Daily Archives: May 11, 2017

NSA Director Adm. Mike Rogers cast a dash of doubt Tuesday on the intelligence community's conclusion that Russia-tied hackers sought to help Donald Trump in the 2016 election, explaining for the first time in public testimony why his agency had only "moderate confidence" in that judgment.

Testifying before a Senate Armed Services Committee hearing, Rogers affirmed he and the NSA were highly confident the Russians sought to hurt Hillary Clinton in the election. But Sen. Tom Cotton, R-Ark., asked Rogers who also heads U.S. Cyber Command -- why the NSA differed on the related conclusion about Trump in the Jan. 6 intelligence report on alleged Russian interference in the election.

That conclusion stated that the Russian government aspired to help President-elect Trumps election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.

The FBI and CIA backed that with high confidence, but the NSA only held that judgment with moderate confidence.

Cotton noted that fellow Sen. Elizabeth Warren, D-Mass., during the hearing called Trump Russias preferred candidate and asked Rogers to explain the discrepancy.

I wouldnt call it a discrepancy, Id call it an honest difference of opinion between three different organizations and in the end I made that call, Rogers said.

He added that when he looked at the data, for each of the other judgments there were multiple sources and he could exclude every other alternative rationale. But for this particular conclusion, it didnt have the same level of sourcing and the same level of multiple sources, he said.

He noted that he still agreed with the judgment, but he wasnt at the same confidence level as CIA Director John Brennan and FBI Director James Comey.

Probed further by Sen. Tim Kaine, D-Va. -- who was Clintons running mate Rogers clarified that while he was highly confident the Russians wanted to prevent Clinton from winning, and to undercut her effectiveness if she did win, he was only moderately confident the Russians actively wanted Trump to win.

The FBI, CIA and NSA were all in complete agreement about the Clinton-related conclusion in the report, which stated: Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russias goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.

Earlier at Monday's hearing, Rogers also testified that there has been no reduction in Russian efforts to affect the outcome of other countries' elections, and warned about the dangers of state and non-state actors moving from data "extraction" to data "manipulation."

Chairman John McCain, R-Ariz., asked Rogers if he had seen a reduction in Russian efforts to meddle in elections and pointed toward alleged interference in Sundays French presidential race.

No I have not, Rogers said, adding that U.S. needs to publicly out Russian behavior.

They need to know we will publicly identify this behavior, he said.

Emmanuel Macron, the eventual winner of the French election, was hit by a hack Friday which revealed a number of his campaign team's emails. It was not clear who was behind the hack, but it was reminiscent of hacks that hit the 2016 U.S. election that exposed Democratic National Committee staff emails, and the private emails of Clinton campaign Chairman John Podesta. Both the Clinton campaign and the Obama administration have blamed Russia for those hacks.

Rogers was also asked by lawmakers to lay out his worst-case scenario for future cyber attacks. Rogers said he was concerned about outright destructive activity on critical infrastructure as well as cyberattacks moving from the obtaining and revealing data to data manipulation on a massive scale.

Such as changing voter rolls? asked McCain.

Yes, said Rogers. Thats a very different kind of challenge for us.

He also warned about a possible situation in which, as the effectiveness of cyberattacks becomes clearer, non-state actors decide cyber is an attractive weapon with which to destroy the status quo.

During further questioning, Rogers said the National Security Agency became aware of Russian attempts to interfere with political institutions in the summer of 2015.

He said that when he came aware of Russian actions, he informed the FBI, and also in his role as head of the U.S. Cyber Command, informed the Pentagon to make sure its systems were optimized in order to be able to withstand such an attack.

Adam Shaw is a Politics Reporter and occasional Opinion writer for FoxNews.com. He can be reached here or on Twitter: @AdamShawNY.

See more here:
NSA chief explains 'discrepancy' over claim that Russia ...

In computer security and cryptography, _NSAKEY was a variable name discovered in Windows NT 4 Service Pack 5 (which had been released unstripped of its symbolic debugging data) in August 1999 by Andrew D. Fernandes of Cryptonym Corporation. That variable contained a 1024-bit public key.

Microsoft's operating systems require all cryptography suites that work with its operating systems to have a digital signature. Since only Microsoft-approved cryptography suites can be installed or used as a component of Windows, it is possible to keep export copies of this operating system (and products with Windows installed) in compliance with the Export Administration Regulations (EAR), which are enforced by the US Department of Commerce Bureau of Industry and Security (BIS).

