Tag - security

The Weird End of the NSA’s Phone Dragnet

The Atlantic explores the weird end of the NSA’s phone dragnet in a very enlightening essay:

Earlier this month, a federal appeals court ruled that while the surveillance agency has long claimed to be acting in accordance with Section 215 of the Patriot Act, the text of that law in fact authorizes no such program. The Obama Administration has been executing a policy that the legislature never passed into being.

But the law that doesn’t even authorize the program is set to expire at the end of the month. And so the court reasoned that Congress could let it expire or vote to change it. For this reason, the court declined to issue an order shutting the program down.

President Obama didn’t shut the program down either. One might think the illegality of its ongoing operations would bother him, but he’s effectively punted to Congress too.

Days ago, the House of Representatives acted: they voted overwhelmingly, 338 to 88, “to end the National Security Agency’s mass collection of phone records from millions of Americans with no ties to terrorism,” passing the USA Freedom Act, an effort “to rein in NSA surveillance while renewing key sections of the… Patriot Act.” The bill divided civil libertarians, some of whom thought it didn’t go far enough because the government could still access bulk data held by phone companies.

That brings us to the wee hours of Saturday morning. “After vigorous debate and intense last-minute pressure by Republican leaders, the Senate on Saturday rejected legislation that would end the federal government’s bulk collection of phone records,” The New York Times reports. “With the death of that measure — passed overwhelmingly in the House — senators then scrambled to hastily pass a short-term measure to keep the program from going dark when it expires June 1 but failed.”

Read the entire article.

Why the Current Section 215 Reform Debate Means Virtually Nothing

From one eye-opening read to another. Bruce Schneier writes that Chris Soghoian of the ACLU explains why the current Patriot Act section 215 reform debate means virtually nothing thanks to countless other authorities and methodologies the intelligence community uses to spy on American citizens:

There were 180 orders authorized last year by the FISA Court under Section 215 — 180 orders issued by this court. Only five of those orders relate to the telephony metadata program. There are 175 orders about completely separate things. In six weeks, Congress will either reauthorize this statute or let it expire, and we’re having a debate — to the extent we’re even having a debate — but the debate that’s taking place is focused on five of the 180, and there’s no debate at all about the other 175 orders.

Now, Senator Wyden has said there are other bulk collection programs targeted at Americans that the public would be shocked to learn about. We don’t know, for example, how the government collects records from Internet providers. We don’t know how they get bulk metadata from tech companies about Americans. We don’t know how the American government gets calling card records.

If we take General Hayden at face value — and I think you’re an honest guy — if the purpose of the 215 program is to identify people who are calling Yemen and Pakistan and Somalia, where one end is in the United States, your average Somali-American is not calling Somalia from their land line phone or their cell phone for the simple reason that AT&T will charge them $7.00 a minute in long distance fees. The way that people in the diaspora call home — the way that people in the Somali or Yemeni community call their family and friends back home — they walk into convenience stores and they buy prepaid calling cards. That is how regular people make international long distance calls.

So the 215 program that has been disclosed publicly, the 215 program that is being debated publicly, is about records to major carriers like AT&T and Verizon. We have not had a debate about surveillance requests, bulk orders to calling card companies, to Skype, to voice over Internet protocol companies. Now, if NSA isn’t collecting those records, they’re not doing their job. I actually think that that’s where the most useful data is. But why are we having this debate about these records that don’t contain a lot of calls to Somalia when we should be having a debate about the records that do contain calls to Somalia and do contain records of e-mails and instant messages and searches and people posting inflammatory videos to YouTube?

Certainly the government is collecting that data, but we don’t know how they’re doing it, we don’t know at what scale they’re doing it, and we don’t know with which authority they’re doing it. And I think it is a farce to say that we’re having a debate about the surveillance authority when really, we’re just debating this very narrow usage of the statute.

People like Chris are highly important to the work being done to prevent further violations of American freedoms and privacy. Although al Qaeda and Osama bin Laden lost the battle, it seems they have won the war against the American way of life.

Americans have been brainwashed into believing this surveillance is helping catch terrorists when in fact it has had virtually zero impact on thwarting any tangible terror plots.

Apple and Google Attended a Confidential Spy Summit in a Remote, Esoteric English Mansion

This is one of the more disconcerting things I have read in a while. It seems tech firms Apple and Google just attended a confidential spy summit in a remote English mansion, a location often used for esoteric meetings:

Among an extraordinary list of attendees were a host of current or former heads from spy agencies such as the CIA and British electronic surveillance agency Government Communications Headquarters, or GCHQ. Other current or former top spooks from Australia, Canada, France, Germany and Sweden were also in attendance. Google, Apple, and telecommunications company Vodafone sent some of their senior policy and legal staff to the discussions. And a handful of academics and journalists were also present.

According to an event program obtained by The Intercept, questions on the agenda included: “Are we being misled by the term ‘mass surveillance’?” “Is spying on allies/friends/potential adversaries inevitable if there is a perceived national security interest?” “Who should authorize intrusive intelligence operations such as interception?” “What should be the nature of the security relationship between intelligence agencies and private sector providers, especially when they may in any case be cooperating against cyber threats in general?” And, “How much should the press disclose about intelligence activity?”

No good can possibly come from a meeting of this type.

Ron Wyden and Rand Paul Sorta-Kinda Killed the Patriot Act

BoingBoing reports Senators Ron Wyden and Rand Paul sorta-kinda killed the Patriot Act section 215 renewal after leaving Senate Majority Leader Mitch McConnell without any compromise:

After an all-night session, Rand Paul [R-KY] and Ron Wyden [D-OR] tag-teamed majority leader Mitch McConnell [R-KY] and beat him to the mat — he has abandoned the current legislative effort to extend section 215 of the Patriot Act, which authorizes mass surveillance and is set to expire on June 1.

This was not what we expected — political handicappers had put safe money on some kind of compromise emerging from today’s session. With no such compromise in sight, McConnell will have to start over, twisting arms and knocking heads to get Congress to re-authorize another long stretch of unaccountable, secret mass surveillance. He’s got his work cut out for him as the Senate has adjourned until May 31 — 24 hours before the deadline.

The fight is not yet over as the better-than-nothing-but-not-so-good USA Freedom Act was more or less defeated in the Senate as well.

If an Ex-NSA Chief and ACLU Adviser Agree on Surveillance Reform, Why Can’t Congress?

Well here is an interesting opinion piece over at The Christian Science Monitor. Former NSA Chief, Retired General Keith Alexander and law professor Geoffrey Stone ask what, on the surface, seems like a fairly provocative question in the post-Snowden era: If an ex-NSA chief and ACLU adviser can agree on surveillance reform, why can’t Congress?:

As Americans, we share these bedrock principles: that freedom, privacy, and individual liberty are fundamental American values; that a core responsibility of our government is to keep our nation and our people safe; that the collection of intelligence is essential in the modern world to protect our nation’s security; and that, at present, the trust of the American people has been eroded and needs to be reestablished with new safeguards that ensure that the agencies charged with carrying out the collection of intelligence do so in a manner that is consistent with our deepest national values.

That is not to say that the nation’s intelligence agencies have abused their authority. To the contrary, the NSA and other intelligence agencies have worked conscientiously to operate within the express authorities that Congress, the White House, and the Foreign Intelligence Surveillance (FISA) Court have given them. Indeed, the men and women who work at NSA and other national security agencies deserve our admiration and support. Although intelligence agencies often operate out of necessity in secret, in our experience they adhere to the rule of law and comply with multiple layers of effective oversight.

I am not sure “NSA and other intelligence agencies have worked conscientiously to operate within the express authorities that Congress, the White House, and the Foreign Intelligence Surveillance (FISA) Court” is an entirely forthcoming admission. It has been exposed time and time again that either the NSA has outright lied to the FISA court, fails to disclose information, or has been found by FISA to be operating outside their authorities.

The whole opinion piece smells funny and reads like a word-game.

As mentioned in the article, it has been fifteen years since the terrorist attacks of 9/11, but what good have all the terrorism-related intelligence laws afforded the American public? The country is no safer because of so-called operational effectiveness of the counterterrorism tools Congress has provided to the intelligence community. Quite the contrary.

The only reason America is safer today is because there was an attack on American soil, killing American lives, and this opened our eyes to the very real possibility that we need to be more vigilant. American intelligence agencies have yet to prevent a single real terror plot thanks to these tools. Fifteen years of pointless mass surveillance and other authorities granted to the intelligence community have proven these tools unnecessary.

This is why it is time for reform – because things like section 215 of the Patriot Act, and section 702 of the Foreign Intelligence Surveillance Act do nothing to make the country safe. Besides, because of how the intelligence community works, all these capabilities will ultimately fall back on the Reagan era Executive Order 12333 – what amounts to a catch-all intelligence community authority allowing for just about any type of spying, including surveillance of American citizens.

Now that is something in need of reform.

US Cyber Command and Pentagon Kill $475M Cyber National Mission Force Contract

Nextgov reports about US Cyber Command and the Pentagon killing off a $475M cyber contract designed to help with the USCC Cyber National Mission Force:

Cyber Command has called off a sweeping solicitation that would have outsourced support for cyberspying and network attacks against foreigners, as well as the defense of military networks.

As of Friday afternoon, there were few details on why the five-year-old command, which is racing to staff up, revoked an April 30 request for proposals from contractors. The jobs were worth up to $475 million over five years.

Drawing major assistance from industry was supposed to help deploy the so-called Cyber National Mission Force, according to the original solicitation. The purpose of the venture was “to streamline USCYBERCOM’s acquisition of cyber mission support capabilities and services, information technology services, and cyber professional services” across multiple disciplines “under a centralized structure.”

But now the Pentagon is rethinking the whole investment.

This is an interesting development. I wonder if this means the future of the Cyber National Mission Force is in jeopardy.

US Navy Looking for Industry Assistance to Protect its Drones Against Enemy Hacks

NextGov reports about how the US Navy is looking for industry assistance to locate strong measures to protect its drones against enemy hacking attempts:

The Navy says it’s not sure what kind of cyber threats its drones, sensors and missiles are up against. That’s because aerial weapons systems were not expected to become part of the so-called Internet of Things, the present-day entanglement of networked appliances, transportation systems and other data-infused objects.

So, the Navy has kicked off a project to collaborate with outside scientists on research and development that will help protect the branch’s flying munitions from hackers, according to the agency. A key aim is to ensure assets can bounce back in the event of a cyber strike.

As the military becomes more and more educated on the need to build security from the inception of a new capability, we will see bids and requirements like this. It only makes sense to integrate security from the very beginning rather than duct-taping it on later.

Ersatz Password Scheme Deceives Hackers While Protecting Stored Passwords

ThreatPost discusses Ersatz, a rather unique scheme for protecting stored passwords while at the same time deceiving hackers, with the intent to trigger security alerts to notify security personnel of potential cracking:

Similar in theory to the Honeywords Project, developed by Ari Juels and Ron Rivest at MIT, Ersatz Passwords instead present the attacker with a long list of phony passwords, and simultaneously trigger an alert within the system notifying admins of an attempted cracking.

The paper explains that the process of computing the real password hash would require an attacker to have access to a hardware security module resident in the authentication server. That dependency makes offline cracking almost impossible. The presentation of the phony passwords is unlike Honeywords, which mixes a list of phony passwords alongside the real ones in a database; in the Ersatz scheme, the real passwords are never available to the hacker.

The researchers said that a system-side initialization of the scheme involves the application of a hardware-dependent function that is applied to each stored hash and fed to the same hash function with the original salt.

“After that, the output is stored in the password file replacing the old stored value,” the researchers wrote. “If an adversary obtains this file and tries to crack any user passwords, the probability that he will get any apparent match is negligible, even if a user password is from a standard dictionary.”

The researchers assert that this puts a serious dent in the effectiveness of offline cracking tools such as John the Ripper. The attacker would, as a result, need access to the hardware in order to properly access the correct hashes.

This sounds like a very interesting solution. I wonder how viable and practical it is in real-world use. Theoretically it appears as if it could solve a lot of the problems we face today with offline brute-force attacks against stolen password files.
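The initialization step quoted above (apply a hardware-dependent function to each stored hash, then feed the result to the same hash function with the original salt) can be sketched as follows. This is an added example, not code from the paper or from ThreatPost; the keyed HMAC in `SoftwareHDF` is an assumed software stand-in for the HSM, all names are hypothetical, and the phony-password and alerting side of the scheme is not modelled.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly


def H(data, salt):
    """The password file's ordinary salted hash (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


class SoftwareHDF:
    """Assumed stand-in for the hardware-dependent function: a keyed HMAC.
    In the scheme the key never leaves the HSM; here it is a Python object."""

    def __init__(self, key):
        self._key = key

    def __call__(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()


def initialize(password_file, hdf):
    """Replace each stored hash h with H(HDF(h), salt), keeping the salt."""
    return {user: (salt, H(hdf(old), salt))
            for user, (salt, old) in password_file.items()}


def verify(password_file, hdf, user, password):
    """Server-side login check; needs the HDF, so it cannot run offline."""
    salt, stored = password_file[user]
    candidate = H(hdf(H(password.encode(), salt)), salt)
    return hmac.compare_digest(candidate, stored)


def offline_matches(stolen_file, wordlist):
    """Dictionary attack as a cracker sees it: only H, the salt and the file."""
    return [(user, word)
            for user, (salt, stored) in stolen_file.items()
            for word in wordlist
            if hmac.compare_digest(H(word.encode(), salt), stored)]


def demo():
    # Constructed accounts with dictionary passwords, hashed the legacy way.
    legacy = {}
    for user, pw in (("alice", "password1"), ("bob", "letmein")):
        salt = os.urandom(16)
        legacy[user] = (salt, H(pw.encode(), salt))
    wordlist = ["123456", "password1", "letmein", "qwerty"]
    hdf = SoftwareHDF(os.urandom(32))
    migrated = initialize(legacy, hdf)
    return {"legacy_cracked": offline_matches(legacy, wordlist),
            "migrated_cracked": offline_matches(migrated, wordlist),
            "login_ok": verify(migrated, hdf, "alice", "password1"),
            "login_bad": verify(migrated, hdf, "alice", "letmein")}
```

The legacy file gives up both dictionary passwords to the offline loop, while the migrated file yields no match even though legitimate logins still verify on the server.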

Is This The NSA’s Secret to Cracking Secure Communications Such as SSL?

The Daily Beast digs deep into the basics behind Logjam-type vulnerabilities and asks an intriguing question: is this the NSA’s secret to cracking secure communications such as SSL?:

Yet slides in the Snowden documents revealed the NSA’s astonishing success in exploiting IPSec. The researchers outlined an approach which, although requiring the construction of a dedicated supercomputer, lies within the NSA’s grasp. Diffie-Hellman uses a prime number in its computation, and although there are an astonishing number of usable primes, most systems use a standard prime number.

The basic idea is to do a nearly astronomical amount of work precomputing partial answers needed to break any connection associated with a given prime number and then, because most systems use a common prime number, perform only a little more work to crack any given connection. So with a huge amount of initial work and money, but only a modest amount of work per connection, the NSA could break two-thirds of the IPSec connections on the planet—opening up an untold number of corporate VPNs.

The researchers have no direct evidence that the NSA did this, but I believe their suspicions are well founded. The NSA is not made up of magicians, and all its successes must have a prosaic explanation. If the NSA did indeed discover this technique unnoticed, its failure to disclose is yet more evidence that the NSA does not care about the security of non-classified systems; it would rather spend hundreds of millions of dollars developing a cracking system than simply notifying the world how to secure U.S. businesses before some other foreign intelligence service discovers the same thing.
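The cost split described in the excerpt, heavy work once per prime and little work per connection, can be seen on a toy group. This is an added example, not code from the article or the researchers: baby-step giant-step stands in for the far heavier algorithm needed at real key sizes, and the 31-bit prime, the exponents and all names are constructed for illustration.

```python
from math import isqrt

P = 2_147_483_647  # toy 31-bit prime (2**31 - 1); real groups are 1024+ bits
G = 7              # a generator of the multiplicative group mod P


class PerPrimeTable:
    """Baby-step table for (P, G). Built once, reused for every exchange."""

    def __init__(self, p, g):
        self.p, self.m = p, isqrt(p - 1) + 1
        self.table = {}
        value = 1
        for j in range(self.m):            # the expensive, one-time part
            self.table.setdefault(value, j)
            value = value * g % p
        self.giant = pow(g, -self.m, p)    # g^(-m) mod p
        self.precompute_steps = self.m

    def recover_exponent(self, public):
        """Return (x, steps) with g^x == public, using only table lookups."""
        gamma = public
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j, i + 1
            gamma = gamma * self.giant % self.p
        raise ValueError("public value is not a power of g")


def demo_shared_prime():
    table = PerPrimeTable(P, G)            # paid once per prime
    results = []
    # Constructed private exponents for two unrelated exchanges on one prime.
    for secret in (123_456_789, 987_654_321):
        public = pow(G, secret, P)
        recovered, steps = table.recover_exponent(public)
        results.append((secret, recovered, steps))
    return table.precompute_steps, results
```

The table depends only on the prime and generator, so every additional exchange that reuses them costs only the lookup loop; a group with a different prime would need its own table.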

NSA Planned Surreptitious Malware Implants in Android App Stores

Iain Thomson of The Register reports on the latest from the Snowden treasure trove. This time the report is about surreptitious malware implants by the NSA in Android app stores:

According to a presentation released from the Snowden archive to The Intercept the so-called “5 Eyes” nation’s intelligence agencies – from the US, UK, Canada, Australia, and New Zealand – spent 2011 and 2012 working out ways to subvert connections to popular app stores, such as those run by Google and Samsung, in a project dubbed IRRITANT HORN.

That the intelligence services are working on software that can subvert iOS, Android and other smartphone operating systems isn’t new. But the presentation details how operatives could intercept communications between app servers and customers to install code that could harvest personal information and even display disinformation on handsets.

The spur for this effort was the Arab Spring uprisings in the Middle East and Africa. The intelligence agencies reasoned that in such a situation then it needed to be able to put out software that could influence actions on the ground.

Just another day at Ft. Meade, MD.

Copyright © 2015, Scott Jarkoff, & all respective content owners.