Michael Ellis as NSA General Counsel

Over at Lawfare, Susan Hennessey has an excellent primer on how Trump loyalist Michael Ellis got to be the NSA General Counsel, over the objections of NSA Director Paul Nakasone, and what Biden can and should do about it.

While important details remain unclear, media accounts include numerous indications of irregularity in the process by which Ellis was selected for the job, including interference by the White House. At a minimum, the evidence of possible violations of civil service rules demand immediate investigation by Congress and the inspectors general of the Department of Defense and the NSA.

The moment also poses a test for President-elect Biden’s transition, which must address the delicate balance between remedying improper politicization of the intelligence community, defending career roles against impermissible burrowing, and restoring civil service rules that prohibit both partisan favoritism and retribution. The Biden team needs to set a marker now, to clarify the situation to the public and to enable a new Pentagon general counsel to proceed with credibility and independence in investigating and potentially taking remedial action upon assuming office.

The NSA general counsel is not a Senate-confirmed role. Unlike the general counsels of the CIA, Pentagon and Office of the Director of National Intelligence (ODNI), all of which require confirmation, the NSA’s general counsel is a senior career position whose occupant is formally selected by and reports to the general counsel of the Department of Defense. It’s an odd setup — ­and one that obscures certain realities, like the fact that the NSA general counsel in practice reports to the NSA director. This structure is the source of a perennial legislative fight. Every few years, Congress proposes laws to impose a confirmation requirement as more appropriately befits an essential administration role, and every few years, the executive branch opposes those efforts as dangerously politicizing what should be a nonpolitical job.

While a lack of Senate confirmation reduces some accountability and legislative screening, this career selection process has the benefit of being designed to eliminate political interference and to ensure the most qualified candidate is hired. The system includes a complex set of rules governing a selection board that interviews candidates, certifies qualifications and makes recommendations guided by a set of independent merit-based principles. The Pentagon general counsel has the final call in making a selection. For example, if the panel has ranked a first-choice candidate, the general counsel is empowered to choose one of the others.

Ryan Goodman has a similar article at Just Security.

The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products

Senator Ron Wyden asked, and the NSA didn’t answer:

The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others.

These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

[…]

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

“At NSA, it’s common practice to constantly assess processes to identify and determine best practices,” said Anne Neuberger, who heads NSA’s year-old Cybersecurity Directorate. “We don’t share specific processes and procedures.”

Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries.

The article goes on to talk about Juniper Networks equipment, which had the NSA-created DUAL_EC PRNG backdoor in its products. That backdoor was taken advantage of by an unnamed foreign adversary.

Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool here by altering Juniper’s version of Dual EC.

Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

Juniper has never identified the customer, and declined to comment for this story.

Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used.

Okay, lots of unsubstantiated claims and innuendo here. And Neuberger is right; the NSA shouldn’t share specific processes and procedures. But as long as this is a democratic country, the NSA has an obligation to disclose its general processes and procedures so we all know what they’re doing in our name. And if it’s still putting surveillance ahead of security.

NSA Advisory on Chinese Government Hacking

NSA Advisory on Chinese Government Hacking

The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers.

This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.

Sidebar photo of Bruce Schneier by Joe MacInnis.

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.

vulnerabilities exploited Chinese hackers

“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.

The list of vulnerabilities exploited by Chinese hackers

The list is as follows:

The vulnerability list they shared is likely not complete, as Chinese-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those working on securing critical systems in organizations on which US national security and defense are depending on – should consider patching these as a priority.

Mitigations are also available

If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:

  • Disabling external management capabilities and setting up an out-of-band management network
  • Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
  • Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
  • Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise

The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.

Additional “most exploited vulnerabilities” lists

Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.

Admins and network defenders are encouraged to peruse them and patch those flaws as well.

Google Responds to Warrants for “About” Searches

One of the things we learned from the Snowden documents is that the NSA conducts “about” searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would something like “show me anyone that has used this particular name in a communications,” or “show me anyone who was at this particular location within this time frame.” These searches are legal when conducted for the purpose of foreign surveillance, but the worry about using them domestically is that they are unconstitutionally broad. After all, the only way to know who said a particular name is to know what everyone said, and the only way to know who was at a particular location is to know where everyone was. The very nature of these searches requires mass surveillance.

