Archive for NSA

NSA, FBI and CISA Release Cybersecurity Information Sheet On Deepfakes And Their Threats To Organizations

Posted in Commentary on September 14, 2023 by itnerd

The NSA, FBI and CISA have released a cybersecurity information sheet (CSI) called Contextualizing Deepfake Threats to Organizations. Here’s the TL;DR via this media alert:

Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.

The authoring agencies urge organizations review the CSI for recommended steps and best practices to prepare, identify, defend against, and respond to deepfake threats.

Allen Drennan, Principal & Co-Founder, Cordoniq had this to say:

“The threat of deepfakes has been an ongoing challenge, however with the introduction of unregulated AI data mining that could provide unfettered access to media, this elevates the threat to a whole new level. Consumers who have provided photos, videos, audio and recordings to third-party social networks, email host providers and even online meeting solutions may find that their likeness is easily consumed by AI training models to better recreate deepfakes that not only look and sound like their intended target but also behave like them. Since many of these organizations maintain information for protracted periods of time as part of their terms of service, consumers may find these AI models can train against their likeness retroactively. Federal regulation of privacy as it relates to consumer provided content to companies and organizations is critical in preventing the wide-spread use of deepfakes.”

This cybersecurity information sheet is very much worth reading as this is an emerging threat that all should take seriously. And with emerging threats, it’s better to get out front of them rather than be on the defensive.

NSA Releases Guidelines On Mitigating Software Memory Safety Issues

Posted in Commentary on November 15, 2022 by itnerd

Yesterday the NSA released guidelines on how organizations can implement protections against software memory safety issues. Here’s a snippet from the press release on the topic:

The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.
 
“Memory management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”
 
Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program’s performance over time, and program crashes.

I got commentary from Yotam Perkal, Director, Vulnerability Research at Rezilion on this guidance:

Regarding the NSA guidelines, it is true that the majority of exploitable vulnerabilities in languages such as C and C++, are due to memory issues. That said, these languages are still extremely widely used especially in applications that are performance oriented. In the latest StackOverflow developer survey, close to 40% of developers claimed to be using either C or C++ in their daily work, even in open source projects over 15% of the code is still written in these languages (see here). Hence, I don’t see them disappearing any time soon. 

It is also important to note that even with a memory safe language, memory management is not entirely memory safe as most of these languages allow the developers the flexibility to perform potentially unsafe memory management tasks. Moreover, for an existing project, migration of code from one language to another isn’t a trivial task and requires skilled workforce in both the source and target language. So all in all I think while the recommendation is valid, I don’t believe it will be widely adopted. 

Organizations that do have applications written in memory unsafe languages, should definitely take efforts to make sure they perform proper testing (SAST and DAST) as part of the development cycle in order to identify potential memory issues before code makes its way to production. They should also make sure to enable various binary hardening mechanisms such as ASLR, CFG, NX bit and others while compiling code written in memory unsafe languages. These mechanisms make potential exploitation far more complex. There are open-source tools that enable evaluation of binary hardening status for existing binaries such as checksec.sh.

For open-source projects, there is a possibility to check eligibility to enroll to Google’s OSS-Fuzz project which aims to make common open source software more secure and stable by performing automated fuzzing.

I would recommend that software developers read this guidance and take Mr. Perkal’s advice to make sure that their applications are less exploitable. Because these are dangerous times that we live in, and anything that one can do to minimize the risk of an application that can be exploited is a good thing.
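The binary hardening evaluation mentioned in the commentary above, as an added example that is not part of the original post or of the checksec.sh project: it reads an ELF64 program header table and reports whether the stack is non-executable (NX), whether the image is position independent (which ASLR needs to randomize the main binary), and whether a RELRO segment is present. The names `elf_hardening` and `build_sample` are hypothetical, the two sample images are constructed in the code, and Windows-only mitigations such as CFG are out of scope.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1  # segment is executable

def elf_hardening(data: bytes) -> dict:
    """Report NX, PIE and RELRO-segment status of a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table is truncated")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # A missing PT_GNU_STACK is reported as "no NX": the loader's default applies.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # ET_DYN also covers shared libraries; treat it as "position independent".
        "pie": e_type == ET_DYN,
        # Segment present = at least partial RELRO; full RELRO also needs BIND_NOW.
        "relro_segment": relro,
    }

def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed input: an ELF64 header plus program headers, no code or data."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in segments)
    return header + phdrs

if __name__ == "__main__":
    hardened = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    legacy = build_sample(ET_EXEC, [(PT_GNU_STACK, 7)])
    print("hardened:", elf_hardening(hardened))
    print("legacy:  ", elf_hardening(legacy))
```

To check a real build artifact, pass the file's bytes to `elf_hardening` and fail the build when `nx` or `pie` comes back false.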

Smile! You’re In The NSA’s Facial Recognition Database!

Posted in Commentary on June 1, 2014 by itnerd

Let’s see how this goes over with the US Public.

According to the New York Times, the NSA, who aren’t exactly in the good books with the American public, are collecting millions of photos for a facial recognition database:

The spy agency’s reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency’s ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed.

The agency intercepts “millions of images per day” — including about 55,000 “facial recognition quality images” — which translate into “tremendous untapped potential,” according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show.

One NSA PowerPoint presentation described by the newspaper included several images of the same man in different settings and appearances, along with data points such as travel status and known associates. Creepy, isn’t it?

Now, here are the key questions that need to be asked. The NSA is supposed to do foreign intelligence. So are any Americans caught up in this? How can Americans be assured of the lawfulness of this?

I cannot wait to see what the answer to that is.

Yikes! The NSA Was Able to Capture Live Data From Compromised iPhones [UPDATED]

Posted in Commentary on December 31, 2013 by itnerd

Forbes Magazine is reporting that, according to security researcher Jacob Appelbaum, the NSA could install special software onto iPhones as part of a program called DROPOUTJEEP that provides significant access to user data and other information:

DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted

The NSA, according to leaked documents, claims a 100% success rate. Here’s what Appelbaum thinks:

“Do you think Apple helped them build that?” Appelbaum asks at one point in his talk. “I don’t know. I hope Apple will clarify that… Here’s a problem: I don’t really believe that Apple didn’t help them. I can’t really prove it, but they [the NSA] literally claim that anytime they target an iOS device, that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I’d like to believe that since Apple didn’t join the PRISM program until after Steve Jobs died, that maybe it’s just that they write shitty software.”

Ouch. That’s harsh.

There’s no comment yet from Apple. But they would be wise to comment on this and quickly.

UPDATE: All Things Digital has posted a comment from Apple denying any knowledge or participation in the above.

The NSA REALLY Likes The iPhone

Posted in Commentary on September 9, 2013 by itnerd

Now I have to admit that I had an “oh crap” moment when I saw this news.com article about the reasons why the iPhone is loved by the NSA. But the more I read it, the (somewhat) better I felt. First, this is what got my attention:

The NSA can retrieve user data on iOS, Android, and BlackBerry devices, according to internal classified documents obtained by German news outlet Der Spiegel. Special task forces within the agency have reportedly studied the three mobile platforms with the goal of accessing the contacts, instant messaging traffic, and location data found on the devices.

The classified documents don’t point to any “large-scale” snooping of smartphone owners, but they do highlight the historic record of a few specific cases. And as detailed in a follow-up story published Monday by Der Spiegel, Apple’s iPhone has been a favorite among NSA agents for several reasons.

The article then goes on to explain how the NSA gets data from iPhones:

NSA programs called “scripts” can spy on 38 different features of the iPhone operating system, though the documents — at least one of which dates back to a 2010 NSA internal report — list just iOS 3 and 4 as the accessible versions. These features include mapping, voice mail, photos, and such apps as Facebook, Yahoo Messenger, and Google Earth.

The NSA also uses the iPhone’s backup files as another infiltration tool, according to Der Spiegel. These files contains such tidbits as contact lists, call logs, and drafts of text messages. And to grab this data, agents don’t even need to hit the iPhone itself — they can simply access the PC used to synchronize with the phone.

Now that’s the part that makes me feel somewhat better. The versions of iOS being referenced in the story are versions 3 and 4. Now that does not mean any later version such as iOS 6 has anything that the NSA can leverage. We just do not know if that’s the case. Another thing that makes me feel somewhat better is that, at least according to the story, there’s no large-scale snooping going on that anyone knows about. Finally, when it comes to the backup files, perhaps encrypting them will make them unreadable, as you do have that option. Though there’s a report that the NSA can crack encryption, so who knows?

Hmmm… Re-reading all of this, I don’t feel somewhat better actually. Does anyone else feel the same?

 

German Security Chief Says To Ditch American Services To Avoid NSA Spying…. #Fail

Posted in Commentary on July 5, 2013 by itnerd

For the last few weeks, the planet has been watching the circus that has been created by Edward Snowden and his leaks about the NSA and their spying activities. For German Interior Minister Hans-Peter Friedrich, the fact that the NSA spies on Internet traffic has got his attention. Thus, he offers this advice:

“whoever fears their communication is being intercepted in any way should use services that don’t go through American servers.”

Good luck with that. When you do anything on the Internet, your traffic can go through any number of routes regardless of what service you’re using or where the service is hosted. So there is always a chance that your traffic can go through a place that the NSA monitors. Mr. Friedrich’s comments also don’t factor in the possibility that some other agency might be monitoring what you’re doing. So simply avoiding Facebook, Google, and Twitter will not get you very far. A more realistic response should be to assume that everything that you do online is being monitored. Thus you have to govern yourself accordingly.

In the meantime, perhaps Mr. Friedrich needs to rethink his comments.