Every 'Threat' The NSA Spreads FUD About Seems To Be Something The NSA Itself Is Actually Doing

from the i-guess-they-would-know... dept

Nearly a year ago, well before all the Snowden leaks, we had a discussion about how, for all the talk from Keith Alexander about how the US was facing "unprecedented cyberattacks" that might bring about a "cyber Pearl Harbor," in reality, it appeared that the real global threat to computer systems was... the US government itself, via Keith Alexander's "US Cyber Command," which had, by far, the most sophisticated and advanced digital attack unit and wasn't afraid to use it. In fact, the US government seems to think it has incredibly broad powers to attack digitally. Of course, the nature of those attacks have become a lot more clear lately. And, as a part of that, one thing that's becoming clear: every time you hear a scary story about a kind of attack that some foreigners might do, you can pretty much guarantee: the NSA has already done it.

You may recall that, late in 2012, the House Intelligence Committee, led by dishonest NSA defender Rep. Mike Rogers, put out a report claiming that Americans should not use networking equipment made by Huawei, the Chinese networking giant, hinting that the company might be inserting backdoors and spyware into the equipment for the Chinese government. Huawei -- which had actually previously publicly asked the US government to investigate it to prove that such claims were false -- was not at all pleased about this, claiming that the whole thing was libelous and "utterly lacking in substance." A month ago, Huawei suggested that it was going to just ditch the US market because of all of this.

And yet... the recent NSA revelations about its technical capabilities to backdoor various hardware products showed that it's actually the NSA which has backdoors in Huawei's equipment. That doesn't foreclose the possibility that the Chinese have hacked it as well, but it sure looks ridiculous. As the Wired article linked above summarizes: "US to China: We hacked your internet gear we told you not to hack." This certainly plays into the hands of the Chinese, who have long argued that the attack on Huawei by Mike Rogers and friends was really just an attempt to pump up US-based competitors like Cisco (whose products the NSA has also apparently compromised).

And then there's the whole "BIOS" attack thing. You may recall that the big "scoop" in the hilariously lopsided 60 Minutes infomercial for the NSA by John Miller (a counterterrorism official pretending to be a journalist), was that there was some scary foreign threat out there from another country that was going to "infect the BIOS" of every computer on earth and turn them all into bricks. Experts pointed out that the claims were pure gibberish.

Except in that same report about the NSA's technical capabilities came the news that it's the NSA that is installing malware in the BIOS. As Marcy Wheeler notes:

Most fearmongering claims the NSA makes may well be projection about its own activities.

None of this means that others (and the finger is usually pointed at the Chinese) aren't doing the same sorts of things themselves. But it sure does seem pretty hypocritical to go around fearmongering about the things that we, ourselves, are doing.

Filed Under: bios, china, cyberattacks, fud, nsa, threats
Companies: huawei

Report Suggests NSA Engaged In Financial Manipulation, Changing Money In Bank Accounts

from the that-would-be-big dept

Matt Blaze has been pointing out that when you read the new White House intelligence task force report and its recommendations on how to reform the NSA and the wider intelligence community, that there may be hints to other excesses not yet revealed by the Snowden documents. Trevor Timm may have spotted a big one. In the recommendation concerning increasing security in online communications, the second sub-point sticks out like a sore thumb: If you can't read that, it says:

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial system.

While there have been plenty of reports about the US running hundreds of offensive cyberattacks on others, outside of things like Stuxnet, not many have been directly identified. And I'm unaware of any claims suggesting attempts to "manipulate the financial system" of any particular country and/or to "change the amounts held in financial accounts." It seems a bit odd to come out of the blue like that, and certainly suggests that this particular bullet point likely came as a result of a rather specific thing that came up during the task force's review.

So, now we wait for the inevitable news of what sort of financial shenanigans the NSA was up to.

Filed Under: cyberattacks, financial manipulation, nsa

Kurt Eichenwald Claims Snowden Is A Chinese Spy And Leaks Are Just To Protect Their Cyber Attacks

from the good-luck-with-that dept

And the attempts to tar and feather Ed Snowden continue. The latest is that famed reporter Kurt Eichenwald, who started attacking Ed Snowden months ago, has written up a long speculative article for Newsweek arguing that Ed Snowden has "escalated the cyber war" by giving China the necessary cover it needs to avoid reining in its own cyber attacks. There are a lot of words in the piece -- in usual Eichenwald fashion -- which just add flowery language around the basic point:

"Snowden changed the argument from one of 'The Chinese are doing this, it's intolerable' to 'Look, the U.S. government spies, so everybody spies,' '' says Richard Bejtlich, chief security officer at Mandiant, the firm that linked hacking intrusions in America to the Chinese military. "Of course the U.S. spies, but none of what the U.S. is doing is benefiting American business, and pretty much everything the Chinese are doing is benefiting Chinese businesses."