The FBI does not conduct mass surveillance. But many US corporations do, as a normal part of their business model. And the FBI uses that surveillance infrastructure to conduct its own about searches. Here’s an arson case where the FBI asked Google who searched for a particular street address:

Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory [Google] complied with the warrant, and gave the investigators the list. As Reynoso put it:

On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.

The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams.

Google’s response is that this is rare:

While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.

“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” Google’s director of law enforcement and information security Richard Salgado told us. “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.

“These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”

Here’s another example of what seems to be about data leading to a false arrest.

According to the lawsuit, police investigating the murder knew months before they arrested Molina that the location data obtained from Google often showed him in two places at once, and that he was not the only person who drove the Honda registered under his name.

Avondale police knew almost two months before they arrested Molina that another man ­ his stepfather ­ sometimes drove Molina’s white Honda. On October 25, 2018, police obtained records showing that Molina’s Honda had been impounded earlier that year after Molina’s stepfather was caught driving the car without a license.

Data obtained by Avondale police from Google did show that a device logged into Molina’s Google account was in the area at the time of Knight’s murder. Yet on a different date, the location data from Google also showed that Molina was at a retirement community in Scottsdale (where his mother worked) while debit card records showed that Molina had made a purchase at a Walmart across town at the exact same time.

Molina’s attorneys argue that this and other instances like it should have made it clear to Avondale police that Google’s account-location data is not always reliable in determining the actual location of a person.

“About” searches might be rare, but that doesn’t make them a good idea. We have knowingly and willingly built the architecture of a police state, just so companies can show us ads. (And it is increasingly apparent that the advertising-supported Internet is heading for a crash.)

Former NSA Director Keith Alexander Joins Amazon’s Board of Directors

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.

NSA warns about Sandworm APT exploiting Exim flaw

The Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019, the NSA has warned in a security advisory published on Thursday.

Sandworm CVE-2019-10149

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” they said.

The script would then attempt to add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute an additional script to enable follow-on exploitation.

About Exim and the flaw

Exim is a mail transfer agent (MTA) that is commonly used for Unix-based systems and comes pre-installed on some Linux distributions.

It is the most widely used MTA and is deployed on over half of all Internet-facing mail servers.

While its efficient and highly configurable, its widespread use makes it a common target for attackers, who are always on the lookout for vulnerabilities that can be exploited. And, in Q2 2019, there were a few, including the most critical one: CVE-2019-10149.

Its existence was disclosed in June 2019, after a patch was provided for the supported versions and for a few that are now supported anymore.

Soon after, attackers started exploiting it to compromise Linux servers and instal cryptocoin miners on them, and Microsoft warned about a Linux worm leveraging the flaw to target Azure virtual machines (VMs) running affected versions of Exim.

Mitigation and detection

The NSA has provided mitigation advice as well as indicators of compromise so that organizations can protect themselves and check whether they’ve been targeted by the Sandworm attackers (aka the BlackEnergy APT, aka Telebots), which have in the past been linked to cyber-espionage campaigns targeting NATO, the EU, the White House, a variety of US ICS operators, and Ukranian energy companies, organizations in the financial sector and news media companies.

First and foremost, admins are advised to update their Exim installations to the latest stable release (v4.93) to mitigate this and other vulnerabilities.

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the NSA said, and advised system administrators to continually check software versions and update as new versions become available.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message,” they explained.

Sandworm CVE-2019-10149

Admins and IT security employees can detect and/or block exploitation of the flaw by using specific Snort rules, check traffic logs for emails with a recipient containing “${run”, and routinely check for unauthorized system modifications.

The NSA provided IP addresses and domains that were associated with the Sandworm attacks and offered additional advice on how to apply multiple defensive layers to protect public facing software such as MTAs.

Web shell malware continues to evade many security tools

Cyber attackers are increasingly leveraging web shell malware to get persistent access to compromised networks, the US National Security Agency and the Australian Signals Directorate warn.

Web shell malware

What are web shells?

