Privileged user management trips up NSA – TechTarget

A recently declassified report revealed the U.S. National Security Agency failed to fully secure its systems since the Edward Snowden leaks in 2013.

The report detailed the findings of the Department of Defense inspector general's 2016 assessment of the NSA's security efforts around privileged user management. The heavily redacted report was declassified after Charlie Savage, a Washington correspondent for The New York Times, filed a Freedom of Information Act lawsuit. The assessment looked at how the NSA handles privileged access management, and, according to the report, the NSA was found wanting.

After Edward Snowden leaked over a million files in 2013, the NSA began an initiative, dubbed Secure the Net (STN), with seven privileged user management goals. The inspector general's assessment found that the NSA met only four out of the seven goals: developing and documenting a plan for a new system administration model; assessing the number of system administrators across the enterprise; implementing two-factor access controls over data centers and machine rooms; and implementing two-factor authentication controls for system administration.

According to the report, dated Aug. 29, 2016, not all of the four privileged user management initiatives were fully met. "[The] NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms in accordance with the initiative requirements and policies, and did not extend two-stage authentication controls to all high-risk users," the report read.

Additionally, the assessment found that three of the seven STN initiatives for strong privileged user management were not accomplished. The NSA was supposed to "fully implement technology to oversee privileged user activities; effectively reduce the number of privileged access users; and effectively reduce the number of authorized data transfer agents."

There were 40 STN initiatives in total, though the assessment focused on the seven related to privileged access management. The conclusion reached in the assessment was, while the NSA was successful in part, it "did not fully address all the specifics of the recommendations."


Posted in NSA

The NSA is now sharing a bunch of code on GitHub – FedScoop

The notoriously secretive National Security Agency has decided to dip a careful toe into the open source software world by launching an official GitHub page.

The page, which appeared recently, lists 32 NSA-developed technologies that the agency is making available via Open Source Software (some are still coming soon). These range from projects like goSecure, a portable Virtual Private Network solution, to Unfetter, a technology that provides a mechanism for network defenders, security professionals, and decision makers to quantitatively measure the effectiveness of their security posture, and beyond.

Much of the technology listed, though, is quite old. For example, one code repository included is for Security Enhanced Linux (SELinux), an access control mechanism that has been part of the Linux kernel since version 2.6.0, released in 2003. Another repository containing security enhancements for Android has been a part of Android's operating system since version 4.3, which dates back to 2013.

The new GitHub presence is part of the NSA's Technology Transfer Program, the mechanism by which the military spy agency licenses patented technology for development in the private sector space. The NSA's presence on GitHub will allow the developer community to use and contribute to the posted code. It's a win-win, the agency says: "The public benefits by adopting, enhancing, adapting, or commercializing the software," the site declares. "The government benefits from the open source community's enhancements to the technology."

The NSA has become more amenable to a presence on the social web in recent years. The agency launched a Twitter account in 2013, at a time when it was working to repair its public image in the wake of the Edward Snowden leaks. Some see the GitHub page as an extension of this attempt to build public goodwill.

The NSA is far from the only federal agency on GitHub; the San Francisco-based company lists 134 federal government accounts and 11 U.S. military and intelligence accounts.


Obama Ordered The NSA To Prepare For A ‘Retaliatory Cyber-Strike’ Against Russia Before Leaving Office – UPROXX

There may one day be a ticking time bomb buried deep in Russia's digital infrastructure. Only a few people at the height of security clearance and confidentiality know where, or when, the cyber weapon could be deployed. It was one of President Obama's final acts, inking authorization for the NSA, CIA and U.S. Cyber Command to develop implants that could give Russia a taste of their own medicine after they were found to have interfered in the U.S. election. However, it's not known whether President Trump will ever take action, as Obama left the ultimate decision for him to make.

A new report from the Washington Post details the Obama administration's struggle to effectively warn the U.S. public of Russian hackers lurking about in the voting systems of many states, not to mention the Wikileaks dump and DNC hack. Afraid it would look like he was leaping to Clinton's defense, Obama tried to walk a fine line between stopping Russian efforts to hack the election, retaliating for what had already been done, and communicating to the American people that Trump's claims the election was rigged were true, just not quite how the Republican candidate meant it.

Limited by partisan politics, afraid of jumping ahead while the government spooks finished their research, and above all concerned about making the situation worse by coming on too strong or too soon, Obama might have appeared hamstrung. But behind the scenes he was crafting a strong response to Russian infringement on U.S. sovereignty. Obama had something up his sleeve that the public couldn't know about yet: a major cyber espionage project that would let Russia know the United States could reach as deep into Moscow as the Kremlin had into Washington.

"We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized," Obama said in a December, 2016 statement released by the White House.

While the CIA, NSA, and U.S. Cyber Command got started on Obama's cyber weapon, operations started to let Moscow know the United States was watching. Like the submarines that occasionally surfaced off enemy shores during the Cold War as a reminder of proximity and reach, or like Russia's recent penchant for buzzing U.S. ships and diplomats' cars with various aircraft, the U.S. implanted code that was deep enough to be taken seriously, but relatively easy to find.

If it's ever deployed, the cyber weapon would target networks important to the adversary and that would cause them pain and discomfort if they were disrupted, according to one anonymous official. It's a long term project that by all accounts required Obama's signature to get started, but now only needs the spooks to keep running the ball down the field. Unless President Trump calls a time out or countermands the project (which is possible, although sources say that Trump hasn't done so yet), it's only a question of how long it will take to reach the Russian end zone.

