Archive for November 2013
[*Passive NSA Acknowledgement of Over-reaching Its Own Authority?]
By JAMES RISEN and LAURA POITRAS
Published: November 22, 2013
WASHINGTON — Officials at the National Security Agency, intent on maintaining its dominance in intelligence collection, pledged last year to push to expand its surveillance powers, according to a top-secret strategy document.
In a February 2012 paper laying out the four-year strategy for the N.S.A.’s signals intelligence operations, which include the agency’s eavesdropping and communications data collection around the world, agency officials set an objective to “aggressively pursue legal authorities and a policy framework mapped more fully to the information age.”
Written as an agency mission statement with broad goals, the five-page document said that existing American laws were not adequate to meet the needs of the N.S.A. to conduct broad surveillance in what it cited as “the golden age of Sigint,” or signals intelligence. “The interpretation and guidelines for applying our authorities, and in some cases the authorities themselves, have not kept pace with the complexity of the technology and target environments, or the operational expectations levied on N.S.A.’s mission,” the document concluded.
Using sweeping language, the paper also outlined some of the agency’s other ambitions. They included defeating the cybersecurity practices of adversaries in order to acquire the data the agency needs from “anyone, anytime, anywhere.” The agency also said it would try to decrypt or bypass codes that keep communications secret by influencing “the global commercial encryption market through commercial relationships,” human spies and intelligence partners in other countries. It also talked of the need to “revolutionize” analysis of its vast collections of data to “radically increase operational impact.”
See Also: Supporting Intel 2020: Presented by Mr. Henry Muller, Director, Intelligence & Information Warfare Directorate: Intelligence, Surveillance, and Reconnaissance (ISR) S&T Challenges Given on 20 Sep 2013
Four cyber-security experts testified before a Senate committee about the Healthcare.gov website’s lack of security and risk of exposure to Americans.
All four cyber security experts unanimously concurred that, given the security issues, Americans should not use the site at present.
“It’s not only social security numbers … it’s one of the largest collections of personal data, social security and everything else, that we’ve ever seen,” said David Kennedy, CEO of information security firm TrustedSEC.
One key problem facing Healthcare.gov is that security wasn’t built into the site from the very beginning, he said — an opinion shared by both Kennedy and Fred Chang, the distinguished chair in cyber security at Southern Methodist University.
“There’s not a lot of security built into the site, at least that’s what we can see from a 10,000 foot view,” Kennedy told the committee.
Kennedy told FoxNews.com he based this on an analysis revealing a large number of SQL injection attacks against the healthcare.gov website, which are indicative of "a large amount" of hacking attempts.
‘I would say the website is either hacked already or will be soon.’
– David Kennedy, CEO of information security firm TrustedSEC
"Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures – if a hacker wanted access to the site or sensitive information – they could get it," he told FoxNews.com.
The operators of the crippled Fukushima nuclear plant have postponed the extremely complicated and difficult task of removing damaged atomic rods.
New video footage from a robot has revealed new leaks within the damaged reactors, meaning the rods now can’t be taken out as planned.
(Reuters) – Activist hackers linked to the collective known as Anonymous have secretly accessed U.S. government computers in multiple agencies and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week.
The hackers exploited a flaw in Adobe Systems Inc’s software to launch a rash of electronic break-ins that began last December, then left "back doors" to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.
The memo, distributed on Thursday, described the attacks as "a widespread problem that should be addressed." It said the breach affected the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.
Investigators are still gathering information on the scope of the cyber campaign, which the authorities believe is continuing. The FBI document tells system administrators what to look for to determine if their systems are compromised.
An FBI spokeswoman declined to elaborate.
Excerpt from Million Mask March speech
November 5, 2013
We declare our Independence from the Enlightened Few who seek to Subjugate and Rule.
We declare our Freedom from an All powerful Bureaucracy.
Power belongs to the Governed and is better managed locally.
We declare our intention as the Children of Love and Freedom, to fill this Earth with lives full of LOVE, RESPECT, & THANKSGIVING, not servitude to the ever more Heartless Iron Fist.
We are now Awakened and United, and as people with hopes and feelings, deserving of the bounty this Planet can provide.
Let Us contemplate these words. Meditate on their Meaning, and Let Us return a year from now, on November 5, 2014, a Stronger, Wiser, Infinitely Loving People ready to Give more than we Take.
Humanity will either Transcend its baser impulses or we shall allow ourselves to be Destroyed.
If there is to be a New World Order, let the People decide what it is to be. We have seen enough war, pestilence, famine, and death. A new age of Freedom, Charity, Peace, and Love has begun so that all the Peoples of America & the World may Thrive.
The change that is going to happen and is happening right here right now needs to start with you. Their power is the people’s ignorance.
To all of the soldiers around the world of every nation, right now I ask you to stand down and return home to your families.
To the Powers that Be, We the People stand here united upon this common ground of fairness, justice and freedom, We have come here not only with anger in our eyes but with love in our hearts. We the People will bestow upon you the mercy you have denied others.
We will not stop. We will not give up.
You should have expected us.
A blog covering security and security technology.
October 9, 2013
The NSA’s New Risk Analysis
As I recently reported in the Guardian, the NSA has secret servers on the Internet that hack into other computers, codename FOXACID. These servers provide an excellent demonstration of how the NSA approaches risk management, and expose flaws in how the agency thinks about the secrecy of its own programs.
Here are the FOXACID basics: By the time the NSA tricks a target into visiting one of those servers, it already knows exactly who that target is, who wants him eavesdropped on, and the expected value of the data it hopes to receive. Based on that information, the server can automatically decide what exploit to serve the target, taking into account the risks associated with attacking the target, as well as the benefits of a successful attack. According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options. The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head — all delivered from a FOXACID subsystem called Ferret Cannon. Oh how I love some of these code names. (On the other hand, EGOTISTICALGIRAFFE has to be the dumbest code name ever.)
Snowden explained this to Guardian reporter Glenn Greenwald in Hong Kong. If the target is a high-value one, FOXACID might run a rare zero-day exploit that it developed or purchased. If the target is technically sophisticated, FOXACID might decide that there’s too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FOXACID might run an exploit that’s less valuable. If the target is low-value and technically sophisticated, FOXACID might even run an already-known vulnerability.
According to Snowden, the TAO — that’s Tailored Access Operations — operators running the FOXACID system have a detailed flowchart, with tons of rules about when to stop. If something doesn’t work, stop. If they detect a PSP, a personal security product, stop. If anything goes weird, stop. This is how the NSA avoids detection, and also how it takes mid-level computer operators and turns them into what they call "cyberwarriors." It’s not that they’re skilled hackers, it’s that the procedures do the work for them.
And they’re super cautious about what they do.
While the NSA excels at performing this cost-benefit analysis at the tactical level, it’s far less competent at doing the same thing at the policy level. The organization seems to be good enough at assessing the risk of discovery — for example, if the target of an intelligence-gathering effort discovers that effort — but to have completely ignored the risks of those efforts becoming front-page news.