Tag Archives: NSA

“To the full extent of their capabilities”

Took me a while to clear up time and read Dave Aitel’s post on his experience with the NSA as compared to the interview that Edward Snowden did with James Bamford of Wired. Make sure you do too, and then come back here for a quick reality adjustment.

So, just to set things straight: I agree with the first point, which talks about how working at the NSA consists of abiding by a metric ton of rules, regulations and bureaucratic nightmares. It’s also true for most modern western intelligence agencies (your mileage may vary, and this is based on personal, subjective observations of course).

However, the NSA (and other agencies in other countries) know very well how to bypass these restrictions, and are very happy to use 3rd party resources to do the dirty work for them. That’s exactly how shady (again – my opinion) companies work in the market of intelligence collection, “lawful interception”, exploit research and development, etc.

This also enables overcoming the difficulties posed by the second point in the article, which pertains to the US’s ability to spy on China (and other countries). In order to provide a more cohesive intelligence landscape, you can’t just focus collection efforts on military and government, as civilian infrastructure is always part of the play for both sides (hey – we just talked about using 3rd parties for intelligence. Guess what? The same thing happens with other countries). As such, “crossing the line” is a needed practice that is often outsourced in terms of liability, legality and ethics, to entities that are willing to take said liability/legality/ethics upon themselves.

And just to steal the closing soundbite: “Every country in the world is engaged in cyber espionage to the full extent of its capabilities. The US just happens to be the one that got caught. This time.”

Getting things right goes a long way when you are bleeding

I’m starting to see a trend here with the weekend posts. I can stomach most of the FUD during the work days, but things get to me through the weekend. Oh well. There goes a “mandatory” heartbleed post:

Yes, it’s a bad one. No it’s not the worst one. And no – the sky isn’t falling, and the Internet isn’t about to go away.

Heartbleed was one of the most media-driven (and media-ready) bugs in a few years. Logo, website, clear message, and two XKCD strips. The last of which is probably the best explanation for laypersons of what it’s all about.

And did the media ever catch on. Oh yeah… The usual naysayers and FUD-spreading evangelists had their 3.5 minutes of fame. And everyone started recommending that users immediately change their password.

Or maybe not. No! Wait until the site fixes their SSL implementation. Or yes? Ummm, what to do?… That’s where things get interesting.

The real issue here is this: sites affected by heartbleed could potentially be leaking information. And by leaking I mean that anyone with intimate knowledge of the bug could have been, in the past two years, pulling data from those sites. That includes session information, usernames, passwords, and even the private keys used to secure said SSL connections.

Which means that if you think that you were targeted by someone in the past two years, or that your information could have meant something to someone in the past two years with the capability to snoop on those credentials, yes, you should probably do something about it. BUT, and it’s a big but (yeah, yeah, yeah), you need to remember that it’s not as simple as checking that the website in question has applied the fix. Not even close. If (and again – IF) you believe you need to change your password, you also need to remember that whoever had the knowledge and capability to siphon all that information was almost certainly also stealing the server private keys. Initially pundits were skeptical that private encryption keys could be compromised through heartbleed. But as always – if it’s hackable, it will be hacked, and the proof came in pretty quickly.

So yes, there are online tools that will allow you to check whether a certain site has the issue fixed. But these aren’t enough, as you would need to verify somehow (and that’s not easy) that the site also generated a new private encryption key, and got a new server certificate to go with it, to be used AFTER patching the SSL implementation.

Tricky, isn’t it? Yeah, welcome to security…

Anyways – don’t just blatantly go updating your passwords willy-nilly. First figure out whether you really need to, then consider the entire picture: were you exposed just during the time from when heartbleed was announced until the site was fixed? Are you concerned about three-letter agencies that had knowledge of heartbleed and were dumping gigabytes of server RAM so they could get everyone’s data? Then figure out whether that site’s private keys and certificates were updated. Then act.
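The “was the key actually rotated” step above is the one people skip, so here is an added example (my own illustration, not code from the original post) of the two checks that matter: the certificate’s notBefore must postdate the day the server was patched, and the public key behind it must differ from the one the site served while the bug was live. It works on the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns and on a SubjectPublicKeyInfo fingerprint you record before and after (for example via `openssl x509 -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`). The certificates, fingerprints and patch date below are constructed sample values; only the notBefore format and `ssl.cert_time_to_seconds` come from the standard library.

```python
import ssl
from calendar import timegm
from datetime import datetime

# Constructed sample values: what a site served before patching, what it
# serves afterwards, and the day its OpenSSL was fixed. The 'notBefore'
# strings use the exact format ssl.getpeercert() returns.
CERT_BEFORE_PATCH = {"subject": ((("commonName", "example.com"),),),
                     "notBefore": "Mar 05 00:00:00 2013 GMT",
                     "notAfter": "Mar 05 23:59:59 2015 GMT",
                     "serialNumber": "01A2B3"}
SPKI_BEFORE_PATCH = "sha256:5d41402abc4b2a76b9719d911017c592"  # constructed

PATCH_DAY = datetime(2014, 4, 9)  # constructed: day the server was patched
PATCH_EPOCH = timegm(PATCH_DAY.timetuple())


def assess_rekey(cert, spki_fingerprint, patch_epoch, previous_spki_fingerprint):
    """Decide whether a site's post-patch certificate actually closes the exposure.

    cert: dict in ssl.getpeercert() form, observed after the patch.
    spki_fingerprint: fingerprint of the public key in that cert.
    patch_epoch: Unix time at which the vulnerable library was replaced.
    previous_spki_fingerprint: fingerprint of the key served while vulnerable.
    Returns (verdict, reason); verdict is "OK" or "UNSAFE".
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before < patch_epoch:
        return ("UNSAFE", "certificate was issued before the patch; a key that "
                          "could have been pulled from memory is still in use")
    if spki_fingerprint == previous_spki_fingerprint:
        return ("UNSAFE", "certificate was reissued but the public key is "
                          "unchanged, so the private key was never rotated")
    return ("OK", "certificate postdates the patch and carries a fresh key")


# Three constructed post-patch observations illustrating the outcomes.
def case_not_reissued():
    # Site patched OpenSSL but kept serving the old certificate.
    return assess_rekey(CERT_BEFORE_PATCH, SPKI_BEFORE_PATCH,
                        PATCH_EPOCH, SPKI_BEFORE_PATCH)


def case_reissued_same_key():
    # Site got a new certificate dated after the patch but reused its key pair.
    cert = dict(CERT_BEFORE_PATCH, notBefore="Apr 10 00:00:00 2014 GMT",
                serialNumber="01A2B4")
    return assess_rekey(cert, SPKI_BEFORE_PATCH, PATCH_EPOCH, SPKI_BEFORE_PATCH)


def case_rekeyed():
    # Site generated a new key and a new certificate after patching.
    cert = dict(CERT_BEFORE_PATCH, notBefore="Apr 10 00:00:00 2014 GMT",
                serialNumber="01A2B5")
    new_fp = "sha256:7d793037a0760186574b0282f2f435e7"  # constructed
    return assess_rekey(cert, new_fp, PATCH_EPOCH, SPKI_BEFORE_PATCH)


if __name__ == "__main__":
    for name, fn in (("not reissued", case_not_reissued),
                     ("reissued, same key", case_reissued_same_key),
                     ("rekeyed", case_rekeyed)):
        verdict, reason = fn()
        print(f"{name:20s} {verdict:7s} {reason}")
```

The ordering of the two checks is deliberate: a fresh-looking certificate date is the thing that fools the online checkers, so the key comparison runs even when the date looks fine. Revocation of the old certificate is a separate question this snippet does not answer.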

Good luck with that. I’ll leave you with a bleeding heart punch so you won’t need to see that logo AGAIN on a security blog 😛

Hacking, Business, and Politics

I’ve recently had the great fortune to be called in as an industry expert to comment on current news on Fox Business’s “Money with Melissa Francis”. I’ll be the first one to tell you that every (read: EVERY) mass media outlet has an agenda. From Fox, through CBS, NBC, CNN to Al-Jazeera. They have their agendas that work with their audiences, which fits well with the “you get what you pay for” approach for most people (for a nice overview of media bias read this: http://en.wikipedia.org/wiki/Media_bias_in_the_United_States).

As it came about, my latest commentary on the show was on the meeting held between President Obama and a few tech company CEOs in light of the NSA surveillance mandate. As always – I’m keeping a fair separation between my business and hacking views and my personal political ones, and I expressed my take on the matter (TL;DR: It’s a PR charade designed to make everyone look a bit better).

Nevertheless, and probably because of the wider audience this kind of broadcast reaches, I received some comments (surprisingly from both sides) that were of political nature.

Granted, this is Fox, and my fellow panelists on the show are a couple of the more verbal and respected figures on the network, so very quickly the discussion became highly political. You could notice that at these points I was less than conversational ;-).

I do think that there needs to be a “balancing” voice whenever topics of this nature are brought up to a public discussion, and if you ask me the discussion shouldn’t be political as in “this guy is bad, and the other guy is good”, but more of the “this is the situation, here’s how it’s good/bad for us (the people), what can we do to change it?” kind. At the end of the day, even when pushing a political/economic agenda of any form, the discussion should end with an idea or a call for action. I see little merit in simple criticism (unless we are talking about entertainment media – where sarcasm is my first friend, and the likes of Jon Stewart and Louis CK are my heroes). When faced with an opportunity to provide information, commentary and a call for action, I’d rather be able to educate and encourage discussion than opt for the easy way out of playing the right “tune” for my audience.

Specifically in this case – surveillance is going to happen, I mean, we are talking about the intelligence agency here. And guess what? Whatever mandate they get, they are going to do their best to be able to fulfill their main task (gather actionable intelligence), which includes things like working with other agencies outside the US to get information on assets that they may not be privy to (US citizens that are not specifically suspects). It’s (almost like) hacking the legal system to get what you need. I know – been there, done that.

Also – while we’ve been caught with our hands in the cookie jar, almost any other nation either has, is developing, or is buying the same kind of capacity to gather intelligence at this scope. How about discussing this? How about discussing the outsourcing of intelligence gathering of the more borderline kind to companies such as Gamma Group, NSO Group, HackingTeam, and their likes?

Last but not least – if you are a security practitioner, and you haven’t had a chance to take a look at the “I am the cavalry” initiative, you probably owe it to yourself to check it out: http://www.iamthecavalry.org/