It was already known that Microsoft used two keys, a primary and a spare, either of which can create valid signatures. Microsoft had failed to remove the debugging symbols in ADVAPI32.DLL, a security and encryption driver, when it released Service Pack 5 for Windows NT 4.0, and Andrew Fernandes, chief scientist with Cryptonym, found the primary key stored in the variable _KEY and the second key was labeled _NSAKEY.[1] Fernandes published his discovery, touching off a flurry of speculation and conspiracy theories, including the possibility that the second key was owned by the United States National Security Agency (the NSA) and allowed the intelligence agency to subvert any Windows user's security.[2]

During a presentation at the Computers, Freedom and Privacy 2000 (CFP2000) conference, Duncan Campbell, senior research fellow at the Electronic Privacy Information Center (EPIC), mentioned the _NSAKEY controversy as an example of an outstanding issue related to security and surveillance.[citation needed]

In addition, Dr. Nicko van Someren found a third key in Windows 2000, which he doubted had a legitimate purpose, and declared that "It looks more fishy".[3]

Microsoft denied the speculations on _NSAKEY. "This report is inaccurate and unfounded. The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party."[4] Microsoft said that the key's symbol was "_NSAKEY" because the NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws.[5]

Richard Purcell, Microsofts Director of Corporate Privacy, approached Campbell after his presentation and expressed a wish to clear up the confusion and doubts about _NSAKEY. Immediately after the conference, Scott Culp, of the Microsoft Security Response Center, contacted Campbell and offered to answer his questions. Their correspondence began cordially but soon became strained; Campbell apparently felt Culp was being evasive and Culp apparently felt that Campbell was hostilely repeating questions that he had already answered. On 28 April 2000, Culp stated that "we have definitely reached the end of this discussion ... [which] is rapidly spiraling into the realm of conspiracy theory"[6] and Campbell's further inquiries went unanswered.

As for the third key, Microsoft claimed it was only in beta builds of Windows 2000 and that its purpose was for signing Cryptographic Service Providers.[5]

Some in the software industry question whether the BXA's EAR has specific requirements for backup keys.[citation needed] However, none claim the legal or technical expertise necessary to authoritatively discuss that document. The following theories have been presented.

Microsoft stated that the second key is present as a backup to guard against the possibility of losing the primary secret key. Fernandes doubts this explanation, pointing out that the generally accepted way to guard against loss of a secret key is secret splitting, which would divide the key into several different parts, which would then be distributed throughout senior management.[7] He stated that this would be far more robust than using two keys; if the second key is also lost, Microsoft would need to patch or upgrade every copy of Windows in the world, as well as every cryptographic module it had ever signed.

On the other hand, if Microsoft failed to think about the consequences of key loss and created a first key without using secret splitting (and did so in secure hardware which doesn't allow protection to be weakened after key generation), and the NSA pointed out this problem as part of the review process, it might explain why Microsoft weakened their scheme with a second key and why the new one was called _NSAKEY. (The second key might be backed up using secret splitting, so losing both keys needn't be a problem.)

A second possibility is that Microsoft included a second key to be able to sign cryptographic modules outside the United States, while still complying with the BXA's EAR. If cryptographic modules were to be signed in multiple locations, using multiple keys is a reasonable approach. However, no cryptographic module has ever been found to be signed by _NSAKEY, and Microsoft denies that any other certification authority exists.

Microsoft denied that the NSA has access to the _NSAKEY secret key.[8]

It was possible to remove the second _NSAKEY using the following (note this was for Windows software in 1999).

There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows. A demonstration program that replaces the NSA key can be found on Cryptonym's website.[1]

In September 1999, Legion2000 reverse-engineered both the primary key and the _NSAKEY into PGP-compatible format and published them to the key servers.[9]

Continue reading here:
_NSAKEY - Wikipedia

In mid-December 2009, engineers at Googles headquarters in Mountain View, California, began to suspect that hackers in Chinahad obtained access to private Gmail accounts, including those used by Chinese human rights activists opposed to the government in Beijing.

Like a lot of large, well-known Internet companies, Google and its users were frequently targeted by cyber spies and criminals. But when the engineers looked more closely, they discovered that this was no ordinary hacking campaign.

In what Google would later describe as a highly sophisticated and targeted attack on our corporate infrastructure originating from China, the thieves were able to get access to the password system that allowed Googles users to sign in to many Google applications at once. This was some of the companys most important intellectual property, considered among the crown jewels of its source code by its engineers. Google wanted concrete evidence of the break-in that it could share with U.S. law enforcement and intelligence authorities. So they traced the intrusion back to what they believed was its source a server in Taiwan where data was sent after it was siphoned off Googles systems, and that was presumably under the control of hackers in mainland China.

Google broke in to the server, says a former senior intelligence official whos familiar with the companys response. The decision wasnt without legal risk, according to the official. Was this a case of hacking back? Just as theres no law against a homeowner following a robber back to where he lives, Google didnt violate any laws by tracing the source of the intrusion into its systems. Its still unclear how the companys investigators gained access to the server, but once inside, if they had removed or deleted data, that would cross a legal line. But Google didnt destroy what it found. In fact, the company did something unexpected and unprecedented it shared the information.