That is, if you follow the bizarre logic here, without Snowden, Eichenwald believes that the US would have somehow convinced the Chinese to stop their cyber attack program. And, now because of Snowden, the Chinese can ignore that effort, by pointing out that the US is doing a ton of online hacking too. This is ludicrous on multiple levels. First: the idea that China would actually back off of its online efforts is simply not based in reality. They're going to attack and they're gong to keep attacking. Second, there's the idea that it's Snowden's fault that China now has this excuse not to stop hacking. It wasn't Snowden who made the decision to have the NSA overreach in its operations. That's on the US government -- but in Eichenwald's mind (fed heavily by US intelligence community employees) -- the US government can do no wrong and its spying is "different" than Chinese activities, because it's for good reasons.

Of course, this is the same excuse that defenders of bad state behavior always use. In fact, it's the same excuse that the Chinese use for many of their own online activities -- such as the Great Firewall of China, which they don't see as censorship, but providing a better internet.

But, Eichenwald then goes even further into the ridiculous zone when, on Twitter, he flat out stated that he's sure Snowden is actually a Chinese spy:

@jonzomatthews Let me say it bluntly: Do I believe Snowden is a Chinese spy? Yes. And that is why he left ALL of the documents in Hong Kong.

— Kurt Eichenwald (@kurteichenwald) November 1, 2013

Again, nearly everything about that statement is ridiculous. He didn't "leave all of the documents in Hong Kong." He provided heavily encrypted versions to a very small number of journalists, and then got rid of the files himself. Eichenwald takes that to mean he "left" them in Hong Kong, based on nothing, and all of this apparently means that Snowden is working for the Chinese (even though he left China pretty quickly).

Of course, all of this is coming out even as more and more officials around the world, including in the US, are recognizing how important the Snowden leaks have been in showing the nature of how the NSA has gone way beyond what it's supposed to be doing. It really feels like Eichenwald's piece is just a last gasp effort by his friends in the intelligence community to try to tar and feather Snowden rather than take responsibility for their own activities.

Filed Under: china, cyberattacks, ed snowden, espionage, kurt eichenwald

NSA Claims It Doesn't Do Online Attacks; That's A Different Organization... Run By The NSA

from the who-do-they-think-they're-kidding dept

There are times you just shake your head and wonder who the NSA top officials think they're kidding with their statements. Take, for example, some recent comments from the NSA's number two guy in charge, Chris Inglis, the Deputy Director, who gave an interview to the BBC where he tried to paint the NSA as not being quite as bad as everyone says, but admitted that there could be more transparency. That's all the usual stuff, but the following tidbit caught my eye:

The job of the NSA, Mr Inglis said, was to exploit networks to collect intelligence in cyberspace and to defend certain networks - but not carry out destructive acts.

"NSA had a responsibility from way back, from our earliest days, to both break codes and make codes," he said. "We have a responsibility to do intelligence in a space we once called the telecommunications arena - now cyberspace - and the responsibility to make codes or to defend signals communications of interest.

"That's different than what most people conceive as offence or attack in this space."

That task of destructive cyber attack, if ordered, lies with the US military's rapidly expanding Cyber Command.

Except, as we've noted more than a few times, US Cyber Command is the NSA. It's run by Keith Alexander, the director of the NSA, and it's housed in the same place as the NSA. For all intents and purposes, US Cyber Command is the NSA, and Alexander has no problem at all swapping hats depending on what's most convenient. He regularly tries to talk about "protecting the network" when it suits him, ignoring that the same efforts he's looking at (greater access to corporate networks) would also make it much easier for the NSA and US Cyber Command to launch offensive attacks -- which Snowden's leaks proved the NSA did hundreds of times.

Pretending the two are different, and that the NSA only focuses on "breaking codes and making codes" is yet another bogus claim from an NSA official, adding to a very long list.

