OAKSTAR, which tapped network equipment to gather data from the Middle East, Europe, South America, and Asia, according to classified descriptions.
As of spring 2013, MONKEYROCKET was “the sole source of SIGDEV for the BITCOIN Targets,” the March 29, 2013 NSA report stated, using the term for signals intelligence development, “SIGDEV,” to indicate the agency had no other way to surveil bitcoin users. The data obtained through MONKEYROCKET is described in the documents as “full take” surveillance, meaning the entirety of data passing through a network was examined and at least some entire data sessions were stored for later analysis.

At the same time, MONKEYROCKET is also described in the documents as a “non-Western Internet anonymization service” with a “significant user base” in Iran and China, with the program brought online in summer 2012. It is unclear what exactly this product was, but it would appear that it was promoted on the internet under false pretenses: The NSA notes that part of its “long-term strategy” for MONKEYROCKET was to “attract targets engaged in terrorism, [including] Al Qaida” toward using this “browsing product,” which “the NSA can then exploit.” The scope of the targeting would then expand beyond terrorists. Whatever this piece of software was, it functioned as a privacy bait and switch, tricking bitcoin users into using a tool they thought would provide anonymity online but was actually funneling data directly to the NSA.

The hypothesis that the NSA would “launch an entire operation overseas under false pretenses” just to track targets is “pernicious,” said Matthew Green, assistant professor at the Johns Hopkins University Information Security Institute. Such a practice could spread distrust of privacy software in general, particularly in areas like Iran where such tools are desperately needed by dissidents. This “feeds a narrative that the U.S. is untrustworthy,” said Green. “That worries me.” The NSA declined to comment for this article. The Bitcoin Foundation, a nonprofit advocacy organization, could not immediately comment.
Although it offers many practical benefits and advantages over traditional currency, a crucial part of bitcoin’s promise is its decentralization. There is no Bank of Bitcoin, no single entity that keeps track of the currency or its spenders. Bitcoin is often misunderstood as being completely anonymous; in fact, each transaction is tied to publicly accessible ID codes included in the Blockchain, and bitcoin “exchange” companies typically require banking or credit card information to convert Bitcoin to dollars or euros. But bitcoin does offer far greater privacy than traditional payment methods, which require personal information up to and including a Social Security number, or must be linked to a payment method that does require such information. Furthermore, it is possible to conduct private bitcoin transactions that do not require exchange brokers or personal information. As explained in the 2009 white paper launching bitcoin, “the public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.” For bitcoin adherents around the world, this ability to transact secretly is part of what makes the currency so special, and such a threat to the global financial status quo.

But the relative privacy of bitcoin transactions has naturally frustrated governments around the world and law enforcement in particular — it’s hard to “follow the money” to criminals when the money is designed to be more difficult to follow. In a November 2013 letter to Congress, one Homeland Security official wrote that “with the advent of virtual currencies and the ease with which financial transactions can be exploited by criminal organizations, DHS has recognized the need for an aggressive posture toward this evolving trend.”

Green told The Intercept he believes the “browsing product” component of MONKEYROCKET sounds a lot like a virtual private network, or VPN.
VPNs encrypt and reroute your internet traffic to mask what you’re doing on the internet. But there’s a catch: You have to trust the company that provides you a VPN, because they provide both software and an ongoing networking service that potentially allows them to see where you’re going online and even intercept some of your traffic. An unscrupulous VPN would have complete access to everything you do online.

Emin Gün Sirer, associate professor and co-director of the Initiative for Cryptocurrencies and Contracts at Cornell University, told The Intercept that financial privacy “is something that matters incredibly” to the bitcoin community, and expects that “people who are privacy conscious will switch to privacy-oriented coins” after learning of the NSA’s work here. Despite bitcoin’s reputation for privacy, Sirer added, “when the adversary model involves the NSA, the pseudonymity disappears. … You should really lower your expectations of privacy on this network.”

Green, who co-founded and currently advises a privacy-focused bitcoin competitor named Zcash, echoed those sentiments, saying that the NSA’s techniques make privacy features in any digital currencies like Ethereum or Ripple “totally worthless” for those targeted. The NSA’s interest in cryptocurrency is “bad news for privacy, because it means that in addition to the really hard problem of making the actual transactions private … you also have to make sure all the network connections [are secure],” Green added. Green said he is “pretty skeptical” that using Tor, the popular anonymizing browser, could thwart the NSA in the long term. In other words, even if you trust bitcoin’s underlying tech (or that of another coin), you’ll still need to be able to trust your connection to the internet — and if you’re being targeted by the NSA, that’s going to be a problem.
NSA documents note that although MONKEYROCKET works by tapping an unspecified “foreign” fiber cable site, and that data is then forwarded to the agency’s European Technical Center in Wiesbaden, Germany, meetings with the corporate partner that made MONKEYROCKET possible sometimes took place in Virginia. Northern Virginia has for decades been a boomtown for both the expansive national security state and American internet behemoths — telecoms, internet companies, and spy agencies call the area’s suburbs and office parks home.

[Image: Liberty Reserve website name seizure notice.]

Bitcoin may have been the NSA’s top cryptocurrency target, but it wasn’t the only one. The March 15, 2013 NSA report detailed progress on MONKEYROCKET’s bitcoin surveillance and noted that American spies were also working to crack Liberty Reserve, a far seedier predecessor. Unlike bitcoin, for which facilitating drug deals and money laundering was incidental to bigger goals, Liberty Reserve was more or less designed with criminality in mind. Despite being headquartered in Costa Rica, the site was charged with running a $6 billion “laundering scheme” and triple-teamed by the U.S. Department of Justice, Homeland Security, and the IRS, resulting in a 20-year conviction for its Ukrainian founder. As of March 2013 — just two months before the Liberty Reserve takedown and indictment — the NSA considered the currency exchange its No. 2 target, second only to bitcoin. The indictment and prosecution of Liberty Reserve and its staff made no mention of help from the NSA.

Just five months after Liberty Reserve was shuttered, the feds turned their attention to Ross Ulbricht, who would go on to be convicted as the mastermind behind notorious darkweb narcotics market Silk Road, where transactions were conducted in bitcoin, with a cut going to the site’s owner. Ulbricht reportedly held bitcoins worth $28.5 million at the time of his arrest.
Part of his unsuccessful defense was the insistence that the FBI’s story of how it found him did not add up, and that the government may have discovered and penetrated the Silk Road’s servers with the help of the NSA — possibly illegally. The prosecution dismissed this theory in no uncertain terms:

Though the documents leaked by Snowden do not address whether the NSA aided the FBI’s Silk Road investigation, they show the agency working to unmask bitcoin users about six months before Ulbricht was arrested, and that it had worked to monitor Liberty Reserve around the same time. The source of the bitcoin and Liberty Reserve monitoring, MONKEYROCKET, is governed by an overseas surveillance authority known as Executive Order 12333, the language of which is believed to give U.S. law enforcement agencies wide latitude to use the intelligence when investigating U.S. citizens.

Civil libertarians and security researchers have long been concerned that otherwise inadmissible intelligence from the agency is used to build cases against Americans through a process known as “parallel construction”: building a criminal case using admissible evidence obtained by first consulting other evidence, which is kept secret, out of courtrooms and the public eye. An earlier investigation by The Intercept, drawing on court records and documents from Snowden, found evidence the NSA’s most controversial forms of surveillance, which involve warrantless bulk monitoring of emails and fiber optic cables, may have been used in court via parallel construction.
Patrick Toomey, an attorney with the ACLU’s National Security Project, said the NSA bitcoin documents, although circumstantial, underscore a serious and ongoing question in American law enforcement:

Although an NSA document about MONKEYROCKET stated the program’s “initial” concern was counterterrorism, it also said that “other targeted users will include those sought by NSA offices such as Int’l Crime & Narcotics, Follow-The-Money and Iran.” A March 8, 2013 NSA memo said agency staff were “hoping to use [MONKEYROCKET] for their mission of looking at organized crime and cyber targets that utilize online e-currency services to move and launder money.” There’s no elaboration on who is considered a “cyber target.”

Documents published with this story:
Pages From OAKSTAR Weekly 2013-03-08
Pages From OAKSTAR Weekly 2013-03-15
Pages From OAKSTAR Weekly 2013-03-22
Pages From OAKSTAR Weekly 2013-03-29
Pages From OAKSTAR Weekly 2013-04-05
Pages From SECOND LOOK SSO20Mar2012 wStormbrewMap
Entry From SSO News
Entries From Sample SSO Accesses
Entry From SSODictionary v1.0
Pages From OAKSTARSiteBook v1.0

Source
11. A new generation of crypto-jacking attacks is making the rounds, significantly improving on the unsophisticated campaigns that have characterized such attacks so far. According to Imperva, the campaigns, one of which the firm dubbed RedisWannaMine, are aimed at both database servers and application servers. And where the first generation of crypto-jacking was limited in complexity and capability (the attacks contained malicious code that downloaded a crypto-miner executable file and ran it with a basic evasion technique or none at all), the new wave of threats is something else altogether. RedisWannaMine demonstrates a worm-like behavior, combined with advanced exploits to increase the attackers’ infection rate.

Crypto-jacking, in which a victim’s computer is infected with a coin-mining malware that surreptitiously steals compute power to mine for cryptocurrencies like Bitcoin and Monero, has spread significantly in the last few months as the value of virtual currencies continues to skyrocket. Imperva researchers have concluded that these attacks now account for roughly 90% of all remote code execution attacks in web applications.

In this case, the attackers are using a two-pronged infection campaign. First, it runs code to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, internal and external, and scanning port 6379, which is the default listening port of Redis. Secondly, it uses a script to scan for the same server message block vulnerability that was used by the NSA to create the infamous EternalBlue exploit – the root vector behind WannaCry. When the script finds a vulnerable server, it launches the infection process for the crypto-miner malware. Between the two prongs, RedisWannaMine is taking aim at the attack surface from both the database and application sides.

“In a nutshell, crypto-jacking attackers have upped their game and they are getting crazier by the minute,” researchers said in an analysis.
Source: https://www.infosecurity-magazine.com/news/rediswannamine-uses-nsa-exploit/
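The scanning stage described in the post above (one host touching many addresses on Redis' default port 6379) leaves a very recognizable footprint in connection logs. The following is an added example written for this page, not code from the original post or from Imperva; it reads constructed sample connection records in an assumed "timestamp src dst dport" format, and flags any source that reaches an unusual number of distinct destinations on port 6379 inside a sliding time window. The format, field names and the thresholds (5 targets in 60 seconds) are assumptions to adapt to real firewall or NetFlow exports.

```python
"""Detect worm-style scanning of Redis (TCP/6379) in connection logs.

Added example, not part of the original post. The log format below is
assumed: one record per line, "ISO-timestamp src dst dport". Thresholds
are assumptions; tune them to the normal fan-out of your own hosts.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts src dst dport")

# Constructed sample data (not real traffic):
#  - 10.0.0.20 is a legitimate app server talking to one Redis instance
#  - 10.0.0.7 sweeps six different hosts on 6379 within a few seconds
#  - 10.0.0.9 touches two hosts on 6379, five minutes apart (slow, benign here)
#  - one malformed line to show that bad input is skipped, not fatal
SAMPLE_LOG = """\
2018-03-10T12:00:00 10.0.0.5 10.0.0.10 443
2018-03-10T12:00:01 10.0.0.20 10.0.0.30 6379
2018-03-10T12:00:02 10.0.0.7 10.0.0.11 6379
2018-03-10T12:00:02 10.0.0.7 10.0.0.12 6379
2018-03-10T12:00:03 10.0.0.7 10.0.0.13 6379
2018-03-10T12:00:03 10.0.0.20 10.0.0.30 6379
2018-03-10T12:00:04 10.0.0.7 10.0.0.14 6379
2018-03-10T12:00:05 10.0.0.7 10.0.0.15 6379
2018-03-10T12:00:05 10.0.0.7 203.0.113.9 6379
2018-03-10T12:00:06 10.0.0.20 10.0.0.30 6379
2018-03-10T12:00:07 10.0.0.9 10.0.0.40 6379
2018-03-10T12:05:00 10.0.0.9 10.0.0.41 6379
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3])
    except ValueError:
        return None
    return Record(ts, parts[1], parts[2], dport)


def find_redis_scanners(lines, port=6379, min_targets=5,
                        window=timedelta(seconds=60)):
    """Return {src: peak distinct destinations} for sources that reached
    at least `min_targets` distinct hosts on `port` within any `window`.

    A legitimate client re-connecting to the same Redis server many times
    counts as one destination, so it is not flagged; a sweep across many
    hosts (the RedisWannaMine discovery stage) is.
    """
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is not None and rec.dport == port:
            by_src[rec.src].append((rec.ts, rec.dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                 # chronological order
        in_window = Counter()         # dst -> hits inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_redis_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible Redis sweep from {src}: {n} distinct hosts on 6379")
```

On the sample data only 10.0.0.7 is reported (six hosts on port 6379 in a few seconds); the app server that hits a single Redis instance repeatedly and the host that touches two instances five minutes apart stay below the threshold. Exposed Redis instances themselves are a separate check: the post's point is that attackers find them by sweeping 6379, so instances reachable from outside should be bound to local interfaces or put behind authentication and a firewall rule.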
12. Your PC might be making some criminal sweet, sweet cash, according to the findings of a cybersecurity firm.

You might remember the chaos caused by the WannaCry cybersecurity crisis last year, where a security exploit developed by the National Security Agency in the US was used to create a devastating ransomware attack on an international scale that affected over 230,000 computers in over 150 countries. Well, out of the fire of that nightmare has come a new exploit called WannaMine, with a completely different goal in mind: to covertly use infected computers and networks to mine cryptocurrency.

Cybersecurity firm Panda Security from Spain discovered WannaMine in October, and according to cybersecurity firm CrowdStrike, it has grown significantly since, potentially infecting tens of thousands of computers. Furthermore, it poses additional risks due to how it gains access to victim computers; it uses a two-pronged approach, using stolen logins to try and break in to a victim's computer via a tool called Mimikatz before resorting to the EternalBlue method of breaking into the victim's computer. According to CrowdStrike, WannaMine can infect a computer in an array of ways, ranging from a user clicking on a malicious link in an email or webpage to a targeted remote access attack by a hacker.

Once the WannaMine script has infected a computer, it uses two normal Windows applications—PowerShell and Windows Management Instrumentation—to do its dirty work. This has disastrous implications as antivirus software on the average user's computer will be unable to detect the malware due to it not leaving any files as a trace.

While it's well noted by mining aficionados that CPU mining has notoriously weak yields and is usually worth little, doing so on the scale of tens of thousands of infected computers and large mainframe networks can be much more profitable; and much more dangerous. Furthermore, WannaMine manages to bypass this obstacle by mining a cryptocurrency called Monero, which is popular with malware miners because it can be generated with consumer hardware like CPUs rather than expensive GPUs.

While this may not have drastic implications for the average consumer aside from a noticeably slower PC, this exploit has proven disastrous for businesses and mainframes. The malware has led to multiple companies' computer and network infrastructure completely shutting down, leading to several days of downtime and lost work. As cryptocurrency malware gets more efficient and harder to detect, it's likely that this will not be the last time we hear about criminals profiting significantly off of the suffering of the average, computer-illiterate user. While WannaMine can be removed on an individual system level, as of today no complete system patch for it exists, leaving millions of systems potentially vulnerable to being turned into nonconsensual mining rigs.

Modmy.com
13. Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.

As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date. In a later story, The Washington Post said the employee had worked at the NSA’s Tailored Access Operations unit for elite hackers before he was fired in 2015. The NSA declined to comment, citing agency policy “never to comment on our affiliates or personnel issues.” Reuters was not able to independently verify the reports.

If confirmed, the hack would mark the latest in a series of breaches of classified data from the secretive intelligence agency, including the 2013 leaks of data on classified U.S. surveillance programs by contractor Edward Snowden. Another contractor, Harold Martin, is awaiting trial on charges that he took classified NSA material home. The Washington Post reported that Martin was not involved in the newly disclosed case.

Republican U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee, said in a statement responding to the Journal report that, if true, the details were alarming. “The NSA needs to get its head out of the sand and solve its contractor problem,” Sasse said. “Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.” Tensions are already high in Washington over U.S. allegations of a surge in hacking of American targets by Russians, including the targeting of state election agencies and the hacking of Democratic Party computers in a bid to sway the outcome of the 2016 presidential election in favor of Republican Donald Trump.

Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage. Kaspersky Lab has strongly denied those allegations. Russian government officials could have used flaws in Kaspersky software to hack into the machine in question, security experts told Reuters. They could also have intercepted traffic from the machine to Kaspersky computers.

Kaspersky said in a statement on Thursday that it found itself caught in the middle of a geopolitical fight. “Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal,” it said. “It is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company.” The Department of Homeland Security on Sept. 13 banned Kaspersky products in federal networks, and the U.S. Senate approved a bill to ban them from use by the federal government, citing concerns the company may be a pawn of the Kremlin and poses a national security risk.

James Lewis, a cyber expert with the Washington-based Center for Strategic and International Studies, said the report of the breach sounded credible, though he did not have firsthand information on what had transpired. “The baffling parts are that he was able to get stuff out of the building and that he was using Kaspersky, despite where he worked,” Lewis said. He said that intelligence agencies have considered Kaspersky products to be a source of risk for years. Democratic Senator Jeanne Shaheen, who led calls in Congress to purge Kaspersky Lab products from government networks, on Thursday called on the Trump administration to declassify information about threats posed by Kaspersky Lab.
“It’s a disservice to the public and our national security to continue withholding this information,” Shaheen said in a statement. https://venturebeat.com/2017/10/05/russian-hackers-reportedly-stole-nsa-data-in-2015-likely-via-kaspersky-software/
14. The move to elevate Cyber Command to a full unified combatant command and split it off from the National Security Agency shows that cyber intelligence collection and information war are rapidly diverging fields. The future leadership of both entities is now in question, but the Pentagon has set out a conditions-based approach to the breakup. That represents a partial victory for the man who directs both Cyber Command and the NSA.

The move would mean that the head of Cyber Command would answer directly to the Defense Secretary and the National Security Agency would get its own head. It’s a move that many have said is long overdue, and its exact timing remains unknown. So what does the split mean for the Pentagon, for Cyber Command, and for the future of U.S. cyber security?

The split will give the commander of Cyber Command central authority over resource allocation, training, operational planning and mission execution. The commander will answer to the Defense Secretary directly, not the head of Strategic Command. “The decision means that Cyber Command will play an even more strategic role in synchronizing cyber forces and training, conducting and coordinating military cyberforce operations and advocating for and prioritizing cyber investments within the department,” said Kenneth Rapuano, assistant defense secretary for Homeland Defense and Global Security.

The Start of a Process

The move announced on Friday fulfills a mandate in the National Defense Authorization Act of 2017. Former Defense Secretary Ash Carter hinted at the split back in May 2016. But it won’t happen immediately. Instead, Defense Secretary James Mattis and Joint Chiefs Chairman Gen. Joe Dunford will nominate a flag officer to take over the new Cyber Command as well as the NSA. That person could be Adm. Michael Rogers, who currently heads both, or someone else. Trump has reportedly asked Mattis to give him the name of a nominee. Speculation has focused on Army Lt. Gen. William Mayville as the nominee to head Cyber Command. Once that new person is nominated and confirmed and once Mattis and Dunford are satisfied that splitting the two entities will not hamper the ability of either Cyber Command or the NSA to conduct their missions independently, only then will Cyber Command and the NSA actually split.

What Does it Mean for Leadership?

Read one way, the announcement means Rogers will lose power. Even were he to become the nominee to the new elevated Cyber Command, he would still wind up losing the NSA eventually. If he were to stay on as head of NSA after the confirmation of a new Cyber Command head, as expected, he would briefly serve under Mayville until the formal split. Read another way, the lack of a concrete timetable for the split, despite such a requirement in the authorization bill, represents a partial win for Rogers.

Rogers took over the NSA and Cyber Command in the spring of 2014. He has been resistant to the idea of a split, telling lawmakers in September that U.S. national security benefitted from the dual-hat arrangement. This view was not shared by then-Director of National Intelligence James Clapper nor then-Defense Secretary Ash Carter. Rogers’ resistance was one of many issues that rubbed them the wrong way. It got so bad that in November, unnamed sources told The Washington Post that Clapper and Carter were urging President Barack Obama to fire Rogers. The truth is a bit more nuanced. Clapper’s goal was “to split the NSA from CYBERCOM. He was not a strong advocate of removal, but was willing to defer to [the Secretary of Defense] if Carter felt strongly about selecting new leadership at Cyber Command,” a source inside the intelligence community said. “There were other concerns unrelated to the potential split.”

Rogers outlasted both Clapper, who had long planned to retire at the end of the Obama administration; and Carter, a political appointee. Rogers’ attitude toward an NSA-Cyber Command split evolved. In May, he testified that he would support a split if it was done in a way that did not hamper either the NSA or Cyber Command. The manner in which the split was announced is in keeping with what Rogers has said he wanted.

The move toward a conditions-based split also met with the approval of Sen. John McCain, R-Ariz., a longtime Rogers ally. “I appreciate the administration’s commitment today to ensuring that a future separation of the so-called ‘dual hat’ relationship between Cyber Command and the National Security Agency will be based on conditions, rather than arbitrary political timelines,” McCain said in a statement. “While Cyber Command and the National Security Agency should eventually be able to operate independent of one another, the administration must work closely with the Congress to take the necessary steps that will make this separation of responsibilities successful, and to ensure that each agency will emerge more effective and more capable as a result.”

What It Means for Cyber Command, the NSA, and Cyber Operations

The elevation of Cyber Command represents a big step forward for the military’s cyber ability, but it has yet to catch up to the NSA in terms of collecting signals intelligence or creating network accesses, according to Bill Leigher, who as a rear admiral helped stand up Navy Fleet Cyber Command. Leigher, who now directs government cyber solutions for Raytheon, applauds the split because the NSA, which collects foreign intelligence, and Cyber Command, a warfighting outfit, have fundamentally different missions. This caused tension between the two organizations under one roof. Information collected for intelligence gathering may be useful in a way that’s fundamentally different from intelligence for military purposes, he says. “If you’re collecting intelligence, it’s foreign espionage. You don’t want to get caught. The measure of success is: ‘collect intelligence and don’t get caught.’ If you’re going to war, I would argue that the measure of performance is ‘what we do has to have the characteristics of a legal weapon in the context of war and the commander has to know what he or she uses it.’”

This puts the agencies in disagreement about how to use intel and tools that they share. “From an NSA perspective, cyber really is about gaining access to networks. From a Cyber Command point of view, I would argue, it’s about every piece of software on the battlefield and having the means to prevent that software from working the way it was intended to work [for the adversary],” he said. The split will allow the agencies to pursue the very different tools, operations, and rules each of their missions requires, he said. Expect NSA to intensify its focus on developing access for intelligence, and Cyber Command to prepare to rapidly deploy massive cyber effects at scale during military operations and shut down the enemy. Both of these will likely leverage next-generation artificial intelligence but in very different ways, said Leigher.

article
Wired article
15. In a message posted online early this morning, the Shadow Brokers — the cyber-espionage group believed to have stolen hacking tools from the NSA — announced new details about their upcoming "monthly dump service."

The group previously teased the new monthly dump service in mid-May, four days after the WannaCry ransomware wreaked havoc across the world using two hacking tools the Shadow Brokers leaked online in mid-April. Trying to capitalize on the hype around NSA hacking tools created by the WannaCry outbreak, this new monthly dump service is yet another attempt from the Shadow Brokers to commercialize and sell their exploits. Previously, the group held a public auction, a crowdfunding campaign, and tried to sell individual exploits, all of which have failed to attract the customers they hoped.

Group claims to have browser and Windows 10 exploits

The group now wants people to pay a monthly fee for a small dump of exploits each month. In mid-May, the Shadow Brokers promised they'd leak the following types of tools and data:

The message the group posted today provides more details about how their monthly dump service would work:

The biggest change in the Shadow Brokers modus operandi is a switch from Bitcoin to Zcash, a cryptocurrency that is more private and almost impossible to track. Earlier this week, the Shadow Brokers started moving the 10.5 Bitcoin (~ $24,000) they gained from their previous operations through a Bitcoin mixing service designed to hide the true recipient behind a wall of micro-transactions. With Zcash, this wouldn't be a problem, since this cryptocurrency hides the sender's address, allowing money to move through the Blockchain without the fear of having it tracked.

There's no evidence the Shadow Brokers have new exploits

Despite announcing the move to a new crypto-currency, the Shadow Brokers immediately blast Zcash, saying the project has connections to the US government and Israeli intelligence. According to some experts, this paranoid and non-sensical attack on Zcash, the lack of demo exploits, and the emptying of the main Bitcoin wallet is a sign that the Shadow Brokers don't have the exploits they claim to have, and they're only attempting a last cash grab.

"I think [...] they don't have much of value to showcase/publish anymore in terms of content," Iliasse Sdiqui, cyber-analyst for the Delma Institute, told Bleeping Computer. The expert believes that moving to Zcash, and then spending half of their announcement criticizing the crypto-currency they just switched to, is a way to divert attention from the fact they haven't released any evidence they are in possession of new exploits. "[The] Shadow Brokers are just shifting focus away from the dump itself," said Sdiqui. "That's why they would blast the currency, just to prolong the text and fill up the blanks."

Group wants $22,000 per month from each subscriber

The price for subscribing to the Shadow Brokers' monthly dump service is 100 Zcash, which is around $22,000 at today's value. That's a pretty high entry fee for a service for which there's no evidence of any palpable content. Last year, when the Shadow Brokers announced their presence to the world, the group released tens of exploits to prove that they truly are in possession of NSA hacking tools. According to the Shadow Brokers themselves, all the tools which they initially announced have now been released. What the group is now selling has never been advertised or mentioned until mid-May.

Source
16. Shadow Brokers, the group that has been releasing alleged NSA hacking tools, may now be exposing the identities of NSA employees. In the metadata of some of the leaked files are names; at least one of the people named has worked for the NSA. In 2014, the US named and indicted five Chinese hackers and more recently brought charges against two Russian Federal Security Service officers. These actions may have motivated Shadow Brokers to expose the identities of NSA cyber agents.

SANS Editor Note: [Jake Williams] As one of the subjects of the article (yes, I'm that Jake Williams), I'm not thrilled with the US Government's response to this threat so far. I wrote in 2014 that the indictment of Chinese hackers would have consequences for US Government network exploitation operators, and I stand by that today. While no foreign government has taken action yet, I am convinced the Shadow Brokers have much more left to leak. There's a cautionary tale here to anyone considering working in offensive cyber operations.

Source
Wall Street Journal Podcast - Modern Cyber Warfare: Where Spies Become Targets Too
17. Cyber-security firm enSilo has released a patch for Windows XP and Windows Server 2003 that will protect against attacks via ESTEEMAUDIT, a hacking tool dumped online by the Shadow Brokers last month and allegedly developed by the NSA.

At the technical level, ESTEEMAUDIT is a zero-day in the RDP protocol used by Windows to open desktop sessions on remote computers. An analysis of this exploit reveals its usability for breaking into computers with open RDP ports, or for moving laterally inside a network that features PCs with open RDP connections.

Microsoft didn't patch against ESTEEMAUDIT attacks

enSilo researchers developed a patch for ESTEEMAUDIT because Microsoft has not provided security updates to protect against this zero-day. This is because ESTEEMAUDIT only works on Windows XP and Windows 2003, two operating systems that Microsoft stopped supporting in 2014 and 2015, respectively.

A day after the Shadow Brokers dumped a collection of NSA hacking tools on April 14, Microsoft announced that its engineers had secretly patched Windows against most exploits a month earlier, in March. ESTEEMAUDIT is one of the exploits that didn't receive a patch, along with ENGLISHMANSDENTIST and EXPLODINGCAN.

Does Microsoft have an ESTEEMAUDIT patch lying around?

After the WannaCry ransomware outbreak, Microsoft did something uncharacteristic and issued an update for Windows XP, Windows 8, and Windows Server 2003, all unsupported versions of its OS. This out-of-band security update patched the older OS versions against the ETERNALBLUE exploit, used by the WannaCry ransomware.

Later it was discovered that Microsoft had created the ETERNALBLUE patch in February, but didn't release it, for unknown reasons. Furthermore, the Washington Post found out that the NSA had reached out to Microsoft earlier in the year to tell the company about the stolen exploits and their capabilities.

This is the reason why Microsoft had released patches since March, a month before the actual Shadow Brokers dump. If Microsoft has a patch for the ESTEEMAUDIT exploit stockpiled on one of its servers, we'll never know. In the meantime, XP and Windows Server 2003 users can utilize enSilo's patch to protect against attacks with ESTEEMAUDIT.

enSilo hotpatch available for download

The security company says the patch — which can be downloaded from here — works on Windows XP SP3 x86, Windows XP SP3 x64, and Windows Server 2003 R2.

The patch is direly needed. Despite the advanced age of both operating systems, both are still very popular. For example, Windows XP remains the third most popular OS on the market today, accounting for 7% of all operating systems in use today. Similarly, Windows Server 2003 is currently used by 18% of all organizations today, accounting for more than 600,000 web-facing computers, which host upwards of 175 million websites.

Besides applying the enSilo patch, users can disable RDP as an alternative method of protecting their systems.

Source
18. WannaCry - close to 400 samples found in the wild

WannaCry is one of the worst pieces of malware out there, mostly because it mixes a ransomware element with a worm component that helped it spread like wildfire. So far, close to 400 malware samples have been discovered in the wild.

Security researchers from Trustlook have announced that, by their count, 386 WannaCry malware samples have been recorded to date. Despite there being just a little over a week since WannaCry hit the news, infecting some 300,000 devices in 150 countries, hackers seem to have flexed their muscles quite a bit.

As you know, WannaCry uses two NSA hacking tools disclosed after hacker group Shadow Brokers dumped classified documents online. EternalBlue is a tool that takes advantage of a Windows vulnerability, while DoublePulsar helps it spread through networks. The Windows vulnerability has since been patched and users are advised to update their systems if they haven't done so already, as well as to install a security solution on their devices.

It is believed that the original WannaCry infections didn't stem from someone carelessly falling for a phishing email scheme, but rather from the attackers scanning for open ports.

As mentioned above, Microsoft has released a patch and created one even for Windows XP, which had been discontinued and was no longer receiving security updates. It was believed that many of those infected were actually using XP, but later data shows that the truth was quite far from that and that most of the devices that fell prey to WannaCry were running Windows 7.

The long list of consequences

The NSA dump has quite a lot of consequences and they're only going to become more apparent. WannaCry was just the start, complete with its 386 samples. A new worm was discovered by researchers, called EternalRocks, which uses seven NSA hacking tools, compared to two used by WannaCry.

Thus far, EternalRocks has not been weaponized with any type of malware, trojan and so on, but this can be done at any time.

Source
19. The NSA used the vulnerability in attacks for 5 years

The WannaCry ransomware outburst is living proof that systems across the world need to be running the latest patches and supported operating system versions, but while Microsoft rolled out updates to block the exploit before the mass infection started, new information reveals some behind-the-scenes details.

A report from the Washington Post reveals that the NSA itself reported the vulnerability to Microsoft after discovering that a group of hackers managed to steal it from its systems.

The National Security Agency was hit by a cyberattack launched by Shadow Brokers last year, and the hackers managed to steal several exploits that the agency itself was using to break into Windows computers. Since most of these exploits were based on unpatched vulnerabilities in Windows, leaking them online could have led to large-scale attacks, so in order to prevent this, the NSA itself reported the bugs to Microsoft to have them patched.

The agency, however, did this for its own good, as it was afraid that hackers might use the exploits against computers used by officials in the United States, including those belonging to the Department of Defense.

NSA used the flaw for 5 years

After being tipped off about the vulnerability, Microsoft developed a patch in mid-February and published it for supported Windows systems in March, with unsupported Windows versions getting the fix only if they were covered by a custom support license. After the massive ransomware infection started this month, Microsoft decided to release this patch for all users, including those running Windows XP.

More worrying is that the NSA actually used the same vulnerability to hack into Windows systems for no less than 5 years before reporting it to Microsoft. And there’s a good chance that the flaw would have remained completely secret if the hackers hadn’t broken into NSA systems.

This is one of the reasons Microsoft criticized the NSA and government departments for not reporting security flaws to vendors, emphasizing that systems worldwide are made vulnerable just because they’re keeping major vulnerabilities for their own hacking programs.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action,” Microsoft said.

Source
20. The NSA used the EternalBlue hacking tool for more than five years before disclosing its existence to Microsoft. With EternalBlue, the NSA was able to gather great quantities of foreign intelligence; an NSA employee speaking on the condition of anonymity said that using the tool "was like fishing with dynamite." The NSA decided to notify Microsoft only after learning that EternalBlue had been stolen. Microsoft could have prevented WannaCry.

Article
Article
21. Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

The worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

EternalRocks uses seven NSA tools

The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.

Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.

Origin of the EternalRocks name

The WannaCry ransomware outbreak, which affected over 240,000 victims, also used an SMB worm to infect computers and spread to new victims. Unlike EternalRocks, WannaCry's SMB worm used only ETERNALBLUE for the initial compromise, and DOUBLEPULSAR to propagate to new machines.

EternalRocks is more complex but less dangerous

As a worm, EternalRocks is far less dangerous than WannaCry's worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it's actually the opposite.

For starters, EternalRocks is far sneakier than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.

During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain on the Dark Web. Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.

No kill switch domain

Additionally, EternalRocks also uses files with identical names to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it. But unlike WannaCry, EternalRocks does not include a kill switch domain, the Achilles' heel that security researchers used to stop the WannaCry outbreak.

After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second-stage malware component in the form of an archive named shadowbrokers.zip. The name of this file is pretty self-explanatory, as it contains NSA SMB-centric exploits leaked by the Shadow Brokers group in April 2017. The worm then starts a rapid IP scanning process and attempts to connect to random IP addresses.

[Image: The configuration files for NSA tools found in the shadowbrokers.zip archive]

EternalRocks could be weaponized in an instant

Because of its broader exploit arsenal, the lack of a kill switch domain, and because of its initial dormancy, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author ever decides to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.

At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat. This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks.

Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm's author has not taken any measures to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs.

IOCs and more info on the worm's infection process are available in a GitHub repo Stampar set up a few days ago.

An SMB free-for-all

Currently, there are multiple actors scanning for computers running older and unpatched versions of the SMB services. System administrators have already taken notice and started patching vulnerable PCs or disabling the old SMBv1 protocol, slowly reducing the number of vulnerable machines that EternalRocks can infect.

Furthermore, malware such as Adylkuzz also shuts down SMB ports, preventing further exploitation by other threats, also contributing to reducing the number of potential targets for EternalRocks and other SMB-hunting malware. Reports from Forcepoint, Cyphort, and Secdo detail other threats currently targeting computers with SMB ports.

Nonetheless, the faster system administrators patch their systems, the better.

"The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer in a private conversation. "Once infected, he can weaponize any time he wants, no matter the late patch."

Article source
22. [Image: WannaCry ransom dialog on infected computers]

Microsoft rolled out the first Windows XP update after three years in an attempt to protect customers from getting infected with WannaCry, and now the company says governments should treat vulnerabilities in a different way because civilians are the very first ones affected every time such an accident happens.

Thousands of computers across the world have been infected since Friday with a new ransomware called WannaCry, which locks down PCs and asks for a $300 ransom to restore access to files. The infection is based on a vulnerability that was stolen from the NSA earlier this year and which was published online by hacking group Shadow Brokers. The affected organizations include state departments in several large countries, as well as health institutions like the British NHS.

Microsoft said on Friday that systems running fully up-to-date versions of supported Windows were protected, and decided to also release an update for computers with older Windows versions, like XP and Server 2003, to block the ransomware.

In a statement today, Brad Smith, President and Chief Legal Officer at Microsoft, confirms that the exploit was patched on March 14 for Windows users, and that attacks are based on the NSA vulnerability that got leaked accidentally.

Update, update, update

Smith emphasizes that it’s critical for customers worldwide to update their systems to remain protected, explaining that while some organizations need time for testing, Microsoft is also spending more time to certify updates before shipping them.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past,” Smith explained.

Eventually, Smith also calls for governments to treat these issues seriously, pointing out that agencies should no longer create a “stockpile of vulnerabilities,” but instead report them to the vendor.

“This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” he said.

One possible solution to prevent these cases in the future is to adopt the Digital Geneva Convention, which would make it a requirement for governments to report vulnerabilities to vendors, “rather than stockpile, sell, or exploit them.”

Source
23. Kaspersky is being reviewed by NSA

Kaspersky Lab is stuck in the middle of a rather nasty fight between Washington and Moscow as the Russian-based anti-virus provider is being investigated by the US intelligence agencies.

Following news that US officials were more and more concerned about how Russian spies could use Kaspersky's software to spy on Americans and sabotage US systems, the National Security Agency has revealed that it is reviewing the government's use of the company's products.

Mike Rogers, NSA Director, told a Senate committee that he was personally involved in monitoring the Kaspersky issue, but refrained from elaborating, most likely due to the sensitive nature of the situation. Defense Intelligence Agency Director Vincent Stewart also confirmed the investigation, saying they are tracking Kaspersky and their software.

Kaspersky's defense

Kaspersky issued a statement earlier this week saying the allegations are false.

"The company has a 20 year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations," the statement reads.

The company points out that the reports are unlikely given how engaging in such an act would ruin a multi-million dollar business that took decades to build. Furthermore, Kaspersky notes that users have full control over telemetry sharing, with participation being voluntary.

Kaspersky also points out that over the past ten years, they've discovered and publicly reported on multiple Russian-speaking cyber espionage campaigns, despite the connection the company has with the country.

Eugene Kaspersky, the company's founder and CEO, also addressed the issue during an AMA session on Reddit. He said he would be happy to testify before the Senate to clear up any concerns regarding the products his company makes.

"I respectfully disagree with their opinion, and I'm very sorry these gentlemen can't use the best software on the market because of political reasons," Kaspersky said.

Source
24. [Image: Geographical spread of computers infected with DOUBLEPULSAR]

DOUBLEPULSAR, one of the NSA hacking tools leaked last Friday by the Shadow Brokers, has been used in the wild by ordinary hackers, who infected over 36,000 computers across the world.

The Shadow Brokers leak from last Friday contained a trove of Windows hacking tools. Among these, there was FUZZBUNCH, a platform for delivering exploits against a selected target, similar to the Metasploit framework used by security researchers and pen-testers around the world.

The Shadow Brokers also leaked over 20 exploit packages that could be used together with FUZZBUNCH. These exploits attack a Windows computer through vulnerable services and open a connection that the NSA/hackers could exploit to plant malware on targeted computers.

A large number of the leaked NSA Windows exploits are designed to take advantage of vulnerabilities in the SMB (Server Message Block) protocol, which provides file sharing capabilities between Windows computers.

Meet DOUBLEPULSAR, the NSA's homegrown malware downloader

Included in the Shadow Brokers dump from last week were also "implants," the technical term used for malware planted on targeted computers. One of those implants is DOUBLEPULSAR, which is a "RING-0 multi-version kernel mode payload," according to security expert Matthew Hickey, or in simpler terms a "malware downloader" used as an intermediary for downloading more potent malware executables on infected hosts.

Earlier this week, trying to assess the number of users vulnerable to the malware leaked last Friday, cyber-security firm Below0Day performed an Internet-wide scan for Windows computers with open SMB ports (port 445). Their scan returned 5,561,708 Windows computers with port 445 exposed to external connections.

[Image: Scan results for computers with exposed SMB ports]

If the owners of these 5.5 million computers haven't installed the patches Microsoft made available for the SMB flaws exploited by the NSA tools, they are vulnerable to exploits such as ETERNALBLUE, ETERNALCHAMPION, ETERNALSYNERGY, ETERNALROMANCE, EMERALDTHREAD, or EDUCATEDSCHOLAR.

Over 36K computers already infected

The next step for Below0Day researchers was to take the 5.5 million IP addresses they previously identified and scan them with a tool released on Monday, capable of identifying computers infected with DOUBLEPULSAR based on SMB connection responses.

[Image: List of PCs infected with DOUBLEPULSAR]

When the results came in, researchers discovered 30,625 computers that provided an SMB reply consistent with a DOUBLEPULSAR infection.

According to threat intelligence company SenseCy, this shouldn't be a surprise, as hackers started discussing how to deploy the leaked NSA Windows hacking tools as soon as they appeared. What was a surprise was the large number of computers already infected with the NSA's former malware.

Because it takes a malware developer roughly a few hours to download the Shadow Brokers dump, scan the Internet, and run FUZZBUNCH to deliver some exploits, this is only the beginning and experts expect more unpatched computers to fall victim to DOUBLEPULSAR.

Below is a map with the countries most affected by DOUBLEPULSAR infections.

[Image: Countries most affected by DOUBLEPULSAR infections]

Source
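Added example (not code from Bleeping Computer, Below0Day, or the detection tool the article mentions, and not part of the original post): a small Python classifier for captured SMBv1 Trans2 SESSION_SETUP replies, the kind of "SMB connection response" the article says the scanner used to tell DOUBLEPULSAR-infected hosts from clean ones. It assumes the publicly documented fingerprint, namely that an infected host answers with Multiplex ID 0x51 where a clean host echoes the 0x41 the probe sent; the header layout follows the SMB1/CIFS specification. It parses responses that have already been collected (from a probe tool or a packet capture) and sends no traffic itself. The sample replies and the 192.0.2.x addresses are constructed test data. The same check applies to item 21's point that the implant keeps running, unprotected, on EternalRocks-infected machines.

```python
import struct
from typing import Dict, Iterable, List, Tuple

# SMB1 (CIFS) wire-format constants, per the MS-CIFS header layout.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002

# Assumption (not from the article): the publicly documented DOUBLEPULSAR
# fingerprint. A clean SMBv1 host echoes the Multiplex ID (0x41) carried by
# the Trans2 SESSION_SETUP probe; a host running the implant replies with
# Multiplex ID 0x51 instead.
PROBE_MID = 0x41
DOUBLEPULSAR_MID = 0x51


def parse_smb1_header(packet: bytes) -> Dict[str, int]:
    """Parse the 4-byte NetBIOS session header plus the 32-byte SMB1 header.

    Only the fields needed for triage are returned. Short, truncated or
    non-SMB1 input raises ValueError so callers can count it as unparseable.
    """
    if len(packet) < 36:
        raise ValueError("too short for NetBIOS + SMB1 header")
    if packet[0] != 0x00:  # NetBIOS 'session message' type
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + nb_len]
    if len(smb) < 32 or smb[:4] != SMB_MAGIC:
        raise ValueError("missing or truncated SMB1 header")
    command = smb[4]
    (status,) = struct.unpack("<I", smb[5:9])
    flags = smb[9]
    (flags2,) = struct.unpack("<H", smb[10:12])
    # Offsets 12..23 hold PIDHigh, SecurityFeatures and Reserved; unused here.
    tid, pid_low, uid, mid = struct.unpack("<HHHH", smb[24:32])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid_low, "uid": uid, "mid": mid}


def classify_trans2_response(packet: bytes) -> str:
    """Label one captured reply to a Trans2 SESSION_SETUP probe.

    Verdicts: 'doublepulsar-suspected', 'clean', 'unknown' (Trans2 reply with
    an unexpected Multiplex ID), 'not-trans2', or 'unparseable'.
    """
    try:
        hdr = parse_smb1_header(packet)
    except ValueError:
        return "unparseable"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar-suspected"
    if hdr["mid"] == PROBE_MID:
        return "clean"
    return "unknown"


def triage_scan(responses: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group host addresses by verdict so an IR team can work the
    'doublepulsar-suspected' list (isolate, image, rebuild) first."""
    buckets: Dict[str, List[str]] = {}
    for host, packet in responses:
        buckets.setdefault(classify_trans2_response(packet), []).append(host)
    return buckets


def build_sample_reply(mid: int, status: int = STATUS_NOT_IMPLEMENTED,
                       command: int = SMB_COM_TRANSACTION2) -> bytes:
    """Build a minimal SMB1 reply. Constructed test data, not a real capture."""
    smb = (
        SMB_MAGIC
        + bytes([command])
        + struct.pack("<I", status)
        + bytes([0x98])                    # Flags: reply bit set
        + struct.pack("<H", 0xC807)        # Flags2 typical of a Windows reply
        + b"\x00" * 12                     # PIDHigh, SecurityFeatures, Reserved
        + struct.pack("<HHHH", 0x0000, 0xFEFF, 0x0000, mid)  # TID, PIDLow, UID, MID
        + b"\x00"                          # WordCount = 0
        + b"\x00\x00"                      # ByteCount = 0
    )
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample scan output; 192.0.2.0/24 is a documentation range.
SAMPLE_RESPONSES = [
    ("192.0.2.10", build_sample_reply(PROBE_MID)),                # clean SMBv1 host
    ("192.0.2.11", build_sample_reply(DOUBLEPULSAR_MID)),         # implant fingerprint
    ("192.0.2.12", build_sample_reply(PROBE_MID, command=0x73)),  # Session Setup AndX, not Trans2
    ("192.0.2.13", b"\x00\x00\x00\x05hello"),                     # non-SMB banner
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage_scan(SAMPLE_RESPONSES).items()):
        print(f"{verdict:>24}: {', '.join(hosts)}")
```

Feed `triage_scan` pairs of (address, raw reply bytes) from whatever collected the probes; hosts landing in the suspected bucket should be treated as compromised and rebuilt rather than merely patched, since the article notes the implant survives as a backdoor on machines that were later patched for the SMB flaws.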