Google uncovered evidence of one of the most extensive and far-reaching campaigns of cyber espionage in U.S. history. Evidence suggested that Chinese hackers had penetrated the systems of nearly three dozen other companies, including technology mainstays such as Symantec, Yahoo, and Adobe, the defense contractor Northrop Grumman, and the equipment maker Juniper Networks. The breadth of the campaign made it hard to discern a single motive. Was this industrial espionage? Spying on human rights activists? Was China trying to gain espionage footholds in key sectors of the U.S. economy or, worse, implant malware in equipment used to regulate critical infrastructure?

The only things Google seemed certain of was that the campaign was massive and persistent, and that China was behind it. And not just individual hackers, but the Chinese government, which had the means and the motive to launch such a broad assault.

Google shared what it found with the other targeted companies, as well as U.S. law enforcement and intelligence agencies. For the past four years, corporate executives had been quietly pressing government officials to go public with information about Chinese spying, to shame the country into stopping its campaign. But for President Obama or Secretary of State Hillary Clinton to give a speech pointing the finger at China, they needed indisputable evidence that attributed the attacks to sources in China. And looking at what Google had provided it, government analysts were not sure they had it. American officials decided the relationship between the two economic superpowers was too fragile and the risk of conflict too high to go public with what Google knew.

Google disagreed.

Deputy Secretary of State James Steinberg was at a cocktail party in Washington when an aide delivered an urgent message: Google was going to issue a public statement about the Chinese spying campaign. Steinberg, the second-highest-ranking official in U.S. foreign policy, immediately grasped the significance of the companys decision. Up to that moment, American corporations had been unwilling to publicly accuse the Chinese of spying on their networks or stealing their intellectual property. The companies feared losing the confidence of investors and customers, inviting other hackers to target their obviously weak defenses, and igniting the fury of Chinese government officials, who could easily revoke access to one of the biggest and fastest-growing markets for U.S. goods and services. For any company to come out against China would be momentous. But for Google, the most influential company of the Internet age, it was historic.

The next day, January 12, 2010, Googles chief legal officer, David Drummond, posted a lengthy statement to the companys blog, accusing hackers in China of attacking Googles infrastructure and criticizing the government for censoring Internet content and suppressing human rights activists. We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech, said Drummond.

Back at the State Department, officials saw a rare opportunity to put pressure on China for spying. That night Hillary Clinton issued her own statement. We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation, she said. The ability to operate with confidence in cyberspace is critical in a modern society and economy.

As diplomatic maneuvers go, this was pivotal. Google had just given the Obama administration an opening to accuse China of espionage without having to make the case itself. Officials could simply point to what Google had discovered as a result of its own investigation.

It gave us an opportunity to discuss the issues without having to rely on classified sources or sensitive methods of intelligence gathering, Steinberg says. The administration had had little warning about Googles decision, and it was at odds with some officials reluctance to take the espionage debate public. But now that it was, no one complained.

It was their decision. I certainly had no objection, Steinberg says.

The Obama administration began to take a harsher tone with China, starting with a major address Clinton gave about her Internet Freedom initiative nine days later. She called on China to stop censoring Internet searches and blocking access to websites that printed criticism about the countrys leaders. Clinton likened such virtual barriers to the Berlin Wall.

For its part, Google said it would stop filtering search results for words and subjects banned by government censors. And if Beijing objected, Google was prepared to pull up stakes and leave the Chinese market entirely, losing out on billions of dollars in potential revenues. That put other U.S. technology companies in the hot seat. Were they willing to put up with government interference and suppression of free speech in order to keep doing business in China?

After Googles declaration, it was easier for other companies to admit theyd been infiltrated by hackers. After all, if it happened to Google, it could happen to anyone. Being spied on by the Chinese might even be a mark of distinction, insofar as it showed that a company was important enough to merit the close attention of a superpower. With one blog post, Google had changed the global conversation about cyber defense.

The company had also shown that it knew a lot about Chinese spies. The NSA wanted to know how much.

Google had also alerted the NSA and the FBI that its networks were breached by hackers in China. As a law enforcement agency, the FBI could investigate the intrusion as a criminal matter. But the NSA needed Googles permission to come in and help assess the breach.

On the day that Googles lawyer wrote the blog post, the NSAs general counsel began drafting a cooperative research and development agreement, a legal pact that was originally devised under a 1980 law to speed up the commercial development of new technologies that are of mutual interest to companies and the government. The agreements purpose is to build something a device or a technique, for instance. The participating company isnt paid, but it can rely on the government to front the research and development costs, and it can use government personnel and facilities for the research. Each side gets to keep the products of the collaboration private until they choose to disclose them. In the end, the company has the exclusive patent rights to build whatever was designed, and the government can use any information that was generated during the collaboration.

Its not clear what the NSA and Google built after the China hack. But a spokeswoman at the agency gave hints at the time the agreement was written. As a general matter, as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers, she said. It was the phrase tailored solutions that was so intriguing. That implied something custom built for the agency, so that it could perform its intelligence-gathering mission. According to officials who were privy to the details of Googles arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers. It was a quid pro quo, information for information.