Filed Under: attacks, chris inglis, cyberattacks, cybersecurity, nsa, online attacks, us cybercom

Feds Waged Hundreds Of Cyberattacks On Other Countries; Spent $25 Million Buying Vulnerabilities

from the we-are-the-cybersecurity-threat dept

It's pretty typical for companies and governments hoping to "bury" important bad news to release it late on a Friday evening, hoping to miss the news cycle. If you're extra lucky, that Friday happens to come right before a long weekend, such as Labor Day. But, for the life of me, I can't figure out why a major news publication, like the Washington Post would break a big story on a Friday night before Labor Day weekend, pretty much guaranteeing that it doesn't get very much attention at all. Very bizarre -- but we figured we'd try to bring this story to you guys on Tuesday, back after the week is underway so the story doesn't get lost. The details: as suspected, the US is actually one of the leading proponents of offensive cyberattacks. This isn't a huge surprise, since they've more or less admitted to having "broad powers" but there have been questions both about the rules of engagement and just how often the US uses these capabilities.

Wonder no more. The Washington Post's Barton Gellman has the story from the black budget, showing 231 offensive cyber-operations in 2011, a number that likely went up quite a bit in 2012 (and again in 2013). For all the hype about "cybersecurity" threats from abroad, it still looks like the biggest cybersecurity threat out there is our own government. And, yes, everyone already knows about Stuxnet, and it sounds like most of these offensive efforts aren't nearly as ambitious, but there's still a lot going on.

Separately, the story confirms earlier reports that the US government is a huge purchaser of exploits from various hackers, choosing to exploit them, rather than use them to help protect our systems. For 2013, the feds budgeted $25.1 million for the "additional covert purchases of software vulnerabilities." But, that's really on a fraction of the number of exploits. The report notes that most vulnerabilities the NSA uses actually are designed at home.

Also those few hundred attacks appear to downplay the capabilities of the NSA (and the CIA) should they want to do more, because it sounds like they've hacked into a variety of networks and have zombie machines at the ready:

By the end of this year, GENIE is projected to control at least 85,000 implants in strategically chosen machines around the world. That is quadruple the number — 21,252 — available in 2008, according to the U.S. intelligence budget.

The NSA appears to be planning a rapid expansion of those numbers, which were limited until recently by the need for human operators to take remote control of compromised machines. Even with a staff of 1,870 people, GENIE made full use of only 8,448 of the 68,975 machines with active implants in 2011.

For GENIE’s next phase, according to an authoritative reference document, the NSA has brought online an automated system, code-named TURBINE, that is capable of managing “potentially millions of implants” for intelligence gathering “and active attack.”

While the fact that the NSA is doing all of this isn't a huge surprise and merely confirms earlier reports, the actual scale of the operations is certainly quite eye-opening.

Filed Under: black budget, cyberattacks, ed snowden, genie, nsa, nsa surveillance, offensive attacks, stuxnet, surveillance

Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them

from the whoa dept

Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass data on users over to the government, but to share exploit information, sometimes before it's public or patched -- in some cases so it can be useful for the US government to use proactively. Last month, we had written about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn't clear at the time that some of these exploits were coming directly from the companies themselves.

The report names one major participant: Microsoft:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.

The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community -- in which the telcos willingly and voluntarily hand over massive amounts of user data. There's no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The article later notes that the big telcos -- AT&T, Verizon, Sprint, Level3 and CenturyLink -- have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn't make them liable for violating wiretapping laws.

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink Inc (CTL). -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

Suddenly the "blanket immunity" clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.

Filed Under: cyberattacks, cybersecurity, nsa, offensive cyberattacks, security, sharing, us government, zero day exploits
Companies: at&t, centurylink, level3, microsoft, sprint, verizon

Latest Leak: Obama Wants A List Of Countries To Cyberattack

from the but-of-course dept

Another day, another leak -- and once again, it's not much of a surprise, but rather a confirmation of what's long been suspected. This time, it's that President Obama has ordered the US to draw up a list of "targets" for proactive cyberattacks, as revealed (yet again) by Glenn Greenwald at the Guardian. This is a point we'd raised months ago. For all the talk of "cybersecurity" fears, it's the US that's been the biggest proponent of proactive cyberattacks.

The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) "can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging".

It says the government will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power".

The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.

Again, this shouldn't be a surprise if you're paying attention. Back in February, we noted that the White House had done an internal "legal review" and decided for itself that it had broad powers when it came to cyberattacks.

I'm guessing we're still going to be seeing a lot more big leaks in the near future....

