October 22, 2014

NSA denies it knew about Heartbleed, says it is in the national interest for it to disclose vulnerabilities

It looks like the ramifications of the Heartbleed bug in OpenSSL will be felt for quite a while to come. While security analysts are asking whether the NSA had prior knowledge of the bug, cyber criminals are at work stealing data from sites which haven’t patched their servers and changed their SSL certificates. The Canadian Revenue Agency has said that the Heartbleed bug was the reason an attacker was able to steal 900 social insurance numbers, and British parenting website Mumsnet said that username and password data used to authenticate users during log in was accessed before the site was able to patch its servers.

As for the NSA, the Director of National Intelligence has issued a statement saying that the NSA was not aware of the Heartbleed vulnerability until it was made public. The statement went on to say that the Federal government relies on OpenSSL the same as everyone else to protect the privacy of users of government websites and other online services.

However, what is even more important is that the statement categorically says that had the NSA, or any other of the agencies and organizations which make up the U.S. intelligence community, found the bug they would have reported it to the OpenSSL project.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the statement issued by the ODNI Public Affairs Office. The statement also said that when Federal agencies discover a new vulnerability “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”

The Office of the Director of National Intelligence also said that, in response to the report of the President’s Review Group on Intelligence and Communications Technologies, it had reinvigorated an interagency process for deciding when to share vulnerabilities. According to the report, “The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.” Such a statement is important following the accusations that the NSA tried to weaken certain encryption standards, and succeeded.

The report also says that, “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

This “rare” use of zero-day vulnerabilities was reiterated by the ODNI statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Another NSA backdoor found in RSA’s products

According to research performed by a group of professors from Johns Hopkins, the University of Wisconsin and the University of Illinois, the security company RSA used a second security tool developed by the NSA which reduced the time needed to crack secure Internet communications.

At the end of last year it was revealed that the NSA paid RSA $10 million to use the Dual Elliptic Curve random number generator in its products. It has since come to light that the Dual Elliptic Curve algorithm had a built-in flaw which made it easier for the NSA to decrypt data that was encrypted with a random number generated by the Dual Elliptic Curve generator.

According to research seen by Reuters, the team of academic researchers has discovered that a second NSA tool, known as the “Extended Random” extension for secure websites, could reduce the time needed to crack a version of RSA’s Dual Elliptic Curve software by tens of thousands of times.

The company is reported to have told Reuters that it had not intentionally weakened security on any product and noted that Extended Random was not widely adopted. RSA also said that the Extended Random functionality has been removed from its software.

“We could have been more skeptical of NSA’s intentions,” said RSA Chief Technologist Sam Curry. “We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure.”

The researchers were able to demonstrate the weakness of the Dual Elliptic Curve random number generator by decrypting TLS connections made using the RSA Share library in several seconds.

Following the release of documents by former NSA contractor Edward Snowden, a presidential advisory group reported that the NSA’s practice of subverting cryptography standards should stop.

The possibility of a back door in the Dual Elliptic Curve random number generator was first mooted back in 2007. Recent research shows that when the NSA’s default parameters are replaced with new values, the currently popular cryptography libraries are still vulnerable. According to the report’s authors, “The RSA BSAFE implementations of TLS make the Dual EC back door particularly easy to exploit compared to the other libraries we analyzed.”

The research concludes that the Extended Random extension allows a client to request longer TLS random numbers from the server, a feature that, if enabled, would speed up the Dual EC attack by a factor of up to 65,000.

IBM says no NSA backdoors in its products

In an open letter published on the web, IBM has confirmed that it does not include any NSA “backdoors” in its products. The letter, written by Robert C. Weber, an IBM Senior Vice President, is IBM’s latest assurance to its clients following the months of revelations about the US government’s spying activities. As a result of the documents leaked by Edward Snowden, various US technology companies have come under pressure to reveal whether they have been working with the NSA.

The IBM letter states that the technology giant has not provided client data to the NSA or any other government agency. Specifically it states that:

  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

“Given the global discussion about data security and privacy, we wanted to communicate our view on these issues,” wrote Weber. “It has long been our (and our clients’) expectation that if a government did have an interest in our clients’ data, the government would approach that client, not IBM.”

In reiterating its commitment to its customers, the letter states several times that IBM would challenge any orders for data, stored inside or outside the USA, served on it by the NSA, through judicial action or other means.

The letter also calls for the U.S. government to enter into a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected. It also goes on to say that no government should subvert commercial technologies, such as encryption, that are intended to protect business data.

NSA deliberately infected 50,000 computer networks with malware

According to documents provided by former NSA employee Edward Snowden, the US National Security Agency (NSA) infected 50,000 networks with malware designed to steal sensitive information. The revelations come from the Dutch newspaper NRC, which says it has seen the documents first hand.

A top secret presentation given in 2012 showed how the NSA hacked – called ‘Computer Network Exploitation’ (CNE) by the NSA – over 50,000 networks using malware. It is thought that the infiltration discovered earlier this year at the Belgian telecom provider Belgacom is an example of the NSA’s infiltration techniques, this time, according to NRC, in conjunction with GCHQ. The malware infected Belgacom’s computers by luring employees to a fake LinkedIn page.

This hacking work is carried out by a special department in the NSA called TAO (Tailored Access Operations), which is said to employ more than a thousand hackers. By 2008 the TAO had access to over 20,000 networks with the program recently expanded to include up to 50,000 networks around the world including some in Rome, Berlin, Pristina, Kinshasa, and Rangoon.

The installed malware took its instructions from a command and control server and could be turned on and off at will. The malware, known as ‘implants’, can be put into a sleeper mode and activated when needed. “The NSA-presentation shows their CNE-operations in countries such as Venezuela and Brazil. The malware installed in these countries can remain active for years without being detected,” wrote Floor Boon, Steven Derix and Huib Modderkolk of NRC.

According to the NSA’s careers website the organization carries out three types of Computer Network Operations:

  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

The presentation also revealed that along with CNE missions the NSA has access to large Internet cables at 20 different locations; runs over 80 regional Special Collection Service (SCS) installations that are part of a joint CIA-NSA program; and maintains liaison with 30 third-party countries outside of the Five Eyes partnership of Australia, Canada, the U.K. and New Zealand.

Belgium’s largest telecommunications company is the victim of a nation-state sponsored spying campaign

The Belgian government has revealed that a foreign state has been spying on its largest telecommunications company, Belgacom. The company, which is a top tier carrier for voice traffic in Africa and the Middle East, was hacked by an intruder with significant financial and logistic means.

According to the Belgian daily newspaper De Standaard, the NSA is responsible for the attack and the agency has been monitoring international telephone traffic through Belgacom for two years. It is thought that the NSA was primarily interested in Belgacom’s subsidiary BICS, which provides international phone lines for Africa and the Middle East.

“This fact, combined with the technical complexity of the hacking and the scale on which it occurred, points towards international state-sponsored cyber espionage,” Federal prosecutors said in a statement.

The government of Belgium, which has a majority stake in Belgacom, condemned the intrusion but did not actually accuse the USA directly. The hack was performed using malware with advanced encryption techniques. Belgacom has now removed the unknown malware from its internal systems.

These latest accusations come in the midst of further revelations about the NSA’s activities thanks to documents released by Edward Snowden. According to the Brazilian television network Globo, the NSA has been spying using the computer systems of companies including Google Inc. and the Brazilian state oil firm Petroleo Brasileiro. It is also alleged that the NSA hacked into France’s Foreign Ministry and has been snooping through international financial transactions made via the Belgian-based international banking cooperative SWIFT.

Microsoft clarifies position on passing vulnerability information to US government

(LiveHacking.Com) – The repercussions of Edward Snowden’s revelations about the National Security Agency’s Prism surveillance system are still being felt, and attention has now turned to the role that security vulnerabilities play in the surveillance done by the NSA.

A few days ago US news agency Bloomberg claimed that Microsoft provides the US government with information on security vulnerabilities in Windows and its other products before it tells its customers. Bloomberg’s Michael Riley wrote, “Microsoft provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix. That information can be used to access the computers of terrorists or military foes.”

To clarify the situation Microsoft has released a statement in which it confirms the existence of several security related programs including the Microsoft Active Protections Program (MAPP) and the Security Cooperation Program (SCP) for Governments. These programs aren’t secret and the confirmation of their existence isn’t a new revelation. According to the statement, “Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.”

What this means is that Microsoft reveals details of the vulnerabilities to its partners, including the US government, just a few days before the public patches are available. The real question is not the timing but the level of detail that Microsoft gives its partners. Many of the vulnerabilities fixed by Microsoft are either privately reported or found by Microsoft itself. This means that details on how to exploit the vulnerabilities are rarely revealed to the public.

It would seem that members of the Microsoft programs get full access to details on the vulnerabilities since, in the statement’s words, “Membership provides key technical information on security vulnerabilities prior to the security update being publically available.”

NSA Makes an Initial Public Release of Security Enhanced Android

(LiveHacking.Com) – The National Security Agency, the part of the United States Department of Defense responsible for the interception and decryption of foreign communications, has made an initial public release of Security Enhanced (SE) Android, a special version of the Linux-based mobile device operating system created to identify and address critical gaps in its security.

The initial aim of SE Android is to implement the SELinux access control policies, including the Mandatory Access Control (MAC) system. MAC defines and enforces a system-wide security policy which controls all processes, objects, and operations. This means that MAC can confine flawed and malicious applications, even ones that run as “root”, and can prevent privilege escalation.

As well as SELinux for Android, SE Android offers the following unique features:

  • Per-file security labeling support for yaffs2
  • Filesystem images (yaffs2 and ext4) labeled at build time
  • Kernel permission checks controlling Binder IPC
  • Labeling of service sockets and socket files created by init
  • Labeling of device nodes created by ueventd
  • Flexible, configurable labeling of apps and app data directories
  • Userspace permission checks controlling use of the Zygote socket commands
  • Minimal port of SELinux userspace
  • Small TE policy written from scratch for Android
  • Confined domains for system services and apps
  • Use of MLS categories to isolate apps

In a presentation (PDF) given at the 2011 Linux Security Summit, Stephen Smalley of the NSA explained that, with SELinux incorporated into Android, the “Gingerbreak” exploit, which targeted a flaw in the Android volume daemon ‘vold’, would have been stopped in six different ways, making the underlying vulnerability completely unreachable.
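To make the idea of a “confined domain” concrete, here is an illustrative SELinux type enforcement (TE) policy fragment for a volume daemon like ‘vold’. It is an added example written for this article, not policy taken from the SE Android project or from the presentation; the domain and type names (vold, vold_exec, block_device) and the macros (init_daemon_domain, rw_file_perms) are assumed to follow reference-policy conventions and are used here for illustration only.

```selinux
# Declare a confined domain for the volume daemon and a type for its binary.
type vold, domain;
type vold_exec, exec_type, file_type;

# When init executes a file labelled vold_exec, the process transitions into
# the vold domain automatically (assumed macro, reference-policy style).
init_daemon_domain(vold)

# Grant only what the daemon needs: the block devices it mounts and the
# capabilities required to mount them. Everything not listed is denied by
# default, regardless of the process running as root.
allow vold block_device:dir search;
allow vold block_device:blk_file rw_file_perms;
allow vold self:capability { sys_admin mknod };

# Compile-time guarantees: no domain other than init may execute the vold
# binary without a domain transition, and vold can never gain the capability
# to load kernel modules. A policy violating these lines fails to build.
neverallow { domain -init } vold_exec:file execute_no_trans;
neverallow vold self:capability sys_module;
```

The point of the fragment is the default-deny model the article describes: even if a bug in the daemon lets an attacker run code as root inside the vold domain, that code can only touch the objects the policy names, and the neverallow rules make the dangerous permissions unreachable rather than merely unused.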

More details about SE Android including build instructions can be found on the project’s wiki.

Britain Publishes its New Cyber Security Strategy

(LiveHacking.Com) – The United Kingdom has published its new Cyber Security Strategy subtitled “Protecting and promoting the UK in a digital world.” The strategy comes after the UK hosted an International Cyber Security conference in London last month.

The UK makes more money on the Internet than it does out of agriculture and the government is forecasting that there will be 365,000 new Internet related jobs over the next five years.

“While the internet is undoubtedly a force for social and political good, as well as crucial to the growth of our economy, we need to protect against the threats to our security,” said Prime Minister David Cameron. “Cyber security is a top priority for government and we will continue to work closely with the police, security services, international partners and the private sector to ensure that the UK remains one of the most secure places in the world to do business.”

As part of the strategy the UK government wants to create a cyber security ‘hub’ that will allow the Government and the private sector to exchange actionable information on cyber threats and manage the response to cyber attacks. Five business sectors – defence, telecoms, finance, pharmaceuticals and energy – will take part in a pilot that will begin in December.

They are also looking at ways to use GCHQ’s world-class expertise in cyber security in the commercial sector. Since GCHQ is part of the UK’s security services, this needs to be done without compromising the agency’s core security and intelligence mission. This move is quite radical and can be likened to the American government opening the doors to the NSA.

To tackle cyber crime, the strategy sets out plans to expand the number of specialists in the Police force who are trained in cyber crime and to create a new cyber crime unit. The new unit will help deal with the most serious national-level cyber crimes and will be part of the response to major national incidents.

There are also plans to create a new Defence Cyber Operations Group within the Ministry of Defence. The group will develop new tactics, techniques and plans to deliver military cyber capabilities.

You can download a copy of the strategy here.