They were part of a growing trend of Americans working for foreign governments that are trying to build up their cyberoperations capabilities.
Tucker Carlson accused the government of intercepting his emails without disclosing that he had been reaching out to the Kremlin.
The National Security Agency warned government employees that hackers could take advantage of the public Wi-Fi in coffee shops, airports and hotel rooms.
The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.
The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.
Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.
In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”
“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.
The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.
The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have made ransom demands of millions of dollars against hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign in which prosecutors also accused the hackers of operating for personal gain.
Although the U.S. has publicly pressed the Kremlin to stop giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. had not previously accused Beijing of launching or being involved with ransomware attacks.
“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.
The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.
The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, who U.S. prosecutors said used a front company to hide their operations while trying to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS from victims based in the U.S., Norway, Switzerland and the United Kingdom.
“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.
In 2013, eight tech companies were accused of funneling their users’ data to the U.S. National Security Agency under the so-called PRISM program, according to highly classified government documents leaked by NSA whistleblower Edward Snowden. Six months later, the tech companies formed a coalition under the name Reform Government Surveillance, which as the name would suggest was to lobby lawmakers for reforms to government surveillance laws.
The idea was simple enough: to call on lawmakers to limit surveillance to targeted threats rather than conduct a dragnet collection of Americans’ private data, provide greater oversight and allow companies to be more transparent about the kinds of secret orders for user data that they receive.
Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo and AOL (to later become Verizon Media, which owns TechCrunch — for now) were the founding members of Reform Government Surveillance, or RGS, and over the years added Amazon, Dropbox, Evernote, Snap and Zoom as members.
But then sometime in June 2019, Evernote quietly disappeared from the RGS website without warning. What’s even more strange is that nobody noticed for two years, not even Evernote.
“We hadn’t realized our logo had been removed from the Reform Government Surveillance website,” said an Evernote spokesperson, when reached for comment by TechCrunch. “We are still members.”
Evernote joined the coalition in October 2014, a year and a half after PRISM first came to public light, even though the company was never named in the leaked Snowden documents. Still, Evernote was a powerful ally to have onboard, and showed RGS that its support for reforming government surveillance laws was gaining traction outside of the companies named in the leaked NSA files. Evernote cites its membership of RGS in its most recent transparency report and that it supports efforts to “reform practices and laws regulating government surveillance of individuals and access to their information” — which makes its disappearance from the RGS website all the more bizarre.
TechCrunch also asked the other companies in the RGS coalition if they knew why Evernote was removed and all either didn’t respond, wouldn’t comment or had no idea. A spokesperson for one of the RGS companies said they weren’t all that surprised since companies “drop in and out of trade associations.”
That may be true; companies often sign on to lobbying efforts that ultimately help their businesses. But government surveillance is one of those rare thorny issues that got some of the biggest names in Silicon Valley rallying behind a single cause. After all, few tech companies have openly and actively advocated for an increase in government surveillance of their users, since it’s the users themselves who are asking for more privacy baked into the services they use.
In the end, the reason for Evernote’s removal seems remarkably benign.
“Evernote has been a longtime member — but they were less active over the last couple of years, so we removed them from the website,” said an email from Monument Advocacy, a Washington, D.C. lobbying firm that represents RGS. “Your inquiry has helped to prompt new conversations between our organizations and we’re looking forward to working together more in the future.”
Monument has been involved with RGS since near the beginning, after it was hired by the RGS coalition of companies to lobby for changes to surveillance laws in Congress. Monument has spent $2.2 million on lobbying since it began work with RGS in 2014, according to OpenSecrets, specifically on pushing lawmakers for changes to bills under congressional consideration, such as changes to the Patriot Act and the Foreign Intelligence Surveillance Act, or FISA, with mixed success. RGS supported the USA Freedom Act, a bill designed to curtail some of the NSA’s collection under the Patriot Act, but was unsuccessful in its opposition to the reauthorization of Section 702 of FISA, the powers that allow the NSA to collect intelligence on foreigners located outside the United States, which was reauthorized for six years in 2018.
RGS has been largely quiet for the past year — issuing just one statement on the importance of transatlantic data flows, the most recent hot-button issue to concern tech companies, fearing that anything other than the legal status quo could see vast swaths of their users in Europe cut off from their services.
“RGS companies are committed to protecting the privacy of those who use our services, and to safeguard personal data,” said the statement, which included the logos of Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Snap, Twitter, Verizon Media and Zoom, but not Evernote.
In a coalition that’s only as strong as its members, the decision to remove Evernote from the website while it’s still a member hardly sends a resounding message of collective corporate unity — which these days isn’t something Big Tech can find much of.
Out on good behavior, the former National Security Agency contractor was sent to a halfway house.
The Pentagon Papers created a delicate balance of power between the press and the government. Lately, it’s being threatened.
The highest chamber of the European Court of Human Rights (ECHR) has delivered a blow to anti-surveillance campaigners in Europe by failing to find that bulk interception of digital comms is inherently incompatible with human rights law, which enshrines individual rights to privacy and freedom of expression.
The court did, however, hold that any bulk interception regime must be subject to ‘end-to-end’ safeguards. Governments in Europe whose laws lack such safeguards are opening them up to further legal challenge under the European Convention on Human Rights.
The Grand Chamber ruling also confirms that the UK’s historic surveillance regime — under the Regulation of Investigatory Powers Act 2000 (aka RIPA) — was unlawful because it lacked the necessary safeguards.
Per the court, ‘end-to-end’ safeguards means that bulk intercept powers need to involve assessments at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ‘ex post facto’ review.
The Grand Chamber judgement identified a number of deficiencies with the bulk regime operated in the UK at the time of RIPA — including that bulk interception had been authorised by the Secretary of State, rather than by a body independent of the executive; categories of search terms defining the kinds of communications that would become liable for examination had not been included in the application for a warrant; and search terms linked to an individual (e.g. specific identifiers such as an email address) had not been subject to prior internal authorisation.
The court also found that the UK’s bulk intercept regime had breached Article 10 (freedom of expression) because it had not contained sufficient protections for confidential journalistic material.
The regime used for obtaining comms data from communication service providers was also found to have violated Articles 8 (right to privacy and family life/comms) and 10, “as it had not been in accordance with the law”.
However, the court held that the regime by which the UK could request intelligence from foreign governments and/or intelligence agencies had had sufficient safeguards in place to protect against abuse and to ensure that UK authorities had not used such requests as a means of circumventing their duties under domestic law and the Convention.
“The Court considered that, owing to the multitude of threats States face in modern society, operating a bulk interception regime did not in and of itself violate the Convention,” it added in a press release.
The RIPA regime has since been replaced by the UK’s Investigatory Powers Act (IPA), which put bulk intercept powers explicitly into law (albeit with claimed layers of oversight).
The IPA has also been subject to a number of human rights challenges — and in 2018 the government was ordered by the UK High Court to revise parts of the law which had been found to be incompatible with human rights law.
Today’s Grand Chamber judgement relates specifically to RIPA and to a number of legal challenges, heard simultaneously by the ECHR, that were brought against the UK’s mass surveillance regime by journalists and privacy and digital rights campaigners in the wake of the 2013 mass surveillance revelations by NSA whistleblower Edward Snowden.
In a similar ruling back in 2018 the lower Chamber found some aspects of the UK’s regime violated human rights law — with a majority vote then finding that its bulk interception regime had violated Article 8 because there was insufficient oversight (such as of selectors and filtering; and of search and selection of intercepted communications for examination; as well as inadequate safeguards governing the selection of related comms data).
Human rights campaigners followed up by requesting and securing a referral to the Grand Chamber — which has now handed down its view.
It unanimously found there had been a violation of Article 8 in respect of the regime for obtaining communications data from communication service providers.
But by 12 votes to 5 it ruled there had been no violation of Article 8 in respect of the UK’s regime for requesting intercepted material from foreign governments and intelligence agencies.
In another unanimous vote the Grand Chamber found there had been a violation of Article 10, concerning both the bulk interception regime and the regime for obtaining communications data from comms service providers.
But, again, by 12 votes to 5 it ruled there had been no violation of Article 10 in respect of the regime for requesting intercepted material from foreign governments and intelligence agencies.
Responding to the judgement in a statement, the privacy rights group Big Brother Watch — which was one of the parties involved in the challenges — said the judgement “confirms definitively that the UK’s bulk interception practices were unlawful for decades”, thereby vindicating Snowden’s whistleblowing.
The organization also highlighted a dissenting opinion from Judge Pinto de Albuquerque, who wrote that:
“Admitting non-targeted bulk interception involves a fundamental change in how we view crime prevention and investigation and intelligence gathering in Europe, from targeting a suspect who can be identified to treating everyone as a potential suspect, whose data must be stored, analysed and profiled (…) a society built upon such foundations is more akin to a police state than to a democratic society. This would be the opposite of what the founding fathers wanted for Europe when they signed the Convention in 1950.”
In further remarks on the judgement, Silkie Carlo, director of Big Brother Watch, added: “Mass surveillance damages democracies under the cloak of defending them, and we welcome the Court’s acknowledgement of this. As one judge put it, we are at great risk of living in an electronic ‘Big Brother’ in Europe. We welcome the judgment that the UK’s surveillance regime was unlawful, but the missed opportunity for the Court to prescribe clearer limitations and safeguards means that risk is current and real.”
“We will continue our work to protect privacy, from parliament to the courts, until intrusive mass surveillance practices are ended,” she added.
Privacy International — another party to the case — sought to put a positive spin on the outcome, saying the Grand Chamber goes further than the ECHR’s 2018 ruling by “providing for new and stronger safeguards, adding a new requirement of prior independent or judicial authorisation for bulk interception”.
“Authorisation must be meaningful, rigorous and check for proper ‘end-to-end safeguards’,” it added in a statement.
Also commenting publicly, the Open Rights Group’s executive director, Jim Killock, said: “The court has shown that the UK Government’s legal framework was weak and inadequate when we took them to court with Big Brother Watch and Constanze Kurz in 2013. The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused.”
“As the court sets out, bulk interception powers are a great power, secretive in nature, and hard to keep in check. We are far from confident that today’s bulk interception is sufficiently safeguarded, while the technical capacities continue to deepen. GCHQ continues to share technology platforms and raw data with the US,” Killock went on to say, couching the judgment as “an important step on a long journey”.
Newly disclosed episodes in which analysts improperly searched for data about Americans largely came before changes at the bureau.
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but because the SOC has not changed how it works, it fails to detect when those gates are opened with stolen keys. The cybersecurity industry must rethink its strategy, analyze how credentials are actually used, and stop breaches before they become bigger problems.
It’s all about the credentials
Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their networks while employees work from unsecured connections. In April 2020, the FBI said that cyberattacks reported to the bureau had grown by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.
It only takes one compromised account for an attacker to get into Active Directory and create their own credentials. In such an environment, all user accounts should be considered potentially compromised.
Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly used technique is credential stuffing, in which attackers replay username and password pairs leaked from other breaches against a target at scale; once one pair works, they exploit the environment and move laterally to gain higher-level access.
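The distinction between the two credential attacks above is visible in authentication logs, and it is what a SOC that only reviews alerts in isolation tends to miss. The following is an added example, not code from the article: it aggregates login attempts per source address and separates brute force (one account, many failures) from credential stuffing (many distinct accounts, one or two tries each), then returns the accounts that succeeded from each flagged source, since those should be treated as compromised. The event tuples, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of login events as (source_ip, username, success). Not real logs.
SAMPLE_LOGINS = [
    # Brute force: one account hammered from a single address, then a success.
    *[("203.0.113.7", "jsmith", False) for _ in range(40)],
    ("203.0.113.7", "jsmith", True),
    # Credential stuffing: sixty different accounts tried once each from one address,
    # two of which succeed because the leaked password was reused.
    *[("198.51.100.9", f"user{i}", False) for i in range(60)],
    ("198.51.100.9", "user12", True),
    ("198.51.100.9", "user41", True),
    # Ordinary user: one typo, then a successful login.
    ("192.0.2.33", "amy", False),
    ("192.0.2.33", "amy", True),
]


def classify_sources(events, min_attempts=20, stuffing_user_ratio=0.5, brute_fail_ratio=0.9):
    """Return {source_ip: (verdict, [accounts that logged in successfully])}.

    verdict is "credential_stuffing", "brute_force" or "normal". Thresholds are
    assumptions for the example and would be tuned per environment.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1

    verdicts = {}
    for ip, s in stats.items():
        successes = sorted(s["successes"])
        if s["attempts"] < min_attempts:
            verdicts[ip] = ("normal", successes)
            continue
        # Stuffing spreads attempts across many accounts; brute force concentrates them on few.
        distinct_ratio = len(s["users"]) / s["attempts"]
        fail_ratio = s["failures"] / s["attempts"]
        if distinct_ratio >= stuffing_user_ratio:
            verdicts[ip] = ("credential_stuffing", successes)
        elif fail_ratio >= brute_fail_ratio:
            verdicts[ip] = ("brute_force", successes)
        else:
            verdicts[ip] = ("normal", successes)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, accounts) in classify_sources(SAMPLE_LOGINS).items():
        print(f"{ip}: {verdict}; successful accounts to reset: {accounts}")
```

The point of returning the successful accounts rather than just the source address is that blocking the IP does nothing for the credential pair that already worked; those accounts need a forced reset and a review of what they touched afterwards.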
A stunning C.I.A. assessment, and President Donald J. Trump’s inaction on it, prompted bipartisan uproar, but the available evidence supporting the assessment remains less than definitive proof.
Chris Inglis will be nominated to the new post as the president fills out his cybersecurity team and the U.S. considers responses to recent attacks.
President Biden has named two former National Security Agency veterans to senior government cybersecurity positions, including the first national cyber director.
The appointments, announced Monday, land after the discovery of two cyberattacks linked to foreign governments earlier this year: the Russian espionage campaign that planted backdoors in software from U.S. technology company SolarWinds to hack into at least nine federal agencies, and the mass exploitation of Microsoft Exchange servers linked to hackers backed by China.
Jen Easterly, a former NSA official under the Obama administration who helped to launch U.S. Cyber Command, has been nominated as the new head of CISA, the cybersecurity advisory unit housed under Homeland Security. CISA has been without a head for six months, since then-President Trump fired former director Chris Krebs, whom Trump had appointed to lead the agency in 2018, for disputing Trump’s false claims of election hacking.
Biden has also named former NSA deputy director John “Chris” Inglis as national cyber director, a new position created by Congress late last year to be housed in the White House, charged with overseeing the defense and cybersecurity budgets of civilian agencies.
Inglis is expected to work closely with Anne Neuberger, who in January was appointed as the deputy national security adviser for cyber on the National Security Council. Neuberger, a former NSA executive and its first director of cybersecurity, was tasked with leading the government’s response to the SolarWinds attack and Exchange hacks.
Biden has also nominated Rob Silvers, a former Obama-era assistant secretary for cybersecurity policy, to serve as undersecretary for strategy, policy, and plans at Homeland Security. Silvers was recently floated for the top job at CISA.
Both Easterly and Silvers’ positions are subject to Senate confirmation. The appointments were first reported by The Washington Post.
Former CISA director Krebs praised the appointments as “brilliant picks.” Dmitri Alperovitch, a former CrowdStrike executive and chair of Silverado Policy Accelerator, called the appointments the “cyber equivalent of the dream team.” In a tweet, Alperovitch said: “The administration could not have picked three more capable and experienced people to run cyber operations, policy and strategy alongside Anne Neuberger.”
At the NSA, Neuberger was replaced by Rob Joyce, a former White House cybersecurity coordinator, who returned from a stint at the U.S. Embassy in London earlier this year to become the agency’s new cybersecurity director.
Last week, the White House asked Congress for $110 million in new funding for next year to help Homeland Security to improve its defenses and hire more cybersecurity talent. CISA hemorrhaged senior staff last year after several executives were fired by the Trump administration or left for the private sector.
The intelligence agencies missed massive intrusions by Russia and China, forcing the administration and Congress to look for solutions, including closer partnership with private industry.
Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.
The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.
Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, giving the attackers the ability to steal data from a victim organization, such as email accounts and address books, and to plant malware. When used together, the four vulnerabilities form an attack chain that can compromise vulnerable servers running on-premises Exchange 2013 and later.
Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.
Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”
Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.
The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”
America’s biggest vulnerability in cyberwarfare is hubris.
President Biden named nearly all of his cabinet secretaries and their immediate deputies before he took office, but his real grasp on the levers of power has come several layers down.
The acting defense secretary ordered the spy agency to appoint Michael Ellis, who has been accused of having a hand in one of the Trump administration’s most contentious legal decisions.
DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.
Using DoH or a similar protocol known as DoT, short for DNS over TLS, is a no-brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said that in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it, at least not with resolvers outside the enterprise’s control. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.
“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”
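To make the monitoring problem concrete: a DoH request carries exactly the same DNS message that would otherwise go to port 53, just wrapped in HTTPS, so a network sensor that watches UDP/53 sees nothing. The following is an added example (not code from the article or from the NSA guidance) that builds a DNS query in RFC 1035 wire format, encodes it the way RFC 8484 specifies for a DoH GET (base64url in the `dns` parameter, padding removed), and parses a DNS answer of the kind a resolver would return in the HTTP body. The resolver URL is a placeholder and the response bytes are constructed for the example; nothing is sent over the network.

```python
import base64
import struct

DOH_RESOLVER = "https://dns.example.net/dns-query"  # placeholder URL, not a real resolver


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Serialize a single-question DNS query (RFC 1035 wire format).

    RFC 8484 recommends transaction ID 0 so identical queries produce identical
    URLs and can be cached by HTTP caches.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100: recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded message, '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, and return the answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed response (not captured traffic): standard answer, one A record for
# example.com with TTL 300, name compressed with a pointer back to the question.
SAMPLE_RESPONSE = bytes.fromhex(
    "000081800001000100000000"            # header: id 0, flags 0x8180, 1 question, 1 answer
    "076578616d706c6503636f6d0000010001"  # question: example.com A IN
    "c00c000100010000012c00045db8d822"    # answer: ptr->0x0c, A, IN, ttl 300, 93.184.216.34
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_RESOLVER, q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET form above is what a browser or application that has enabled DoH on its own sends to an external resolver; the POST form carries the same bytes as an `application/dns-message` body. Either way the only thing visible to a perimeter monitor is a TLS session to port 443, which is why the NSA's guidance amounts to forcing clients onto the enterprise resolver and blocking the rest.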
The two appointments illustrate how the president-elect appears determined to rebuild a White House national security team to focus on threats that critics say were ignored by President Trump.
Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.
Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defenses and gave away nothing to American monitoring of their systems.
The unverified intelligence echoes a similar report, deemed credible by the C.I.A. but dismissed by the president, that Russian military agents had offered payments for attacks on Americans in Afghanistan.
The U.S. also uses cybertools to defend its interests. It’s the age of perpetual cyberconflict.
The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.
The Justice Department is setting a dangerous precedent that threatens reporters — and the truth.
As the government grapples with a vast hack, the Pentagon is weighing whether to separate management of the National Security Agency from the United States Cyber Command.
The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times.
The Pentagon, intelligence agencies, nuclear labs and Fortune 500 companies use software that was found to have been compromised by Russian hackers. The sweep of stolen data is still being assessed.
In case you missed it: A ransomware attack saw patient data stolen from one of the largest U.S. fertility networks; the Supreme Court began hearing a case that may change how millions of Americans use computers and the internet; and lawmakers in Massachusetts have voted to ban police from using facial recognition across the state.
In this week’s Decrypted, we’re deep-diving into two stories beyond the headlines, including why the breach at cybersecurity giant FireEye has the cybersecurity industry in shock.
THE BIG PICTURE
Google researcher finds a major iPhone security bug, now fixed
What happens when you leave one of the best security researchers alone for six months? You get one of the most devastating vulnerabilities ever found in an iPhone — a bug so damaging that it can be exploited over-the-air and requires no interaction on the user’s part.
The vulnerability was found in Apple Wireless Direct Link (AWDL), an important part of the iPhone’s software that among other things allows users to share files and photos over Wi-Fi through Apple’s AirDrop feature.
“AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity,” wrote Google’s Ian Beer, who found the vulnerability in November and disclosed it to Apple, which pushed out a fix for iPhones and Macs in January.
Exploiting the bug over Wi-Fi allowed Beer to reach the underlying iPhone software and take control of a vulnerable device, reading its messages, emails and photos and activating the camera and microphone, all without alerting the user. Beer said that the bug could be exploited over “hundreds of meters or more,” depending on the hardware used to carry out the attack. The good news is that there’s no evidence that malicious hackers have actively tried to exploit the bug.
News of the bug drew immediate attention, though Apple didn’t comment. NSA’s Rob Joyce said the bug find is “quite an accomplishment,” given that most iOS bugs require chaining multiple vulnerabilities together in order to get access to the underlying software.
FireEye hacked by a nation-state, but the aftermath is unclear
The Silicon Valley company said hackers — almost certainly Russian — made off with tools that could be used to mount new attacks around the world.
Trump shuffles the Pentagon leadership, raising anxieties more.
So far, there is no evidence the appointees harbor a secret agenda or arrived with an action plan. But their sudden appearance amounts to a purge of the Pentagon’s top civilian hierarchy without recent precedent.
The arrival of the new officials has prompted concerns. Their backgrounds offer insights into their policies.
The 2020 election was the biggest test yet of a new approach of pre-emptive action against adversaries trying to hack election infrastructure or wage disinformation campaigns.
The former intelligence contractor still hopes to return to the United States. But the Russian authorities have given him the right to stay in Russia indefinitely.
The goal is to disrupt Russia’s well-honed information-warfare systems, whether they are poised to hack election systems or influence the minds of voters.
Fearing Russian ransomware attacks on the election, the company and U.S. Cyber Command mounted similar pre-emptive strikes. It is not clear how long they may work.
The director of national intelligence is said to be planning more disclosures of intelligence that undermines the Russia investigation.
Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.
The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.
It’s the third emergency alert issued by CISA this year.
The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network's authentication and security. The bug was aptly named "Zerologon" because an attacker doesn't need to steal or use any network passwords to reach the domain controllers; a foothold on the network, such as a compromised device connected to it, is enough.
With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.
Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.
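Why a single attempt has such good odds, and why the whole thing takes seconds rather than years, comes down to how Netlogon encrypted the client's challenge: AES in CFB8 mode with an all-zero IV. The following is an added illustration of that mode weakness, not Secura's or Microsoft's code and not an exploit against a real domain controller. A SHA-256-based keyed function stands in for the AES block cipher (an assumption made so the script runs with the standard library only; the property shown does not depend on which block cipher is used), and the session-key derivation and the `machine-account-secret` value are simplified stand-ins for the real protocol.

```python
# Added illustration of the cryptographic weakness behind Zerologon; this is
# not Secura's or Microsoft's code and is not an exploit against a real domain
# controller. Netlogon encrypted the client's 8-byte challenge with AES-CFB8
# using an all-zero IV. The stand-in block function below is SHA-256 based,
# not AES (assumption made so this runs with the standard library only); the
# CFB8 property shown does not depend on which block cipher is used.
import hashlib
import random

BLOCK = 16          # block size of the (stand-in) cipher
CHALLENGE = 8       # Netlogon challenges and credentials are 8 bytes


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher encryption under `key` (not AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback width: each output byte is the first byte of
    the encrypted shift register XOR one plaintext byte, and the ciphertext
    byte is then shifted into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(key, bytes(shift))[0] ^ p
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    shift = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(block_fn(key, bytes(shift))[0] ^ c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def zero_iv_forgery_works(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0, the shift register never changes while
    the output bytes stay zero, so the whole ciphertext is zero exactly when
    the first byte of E_key(0^16) is zero: one key in 256."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(CHALLENGE)) == bytes(CHALLENGE)


def weak_key_fraction(trials: int = 20000, seed: int = 1) -> float:
    rng = random.Random(seed)
    hits = sum(zero_iv_forgery_works(_rand_bytes(rng, BLOCK)) for _ in range(trials))
    return hits / trials


def random_iv_hits(trials: int = 20000, seed: int = 2) -> int:
    """Same test with a fresh random IV per message: an all-zero ciphertext now
    needs eight independent zero keystream bytes (about 2**-64), so no hits."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key, iv = _rand_bytes(rng, BLOCK), _rand_bytes(rng, BLOCK)
        hits += cfb8_encrypt(key, iv, bytes(CHALLENGE)) == bytes(CHALLENGE)
    return hits


def attempts_until_forged_credential(secret: bytes, seed: int = 7, limit: int = 5000):
    """Simulated handshake: the attacker always sends an all-zero client
    challenge and an all-zero credential. The server derives a fresh session
    key from its secret and both challenges (hash-based KDF here, an
    assumption) and accepts when CFB8(key, iv=0, client_challenge) matches.
    Each attempt succeeds with probability 1/256, so about 256 tries suffice."""
    rng = random.Random(seed)
    client_challenge = bytes(CHALLENGE)
    attacker_credential = bytes(CHALLENGE)
    for attempt in range(1, limit + 1):
        server_challenge = _rand_bytes(rng, CHALLENGE)
        session_key = hashlib.sha256(secret + client_challenge + server_challenge).digest()[:BLOCK]
        expected = cfb8_encrypt(session_key, bytes(BLOCK), client_challenge)
        if expected == attacker_credential:
            return attempt
    return None


if __name__ == "__main__":
    print(f"keys where the zero-IV forgery works: {weak_key_fraction():.4f} (1/256 = {1/256:.4f})")
    print(f"hits with a random IV: {random_iv_hits()}")
    print(f"attempts until a forged credential is accepted: "
          f"{attempts_until_forged_credential(b'machine-account-secret')}")
```

The point the simulation makes is that the defect is the stationary shift register, not the choice of cipher: with a zero IV and a zero plaintext, a zero first keystream byte freezes the register and every later byte is zero too, so the attacker's guess is right for roughly one session key in 256, and because the server picks a fresh challenge (and hence a fresh key) on every attempt, the attacker simply retries. A per-message random IV, as the last function shows, pushes the same guess back to a 2^-64 chance.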
Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.
But the race is on to patch systems after researchers reportedly released proof-of-concept code, which attackers could use to launch attacks of their own. CISA said on Friday that it "assumes active exploitation of this vulnerability is occurring in the wild."
Although the CISA alert only applies to federal government networks, the agency said it "strongly" urges companies and consumers to patch their systems as soon as possible if they have not already done so.
The headlines aren’t always kind to the National Security Agency, a spy agency that operates almost entirely in the shadows. But a year ago, the NSA launched its new Cybersecurity Directorate, which in the past year has emerged as one of the more visible divisions of the spy agency.
At its core, the directorate focuses on defending and securing critical national security systems that the government uses for its sensitive and classified communications. But the directorate has become best known for sharing some of the more emerging, large-scale cyber threats from foreign hackers. In the past year the directorate has warned against attacks targeting secure boot features in most modern computers, and doxxed a malware operation linked to Russian intelligence. By going public, NSA aims to make it harder for foreign hackers to reuse their tools and techniques, while helping to defend critical systems at home.
But six months after the directorate started its work, COVID-19 was declared a pandemic and large swathes of the world — and the U.S. — went into lockdown, prompting hackers to shift gears and change tactics.
“The threat landscape has changed,” Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch at Disrupt 2020. “We’ve moved to telework, we move to new infrastructure, and we’ve watched cyber adversaries move to take advantage of that as well,” she said.
Publicly, the NSA advised on which videoconferencing and collaboration software was secure, and warned about the risks associated with virtual private networks, whose usage boomed after lockdowns began.
But behind the scenes, the NSA is working with federal partners to help protect the efforts to produce and distribute a vaccine for COVID-19, a feat that the U.S. government called Operation Warp Speed. News of NSA’s involvement in the operation was first reported by Cyberscoop. As the world races to develop a working COVID-19 vaccine, which experts say is the only long-term way to end the pandemic, NSA and its U.K. and Canadian partners went public with another Russian intelligence operation aimed at targeting COVID-19 research.
“We’re part of a partnership across the U.S. government, we each have different roles,” said Neuberger. “The role we play as part of ‘Team America for Cyber’ is working to understand foreign actors, who are they, who are seeking to steal COVID-19 vaccine information — or more importantly, disrupt vaccine information or shake confidence in a given vaccine.”
Neuberger said that protecting the pharma companies developing a vaccine is just one part of the massive supply chain operation that goes into getting a vaccine out to millions of Americans. Ensuring the cybersecurity of the government agencies tasked with approving a vaccine is also a top priority.
Here are more takeaways from the talk:
Why TikTok is a national security threat
TikTok is just days away from an app store ban, after the Trump administration earlier this year accused the Chinese-owned company of posing a threat to national security. But the government has been less than forthcoming about what specific risks the video sharing app poses, alleging only that the app could be compelled to spy for China. Beijing has long been accused of cyberattacks against the U.S., including the massive 2014 breach of the Office of Personnel Management, which exposed the sensitive personnel and background-investigation files of millions of government employees.
Neuberger said that the "scope and scale" of the TikTok app's data collection makes it easier for Chinese spies to answer "all kinds of different intelligence questions" on U.S. nationals. Neuberger conceded that U.S. tech companies like Facebook and Google also collect large amounts of user data, but said there are "greater concerns on how [China] in particular could use all that information collected against populations other than its own."
NSA is privately disclosing security bugs to companies
The NSA is trying to be more open about the vulnerabilities it finds and discloses, Neuberger said. She told TechCrunch that the agency has shared a “number” of vulnerabilities with private companies this year, but “those companies did not want to give attribution.”
One exception came earlier this year, when Microsoft confirmed NSA had found and privately reported a major flaw in the certificate validation of Windows 10's cryptographic library, which could have allowed attackers to pass off malware as legitimately signed software. NSA judged the bug serious enough to report it rather than keep it, and Microsoft patched it.
A few years earlier, the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The exploit was later leaked and was used to infect hundreds of thousands of computers with the WannaCry ransomware, causing hundreds of millions of dollars' worth of damage.
As a spy agency, NSA exploits flaws and vulnerabilities in software to gather intelligence on adversaries. Decisions about whether to report a flaw or keep it go through a process called the Vulnerabilities Equities Process, which allows the government to retain bugs it can use for spying rather than disclose them.
China is also growing more adept at targeting campaign workers. But contrary to Trump administration warnings, Beijing is mostly aiming at Biden campaign officials.
A program run by the National Security Agency that collected details on billions of Americans’ phone calls was ruled illegal by a U.S. appeals court on Thursday.
The Ninth Circuit Court of Appeals found that the NSA's "bulk collection" of call records violated the law, but the judges stopped short of ruling the program unconstitutional.
The NSA used new powers granted in the wake of the September 11 terror attacks, known as Section 215 for its place in the law books, to scoop up billions of phone records every year by compelling U.S. phone giants to turn over daily call logs, which the agency used to make connections between targets of interest. Those call records include who is calling whom and when, but not the contents of the calls.
Details of the program were exposed by former NSA contractor Edward Snowden in 2013.
But the call records program, beset with problems, overcollection, and questions about its legality, was shut down last year.
Patrick Toomey, senior staff attorney with the ACLU’s National Security Project, said the ruling was a “victory” for privacy rights.
“The ruling makes plain that the NSA’s bulk collection of Americans’ phone records violated the Constitution. The decision also recognizes that when the government seeks to prosecute a person, it must give notice of the secret surveillance it used to gather its evidence,” said Toomey. “This protection is a vital one given the proliferation of novel spying tools the government uses today.”
The case at the Ninth Circuit involved Basaaly Moalin and three others, who were convicted in 2013 of sending money to the militant group Al-Shabaab. Moalin was convicted in part through call records collected by the NSA, but the role that the data played was so small that it did not undermine the convictions, reports Politico.
The NSA has long claimed that the program was vital for protecting the U.S. homeland and stopping terrorist attacks. Past administrations claimed that the program stopped more than 50 attacks. But after congressional scrutiny, that figure was revised down to one identified individual: Moalin.
Although the court did not overturn Moalin’s conviction, the three-judge panel criticized the government’s previous statements and comments about the usefulness and effectiveness of the program, which the court said were “inconsistent with the contents of the classified record.”
Julian Sanchez, a civil liberties expert and senior fellow at the Cato Institute, tweeted: “The upshot of this Ninth Circuit opinion is that the NSA’s bulk phone record collection was illegal and probably unconstitutional, but it doesn’t matter because the program was also worthless.”
When asked if the NSA stood by its earlier statements, spokesperson Mike Dusak declined to comment.
In less than three months, barring intervention, TikTok will be effectively banned in the U.S. unless an American company steps in to save it, after the Trump administration declared by executive order this week that the Chinese-built video sharing app is a threat to national security.
How much of a threat TikTok poses exactly remains to be seen. U.S. officials are convinced that the app could be compelled by Beijing to vacuum up reams of Westerners’ data for intelligence. Or is the app, beloved by millions of young American voters, simply a pawn in the Trump administration’s long political standoff with China?
Really, the answer is a bit of both, even if on paper TikTok is no worse than the homegrown threat to privacy posed by the Big Tech behemoths: Facebook, Instagram, Twitter and Google. But the foreign threat from Beijing alone was enough for the Trump administration to crack down on the app, and on the videos that are frequently critical of the administration's actions.
For its part, TikTok says it will fight back against the Trump administration’s action.
This week’s Decrypted looks at TikTok amid its looming ban. We’ll look at why the ban is unlikely, even if privacy and security issues persist.
THE BIG PICTURE
Internet watchdog says a TikTok ban is a ‘seed of genuine security concern wrapped in a thick layer of censorship’
The verdict from the Electronic Frontier Foundation is clear: The U.S. can’t ban TikTok without violating the First Amendment. Banning the app would be a huge abridgment of freedom of speech, whether it’s forbidding the app stores from serving it or blocking it at the network level.
But there are still legitimate security and privacy concerns. The big issue for U.S. authorities is that the app’s parent company, ByteDance, has staff in China and is subject to Beijing’s rules.