Web shells are malicious scripts that are uploaded to target systems (usually web servers) to enable attackers to control it remotely. In affect, they create a backdoor into the target system.

The threat is not limited to internet-facing web servers, though, and can be deployed on non-internet facing internal content management systems or network device management interfaces.

Preventing web shell installation

Attackers usually manage to deploy web shells by exploiting web application vulnerabilities, weak server security configuration, or by uploading to otherwise compromised systems.

Among the web application vulnerabilities that are commonly exploited to install web shell malware are:

“This list is not intended to be exhaustive, but it provides insight on some frequently exploited cases,” the agencies noted, and advised organizations to regularly patch/update web apps and limit their permissions.

“In particular, web applications should not have permission to write directly to a web accessible directory or modify web accessible code. Attackers are unable to upload a web shell to a vulnerable application if the web server blocks access to the web accessible directory,” they pointed out.

If the latter step is not possible, they advised orgs to implement file integrity monitoring to block file changes to web accessible directories or alert when changes occur.

Finally, they should add defense layers such as Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF), and improve network segregation and harden web servers.

Detecting installed web shells

“Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation,” the agencies explained. That’s what makes them so useful to attackers and so dangerous to defenders.

There are several methods that can be used to detect their presence, such as:

  • Comparing a verified benign version of the web app against the production version (and analyzing the discrepancies)
  • Monitoring web traffic for anomalies
  • Detection based on signatures (can work for detecting popular web shells that have been minimally modified)
  • Monitoring for unexpected network flows
  • Using Endpoint Detection and Response (EDR) and logging tools such as Microsoft Sysmon or Auditd (on Linux systems) to spot system call or process lineage abnormalities

The NSA has set up a GitHub repository with tools and signatures that can help defenders implement these techniques.

Finally, the agencies warn, organizations that find a web shell on one or more of their systems should investigate how far the attacker penetrated within the network.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Update 7:49 p.m. ET: Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. The company also said it does “not release production-ready updates ahead of regular Update Tuesday schedule. “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments,” Microsoft said in a written statement. “Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

Original story:

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) is nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

US government is entitled to all Snowden book proceeds, judge rules

US government is entitled to all Snowden book proceeds, judge rules

Justin Sullivan/Getty Images

The US government is entitled to every cent Edward Snowden earns from publishing his memoir, Permanent Record, a federal judge ruled on Tuesday. During his employment at the CIA and NSA, Snowden signed contracts promising to seek pre-clearance from those agencies before publishing any book or other publication containing classified materials. If he failed to do so, the contracts said, Snowden would forfeit any proceeds to the federal government.

Snowden is still in exile in Russia, where he has been stranded since 2013. The classified documents Snowden leaked to multiple journalists that year sparked an intense debate over US surveillance practices and inspired some modest reforms. Snowden faces near-certain prosecution for espionage if he returns to the US.

The US Department of Justice filed a lawsuit on September 17, the day Snowden’s book first went on sale, seeking to seize Snowden’s book profits. On Tuesday, just three months later, Judge Liam O’Grady granted the government’s motion for summary judgment.

Snowden’s lawyers had asked O’Grady to allow the case to move forward to the discovery phase, where each side could conduct fact-finding related to the case. They argued that more information was needed to establish whether the US government had singled Snowden out for special treatment in administering the pre-clearance process.

But O’Grady rejected that request, arguing that the contracts were clear and the key facts of the case were not in serious dispute. The contracts required Snowden to get pre-clearance, and those requirements were still in effect, the judge held. Snowden had not sought pre-clearance, yet he published a book full of classified information anyway.

The judge also ruled that Snowden had breached his contractual responsibilities by giving speeches at the TED conference and other venues. Each of these speeches included slides with materials that were marked as classified. Snowden argued that he shouldn’t be held responsible for re-publishing information that was already in the public domain, but the judge rejected that argument, saying that there was no such limitation in the agreement.

“Both the CIA and NSA secrecy agreements prohibit unauthorized publication of certain information, and Permanent Record discusses those types of information,” O’Grady wrote. As a result, “the government is entitled to summary judgment.”

