Daily Archives: June 1, 2017

National Security Agency analysts under the Obama administration improperly searched Americans' information, but the searches were conducted largely out of error, according to a review of publicly available intelligence documents reported on by Circa last week.

The website reported that Obama's NSA violated privacy protections by searching a subset of intelligence for Americans' information. The story draws in part from a partially declassified April 2017 Foreign Intelligence Surveillance Court opinion, which says that the NSA repeatedly and inappropriately queried, or searched, "U.S. person identifiers" within a swath of data. The data was collected under Section 702 of the Foreign Intelligence Surveillance Act, meaning that it targeted a foreigner, on foreign soil, for a foreign intelligence purpose.

The NSA at the time was not allowed to search a chunk of intelligence, known as "upstream," using U.S. person identifiers (like an American's email address)but it did, and "with much greater frequency than had previously been disclosed" to the FISC. Upstream data is obtained from "providers that control the telecommunications "backbone" over which telephone and Internet communications transit," according to an independent government oversight agency.

Of this, Circa wrote:

The admitted violations undercut one of the primary defenses that the intelligence community and Obama officials have used in recent weeks to justify their snooping into incidental NSA intercepts about Americans.

Circa has reported that there was a three-fold increase in NSA data searches about Americans and a rise in the unmasking of U.S. person's identities in intelligence reports after Obama loosened the privacy rules in 2011.

Officials like former National Security Adviser Susan Rice have argued their activities were legal under the so-called minimization rule changes Obama made, and that the intelligence agencies were strictly monitored to avoid abuses.

The intelligence court and the NSA's own internal watchdog found that not to be true.

This sounds nefarious, especially against the backdrop of a months-long controversy over unmasking and leaks. But as Circa hints some paragraphs later, the incidents, which were self-reported by the NSA to Congress and the FISC, were in part the result of a system design quirk.

"The system automatically includes in a search all authorities an analyst's credentials permit the analyst to access," Adam Klein, a senior fellow at the Center for a New American Security, told THE WEEKLY STANDARD. "That meant that analysts with access to upstream data had to opt out of querying upstream when setting their search criteria. That system design apparently resulted in non-compliant queries."

A January notice to the FISC also said that "human error was the primary factor" in a portion of these improper queries. The NSA in an announcement also claimed that the incidents were "not willful." And as Klein told TWS, "There have been no reported incidents of intentional misuse of Section 702 by the agencies responsible for implementing it."

The NSA inspector general report read:

For the queries into FAA 702 upstream data, SV concluded that analysts had not removed the FAA 702 upstream authority from their search criteria (that automatically defaulted on the basis of their credentials) or had not included the appropriate . . . limiters to prevent FAA 702 upstream data from being queried.

The NSA told the FISC about the incidents as the court conducted its annual review for 702 certifications. The non-compliance triggered a broader NSA review, and ultimately resulted in the agency declaring the end of "about" collectionor the gathering of communications that mention a target. "About" collection often scooped up entirely domestic communications, drawing the ire of civil liberties advocates. The NSA also announced that it would purge much of its upstream data, and the FISC gave the go-ahead for analysts to query upstream using U.S. person identifiers, now that "about" has ended.

The court's late March certification reflected that change. But the court was not pleased with the non-compliance. The FISC in October described it as "a very serious Fourth Amendment issue" and attributed the agency's delayed disclosure to "an institutional 'lack of candor.'"

Still, the incidentincluding the NSA's self-reporting and public announcementsexemplifies the extent of 702 oversight, Klein said.

"The program is subject to extensive oversight, including judicial supervision by the Foreign Intelligence Surveillance Court. The recent end of "about" collection in response to FISC oversight shows that it has real teeth," he said.

If you have questions about this fact check, or would like to submit a request for another fact check, email Jenna Lifhits at jlifhits@weeklystandard.com or The Weekly Standard at factcheck@weeklystandard.com.

Read more:
Fact Check: Why did the NSA breach privacy protections? - The Weekly Standard

"I have reviewed the declaration of Michael V. Hayden dated March 8, 2017," Drake's statement said. "As a result of personal knowledge I gained as a long-time contractor and then senior executive (1989-2008) of the NSA, I know the statements made by Hayden in that declaration are false or, if not literally false, substantially misleading."