(Via Washington Post)


NSA ‘DoubleStar’ Backdoor Blamed for Cryptocurrency Mining Malware – CoinDesk

A type of cryptocurrency mining malware has spread due to an exploit developed by the US National Security Agency, cybersecurity researchers say.

According to Dr.Web, a Russian anti-virus vendor, the NSA's "DoublePulsar" backdoor, which was leaked earlier this year by a group called the Shadow Brokers, allows the entry of a Trojan program that installs software to secretly mine the privacy-oriented digital currency monero.

In a 15th June blog post, Dr.Web laid out the nuts and bolts of the malware, noting:

"This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed Trojan.BtcMine.1259. Trojan.DownLoader24.64313 downloads the miner to a computer. This loader Trojan is distributed via the backdoor DoublePulsar."

It's not immediately clear how many machines have been infected with the malware due to the NSA exploit, and a representative for the company wasn't immediately available to comment when reached.

Wired reported in April that tens of thousands of machines were impacted following the exploit's release.

DoublePulsar has also been identified as a factor in the recent "WannaCry" ransomware attacks, which impacted hundreds of thousands of computers across the globe.


Cryptocurrency Miner Digging Into PCs Based On NSA Exploit – Security Intelligence (blog)

It's been a tough year for the National Security Agency (NSA), and hacking group Shadow Brokers is responsible for much of the trouble. Over the past few months, they've leaked more than a few implants, the NSA term for malware code developed by the agency.

Recently, the agency's DOUBLEPULSAR tool was used to help spread the massive malware attack WannaCry. Bleeping Computer noted that it's now on the hunt again, this time digging in with a Monero cryptocurrency miner on PCs running unsecured Server Message Block (SMB) devices.

According to the International Business Times, the new malware strain goes by the unassuming name Trojan.BtcMine.1259. First detected by Russian antivirus firm Dr. Web, the attack targets computers running unsecured SMB protocols and downloads a malware loader onto the machine. It then scans for minimal kernel threads. If PCs have enough resource room to spare, the download grabs the cryptocurrency miner and goes to work.

Based on current infection data, according to the International Business Times, researchers believe the new malware strain leverages DOUBLEPULSAR to gain access, parts of the Ghost RAT library to communicate with its command-and-control (C&C) server and other malware variants to carry out its attack. Once compromised, victim PCs mine Monero currency in the background and send the proceeds back to cybercriminals.

Why Monero? As Live Bitcoin News explained, this cryptocurrency is among the fastest-growing in the digital money market. It presents an ideal opportunity for fraudsters looking to avoid the scrutiny that comes with more traditional bitcoin transactions.

Updating to the latest Windows version should protect corporate devices from this newest attack. While DOUBLEPULSAR infections peaked at 100,000 in early April, the number fell to just 16,000 this month thanks to the MS17-010 patch, Bleeping Computer reported.

DOUBLEPULSAR isn't the first NSA tool leaked by the Shadow Brokers. In April, the group also released the EternalBlue exploit, which was used to carry out surveillance activities, according to ZDNet. It was subsequently adopted by fraudsters to attack targets in Singapore using the Ghost RAT Trojan and other parts of South Asia using Backdoor.Nitol.

This exploit also leveraged SMB vulnerabilities and is rendered useless by proper Windows patching. Since many PCs aren't regularly updated or run older versions of the OS no longer covered by Windows support, however, CyberScoop argued that the tool will be used for years to come by both sophisticated cybercriminals and amateurs.

As Bob Wandell, former information assurance chief of the U.S. Department of Defense (DoD), explained to CyberScoop, "The payloads that can be loaded onto EternalBlue are boundless and uniformly malicious."

Even government-built malware isn't safe from theft and compromise. Exploits such as EternalBlue give cybercriminals long-term access options, while backdoors such as DOUBLEPULSAR provide ways for attackers to jump on the newest malware bandwagon: background cryptocurrency mining.

Fraudsters will take what they can get. They'll innovate if needed, but they prefer to leverage tools from other sources that can quickly compromise thousands of machines.

It's another case study for regular security updates and continual monitoring of network services. Supposed IT safety only lasts until attackers discover how to break down the door, steal the key or dig a tunnel.


NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed – Threatpost

NEW YORK – The dynamics of a cyberattack often include speed, automation and adaptive tradecraft. Mounting an effective defense, however, isn't always fast enough. To help even the score, a group led by the National Security Agency called OpenC2.org is developing an open, standardized computer language for the command and control of computer defenses.

"The attackers are attacking at the speed of light, and the defenders are defending at the speed of lawyers. We have to change that," said Duncan Sparrell, OpenC2.org member and consultant with SFractal Consulting.

Speaking at the Borderless Cyber conference today, Sparrell said attackers have the upper hand as security experts, vendors and businesses struggle to coordinate and streamline fast defenses.

OpenC2.org is advocating automated command and control. "It is the single biggest thing missing in the industry today," he said.

OpenC2 is a language that enables the coordination and execution of command and control of defense components between domains and within a domain. OpenC2.org is the organization promoting the idea. The group has 88 members, representing 50 companies and government agencies including Bank of America, Cisco and Zepko, a UK-based managed security provider.

While two open standards, STIX and TAXII, already exist, Sparrell points out that with those, the focus is on identifying threats, and not on taking action.