And from the NSAs perspective, information in exchange for protection.

The cooperative agreement and reference to a tailored solution strongly suggest that Google and the NSA built a device or a technique for monitoring intrusions into the companys networks. That would give the NSA valuable information for its so-called active defense system, which uses a combination of automated sensors and algorithms to detect malware or signs of an imminent attack and take action against them. One system, called Turmoil, detects traffic that might pose a threat. Then, another automated system called Turbine decides whether to allow the traffic to pass or to block it. Turbine can also select from a number of offensive software programs and hacking techniques that a human operator can use to disable the source of the malicious traffic. He might reset the sources Internet connection or redirect the traffic to a server under the NSAs control. There the source can be injected with a virus or spyware, so the NSA can continue to monitor it.

For Turbine and Turmoil to work, the NSA needs information, particularly about the data flowing over a network. With its millions of customers around the world, Google is effectively a directory of people using the Internet. It has their e-mail addresses. It knows where theyre physically located when they log in. It knows what they search for on the web. The government could command the company to turn over that information, and it does as part of the NSAs Prism program, which Google had been participating in for a year by the time it signed the cooperative agreement with the NSA. But that tool is used for investigating people whom the government suspects of terrorism or espionage.

The NSAs cyber defense mission takes a broader view across networks for potential threats, sometimes before it knows who those threats are. Under Googles terms of service, the company advises its users that it may share their personal information with outside organizations, including government agencies, in order to detect, prevent, or otherwise address fraud, security or technical issues and to protect against harm to the rights, property or safety of Google. According to people familiar with the NSA and Googles arrangement, it does not give the government permission to read Google users e-mails.

They can do that under Prism. Rather, it lets the NSA evaluate Google hardware and software for vulnerabilities that hackers might exploit. Considering that the NSA is the single biggest collector of zero day vulnerabilities, that information would help make Google more secure than others that dont get access to such prized secrets. The agreement also lets the agency analyze intrusions that have already occurred, so it can help trace them back to their source.

Google took a risk forming an alliance with the NSA. The companys corporate motto, Dont be evil, would seem at odds with the work of a covert surveillance and cyber warfare agency. But Google got useful information in return for its cooperation. Shortly after the China revelation, the government gave Sergey Brin, Googles cofounder, a temporary security clearance that allowed him to attend a classified briefing about the campaign against his company. Government analysts had concluded that the intrusion was directed by a unit of the Peoples Liberation Army. This was the most specific information Google could obtain about the source of the intrusion. It could help Google fortify its systems, block traffic from certain Internet addresses, and make a more informed decision about whether it wanted to do business in China at all. Googles executives might pooh-pooh the NSAs secret sauce. But when the company found itself under attack, it turned to Fort Meade for help.

In its blog post, Google said that more than twenty companies had been hit by the China hackers, in a campaign that was later dubbed Aurora after a file name on the attackers computer. A security research firm soon put the number of targets at around three dozen. Actually, the scope of Chinese spying was, and is, much larger.

Security experts in and outside of government have a name for the hackers behind campaigns such as Aurora and others targeting thousands of other companies in practically every sector of the U.S. economy: the advanced persistent threat. Its an ominous-sounding title, and a euphemistic one. When government officials mention APT today, what they often mean is China, and more specifically, hackers working at the direction of Chinese military and intelligence officials or on their behalf.

The advanced part of the description refers in part to the hackers techniques, which are as effective as any the NSA employs. The Chinese cyber spies can use an infected computers own chat and instant-messenger applications to communicate with a command-and-control server. They can implant a piece of malware and then remotely customize it, adding new information-harvesting features. The government apparatus supporting all this espionage is also advanced, more so than the loose-knit groups of cyber vandals or activists such as Anonymous that spy on companies for political purposes, or even the sophisticated Russian criminal groups, who are more interested in stealing bank account and credit card data. China plays a longer game. Its leaders want the country to become a first-tier economic and industrial power in a single generation, and they are prepared to steal the knowledge they need to do it, U.S. officials say.

Thats where the persistent part comes into play. Gathering that much information, from so many sources, requires a relentless effort, and the will and financial resources to try many different kinds of intrusion techniques, including expensive zero day exploits. Once the spies find a foothold inside an organizations networks, they dont let go unless theyre forced out. And even then they quickly return. The threat such spying poses to the U.S. economy takes the form of lost revenue and strategic position. But also the risk that the Chinese military will gain hidden entry points into critical-infrastructure control systems in the United States. U.S. intelligence officials believe that the Chinese military has mapped out infrastructure control networks so that if the two nations ever went to war, the Chinese could hit American targets such as electrical grids or gas pipelines without having to launch a missile or send a fleet of bombers.