Filed Under: cyberattacks, cybersecurity, hacking, president obama

IBM Sends 200 Execs To Capitol Hill To Demand The Right To Send Your Private Info To The NSA

from the nice-one,-guys dept

We've talked about various tech companies supporting CISPA, which is really shameful and short-sighted. Yes, it protects them from liability if they trample all over your privacy and provide your private info to the government -- which is why they support it. But if they were truly customer focused companies, they would know that violating your privacy is no way to build a loyal customer base. And, apparently, the right to violate your privacy and hand that info to the government is so important to IBM that it has sent 200 executives to Capital Hill today to lobby in favor of passing CISPA. CISPA is expected to go to a floor vote in the House either this Wednesday or Thursday.

Nearly 200 senior IBM executives are flying into Washington to press for the passage of a controversial cybersecurity bill that will come up for a vote in the House this week.

The IBM executives will pound the pavement on Capitol Hill Monday and Tuesday, holding nearly 300 meetings with lawmakers and staff. Over the course of those two days, their mission is to convince lawmakers to back a bill that’s intended to make it easier for industry and government to share information about cyber threats with each other in real time.

What they still can't explain is what laws currently get in the way of this information sharing? We've been asking for years and no one has answered. Everyone agrees that information sharing around an attack can be useful in stopping it, but no one has explained why that information sharing (a) requires a new law or (b) can't be done without wiping out all basic privacy protections for personal info currently provided under existing law.

Even more ridiculous is that IBM flat out admits that they want to be able to send your info to the NSA. We've pointed out for a while that one of the major concerns with CISPA is that the NSA -- a military agency -- would get access to your info, despite the general prohibition on spying on Americans. Of course, the NSA has twisted that mandate ridiculously, such that it believes it can now spy on anything so long as they claim it may help them in finding a foreign threat. Technically, the law is about the "target" of the information, and the NSA (and potentially the secret ruling from the FISA Court) has interpreted this to mean that as long as the target of the investigation is as foreign threat, then the NSA can snoop through anything in pursuit of that target.

Of course, most folks have been trying to play down the fact that the NSA would get the info. But not IBM. Nope, they're thrilled to send your private info right to the NSA:

[IBM VP of government affairs Chris] Padilla, however, says companies need to be able to share threat data directly with the NSA “because that’s where the expertise is.”

“It really is a simple matter. The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency,” he said. “They tend to know the most, the soonest about cyber threats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.”

While the NSA does have some knowledge on cybersecurity, it's an exaggeration to suggest that they have "the expertise" on the subject. It also does nothing to explain why your private info should be included.

Filed Under: chris padilla, cispa, congress, cyberattacks, cybersecurity, lobbying, nsa, privacy, private info
Companies: ibm

CISPA Wouldn't Actually Solve The Reasons Congress Is Giving For Why We Need CISPA

from the it's-the-little-things... dept

As expected, Representatives Mike Rogers and Dutch Ruppersberger have reintroduced CISPA, exactly as it was when it passed the House last year. Incredibly, we've been hearing that they've brushed off the massive privacy concerns by claiming that those were all "fixed" in the final version of the bill that got approved. This is highly disingenuous. While it is true that they made some modifications to the bill at the very end before it got approved, most privacy watchers were (and are) still very concerned. They did convince one organization to flip-flop, and they seem to think that's all they need.

But, here's the thing that no one has done yet: explain why this bill is needed. With President Obama's executive order in place, the government can more easily share threat info with companies, so really the only thing that CISPA piles on is more incentives for companies to cough up private information to the government with little in the way of oversight or restrictions on how that information can be used. And given how frequently the government likes to cry "cyberattack" when it's simply not true, it's only a matter of time before they start using claims of "cyberthreat!" to troll through private information.

And they still refuse to explain why this is needed. We hear lots of scare stories, but no explanation for how this bill helps. For example, Ruppersberger has written up an oped for the Baltimore Sun in which he lays out the reasons we need CISPA, but it's all scare stories, without a single explanation for how CISPA would help. And that's because it wouldn't.

March: Hackers allegedly steal the credit card numbers from 1.5 million Visa and MasterCard customers by breaking into the computer systems of the company's payment processor in New York. The thieves stockpiled the stolen credit card numbers for months before beginning to use them.

Payment processors already have some of the best security people in the world and have a large and widespread community of folks who do nothing but think about security issues for this industry. At what point would that lead the payment processor or Visa or Mastercard to need to hand information over to the government?