"STIX and TAXII complement what we are doing," he said. Industry coordination on identifying threats is the easy part. Sparrell said, in an industry dominated by vendors selling defensive solutions, an open-platform that automates actions is harder to achieve than across-the-board industry buy-ins.

Sparrell explains OpenC2 allows companies to move at machine speed. It complements vendor solutions. This is a limited language that only conveys an action that is part of a vendor cybersecurity process. It's about which action to take, based on what the event trigger is.

"The goal is working with the cybersecurity industry to standardize interfaces and protocols that enable interoperability of different tools," he said.

Despite the fact that OpenC2 is still under development, it has a few flagship users such as Zepko and Phantom Cyber. Sparrell said OpenC2 helped Phantom Cyber save $1 million on stopping phishing attacks.

"Yes, it's being deployed, yes, it's being adopted, but no, it's not fully standardized and it's still in development," he said.

This month OpenC2.org took an important step toward becoming an industry standard and is now under the umbrella of the Organization for the Advancement of Structured Information Standards, or OASIS, a nonprofit international consortium that develops open IT standards. OASIS is hosting this week's Borderless Cyber conference.


Report: DNI, NSA chief told Mueller that Trump asked them to say publicly that there was no collusion with Russia – Hot Air

CNN's claiming Democratic and Republican sources for this, but even if it's gospel truth, I can't imagine it'll do Trump any (further) damage on Russiagate. WaPo first reported a few weeks ago that he asked DNI Dan Coats and NSA chief Mike Rogers to intervene with Comey to try to get the FBI to back off its Russia investigation. The idea that the president might have tried to enlist one part of the intelligence community to slow down a federal probe being conducted by another part is a serious charge.

But CNN doesn't repeat that charge. They claim that Coats and Rogers told Bob Mueller and the Senate Intel Committee behind closed doors (after their famous public testimony) that Trump asked them only to speak up publicly and affirm that there's no evidence that he personally colluded with Russia. If you strain hard, you can try to stretch that into some sort of obstruction ploy (Comey had refused to clear Trump publicly, after all, because the FBI investigation was still ongoing), but no average voter is going to fault Trump for feeling exasperated that his deputies wouldn't lift the cloud of suspicion over him if they had reason to believe he's been falsely accused. If they thought that he had colluded and then he asked them to lie and say that he hadn't, obviously that would be a different matter. But if all he was asking was for them to tell the exculpatory truth (and if it really was a request, not a direct order), then what's the red-letter scandal in his interactions with Coats and Rogers?

Coats and Rogers also met individually last week with the Senate intelligence committee in two closed briefings that were described to CNN by Democratic and Republican congressional sources. One source said that Trump wanted them to say publicly what then-FBI Director James Comey had told the President privately: that he was not under investigation for collusion. However, sources said that neither Coats nor Rogers raised concerns that Trump was pushing them to do something they did not want to do. They did not act on the President's alleged suggestion

One congressional source expressed frustration that Coats and Rogers didn't answer the questions in public, especially since what they ended up expressing in private was that they did not feel that the President pressured either of them to do anything improper.

Rogers' interaction with the President is also documented in a memo written by his deputy at the NSA, Richard Ledgett.

Coats and Rogers each found Trump's request "odd and uncomfortable," in CNN's words, but evidently neither believed he crossed a line. And there's no claim here that he ordered or even asked them to lean on Comey on his behalf. He wanted them to clear his name after having been told repeatedly by Comey that he wasn't personally a target of the FBI investigation. That may not have been proper protocol but everyone can sympathize with the impulse.

By the way, tomorrow's the deadline for the White House to turn over any Oval Office recordings of Trump and Comey. If Trump ignores it, what's the House Intel Committee's next move?

[E]ven with a subpoena, the panel stands little chance of actually compelling Trump to turn over anything he doesn't voluntarily want to produce, according to legal experts, setting lawmakers up for a high-stakes choice: Let it go, and look like they are giving the president a pass; or pursue the subpoena, and risk exposing the legislative branch's weakness in the midst of a historic probe of the president

There are exemptions for federal officials claiming executive privilege on behalf of the president and no figure in the White House is closer to the president than the president himself. Congress can try to circumvent that hurdle by passing what is known as a contempt resolution ordering the matter to a court but against a Republican president, that is a tall order in a GOP-led Congress.

The best-case scenario for the Committee is that they somehow get Paul Ryan to go along with a contempt resolution and the court battle over whether executive privilege entitles Trump to withhold any recordings drags on for years. That is to say, this is less a matter of squeezing evidence out of Trump than it is a test of Republican loyalty to the president. Will they challenge him by issuing a subpoena, knowing that if they win in court, the audio could further damage Trump's presidency and their own electoral chances, or will they roll over by refusing to issue a subpoena, leaving potential evidence of obstruction untouched? There's going to be a court fight over the tapes between Mueller and the White House eventually, I assume. Maybe that'll be the House GOP's out: If Mueller's going to take this on, why do we have to get in the middle of it?

The likeliest outcome here, actually, will be the White House declaring tomorrow that there are no tapes of Trump and Comey. Newt Gingrich hinted to the AP in an interview that he thinks Trump's tweet about Oval Office tapes was a bluff, designed to rattle a political enemy much as Trump's foray into Birtherism was designed to rattle Obama. We'll see.


Honda shuts down factory after finding NSA-derived Wcry in its networks – Ars Technica

The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports.

Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that the WCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch that Microsoft released in March.

In May, it was hard to excuse so many companies not yet applying a two-month-old patch to critical systems that were vulnerable to advanced NSA exploit code put into the public domain. The failure is even harder to forgive five weeks later, now that WCry's wake of destruction has come into full view.


NSA failed to implement security measures, says damning report – Naked Security

After reading through the 61 pages of redacted content of the August 2016 DOD Inspector General's report on the National Security Agency's (NSA) implementation of the Secure-the-Net initiative, acquired by The New York Times via a Freedom of Information Act (FOIA) request, the only image one can conjure up is that of the Katzenjammer Kids running amok.

The NSA data protection (or lack thereof) was thrust into the spotlight when Edward Snowden, then a contractor in Hawaii, purloined 1.5m documents. How Snowden carried out his massive data collection is interesting, as he used his natural access and then conned his colleagues into giving up their internal access credentials in his role as the system admin. In the months that followed there was no shortage of opinions on how the NSA could or should tighten up its ship.

The Secure-the-Net (STN) initiative was launched post-Snowden, which included 40 specific recommendations focused on insider threats to NSA systems, data, and infrastructure. Seven of those recommendations were designed to secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access.

The seven STN initiatives were:

The Department of Defense (DOD) report reviewed the NSA's progress on tightening up its ship with respect to the seven STN recommendations. The audit was conducted at four facilities between January and July of 2016.

The DOD report takes the NSA to the woodshed. Not because the NSA didn't attempt to implement, but rather, because they did a half-ass job in the implementation.

The report's scorching verbiage surrounds this partial implementation of the recommendations: for example, the

NSA did not effectively implement the three privileged access related STN initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

For example, with respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. It is well documented how Snowden bypassed the then-present privileged access controls and conned his colleagues into giving him their credentials, which he then went on to use to expand his access.

A 2FA requirement would have required the owner of the credentials to have been participatory in Snowden's use of their credentials. NSA implementation as described in the report shows how they opted to leave open the very window that Snowden climbed through to harvest the data he stole.

Furthermore, the report goes on to chastise the NSA for not having a clue about how many individuals had privileged access in 2014, nor in 2016, and nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldn't find out exactly how many people had privileged access.

While focus has largely been on the trusted insider gone bad, Edward Snowden, the Shadow Brokers' acquisition of the NSA's Office of Tailored Access Operations (TAO) collection tools clearly indicates a need for the NSA to keep its focus on locking down its own house.

How the TAO compromise occurred remains a mystery. It could have been an insider (contractor or staff) or it might have been a result of the contractor alleged to have built the exposed tools, the Equation Group, having themselves been hacked. Coincidentally, the inspector general report was published the week after the Shadow Brokers offered the TAO tools for auction. An active August 2016 indeed.

But what of the NSA contractor Harold Martin, another NSA insider? Martin, who worked for Booz Allen Hamilton, was found to have hoarded up to 50 terabytes of NSA information. The indictment on Martin was sealed until October 2016, but he was arrested on 27 August 2016, yes, two days prior to the arrival of the inspector general's report. August 2016 was truly a busy month in the world of espionage and counterespionage.

Is it hard to catch an insider? Yes, it is. If the individual does not exceed their natural access, process and procedures, they will be difficult to detect, and while it is safe to say that 100% is not achievable, there are steps which can be taken to secure the environment to bring the risk as close to zero as possible. This was the intent of the STN.

Has there been any good to come out of the STN? Absolutely, the National Industrial Security Program of the United States, marshaled by the Defense Security Service, has brought into play their mandatory insider threat program at all cleared facilities and contractors. These programs became mandatory on June 1 2017.

One might recall the recent arrest of NSA contractor, Reality Winner, also a contractor from Booz Allen Hamilton, who took a highly classified document assessing and discussing the Russian military intelligence entity's (the GRU) hand in meddling in the US election. Winner, using her privileged access, printed out the report, and then mailed it to a media outlet. Once the NSA saw the document, they quickly determined who had had access, who had printed the document and then who had had contact with a media outlet.

What they apparently weren't able to do was to determine how and why Winner had privileged access to information about which she had no need to know.

One could argue this rapid-fire capability used to identify Winner would not have been present without the STN initiatives. On the other hand, one might surmise the privileged access portion of NSA's STN program continues to need tweaking.


Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt – NPR

The Florida elections vendor that was targeted in Russian cyberattacks last year has denied a recent report based on a leaked National Security Agency document that the company's computer system was compromised.

The hackers tried to break into employee email accounts last August but were unsuccessful, said Ben Martin, the chief operating officer of VR Systems, in an interview with NPR. Martin said the hackers appeared to be trying to steal employee credentials in order to launch a spear-phishing campaign aimed at the company's customers.

VR Systems, based in Tallahassee, Fla., provides voter registration software and hardware to elections offices in eight states.

"Some emails came into our email account that we did not open. Even though NSA says it's likely that we opened them, we did not," Martin says. "We know for a fact they were never opened. They did not get into our domain."

Instead, Martin said, the company isolated the suspicious emails and alerted law enforcement authorities, who it was already working with because of two attempts to break into state voter registration databases earlier last summer.

The NSA document said that at least one of the company's email accounts was "likely" compromised based on information uncovered later in the spear-phishing campaign. That attack took place days before the November election and involved fake emails sent to as many as 122 local election officials in an apparent effort to trick them into opening attachments containing malicious software.