Drake's statement was provided to the U.S. Department of Justice this week, as part of discovery, by attorney Rocky Anderson the Salt Lake City mayor at the time of the 2002 Olympics who represents plaintiffs Mary Josephine Valdez, Howard Stephenson, Deeda Seed, Will Bagley and Thomas Nelson Huckin.

In January, Judge Robert Shelby rejected an attempt by the Department of Justice to dismiss the case.

The NSA has the capability to seize and store electronic communications passing through U.S. intercept centers, according to a statement from Drake.

After Sept. 11, 2001, "the NSA's new approach was that the president had the authority to override the Foreign Intelligence Surveillance Act (FISA) and the Bill of Rights, and the NSA worked under the authority of the president," Drake said. "The new mantra to intercepting intelligence was 'just get it' regardless of the law."

Additional information on NSA's intelligence gathering came to light in 2013 when Edward Snowden revealed to Glenn Greenwald of the Guardian, the scope of U.S. and British global surveillance programs.

One of the documents Snowden purloined spoke to the 2002 operation, where the NSA sought detailed records without warrants from telecom communications systems in Utah, including Qwest Communications.

The document, labeled "Top Secret," has several entries, including this one: "In early 2002, NSA personnel met with senior vice president of government systems and other employees from Company E [later identified as Qwest]. Under authority of the President's Surveillance Program (PSP), NSA asked Company E to provide call records in support of security for the Olympics in Salt Lake City... On 19 February 2002, Company E submitted a written proposal that discussed methods it could use to regularly replicate call record information stored in a Company E facility and potentially froward the same information to NSA ... "

In 2011 the NSA completed the $1.2 billion digital storage faci`lity called the Utah Data Center in Bluffdale.

In a 2012 lawsuit in U.S. District Court for the Northern District of California, two former highly-placed NSA employees said the agency was not filtering personal electronic data but was storing everything it collected.

"The capacity of NSA's infrastructure far exceeds the capacity necessary for the storage of discreet, targeted communications," said William Binney. "The capacity of NSA's infrastructure is consistent, as a mathematical matter, with seizing both the routing information and the contents of all communications."

In the same case, J. Kirk Wiebe, who worked as a senior analyst at the NSA from 1975 to 2001, concurred with Binney and Drake.

"I agree with Mr. Drake's assessment that everything changed at the NSA after the attacks of September 11. The prior approach focused on complying with the Foreign Intelligence Act (FISA)," he stated. "The post-September 11 approach was that NSA could circumvent federal statutes and the Constitution as long as there was some visceral connection to looking for terrorists."

By contrast, in the Utah case, current NSA Director of Operations Wayne Murphy, like Hayden, rejected allegations of an NSA "blanket" surveillance program during the 2002 Winter Olympics. He noted, however, that NSA collection of communications did and does continue to exist but is "targeted at one-end foreign communications where a communicant was reasonably believed to be a member or agent of Al-Qaeda or another international terrorist organization."

Anderson called the NSA's surveillance programs "Orwellian."

Read more here:
NSA conducted blanket surveillance of Salt Lakers during 2002 Games, former official says - Salt Lake Tribune

Russian President Vladimir Putin condemned Edward Snowden's 2013 release of confidential NSA documents as "wrong" but defended Snowden against accusations of treason in a new interview released Thursday. He said in a show airing this month on Showtime that Snowden "didnt betray the interest of his country."

Putin made the comments to interviewer Oliver Stone as part of "ThePutin Interviews,"which will air on Showtime on June 12.

Stone is best known as the director of "Wall Street,""Natural Born Killers" and "Snowden," in which Joseph Gordon-Levitt plays Snowden.

Snowden currently lives in exile in Russia for leaking NSA documents that detailed international bulk surveillance operations.

In newly released clips from the interview, Putin reveals that he sees Snowden's actions as legal but not moral.

"I think he shouldnt have done it," Putin said of Snowden's actions. "If he didnt like anything at his work he should have simply resigned. But he went further. Thats his right. But since you are asking me whether it's right or wrong, I think its wrong."