August: Cyber attackers disrupt production from Saudi Aramco, the world's largest exporter of crude oil, taking out 30,000 computers in the process, according to press reports.

Saudi Aramco is a Saudi Arabian company. Not sure why they would be sharing info with the US government or how CISPA would relate to them at all.

January: PNC Bank announces to its 5 million customers that its website is getting hit with high traffic consistent of a cyber attack meant to delay business with its online banking customers.

Again, why would PNC need to give information to the government? And, if they could alert their customers to the threat, they can also alert the government. None of that requires the ability to share customer info.

These are just three reported examples of cyber attacks in the past 12 months. Each could have had a devastating impact on the U.S. and global economies. That's more than a bad dream — that's a full-blown nightmare.

These are just three scare stories of cyber attacks in the past 12 months, none of which would have been impacted by CISPA. So why do we need it again?

Highly trained Chinese, Russian and Iranian hackers are probing, pilfering and plotting every second of every day. They're often after personal data: In November, reports suggested a hacker was able to access nearly 4 million tax returns in South Carolina with a single malicious email. And they're often after the trade secrets of our companies: The media has reported that Coca-Cola may have fallen victim to hackers from a Chinese beverage company.

Again, what does any of that have to do with CISPA?

Many believe that what is happening to American business may be the largest transfer of wealth in the history of the world. It's costing our companies billions of dollars, and it's costing our country thousands of jobs.

Many believe that's pure hogwash. It's not the largest transfer of wealth in the history of the world. It's not costing companies billions of dollars and it's certainly not costing our country thousands of jobs.

Preventing the U.S. government from sharing information about malicious computer code it detects is akin to preventing forecasters from warning citizens about a hurricane.

Except the government already could share a lot of information, and with the executive order can now share more. So why do we need CISPA?

Our legislation doesn't just protect companies. It will also protect every American citizen who, for example, uses electricity or banks online, or whose doctor compiles medical records electronically.

How? It's a serious question. You can talk about all of these hacks, and you can say "yay, cybersecurity bill!" but if you don't explain specifically how that bill does anything to actually stop those attacks or to protect Americans, you're full of it.

It's important to note that under my legislation, your private information will also be kept private from the government. Information-sharing between companies and the government will be entirely voluntary. Businesses do not have to share information with the government in order to receive information from the government. The bill does not authorize the government to monitor your computer or read your email, Tweets or Facebook posts. Nor does it authorize the government to shut down websites or require companies to turn over personal information.

The first sentence is simply not true. Your private information can be shared with the government, so to say that it absolutely will be kept private is simply wrong. The second and third sentences are misleading. Yes, the information sharing is "voluntary" but since there are broad immunity exemptions, if the government is coming to most companies and saying "share this info for cybersecurity reasons, and you can't get sued for doing so," how many companies are going to stand up to the government and say no? There may be a very small number, but for the most part, companies will hand over the info. The fourth and fifth sentences are simply meaningless, because they are unrelated to the legitimate privacy concerns raised.

Once again, we're left in the same boat as before. Lots of scare stories but no explanation of why CISPA is needed or how it actually helps. The whole thing is just way too broad, with vague justifications that simply don't make much sense when you look at the actual threats compared to what the bill would allow.

Filed Under: cispa, congress, cyberattacks, cybersecurity, dutch ruppersberger, mike rogers, privacy

White House Declares It Has 'Broad Powers' When It Comes To Cyberattacks

from the well,-of-course dept

In a bit of news that will shock just about no one, the Obama administration did a legal review over what it's allowed to do in making use of "cyberweapons," and concluded that it has "broad powers" to do all sorts of stuff. The specifics, of course, will remain classified:

That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation's first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code - even if there is no declared war.

Comforting, huh? And, by comforting, I mean "terrifying." While we've already talked a few times about the US using "cyber weapons" against Iran (hello Stuxnet, Flame, etc.) this NY Times report suggests that the White House is being freed up to do much more, though one "concession" is that the use of such tools must be approved by the President, rather than allowing various agencies (Defense Department, mainly) to run off and starting attacking others electronically without first getting it approved by the President.

In the meantime, this looks like yet another case of the White House not minding leaks that make it look good. As we've noted, whenever there are leaks that embarrass the White House, they come down like a ton of bricks on whoever did the leaking as being guilty of espionage. But when the White House itself leaks information about how awesome and powerful they themselves are, no one ever seems to get arrested.

Filed Under: administration, cyberattacks, cyberwar, powers, white house