"They tried to pretend to be us to leverage our relationship with our customers," said Martin.

But Martin noted that while the NSA says the emails were made to look as if they came from VR Systems, they were sent from a phony email address, vr.elections@gmail.com. He said his company does not use Gmail and never sends its customers documents in the form of email attachments. He added that no elections vendor would send customers software updates once voting had begun, which in this case it had.

"That's why I believe most of our customers knew immediately that this was bogus," said Martin. The company was alerted to the fake emails by one of its customers, and Martin said it immediately warned its other customers. So far, there is no evidence that any of the recipients opened the attachments or had their systems infected with the malicious software.

Still, cybersecurity experts say the attempted attacks are a clear sign of Russian interest in interfering with U.S. elections, either by manipulating votes or causing chaos at the polls. Some have warned that vendors might be exploited to gain access to local or state voting systems.

In this case, the NSA report concluded that the purpose of the malicious software was "to establish persistent access or survey the victim for items of interest to the threat actors." While last year's attacks appeared to only involve voter registration systems, some experts say such systems can be used as a gateway to actual voting machines.

The Senate and House intelligence committees will explore Russia's efforts to interfere in U.S. elections last year and how to prevent future attacks at two hearings on Wednesday. Former Secretary of Homeland Security Jeh Johnson will appear before the House committee. The Senate panel will hear from current U.S. intelligence officials and state election experts.

Read the original:

Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt - NPR

Posted in NSA

The NSA Has Done Little to Prevent the Next Edward Snowden … – Motherboard

When Edward Snowden walked out of the NSA in 2013 with thumb drives full of its most secret files, the agency didn't have a reliable list of people, like Snowden, who had privileged access to its networks. Nor did it have a reliable list of those who were authorized to use removable media to transfer data to or from an NSA system.

That's one of the alarming revelations in a Department of Defense Inspector General report from last year. The report, which was ordered by Congress, reviewed whether the NSA had completed some of the most important initiatives it has started in response to the Snowden leak to make its data more secure. The New York Times obtained the DOD IG report via FOIA.

The most shocking detail in the report is that even at the new National Security Agency data center in Utah, "NSA did not consistently secure server racks and other sensitive equipment" in data centers and machine rooms. At the Utah Data Center and two other facilities, the report stated, "we observed unlocked server racks and sensitive equipment." The finding that the NSA wasn't locking down all its server racks was first disclosed and reported in a House Intelligence Committee Report on Edward Snowden's leaks released in December.

But the more fundamental problem revealed in the report is that the NSA has done little to limit the number of people who have access to what is supposed to be the most protected hardware the NSA has.

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).


But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

NSA headquarters in Maryland. Image: MJB/Flickr

The government's apparent lack of curiosity, at least in this report, about which of these was the case is fairly alarming, because it is a critically important question in assessing why NSA continues to have serious data breaches. For example, it would be important to know if Hal Martin, the Booz Allen Hamilton contractor accused of stealing terabytes of NSA data in both hard copy and digital form, showed up on these lists or if he simply downloaded data for decades without authorization to do so.

Even given the real concern that Russia or someone else might have reason to want to make the names of PRIVACs and DTAs inaccessible at precisely the time the NSA reviewed the Snowden breach, the NSA's subsequent action does provide support for the likelihood the agency itself was hiding how widespread PRIVAC and DTA access was. For both categories, DOD's Inspector General found NSA did not succeed in limiting the number of people who might, in the future, walk away with classified documents and software.

With PRIVACs, the NSA simply "arbitrarily" removed privileged access from some number of users, then had them reapply for privileged access over the next 3 months. The NSA couldn't provide DOD's IG with "the number of privileged users before and after the purge or the actual number of users purged." After that partial purge, though, NSA had "a continued and consistent increase in the number of privileged users."

As with PRIVACs, the NSA "could not provide supporting documentation for the total number of DTAs before and after the purge" and so was working from an "unsubstantiated" estimate. After the Snowden leak, the NSA purged all DTAs and made them reapply, which they did in 2014. The NSA pointed to the new number of DTAs and declared it a reduction from its original "unsupported" estimate. When asked how it justified its claim that it had reduced the number of people who could use thumb drives with NSA's networks when it didn't know how many such people it had to begin with, the NSA explained, "although the initiat[iv]e focused on reducing the number of DTA, the actions taken by NSA were not designed to reduce the number of DTAs; rather they were taken to overhaul the DTA process to identify and vet all DTAs." The IG Report notes that the NSA "continued to consistently increase the number of DTAs throughout the next 12 months."

When, in 2008, someone introduced a worm into DOD's networks via a thumb drive, it decreed that it would no longer use removable media. Then, after Chelsea Manning exfiltrated a bunch of documents on a Lady Gaga CD, the government again renewed its commitment to limiting the use of removable media. This report reveals that only in the wake of the Snowden leaks did the NSA get around to developing a vetted list of those who could use thumb drives in NSA's networks. Yet as recently as last year, Reality Winner (who, as an Air Force translator, was presumably not a privileged access user at all) stuck some kind of removable media into a Top Secret computer, yet the government claims not to know what she downloaded or whether she downloaded anything at all (it's unclear whether that Air Force computer came within NSA's review).