Earlier in the interview, Putin said that Snowden had not taken any actions against the United States during or after the leaks.

"Snowden is not a traitor. He didnt betray the interest of his country. Nor did he transfer any information to any other country which would have been pernicious to his own country or to his own people." said Putin.

Putin, an ex-KGB agent, is known for his tight-gripped rule over Russia as well as an unrivaled intelligence operation against the United States.

During the interview, Putin said that Russian intelligence suffers from the problems he implied he saw with the NSA.

"Our intelligence services always conform to the law. Thats the first thing. And secondly, trying to spy on your allies if you really consider them allies and not vassals is just indecent. Because it undermines trust. And it means that in the end it deals damage to your own national security," he said.

See the article here:
Putin: What Snowden did to the NSA was 'wrong' - The Hill

Cybersecurity

How much would you pay for access to stolen hacking tools developed by some of the NSA's most elite computer scientists? The enigmatic entity calling itself TheShadowBrokers thinks that $23,000 is a fair price.

The mysterious group that first appeared in August 2016 claiming to have a trove of tools pilfered from the Equation Group, which has been identified as an NSA hacking operation, have been periodically releasing bits of that stash for free.

In April, TheShadowBrokers dumped tools and exploits that led to the WannaCry ransomware attack as well as other malware that has been used in recent attacks.

The group then issued a long blog post written in pigeon English, complaining that no one had offered to buy the stolen data and make them "go dark," and contemplating the launch of a "wine of month" style subscription service.

In a new blog post, TheShadowBrokers announced that interested subscribers can sign up during the month of June for a fee of 100 ZEC or Zcash cryptocurrency worth about $235 a share -- and then in the first two weeks of July patrons will receive the next dump of hacking tools.

TheShadowBrokers said they have not decided what will be in the next release, but said it will include "Something of value to someone."

"The time for 'I'll show you mine if you show me yours first' is being over," states the post. "Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers' first. This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"

In the May 15 blog post, TheShadowBrokers stated that future releases of tools could include, "web browser, router, handset exploits and tools; select items from newer Ops Disks, including newer exploits for Windows 10; compromised network data from more SWIFT providers and Central banks; compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs."

Cybersecurity experts continue to speculate over who is or are TheShadowBrokers and how they acquired the NSA data -- possibly from an insider such as former contractor Hal Martin, who has been charged under the Espionage Act with stealing classified data from the NSA and CIA.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

The rest is here:
ShadowBrokers launch subscription service for stolen NSA tools - FCW.com

By Ms. Smith, Network World | May 31, 2017 8:54 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

The idea of crowdfunding to raise enough money to buy NSA-linked hacking tools from the Shadow Brokers is picking up steam and making some people steam.

The price tag for getting hold of stolen Equation Group hacking tools is 100 Zcash. When I started the article about the Shadow Brokers revealing details about its June dump of the month subscription service, the cost of 100 Zcash was equal to $22,779. By the time I finished writing, it was equal to $23,251. As I start this article, 100 Zcash is equal to $24,128. By tomorrow, the first day to subscribe to the Shadow Brokers monthly dump service, Zcash will likely cost even more dollars. If you dont have that kind of money, but want to partake in the spoils of the June dump, then maybe crowdfunding is the way to go?

At least that is what Hacker Houses Matthew Hickey and a security researcher gong by x0rz have proposed as the solution. They formed a Shadow Brokers Response Team, which a goal of creating open and transparent crowd-funded analysis of leaked NSA tools and launched a Patreon campaign to raise $25,000.

The campaign, dubbed a harm reduction exercise, states:

This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data.

Their hope is that by purchasing the stolen data and analyzing it, another attack like WannaCry can be prevented. But, oh my, some security experts are vehemently opposed to the idea and likened the crowdfunding effort to enabling cyberterrorists, negotiating with terrorists, or funding evil.

The Shadow Brokers did not reveal what data the group might dump in June, claimed to be undecided about it, but when first announcing the monthly dump subscription service, they said the dump could be:

The Patreon reads:

As a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities. We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days.