Operation Aurora was the first glimpse into the breadth of the ATPs exploits. It was the first time that names of companies had been attached to Chinese espionage. The scope of this is much larger than anybody has ever conveyed, Kevin Mandia, CEO and president of Mandiant, a computer security and forensics company located outside Washington, said at the time of Operation Aurora. The APT represented hacking on a national, strategic level. There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now, said Mandia, a veteran cyber investigator who began his career as a computer security officer in the air force and worked there on cybercrime cases. Mandiant was becoming a goto outfit that companies called whenever they discovered spies had penetrated their networks. Shortly after the Google breach, Mandiant disclosed the details of its investigations in a private meeting with Defense Department officials a few days before speaking publicly about it.

The APT is not one body but a collection of hacker groups that include teams working for the Peoples Liberation Army, as well as so-called patriotic hackers, young, enterprising geeks who are willing to ply their trade in service of their country. Chinese universities are also stocked with computer science students who work for the military after graduation. The APT hackers put a premium on stealth and patience. They use zero days and install backdoors. They take time to identify employees in a targeted organization, and send them carefully crafted spear-phishing e-mails laden with spyware. They burrow into an organization, and they often stay there for months or years before anyone finds them, all the while siphoning off plans and designs, reading e-mails and their attachments, and keeping tabs on the comings and goings of employees the hackers future targets. The Chinese spies behave, in other words, like their American counterparts.

No intelligence organization can survive if it doesnt know its enemy. As expansive as the NSAs network of sensors is, its sometimes easier to get precise intelligence about hacking campaigns from the targets themselves. Thats why the NSA partnered with Google. Its why when Mandiant came calling with intelligence on the APT, officials listened to what the private sleuths had to say. Defending cyberspace is too big a job even for the worlds elite spy agency. Whether they like it or not, the NSA and corporations must fight this foe together.

Googles Sergey Brin is just one of hundreds of CEOs who have been brought into the NSAs circle of secrecy. Starting in 2008, the agency began offering executives temporary security clearances, some good for only one day, so they could sit in on classified threat briefings.

They indoctrinate someone for a day, and show them lots of juicy intelligence about threats facing businesses in the United States, says a telecommunications company executive who has attended several of the briefings, which are held about three times a year. The CEOs are required to sign an agreement pledging not to disclose anything they learn in the briefings. They tell them, in so many words, if you violate this agreement, you will be tried, convicted, and spend the rest of your life in prison, says the executive.

Why would anyone agree to such severe terms? For one day, they get to be special and see things few others do, says the telecom executive, who, thanks to having worked regularly on classified projects, holds high-level clearances and has been given access to some of the NSAs most sensitive operations, including the warrantless surveillance program that began after the 9/11 attacks. Alexander became personal friends with many CEOs through these closed-door sessions, the executive adds. Ive sat through some of these and said, General, you tell these guys things that could put our country in danger if they leak out. And he said, I know. But thats the risk we take. And if it does leak out, they know what the consequences will be.

But the NSA doesnt have to threaten the executives to get their attention. The agencys revelations about stolen data and hostile intrusions are frightening in their own right, and deliberately so. We scare the bejeezus out of them, a government official told National Public Radio in 2012. Some of those executives have stepped out of their threat briefings meeting feeling like the defense contractor CEOs who, back in the summer of 2007, left the Pentagon with white hair.

Unsure how to protect themselves, some CEOs will call private security companies such as Mandiant. I personally know of one CEO for whom [a private NSA threat briefing] was a life-changing experience, Richard Bejtlich, Mandiants chief security officer, told NPR. General Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known about [threats to his company] but did not, and now it has colored everything about the way he thinks about this problem.

The NSA and private security companies have a symbiotic relationship. The government scares the CEOs and they run for help to experts such as Mandiant. Those companies, in turn, share what they learn during their investigations with the government, as Mandiant did after the Google breach in 2010. The NSA has also used the classified threat briefings to spur companies to strengthen their defenses.

In one 2010 session, agency officials said theyd discovered a flaw in personal computer firmware the onboard memory and codes that tell the machine how to work that could allow a hacker to turn the computer into a brick, rendering it useless. The CEOs of computer manufacturers who attended the meeting, and who were previously aware of the design flaw, ordered it fixed.

Private high-level meetings are just one way the NSA has forged alliances with corporations. Several classified programs allow companies to share the designs of their products with the agency so it can inspect them for flaws and, in some instances, install backdoors or other forms of privileged access. The types of companies that have shown the NSA their products include computer, server, and router manufacturers; makers of popular software products, including Microsoft; Internet and e-mail service providers; telecommunications companies; satellite manufacturers; antivirus and Internet security companies; and makers of encryption algorithms.

The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and U.S. officials. Cisco, one of the worlds top network equipment makers, leaves backdoors in its routers so they can be monitored by U.S. agencies, according to a cyber security professional who trains NSA employees in defensive techniques. And McAfee, the Internet security company, provides the NSA, the CIA, and the FBI with network traffic flows, analysis of malware, and information about hacking trends.

Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. To an extent, these openings for government surveillance are required by law. Telecommunications companies in particular must build their equipment in such a way that it can be tapped by a law enforcement agency presenting a court order, like for a wiretap. But when the NSA is gathering intelligence abroad, it is not bound by the same laws. Indeed, the surveillance it conducts via backdoors and secret flaws in hardware and software would be illegal in most of the countries where it occurs.

Of course, backdoors and unpatched flaws could also be used by hackers. In 2010 a researcher at IBM publicly revealed a flaw in a Cisco operating system that allows a hacker to use a backdoor that was supposed to be available only to law enforcement agencies. The intruder could hijack the Cisco device and use it to spy on all communications passing through it, including the content of e-mails. Leaving products vulnerable to attack, particularly ubiquitous software programs like those produced by Microsoft, puts millions of customers and their private information at risk and jeopardizes the security of electrical power facilities, public utilities, and transportation systems.

Under U.S. law, a companys CEO is required to be notified whenever the government uses its products, services, or facilities for intelligence-gathering purposes. Some of these information-sharing arrangements are brokered by the CEOs themselves and may be reviewed only by a few lawyers. The benefits of such cooperation can be profound. John Chambers, the CEO of Cisco, became friends with George W. Bush when he was in office. In April 2006, Chambers and the president ate lunch together at the White House with Chinese president Hu Jintao, and the next day Bush gave Chambers a lift on Air Force One to San Jose, where the president joined the CEO at Cisco headquarters for a panel discussion on American business competitiveness. California governor Arnold Schwarzenegger also joined the conversation. Proximity to political power is its own reward. But preferred companies also sometimes receive early warnings from the government about threats against them.

The Homeland Security Department also conducts meetings with companies through its cross sector working groups initiative. These sessions are a chance for representatives from the universe of companies with which the government shares intelligence to meet with one another and hear from U.S. officials. The attendees at these meetings often have security clearances and have undergone background checks and interviews. The department has made the schedule and agendas of some of these meetings public, but it doesnt disclose the names of companies that participated or many details about what they discussed.

Between January 2010 and October 2013, the period for which public records are available, the government held at least 168 meetings with companies just in the cross sector working group. There have been hundreds more meetings broken out by specific industry categories, such as energy, telecommunications, and transportation.

A typical meeting may include a threat briefing by a U.S. government official, usually from the NSA, the FBI, or the Homeland Security Department; updates on specific initiatives, such as enhancing bank website security, improving information sharing among utility companies, or countering malware; and discussion of security tools that have been developed by the government and industry, such as those used to detect intruders on a network. One meeting in April 2012 addressed use cases for enabling information sharing for active cyber defense, the NSA-pioneered process of disabling cyber threats before they can do damage. The information sharing in this case was not among government agencies but among corporations.

Most meetings have dealt with protecting industrial control systems, the Internet-connected devices that regulate electrical power equipment, nuclear reactors, banks, and other vital facilities. Thats the weakness in U.S. cyberspace that most worries intelligence officials. It was the subject that so animated George W. Bush in 2007 and that Barack Obama addressed publicly two years later. The declassified agendas for these meetings offer a glimpse at what companies and the government are building for domestic cyber defense.

On September 23, 2013, the Cross Sector Enduring Security Framework Operations Working Group discussed an update to an initiative described as Connect Tier 1 and USG Operations Center. Tier 1 usually refers to a major Internet service provider or network operator. Some of the best-known Tier 1 companies in the United States are AT&T, Verizon, and CenturyLink. USG refers to the U.S. government. The initiative likely refers to a physical connection running from an NSA facility to those companies, as part of an expansion of the DIB pilot program. The expansion was authorized by a presidential executive order in February 2013 aimed at increasing security of critical-infrastructure sites around the country. The government, mainly through the NSA, gives threat intelligence to two Internet service providers, AT&T and CenturyLink. They, in turn, can sell enhanced cybersecurity services, as the program is known, to companies that the government deems vital to national and economic security. The program is nominally run by the Homeland Security Department, but the NSA provides the intelligence and the technical expertise.

Through this exchange of intelligence, the government has created a cyber security business. AT&T and CenturyLink are in effect its private sentries, selling protection to select corporations and industries. AT&T has one of the longest histories of any company participating in government surveillance. It was among the first firms that voluntarily handed over call records of its customers to the NSA following the 9/11 attacks, so the agency could mine them for potential connections to terrorists a program that continues to this day. Most phone calls in the United States pass through AT&T equipment at some point, regardless of which carrier initiates them. The companys infrastructure is one of the most important and frequently tapped repositories of electronic intelligence for the NSA and U.S. law enforcement agencies.