When contacted with specific questions about its inability to track privileged users, the NSA pointed to its official statement on the DOD IG Report. "The National Security Agency operates in one of the most complicated IT environments in the world. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock." The Office of Director of National Intelligence did not immediately respond with comment to my questions.

Yet this issue pertains not just to the recent spate of enormous data breaches, which led last month to the worldwide WannaCry ransomware attack using NSA's stolen tools. It also pertains to the privacy of whatever data on Americans the NSA might have in its repositories. If, three years after Snowden, the NSA still hasn't succeeded in limiting the number of people with the technical capability to do what he did, how can NSA ensure it keeps Americans' data safe?

Excerpt from:

The NSA Has Done Little to Prevent the Next Edward Snowden ... - Motherboard


ICYMI: Former NSA Contractor Sues James Comey, Alleges Cover Up Of Spy Activities On Over 20 Million Americans – Townhall

Circa News has been covering the alleged abuses of the intelligence community against Americans. They noted how changes made under the Obama administration to the unmasking protocol for intercepts collected by the National Security Agency, supposedly to better catch terrorists prepping for lone wolf attacks, could open Americans up to political espionage. Then, they wrote about how the FBI may have illegally shared spy data on Americans with unauthorized parties who did not have clearance to view such information. The Foreign Intelligence Surveillance Court (FISA) wrote a ten-page ruling listing hundreds of privacy violations committed by the FBI when gathering information during the tenure of then-FBI Director James Comey. Now, a former NSA contractor has filed a lawsuit against James Comey, alleging a cover-up of the illegal methods that are being used to monitor Americans and violate their constitutional privacy rights. Once again, John Solomon and Sara Carter were on the case.

The contractor, Dennis Montgomery, reportedly took multiple hard drives containing 600 million classified documents to prove how the intelligence community is violating Americans' privacy. He was granted immunity, but the FBI never followed through. The FBI has documentation of them taking possession of the hard drives. Montgomery alleges that over 20 million Americans' identities were illegally unmasked:

A former U.S. intelligence contractor tells Circa he walked away with more than 600 million classified documents on 47 hard drives from the National Security Agency and the CIA, a haul potentially larger than Edward Snowden's now infamous breach.

And now he is suing former FBI Director James Comey and other government figures, alleging the bureau has covered up evidence he provided them showing widespread spying on Americans that violated civil liberties.

The suit, filed late Monday night [June 12] by Dennis Montgomery, was assigned to the same federal judge who has already ruled that some of the NSA's collection of data on Americans violates the U.S. Constitution's Fourth Amendment, setting up an intriguing legal proceeding in the nation's capital this summer.

Montgomery says the evidence he gave to the FBI chronicles the warrantless collection of phone, financial and personal data and the unmasking of identities in spy data about millions of Americans. "This domestic surveillance was all being done on computers supplied by the FBI," Montgomery told Circa in an interview. "So these supercomputers, which are FBI computers, the CIA is using them to do domestic surveillance."

[...]

Montgomery alleges that more than 20 million American identities were illegally unmasked - credit reports, emails, phone conversations and Internet traffic, were some of the items the NSA and CIA collected.

He said he returned the hard drives to the FBI, a fact confirmed in government documents reviewed by Circa.

As Congress wallows in Russian collusion hysteria, maybe they should also put these under the microscope since a) it's more grounded in reality; and b) there appears to be an actual paper trail.

Link:

ICYMI: Former NSA Contractor Sues James Comey, Alleges Cover Up Of Spy Activities On Over 20 Million Americans - Townhall


Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks – Techdirt

It appears the NSA hasn't learned much since Ed Snowden left with several thousands of its super-secret documents. Agency officials were quick to claim the leaks would cause untold amounts of damage, but behind the scenes, not much was being done to make sure it didn't happen again.

A Defense Department Inspector General's report obtained via FOIA lawsuit by the New York Times shows the NSA fell short of several security goals in the post-Snowden cleanup. For an agency that was so concerned about being irreparably breached, the NSA still seems primed for more leakage. Charlie Savage reports:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of privileged users, who have greater power to access the N.S.A.'s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

Let's not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation. It's repeatedly asked for more power and a better seat in the CyberWar room. But it doesn't even take its OWN security seriously. The NSA told its oversight it was engaging in 40 "Secure the Net" initiatives, directly after the first Snowden leak. Two years later, it told Congress it had completed 34 of 40 STN initiatives. The term "completion" apparently has multiple definitions, depending on who's using the word. The IG sampled only seven of the initiatives and found four were mostly done and three were nowhere near completed. Extrapolating from the sampling, it's safe to assume the NSA's internal security efforts are only slightly more than half-baked.

The three the NSA failed to implement are of crucial importance, especially if it's looking to keep its in-house documents safe at home. From the report [PDF]:

NSA officials did not effectively implement three PRIVAC [Privileged Access]-related STN initiatives:

- fully implement technology to oversee privileged user activities;

- effectively reduce the number of privileged users; and

- effectively reduce the number of authorized DTAs [Data Transfer Agents].

First off, the NSA -- prior to the Snowden leaks -- had no idea how many users had privileged access. Post-Snowden, things hardly improved. Considering the tech capabilities of the agency, it's incredibly amusing to see how the NSA "tracked" privileged users.

