Archive for NSA

North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts

Posted in Commentary on May 7, 2024 by itnerd

So let’s do a bit of quick education before we get to the story.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that lets a domain owner protect the domain from unauthorized use, commonly known as email spoofing. It builds on SPF and DKIM: the owner publishes a policy in DNS that tells receiving mail servers what to do with messages that fail those checks (p=none to only monitor, p=quarantine, or p=reject) and where to send reports about them.

With that out of the way, this story will now make a bit more sense. The NSA has put out an advisory about North Korean actors who are exploiting weak DMARC policies to make their spearphishing of targets in the US and beyond look legitimate:

The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications.

“Spearphishing continues to be a mainstay of the DPRK cyber program and this CSA provides new insights and mitigations to counter their tradecraft,” said NSA Cybersecurity Director Dave Luber. 

The report contains background on the DPRK’s cyber program and past information-gathering examples, an explanation of how a strong Domain-based Message Authentication Reporting and Conformance (DMARC) policy can help block DPRK actors, red flag indicators of malicious activity, two sample emails used by DPRK cyber actors, and mitigation measures.

Al Iverson, Industry Research and Community Engagement Lead for Valimail had this comment: 

“North Korea found a way to exploit something that security and deliverability experts have been worried about over these past few months; there’s a whole bunch of domain owners out there who are not necessarily security savvy, and perhaps focused more on email marketing efforts. Those domain owners (and there are more than a million of them out there) were quick to implement a bare minimum DMARC policy to comply with new mailbox provider sender requirements. What they didn’t realize is that this can leave the domain unprotected against phishing and spoofing.

People must protect their domain by fully implementing DMARC properly to ensure that bad guys find no phishing or spoofing success when they work their way down the list of domains… to yours.

The NSA, the FBI and the U.S. Department of State have identified this as an issue already and Valimail is fully aligned with the advisory they issued at the end of the week.”

If I were the person in charge of email in an organization, I’d be reading this report and then getting to work on how not to be the North Koreans’ next victim. Because clearly this is a today problem and not something that you can get to whenever.
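
The distinction the story turns on is between a record that only monitors and one that actually acts on spoofed mail. The following is an added example (not from the advisory or from Valimail) that parses a DMARC TXT record the way a receiver would and flags the settings that leave a domain exposed: p=none, a weakened subdomain policy, a partial pct, and no reporting address. The sample records, the example.com addresses and the function names parse_dmarc and assess are mine.

```python
"""Classify a DMARC TXT record as monitor-only or enforcing.

Added example; not from the joint advisory or from Valimail. A domain's DMARC
policy is published as a TXT record at _dmarc.<domain>. The p= tag tells
receivers what to do with mail that fails SPF/DKIM alignment: p=none means
"deliver it anyway and just report", which is the bare-minimum policy the
post is talking about; p=quarantine and p=reject actually act on spoofed mail.
Sample records below are constructed.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def assess(record):
    """Return (enforcing, findings); enforcing is True only if failing mail is acted on for the whole domain."""
    tags = parse_dmarc(record)
    findings = []
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()        # subdomains inherit p= unless sp= overrides it
    pct = int(tags.get("pct", "100"))     # share of failing mail the policy applies to
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    if p == "none":
        findings.append("p=none: receivers are asked to deliver failing mail; monitoring only")
    elif sp == "none":
        findings.append("sp=none: the apex domain is protected but any subdomain can be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")
    enforcing = p != "none" and sp != "none" and pct == 100
    return enforcing, findings


# Constructed sample records, from the bare minimum up to a fully enforcing policy.
SAMPLE_RECORDS = {
    "bare-minimum": "v=DMARC1; p=none;",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        enforcing, findings = assess(record)
        print(f"{name:16} enforcing={enforcing}")
        for finding in findings:
            print(f"{'':16}   - {finding}")
```

To check a real domain, pull the record with `dig +short TXT _dmarc.example.com` and pass the quoted string to assess(). A record that comes back with p=none is exactly the "bare minimum" Iverson describes: it satisfies a mailbox provider's requirement that a record exist while asking receivers to deliver spoofed mail anyway.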

CISA/NSA Release Info Sheets To Help Enhance Cloud Security

Posted in Commentary on March 8, 2024 by itnerd

The NSA and CISA released five Cybersecurity Information Sheets in an alert to enhance cloud security, providing crucial recommendations, best practices, and mitigations for securing cloud environments. 

Matt Muir, Threat Research Lead at Cado Security had this comment:

“It’s reassuring to see these agencies highlight the differences between cloud and on-premise security practices, along with providing tailored advice for securing the cloud in particular. Hopefully, the advice will give organizations the nudge they need to recognise the wider threats and implications of cloud adoption. By taking heed of this advice and implementing appropriate controls, organizations can mitigate the pervasive threat of cloud attacks.”

The only comment that I have is whether organizations will take heed of this advice. It’s good advice. But many organizations still have the view that the cloud is safer than on-premise. That needs to change.

UPDATE: Dave Ratner, CEO, HYAS adds this:

   “As an increasing number of organizations are utilizing MSSP and MSP providers for cyber security and related functions, it’s imperative to have guidance both for the organizations utilizing them as well as the MSSP and MSP providers themselves. Since criminals and bad actors will often go after the weakest link in the chain, everyone needs to consider cyber resiliency as paramount and understand both how the MSSP/MSP providers will enable it for each client organization, as well as how the MSSP/MSPs will enable it for themselves. Anyone without a solid cyber resiliency strategy in 2024 is putting themselves at risk.”

NSA Issues Guidance On Adopting A Zero Trust Stance

Posted in Commentary on March 7, 2024 by itnerd

The National Security Agency has issued new guidance for adopting zero-trust network principles: Advancing Zero Trust Maturity Throughout the Network and Environment Pillar. 

The NSA first issued zero-trust (ZT) guidance in February 2021 with Embracing a Zero Trust Security Model, and followed it in April 2023 with Advancing Zero Trust Maturity Throughout the User Pillar.

This week’s release focuses on the third of the seven ZT pillars, the network and environment component, which comprises hardware and software assets, non-person entities, and the protocols they use to communicate.

In this pillar the network is secured in depth through four key capabilities:

  • Data flow mapping
  • Macro segmentation
  • Micro segmentation
  • Software Defined Networking

The NSA CSI, Embracing a Zero Trust Security Model, defines the concept of ZT as a security strategy with core principles: acknowledgement of the ubiquity of cyber threats, and elimination of implicit trust favoring instead continuous verification of all aspects of the operational environment.

A zero-trust security model requires stringent access controls for accessing network resources, whether inside or outside the physical perimeter, to limit the breach consequences.

In contrast to the conventional IT security model, where all network entities are presumed trustworthy, zero-trust architecture assumes the presence of existing threats and restricts network access accordingly.

Mark Cooper, President & Founder, PKI Solutions had this comment:

   “Public Key Infrastructure (PKI) supports the zero-trust model by managing and securing digital certificates and keys. PKI is core to critical infrastructure protection environments. It ensures authenticated and encrypted communication within a network, aligning with zero-trust principles by verifying every user and device before granting access. What is often missing and overlooked is the required level of posture management that focuses on proactive monitoring for misconfigurations and remediating them before they become vulnerabilities that get exposed.”

   “This approach highlighting the required level of security posture management complements the NSA’s guidance by enhancing trust verification and limiting adversaries’ network access.”

I’m a big fan of zero trust as it reduces the chance that you could get pwned by a threat actor. Which is why I am glad that the NSA is offering guidance that organizations of all sizes should be following.
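
The contrast drawn above between a conventional network, where anything inside the perimeter is trusted, and a zero-trust network that verifies every flow is easier to see in code. The following is an added example, not from the NSA CSI: the flows recorded during a data-flow-mapping exercise become explicit macro (zone-to-zone) and micro (host-to-host) rules, and any flow that is not covered by both layers is denied. The hosts, zones and flows are constructed, and the names perimeter_model and zero_trust_decision are mine.

```python
"""Data-flow mapping feeding a default-deny segmentation policy.

Added example; not from the NSA CSI. It contrasts the implicit-trust model
the guidance describes (anything inside the perimeter may talk to anything)
with a zero-trust policy derived from mapped flows: a flow is allowed only
if it matches an explicit macro rule (zone -> zone : port) AND an explicit
micro rule (host -> host : port). Everything else is denied, with a reason
that can be logged. All hosts, zones and flows below are constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Macro segmentation: the coarse zone each host belongs to (constructed inventory).
SEGMENT_OF = {
    "ws-1042": "workstations",
    "ws-2201": "workstations",
    "web-1": "dmz",
    "web-2": "dmz",
    "app-1": "app",
    "db-1": "data",
}

# Flows captured during the data-flow-mapping exercise and approved as legitimate.
OBSERVED_FLOWS = [
    Flow("ws-1042", "web-1", 443),
    Flow("ws-2201", "web-1", 443),
    Flow("web-1", "app-1", 8443),
    Flow("app-1", "db-1", 5432),
]

INTERNAL_ZONES = frozenset({"workstations", "dmz", "app", "data"})


def perimeter_model(flow):
    """Conventional model: any host inside the perimeter is trusted to reach any other."""
    return SEGMENT_OF.get(flow.src) in INTERNAL_ZONES and SEGMENT_OF.get(flow.dst) in INTERNAL_ZONES


def derive_macro_policy(flows):
    """Macro segmentation: the zone pairs and ports that were ever legitimately used."""
    return frozenset((SEGMENT_OF[f.src], SEGMENT_OF[f.dst], f.port) for f in flows)


def derive_micro_policy(flows):
    """Micro segmentation: one explicit host-to-host rule per approved flow."""
    return frozenset(flows)


def zero_trust_decision(flow, micro_policy, macro_policy):
    """Default deny; the flow must pass the zone-level rule and the host-level rule."""
    src_seg, dst_seg = SEGMENT_OF.get(flow.src), SEGMENT_OF.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny", "unknown host"          # unmapped device: no implicit trust
    if (src_seg, dst_seg, flow.port) not in macro_policy:
        return "deny", f"no macro rule {src_seg}->{dst_seg}:{flow.port}"
    if flow not in micro_policy:
        return "deny", f"no micro rule {flow.src}->{flow.dst}:{flow.port}"
    return "allow", "explicit rule"


def compare(flows):
    """Evaluate each flow under both models: (flow, perimeter_allows, zero_trust_verdict)."""
    micro = derive_micro_policy(OBSERVED_FLOWS)
    macro = derive_macro_policy(OBSERVED_FLOWS)
    return [(f, perimeter_model(f), zero_trust_decision(f, micro, macro)[0]) for f in flows]


# Constructed lateral-movement attempts after a workstation compromise.
ATTEMPTED_FLOWS = [
    Flow("ws-1042", "web-1", 443),      # legitimate, observed during mapping
    Flow("ws-1042", "db-1", 5432),      # workstation straight to the database
    Flow("ws-1042", "app-1", 22),       # SSH into the app tier
    Flow("web-2", "app-1", 8443),       # right zones and port, but this host never talked to app-1
    Flow("byod-phone", "db-1", 5432),   # device that is not in the inventory at all
]

if __name__ == "__main__":
    for flow, perimeter_ok, zt in compare(ATTEMPTED_FLOWS):
        print(f"{flow.src:>10} -> {flow.dst:<6}:{flow.port:<5} perimeter={'allow' if perimeter_ok else 'deny':5} zero-trust={zt}")
```

The perimeter model waves through four of the five attempts because both ends are "inside"; the zero-trust policy allows exactly the one flow that was mapped and approved, and its deny reasons tell you which layer (inventory, macro, or micro) an attacker would have to defeat.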

NSA Admits To Buying User Browsing Data

Posted in Commentary on January 29, 2024 by itnerd

The NSA has recently admitted to buying user browsing data. Here’s what Senator Ron Wyden had to say on this:

U.S. Senator Ron Wyden, D-Ore., released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use. In response to the revelation, today Wyden called on the administration to ensure intelligence agencies stop buying personal data from Americans that has been obtained illegally by data brokers. A recent FTC order held that data brokers must obtain Americans’ informed consent before selling their data. 

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

John Gunn, CEO, Token had this comment:

“Senator Wyden’s efforts are misguided. Instead of working to hinder the critical work of law enforcement agencies that keep everyone safe, he should focus his efforts on the data aggregators. Data purchased by the NSA, marketers, and others is out there in regular commercial markets for anyone to purchase. Nothing is gained by excluding law enforcement from doing their jobs, and people’s privacy is not any more protected by excluding law enforcement from public markets for information. If some of the data being used is obtained illegally, then stop the illegal collection.”

I can see a different view on this issue. I am all for law enforcement having access to the data that they need to fight crime. But there needs to be clear limits on how they access that data. It cannot be a free for all where the NSA or any law enforcement agency can get anything that they want with little or no oversight. I’m free to be convinced otherwise as this is a complex issue.

NSA + DoD Open AI Security Center

Posted in Commentary on September 29, 2023 by itnerd

The news is out that the DoD and the NSA are about to open an AI Security Center. Here’s why they are doing this:

The AI Security Center will become the focal point for developing best practices, evaluation methodology and risk frameworks with the aim of promoting the secure adoption of new AI capabilities across the national security enterprise and the defense industrial base.  

The new entity will consolidate the agency’s various artificial intelligence, security-related activities.  

“The AI Security Center will work closely with U.S. Industry, national labs, academia across the [intelligence community] and Department of Defense and select foreign partners,” Nakasone said during a discussion hosted by the National Press Club in Washington.

Emily Phelps, Director, Cyware had this comment:

   “In an era where technological advancements are both an advantage and a potential threat, centralizing expertise and capabilities can foster rapid development while ensuring that vulnerabilities are addressed quickly. Collaborative initiatives with the Defense Department, intelligence community, academia, and international partners can provide a holistic approach to AI-supported security. It’s crucial for the US to not only maintain but enhance its leadership in AI, ensuring that its innovative capabilities remain protected.”

This is a really good move by the NSA. It puts the smartest minds on the topic in one place. Which will make it way easier to respond to whatever curve balls that AI has in store for all of us.

NSA, FBI and CISA Release Cybersecurity Information Sheet On Deepfakes And Their Threats To Organizations

Posted in Commentary on September 14, 2023 by itnerd

The NSA, FBI and CISA have released a CSI, or cybersecurity information sheet, called Contextualizing Deepfake Threats to Organizations. Here’s the TL;DR via this media alert:

Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.

The authoring agencies urge organizations to review the CSI for recommended steps and best practices to prepare for, identify, defend against, and respond to deepfake threats.

Allen Drennan, Principal & Co-Founder, Cordoniq had this to say:

“The threat of deepfakes has been an ongoing challenge, however with the introduction of unregulated AI data mining that could provide unfettered access to media, this elevates the threat to a whole new level. Consumers who have provided photos, videos, audio and recordings to third-party social networks, email host providers and even online meeting solutions may find that their likeness is easily consumed by AI training models to better recreate deepfakes that not only look and sound like their intended target but also behave like them. Since many of these organizations maintain information for protracted periods of time as part of their terms of service, consumers may find these AI models can train against their likeness retroactively. Federal regulation of privacy as it relates to consumer provided content to companies and organizations is critical in preventing the wide-spread use of deepfakes.”

This cybersecurity information sheet is very much worth reading as this is an emerging threat that all should take seriously. And with emerging threats, it’s better to get out front of them rather than be on the defensive.

NSA Releases Guidelines On Mitigating Software Memory Safety Issues

Posted in Commentary on November 15, 2022 by itnerd

Yesterday the NSA released guidelines on how organizations can implement protections against software memory safety issues. Here’s a snippet from the press release on the topic:

The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.
 
“Memory management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”
 
Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program’s performance over time, and program crashes.

I got commentary from Yotam Perkal, Director, Vulnerability Research at Rezilion on this guidance:

Regarding the NSA guidelines, it is true that the majority of exploitable vulnerabilities in languages such as C and C++ are due to memory issues. That said, these languages are still extremely widely used, especially in applications that are performance oriented. In the latest StackOverflow developer survey, close to 40% of developers claimed to be using either C or C++ in their daily work, and even in open source projects over 15% of the code is still written in these languages. Hence, I don’t see them disappearing any time soon.

It is also important to note that even with a memory safe language, memory management is not entirely memory safe, as most of these languages allow the developers the flexibility to perform potentially unsafe memory management tasks. Moreover, for an existing project, migration of code from one language to another isn’t a trivial task and requires a skilled workforce in both the source and target language. So all in all, I think that while the recommendation is valid, I don’t believe it will be widely adopted.

Organizations that do have applications written in memory unsafe languages should definitely make sure they perform proper testing (SAST and DAST) as part of the development cycle in order to identify potential memory issues before code makes its way to production. They should also make sure to enable various binary hardening mechanisms such as ASLR, CFG, NX bit and others while compiling code written in memory unsafe languages. These mechanisms make potential exploitation far more complex. There are open-source tools that enable evaluation of the binary hardening status of existing binaries, such as checksec.sh.

For open-source projects, there is the possibility to check eligibility to enroll in Google’s OSS-Fuzz project, which aims to make common open source software more secure and stable by performing automated fuzzing.

I would recommend that software developers read this guidance and take Mr. Perkal’s advice to make sure that their applications are less exploitable. Because these are dangerous times that we live in, and anything that one can do to minimize the risk of an application that can be exploited is a good thing.
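
The commentary above points at checksec.sh for auditing whether a binary was built with the hardening it lists. The following is an added example, not from the NSA sheet or from Rezilion, that does a minimal version of that audit from the ELF64 header and program headers alone: NX (a PT_GNU_STACK segment without the execute flag), PIE (an ET_DYN main image, which is what lets ASLR randomize the program itself rather than just its libraries), and RELRO (a PT_GNU_RELRO segment). Stack canaries and full RELRO need the symbol and dynamic tables, and CFG is a Windows mechanism, so those are left out. The two sample images are constructed header-only ELF files built by the build_elf helper, not real binaries; the function names are mine.

```python
"""Minimal ELF64 hardening checker in the spirit of checksec.sh.

Added example, not from the NSA sheet or from Rezilion. It inspects only the
ELF header and program headers, so it reports three properties: NX
(non-executable stack), PIE (position-independent executable, which is what
makes ASLR effective for the main binary) and RELRO (read-only relocations,
at least partial). Stack canaries and full RELRO need the symbol/dynamic
tables and are deliberately out of scope here.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte ELF64 program header


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags, *_ = PHDR.unpack_from(data, off)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_hardening(data):
    """Classify NX / PIE / RELRO from the headers alone."""
    e_type, phdrs = parse_program_headers(data)
    types = {t: f for t, f in phdrs}
    # No PT_GNU_STACK at all historically meant an executable stack, so treat it as NX off.
    nx = PT_GNU_STACK in types and not (types[PT_GNU_STACK] & PF_X)
    # ET_DYN covers PIE executables (and shared objects); ET_EXEC is a fixed-address binary.
    pie = e_type == ET_DYN
    relro = PT_GNU_RELRO in types
    return {"nx": nx, "pie": pie, "relro": relro}


def build_elf(e_type, phdrs):
    """Construct a header-only ELF64 image for testing (no code, no sections)."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    hdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return hdr + body


# Constructed sample images (not real binaries): one built with the usual
# hardening flags, one built with them switched off.
HARDENED_IMAGE = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
WEAK_IMAGE = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary   (falls back to the two samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], check_hardening(fh.read()))
    else:
        print("hardened sample:", check_hardening(HARDENED_IMAGE))
        print("weak sample:    ", check_hardening(WEAK_IMAGE))
```

Run it against a binary from your own build pipeline; a result with pie False or nx False means the compiler flags Perkal mentions were not applied, and that is something to catch in CI rather than after an exploit lands.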

Smile! You’re In The NSA’s Facial Recognition Database!

Posted in Commentary on June 1, 2014 by itnerd

Let’s see how this goes over with the US Public.

According to the New York Times, the NSA, which isn’t exactly in the good books with the American public, is collecting millions of photos for a facial recognition database:

The spy agency’s reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency’s ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed.

The agency intercepts “millions of images per day” — including about 55,000 “facial recognition quality images” — which translate into “tremendous untapped potential,” according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show.

One NSA PowerPoint presentation described by the newspaper included several images of the same man in different settings and appearances, along with data points such as travel status and known associates. Creepy, isn’t it?

Now, here are the key questions that need to be asked. The NSA is supposed to do foreign intelligence. So are any Americans caught up in this? How can Americans be assured of the lawfulness of this?

I cannot wait to see what the answer to that is.

Yikes! The NSA Was Able to Capture Live Data From Compromised iPhones [UPDATED]

Posted in Commentary on December 31, 2013 by itnerd

Forbes Magazine is reporting that, according to security researcher Jacob Appelbaum, the NSA could install special software onto iPhones as part of a program called DROPOUTJEEP, which provides significant access to user data and other information:

DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

The NSA according to leaked documents claims a 100% success rate. Here’s what Appelbaum thinks:

“Do you think Apple helped them build that?” Appelbaum asks at one point in his talk. “I don’t know. I hope Apple will clarify that… Here’s a problem: I don’t really believe that Apple didn’t help them. I can’t really prove it, but they [the NSA] literally claim that anytime they target an iOS device, that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I’d like to believe that since Apple didn’t join the PRISM program until after Steve Jobs died, that maybe it’s just that they write shitty software.”

Ouch. That’s harsh.

There’s no comment yet from Apple. But they would be wise to comment on this and quickly.

UPDATE: All Things Digital has posted a comment from Apple denying any knowledge or participation in the above.

The NSA REALLY Likes The iPhone

Posted in Commentary on September 9, 2013 by itnerd

Now I have to admit that I had an “oh crap” moment when I saw this news.com article about the reasons why the iPhone is loved by the NSA. But the more I read it, the (somewhat) better I felt. First, this is what got my attention:

The NSA can retrieve user data on iOS, Android, and BlackBerry devices, according to internal classified documents obtained by German news outlet Der Spiegel. Special task forces within the agency have reportedly studied the three mobile platforms with the goal of accessing the contacts, instant messaging traffic, and location data found on the devices.

The classified documents don’t point to any “large-scale” snooping of smartphone owners, but they do highlight the historic record of a few specific cases. And as detailed in a follow-up story published Monday by Der Spiegel, Apple’s iPhone has been a favorite among NSA agents for several reasons.

The article then goes on to explain how the NSA gets data from iPhones:

NSA programs called “scripts” can spy on 38 different features of the iPhone operating system, though the documents — at least one of which dates back to a 2010 NSA internal report — list just iOS 3 and 4 as the accessible versions. These features include mapping, voice mail, photos, and such apps as Facebook, Yahoo Messenger, and Google Earth.

The NSA also uses the iPhone’s backup files as another infiltration tool, according to Der Spiegel. These files contain such tidbits as contact lists, call logs, and drafts of text messages. And to grab this data, agents don’t even need to hit the iPhone itself — they can simply access the PC used to synchronize with the phone.

Now that’s the part that makes me feel somewhat better. The versions of iOS being referenced in the story are versions 3 and 4. That does not tell us whether a later version such as iOS 6 has anything that the NSA can leverage; we just do not know if that’s the case. Another thing that makes me feel somewhat better: at least according to the story, there’s no large-scale snooping going on that anyone knows about. Finally, when it comes to the backup files, perhaps encrypting them will make them unreadable, as you do have that option. Though there’s a report that the NSA can crack encryption, so who knows?

Hmmm… Re-reading all of this, I don’t feel somewhat better actually. Does anyone else feel the same?