We believe it is in the greater good to obtain these exploits and mitigate the risk presented by them, the campaign adds.

The campaign launched yesterday and thus far has 24 patrons with a crowdfunded total of $2,225. The goal is to raise $25,000. If that goal is not met, the bitcoin funds will be donated to a to a charitable organization campaigning for human and/or digital rights. Patreon subscribers will be refunded if the platform allows it (or we will not post to prevent a charge). We will split whatever maybe left over from this evenly between EDRI and the EFF. If you had money to spend on an exploit auction like this, giving it to charity should not be too objectionable for you.

Of course, the Shadow Brokers might be playing everyone and not have anything left to dump. Conversely, the group might still have powerful NSA Equation Group-developed exploits. The NSA could just step up and tell all affected parties how it was exploiting their products, as it allegedly did when it told Microsoft, so the patches can be developed and deployed before the exploits are in the public domain. But lets get real; thats highly unlikely to happen.

Nevertheless, the Patreon floats the idea:

If the NSA are willing to inform us about what it is they have lost, the capabilities and vulnerabilities it has exploits for - so that we can make informed decisions to defend our networks then we will withdraw from this option. We need accurate guidance to be able to defend our networks and so far that guidance is not forthcoming from anywhere else.

While some people view pooled funding resources as a way to give the Shadow Brokers the least amount yet still get hold of the dump to get things patched, others are adamant that giving the group any money is morally wrong.

At the time of publishing, 100 ZEC (Zcash) had slightly decreased from $24,128 at the time I started the article to $23,662. If you dont have that to spare for the June data dump monthly subscription, will you join the crowdfunding campaign?

Read more here:
Crowdfunding campaign to buy stolen NSA hacking tools from Shadow Brokers - Network World

A hacker group with suspected ties to the Vietnamese government appears to be researching a leaked National Security Agency tool codenamed ODDJOB, based on documents uploaded to the repository VirusTotal andtied to a source already identified as OceanLotus group, otherwise known as APT32.

A classified user manual for ODDJOB was originally published on April 14 by a mysterious group, known for sharing NSA documents, named the Shadow Brokers. A copy of this same document was then uploaded April 17 to VirusTotal along with other malicious email attachments by OceanLotus. Multiple U.S. cybersecurity firms say OceanLotus is aligned with the interests of the Vietnamese government.

The specific version of the manual uploaded by OceanLotus was not weaponized, meaning it didnt carry malware that could be used to convert the harmless PDF to a phishing lure.

ODDJOB is a high-quality, masterfully engineered digital weapon believed to have been once used to help U.S. spies collect intelligence stored on machines running older versions of Microsoft Windows. Details on this backdoor implant are scarce at the moment. The operational computer code behind ODDJOB was not released by the ShadowBrokers.

OceanLotus apparent interest in the ODDJOB manual underscores the efforts now being made by nation-backed hacking groups to better understand, and potentially reuse, leaked NSA capabilities a fear perhaps already realized with the WannaCry ransomware campaign.

When ODDJOB is deployed against a target computer it attempts to obscure network traffic by appearing to be the Microsoft Background Intelligence Transfer Services, or BITS, which is typically used by Windows Update to apply a patch to a computer.

As of Thursday afternoon, the related file uploaded to VirusTotal remained in plain view.

The manual was first made public by the Shadow Brokers in April, but interest in this document by nation-states was previously unreported.

CyberScoop first reported Wednesday that OceanLotus was likely behinda cyber-espionage operation aimed at the Philippines government; a campaign which similarly saw sensitive documents be uploaded to VirusTotal. The reason for why these documents are being uploaded to a public forum remains unclear.

In addition to the ODDJOB manual, the aforementioned file dump includes, among other documents, an apparently leaked transcript of a phone conversation between U.S. President Donald Trump and Philippines President Rodrigo Duterte,briefing notes for a call between Philippine government officials and a U.S. senator, and internal documents tied to the Philippine National Security Council.

OceanLotus has been known to conduct missions against valuable corporations, foreign governments, dissidents and domestic journalists since at least 2014, according to research conducted by FireEye.

Read more:
Vietnamese hackers appear to be researching an NSA backdoor tool - CyberScoop