NSA officials stated they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

Pretty much useless, considering this number the NSA couldn't verify (thanks to its missing spreadsheet) was supposed to be used to establish a baseline for the planned reduction in privileged users. Despite missing this key data, the NSA moved ahead, "arbitrarily revoking access" and asking users to reapply for privileged status. It then reported a reduction by citing the number of users it denied restoration of access privileges. It did not factor in any new users it granted privileged access to or tally up the number of accounts it never bothered to revoke.

As the fully-redacted chart presumably points out (according to the text above it), the NSA had a "continued and consistent increase in the number of privileged users once the [redacted] enrollment process began."

The NSA also claimed it had reduced the number of DTAs. And again, the NSA had no receipts.

Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged.

The NSA's objectively-terrible internal controls (again) ensured no number could be verified.

NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach.

The NSA handled these missing numbers the same way it had privileged users: it made up a new baseline, arbitrarily decided it could show a downtrend in DTAs, and delivered this as "proof" of another completed security initiative.

The report points out repeatedly the NSA's failure to provide documentation backing its STN claims -- either from before the initiatives took force or after they supposedly had been completed. The IG's comments note the NSA's response to the report ignored its detailed description of multiple failures in order to spin this as a "win" for the agency.

Although the Director, Technology Directorate NSA/CSS Chief Information Officer, agreed, he did not address all the specifics of the recommendation. Therefore, we request that the director provide additional comments on the final report that identify specific actions NSA will take.

Here's how the NSA portrayed the report's findings:

While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a "good news" story.

Sure, if you consider a half-done job securing NSA assets to be "good news," rather than just an ongoing series of security holes left halfway unplugged while agency officials testify before Congressional oversight in front of a "MISSION ACCOMPLISHED" banner backdrop.

Follow this link:

Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks - Techdirt


NSA Scholarship Foundation names 2017 recipients – Accounting Today

The National Society of Accountants and their Scholarship Foundation announced this week that 30 students have been awarded this year's annual scholarships, receiving $37,950 in all.

This year's scholarships ranged from $500 - $3,000. Undergrad and graduate students were chosen based on their notable academics, leadership, activities on and off campus, career goals, and individual financial need.

"These students are the best and brightest candidates working to earn accounting degrees," stated NSA Scholarship Foundation president Sharon Cook. "We are pleased to support them and look forward to having them join the accounting profession."

The NSA's Scholarship Foundation has now provided over $1 million to students pursuing an accounting career since its inception in 1969.

Below are the 2017 scholarship winners, listed alongside their current universities, NSA Affiliated Organization or scholarship, and scholarship value:

For more information on the NSA's Scholarship Foundation, head to the organization's site here.

Sean McCabe is a senior editor with Accounting Today.

Visit link:

NSA Scholarship Foundation names 2017 recipients - Accounting Today


The NSA (yes, that NSA) has a Github account now – The Next Web – TNW

The National Security Agency is amongst the most secretive of the US intelligence agencies. It employs genius-level coders and mathematicians in order to break codes, gather information on adversaries, and defend the country against digital threats.

Unsurprisingly, the NSA has always preferred to work in the dark. But ever since the Snowden leaks in 2013, the organization has gradually increased its public presence. A few years ago, it opened a Twitter account (in fact, it was the first profile Edward Snowden followed when he joined in 2015).

And now, it's opened a Github account, and has shared several interesting code repositories under the NSA Technology Transfer Program (TTP). So far, it lists 32 different projects, although some of these are "coming soon." Many aren't new, either, and have been available for some time. SELinux (Security-Enhanced Linux), for example, has been part of the Linux kernel for years.

I'm not surprised the NSA's taken this move. For starters, there's a long and proud tradition of technologies making their way from defense and intelligence environments to the general public. The internet is a brilliant example of that. And engaging with techies via Github is a great way to sanitize its image, and potentially recruit talent.

You can check out the NSA's page here.


Read the original:

The NSA (yes, that NSA) has a Github account now - The Next Web - TNW


Watchdog: NSA needs to boost insider-threat protocols – FCW.com


The National Security Agency is still not fully implementing all necessary security protocols to minimize the potential of another Edward Snowden-like data breach, according to a newly declassified 2016 Pentagon watchdog report.

In the wake of the Snowden breach, the NSA outlined 40 privileged-access Secure-the-Net initiatives designed to guard against insider threats by tightening controls over data and monitoring of user access.

The Defense Department's Office of the Inspector General audited seven of the STN protocols and found that the NSA implemented or partially implemented four of the audit sample. Those related to developing a new system administration model, assessing the number of systems administrators, implementing two-stage authentication controls and deploying two-person access controls.

According to the heavily redacted report, the NSA culled the number of systems administrators and implemented a tiered system to take away privileged access from those who do not require it.

The report states the NSA only partially implemented two-stage authentication and two-person access controls and did not consistently secure server racks and other sensitive equipment in data centers and machine rooms.

The three audit initiatives where the NSA missed the mark were in reducing the number of privileged users and data transfer agents as well as fully implementing technology to oversee privileged-user activities.

"NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness," states the audit. "As a result, NSA's actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data."

The report states that prior to 2013, the NSA did not know how many privileged users and data transfer agents it had, and that throughout 2014 the number of DTAs actually increased.

The report acknowledges that it is not possible to protect against all insider threats, but stresses that NSA must at least implement all of its own stated protocols.

"Although the NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective in mitigating vulnerabilities exploited during the security breach," the report states.

The NSA's woes did not end with the Snowden breach. In August 2016, a cryptic group or individual going by the name TheShadowBrokers announced it had acquired a trove of NSA hacking tools and has since been leaking some of the data in an attempt to seduce buyers to pay for the remaining stash.