CenturyLink, which has its headquarters in Monroe, Louisiana, has been a less familiar name in intelligence circles over the years. But in 2011 the company acquired Qwest Communications, a telecommunications firm that is well known to the NSA. Before the 9/11 attacks, NSA officials approached Qwest executives and asked for access to its high-speed fiber-optic networks, in order to monitor them for potential cyber attacks. The company rebuffed the agencys requests because officials hadnt obtained a court order to get access to the companys equipment. After the terrorist attacks, NSA officials again came calling, asking Qwest to hand over its customers phone records without a court-approved warrant, as AT&T had done. Again, the company refused. It took another ten years and the sale of the company, but Qwests networks are now a part of the NSAs extended security apparatus.

The potential customer base for government-supplied cyber intelligence, sold through corporations, is as diverse as the U.S. economy itself. To obtain the information, a company must meet the governments definition of a critical infrastructure: assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. That may seem like a narrow definition, but the categories of critical infrastructure are numerous and vast, encompassing thousands of businesses. Officially, there are sixteen sectors: chemical; commercial facilities, to include shopping centers, sports venues, casinos, and theme parks; communications; critical manufacturing; dams; the defense industrial base; emergency services, such as first responders and search and rescue; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

Its inconceivable that every company on such a list could be considered so vital to the United States that its damage or loss would harm national security and public safety. And yet, in the years since the 9/11 attacks, the government has cast such a wide protective net that practically any company could claim to be a critical infrastructure. The government doesnt disclose which companies are receiving cyber threat intelligence. And as of now the program is voluntary. But lawmakers and some intelligence officials, including Keith Alexander and others at the NSA, have pressed Congress to regulate the cyber security standards of critical-infrastructure owners and operators. If that were to happen, then the government could require that any company, from Pacific Gas and Electric to Harrahs Hotels and Casinos, take the governments assistance, share information about its customers with the intelligence agencies, and build its cyber defenses according to government specifications.

In a speech in 2013 the Pentagons chief cyber security adviser, Major General John Davis, announced that Homeland Security and the Defense Department were working together on a plan to expand the original DIB program to more sectors. They would start with energy, transportation, and oil and natural gas, things that are critical to DODs mission and the nations economic and national security that we do not directly control, Davis said. The general called foreign hackers mapping of these systems and potential attacks an imminent threat. The government will never be able to manage such an extensive security regime on its own. It cant now, which is why it relies on AT&T and CenturyLink. More companies will flock to this new mission as the government expands the cyber perimeter. The potential market for cyber security services is practically limitless.

Excerpted from

Original post:
Googles secret NSA alliance: The terrifying deals between ...

The Orange County Register

The National Security Agency has decided to halt a controversial surveillance program, but this was just the tip of an iceberg of government abuses of privacy and due process.

The NSA said last week that it will no longer engage in warrantless spying on Americans digital communications that merely mention a foreign intelligence target, referred to in the intelligence community as about communications. The agency had claimed the authority to engage in such surveillance under Section 702 of the Foreign Intelligence Surveillance Act, which allows it to target non-U.S. citizens or residents believed to be outside the country, although Americans communications are oftentimes swept up as well.

NSA will no longer collect certain internet communications that merely mention a foreign intelligence target, the agency announced in a statement. Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target.

Even though NSA does not have the ability at this time to stop collecting about information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target, it continued.

It is a significant departure from previous assurances that the program was vital to national security, though many have forcefully disputed that claim. Its effectiveness has always been difficult to gauge, however, due to the lack of information the NSA has provided about it.

The agencys decision is certainly welcome, though we must make the perhaps generous assumption that it will do or not do, in this case what it says it will, and that it will not simply change its mind in the future. Our enthusiasm is also tempered by the realization that this is an agency, along with various other government intelligence agencies, that is built on deception and has repeatedly lied about its spying activities and violations of Americans constitutional rights.

Then there is the matter of the backdoor search loophole, by which the FBI or other agencies may search NSA databases for information about Americans collected under Section 702 without having to go through all that pesky business of obtaining a warrant. The loophole is sure to be a bone of contention during congressional debate over the reauthorization of Section 702, which is scheduled to expire at the end of the year.

Given the governments repeated abuses of Americans privacy through its snooping activities, those looking to reauthorize Section 702 have some serious questions to answer about how many Americans have been swept up in this supposed foreign surveillance, and how useful this intelligence actually is.

The Fourth Amendment is quite clear: Government searches require a warrant issued by a judge based on probable cause and describing the specific place to be searched, and the persons or things to be seized. New technology may make our communications quicker and more convenient as well as more easily recorded and stored but it does not alter that fundamental principle.

See the original post:
Their View: NSA stops one abuse, but many remain - VVdailypress.com

There were empty cans of Mountain Dew and Monster Energy everywhere.

Despite the pile of energy drinks, there was a surprising calm in the room as I stood by two dozen cadets at the US Military Academy at West Point. They were tasked with building a server and protecting it from breaches by the National Security Agency for a full week.