Speakers announced for CSA Summit at RSA Conference 2020

The Cloud Security Alliance (CSA) announced its headlining speakers for the 11th annual CSA Summit at RSA Conference 2020 (Feb. 24, San Francisco).

CSA Summit RSA Conference 2020

Phil Venables, Board Director and Senior Advisor (Risk and Cybersecurity) for Goldman Sachs, will be joining National Security Agency and Central Security Service General Counsel Glenn Gerstell, In-Q-Tel Chief Information Security Officer and industry legend Dan Geer, and Intuit Information Security’s Directory of Adversary Management and Threat Intelligence Shannon Lietz as top speakers for the event.

“2019 has been a milestone year for cloud computing in every respect. Massive expansion in cloud adoption and breakthroughs in cloud security solutions have been tempered by record cloud data breaches and punitive fines for privacy regulation violations. The good news is that there is an extensive body of knowledge to successfully navigate the security and privacy challenges for the decade ahead. For the forthcoming CSA Summit 2020, we have doubled down on the number of sessions presented by enterprise end users and CISOs as they are truly the stewards of our industry. The speakers we have assembled are among the most admired leaders within cybersecurity, and we are very fortunate to have them all in one room on this special day. This event will set the tone for 2020 and provide a roadmap for where we intend to lead the industry in the years ahead,” said CSA Co-founder and CEO Jim Reavis.

Venables will share his expertise and insight gleaned from his years of leading Goldman Sachs’ Information Security, Technology Risk, Technology Governance and Business Continuity programs. As a senior advisor, he supports the firm’s executive leadership and client franchise on cybersecurity, technology risk, digital business risk, and operational resilience. Additionally, he spearheads the firm’s work with industry associations and initiatives to reduce systemic risk and serves as a member of the Firmwide Enterprise Risk Committee, Firmwide Technology Risk Committee, and Global Business Resilience Committee.

Attendees also will learn from thought leaders from multi-national enterprises, government, cloud providers and the information security industry, who will share best practices in cloud privacy and security. Among them will be some of the cloud industry’s most prominent enterprise leaders and experts:

Dan Geer, CISO of In-Q-Tel. Geer is the creator of the Index of Cyber Security and the Cyber Security Decision Maker, as well as a co-founder of SecurityMetrics.Org. His 1998 speech, “Risk Management Is Where the Money Is,” changed the focus of security, and he was the first to call for the eclipse of authentication by accountability in 2002. Geer is a widely noted author in scientific journals and a co-author of several books on risk management and information security, including “Cyberinsecurity: The Cost of Monopoly,” “Economics & Strategies of Data Security,” and “Cybersecurity & National Policy.”

Glenn Gerstell, General Counsel, National Security Agency (NSA) and Central Security Service. Gerstell was appointed in August 2015 as the General Counsel of the National Security Agency and Central Security Service. Prior to joining NSA, Gerstell practiced law for almost 40 years at Milbank, Tweed, Hadley & McCloy LLP, where he served as the managing partner of the firm’s Washington, D.C., Singapore, and Hong Kong offices. Earlier in his career, he was an Adjunct Law Professor at the Georgetown University School of Law and New York Law School. He has served on the President’s National Infrastructure Advisory Council, which reports to the President and the Secretary of Homeland Security on security threats to the nation’s infrastructure, as well as on the District of Columbia Homeland Security Commission.

Shannon Lietz, Director Adversary Management and Threat Intelligence for Intuit Information Security. Lietz is an award-winning innovator with more than 20 years of experience pursuing advanced security defenses and next-generation security solutions. She is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company’s security engineering strategy and cloud security support for product innovation. She is passionate about leading the charge for security transformation and change management in large environments, leveraging Agile and Rugged principles.

Panels and presentations will focus on privacy and information security with an eye to artificial intelligence, quantum supremacy, blockchain, and fog computing.

Rich Mogull, CCSK Authorized Instructor and a prominent industry analyst and sought-after speaker, will be teaching the Certificate of Cloud Security Knowledge (CCSK) Plus training course on Feb. 23-24. The class will provide students a comprehensive review of cloud security fundamentals, prepare them to take the CCSK v4 certificate exam and guide them through six hands-on labs that tie cloud security best practices to real world applications.