It is still not clear whether the so-called ShadowBrokers obtained the data through an insider.

The DOD OIG report made three recommendations -- all of which were fully redacted -- and according to the document, the NSA agreed with the recommendations.

The NSA responded to questions about the audit from FCW with an email statement.

"The National Security Agency operates in one of the most complicated IT environments in the world," the NSA stated. "Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock."

According to the statement, the NSA has undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the Intelligence Community.

"NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls," the statement concluded.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

Link:

Watchdog: NSA needs to boost insider-threat protocols - FCW.com


Secure the Net initiative found to be an overall failure for NSA – Federal Times

A declassified report from the Defense Department Inspector General has been released, according to the New York Times.

The 60-page report commissioned by Congress assesses 7 of the 40 components that the National Security Agency outlined for their Secure the Net initiative. This initiative was put forth to help improve the security of sensitive systems after the Snowden disclosures in 2013.

The NSA, according to the inspector general's report, had some successes, but the overall initiative "did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data."

According to the Times, the report details how their efforts fell short, including the failure to reduce the number of privileged users who can access sensitive computer systems; their failure to consistently keep data center machine rooms secure, as well as failing to lock the server racks containing highly classified data; and the failure to fully implement software that would monitor users.

The report also noted the agency's failure to declare an exact number of people with abilities to transfer data. The lists containing this information were kept on spreadsheets that were corrupted and are no longer available.

The inspector general's report noted that NSA CIO Gregory Smithberger told the inspector general that the elimination of all insider risks and threats is not feasible. He told the Times, "While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a 'good news' story."

The importance of securing classified information, as the report warns, was underscored the same month the inspector general's report was produced, according to the Times. In August 2016, a group called the Shadow Brokers obtained and auctioned off classified hacking tools allegedly from the NSA, some of which were dumped online. Those tools were later seen as part of the global WannaCry ransomware attack.

"We welcome the observations and opportunities for improvement offered by the U.S. Defense Department's Inspector General," Vanee Vines, spokesperson for the NSA, told the Times. "NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls."

Original post:

Secure the Net initiative found to be an overall failure for NSA - Federal Times


NSA’s GitHub Account Has 32 Open Source Projects For People – Fossbytes

The American security agency NSA was very secretive in its operations in the past. But with time, and unwanted revelations coming to the surface, the agency started to open up more in front of the common population.

NSA already started their Twitter handle after Snowden's revelation and now they're all set to make their footprint in the open source community. Their GitHub site now contains 32 open source projects, written by the NSA developers, distributed across two accounts. Some of them are "coming soon" repositories.

However, the NSA's account isn't brand new. It first appeared in 2015, when the agency open sourced a tool called SIMP (System Integrity Management Platform).

These projects have been shared as a part of the NSA Technology Transfer Program (TTP) which acts as a bridge between patented NSA-developed tech and industry, academic institutions, and other research bodies.

The NSA opening up their treasure will help the general public in many ways. In fact, for many of the technologies we are currently using, be it the internet, GPS or your Rayban, various defense bodies have been a wellspring.

Check out NSA's new Github site using this link.

See original here:

NSA's GitHub Account Has 32 Open Source Projects For People - Fossbytes


Secretary of state expresses ‘serious concern’ with NSA after hacking document leaked – Eureka Times Standard

After a leaked National Security Agency document alleged Russian operatives attempted to hack into a Florida voter polling software company used by Humboldt County in the 2016 presidential election, California Secretary of State Alex Padilla sent a letter to the federal agency Thursday questioning why the state was not notified earlier.

"As the chief elections officer in the most populous state in the nation, I am seriously concerned about the NSA's failure to provide timely and critical information to America's elections officials," Padilla wrote to NSA Director Admiral Michael Rogers. "... We must be prepared and remain vigilant. Proper preparation requires clear and consistent collaboration among federal, state, and local officials. The NSA cannot afford to sit on critical information that could be used to defend against cyber-attacks."

The five-page classified National Security Agency memo from May that was leaked to the news website The Intercept stated Russia's military intelligence unit, the GRU, hacked into the Florida-based voting software company, VR Systems, in August 2016. VR Systems provided voter polling software to Hart InterCivic, which the Humboldt County Elections Office contracted with to provide voter e-polling software.

County officials said that there is no evidence that the hacking attempts were successful or that Humboldt County was a target, and that the e-polling software is not involved in vote counting.

Humboldt County is the only county in the state that contracted through VR Systems, according to the Governor's Office of Emergency Services.

The Office of Emergency Services and Secretary of State's Office offered aid to the county last week to bolster its cyber-security systems, but County Clerk, Recorder and Registrar of Voters Kelly Sanders and Information Technology Division Director Jim Storm said they are confident in the protections already in place.

"Yes, [the Secretary of State] did some preliminary checks looking at known email addresses," Storm said to the Times-Standard last week. "There was no evidence that we were hacked or anything like that."

Will Houston can be reached at 707-441-0504.


Continued here:

Secretary of state expresses 'serious concern' with NSA after hacking document leaked - Eureka Times Standard


Post-Snowden Efforts to Secure NSA Data Fell Short, Report Says – New York Times


The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016. The report was ...

Read the original post:

Post-Snowden Efforts to Secure NSA Data Fell Short, Report Says - New York Times