With a lifetime of research -- watching movies about cyberwarfare -- I figured I was all set for this assignment. But there was no dramatic music, no people running around and yelling about "cyber nukes" -- whatever those are. It looked like a normal office, like the one I'm sitting in as I write this. There wasn't even a sweeping camera shot of all the action.

Instead, four groups of cadets sat around rows of laptops at the ready. There was the Web Services team, to make sure their websites were up and running; the Web and Forums team, which moderates what goes on in their servers; the Network Monitoring team, which stands guard; and the Strike Team, which takes action to combat breaches.

The pace picked up a bit as the NSA sent over a task: creating a password restriction in the next two hours. But even then, there was no dramatic rush or screens filled with flowing rivers of green code.

The most noteworthy part of the attack? URLs like "pooploopery.com" and "canadabrokeit.com."

This is the second installment of a two-part series on cybersecurity and West Point.

Those names sound goofy, but the military is taking its cyberdefense capabilities seriously. This exercise, which is held annually at West Point, is part of an increased focus in military academies to train experts against attacks in the future.

After all, cyberwarfare is an increasing concern on and off the battlefield, and the US has already gotten a glimpse of what attacks could look like in the future. The 2016 presidential election was heavily influenced by Russian hackers, while Chinese hackers stole 22 million social security numbers from a federal database in 2015 and North Korean hackers were blamed for a massive breach at Sony the year before. With experts predicting threats like bombings caused by distributed denial-of-service (DDoS) attacks, it's become more important to train future officers to defend online.

"It's certainly a great emphasis. We see the rise of the cyber branch with the United States Army," Major Michael Petullo, an assistant professor at West Point's military academy said. "Individual privacy and freedom is all pending these days on cyber."

That mentality extends beyond the Army's own troops. Last month, the US Air Force issued its "Hack the Air Force" challenge to security specialists around the world, offering hefty rewards to anyone who can break into its public websites. It's a follow-up to challenges like "Hack the Army" and "Hack the Pentagon," in which bug bounty hunters cashed in on $75,000 by identifying the Pentagon's vulnerabilities. It only took five minutes for the first bounty to come during the Army challenge.

Since 2000, the NSA has been testing cadets at military schools by "hacking" servers in their classrooms for an entire week. In April, the Naval Academy, the Coast Guard Academy, the Marine Academy, the Military Academy and the Royal Military College of Canada joined in the Cyber Defense Exercise, looking to see who could best fend off the NSA's cyberattacks.

As part of the challenge, NSA hackers make up the "Red Cell" and teams from each academy make up "Blue Cells." The NSA is allowed to attack at all times, while the cyberdefense teams are restricted from doing anything between 10 p.m. and 9 a.m. To make things even harder, there's the Gray Cell, bots meant to emulate careless users who hackers typically target.

In one Gray Cell scenario, an important politician would come into an Army base with a laptop that potentially has a virus on it. The cadets have to clean off the device and remove any malware before the Gray Cell connects onto the servers.

Do you think that's far-fetched? Vice President Mike Pence and Clinton campaign manager John Podesta probably don't.

"The threat is real and gets more and more advanced every day. It evolves very rapidly," NSA Red Cell lead Curtis Williams said.

The cadets have to prevent the NSA from stealing password tokens, protect their servers from shutdown and block out intruders. The NSA's break-in is inevitable, so the competition becomes about who can defend their servers the longest.

"They end up getting in, but they get into everyone's," said Mitch DeRidder, captain of the Army's Blue Cell. "They're closing in as time goes on."

After DeRidder assigned the duties for the NSA's password challenge, the room fell quiet again. Attacks still flowed in from the NSA, but they were easy to spot because of their goofy names.

The cadets were supposed to monitor for these fake names and block them. Sometimes, it wasn't as obvious as a pooploopery. One ping had come in from lyft.cpm, a rip-off of the popular ride-sharing app.

"They're hoping that we make typos," said Conner Wissman, on the Army's Service team. "They're trying to throw us off because every second of blocking these count."

The team members' eyes glazed over while watching scores of URLs coming into the servers, a boring but necessary task.

"There's nothing I can do, I kind of just sit here and watch," Wissman said. On the Web and Forums team, one cadet folded paper into a small boat. Another cadet, manning the servers, took the boat apart and made a paper hat.

US Army cadets hard at work during the Cyber Defense Exercise. If you look really closely, you can see the paper boat.

By the end of the week, the Navy had won the exercise, but the cadets at West Point weren't defeated. In their loss, they'll be able to learn what went wrong and how to improve for when the nation's cybersecurity is at stake.

For future exercises, the NSA wants the academies to be able to collaborate. It also expects to add additional challenges like protecting other connected devices -- think smart appliances and light bulbs. The cadets already see the value in these challenges.

"Cyber is one of the biggest national security threats," DeRidder said. "Having trained NSA personnel attacking us, that definitely helped prepare us for the future."

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Continue reading here:
Military cadets battle NSA in mock cyber war games - CNET - CNET