Archive

Posts Tagged ‘national security agency’

NSA Targeting Domestic Computer Systems

December 23rd, 2012 12:21 admin

Government

The NSA was originally supposed to handle foreign intelligence, and leave the domestic spying to other agencies, but Presto Vivace writes with this bit from CNET: “‘The National Security Agency’s Perfect Citizen program hunts for vulnerabilities in ‘large-scale’ utilities, including power grid and gas pipeline controllers, new documents from EPIC show.’ ‘Perfect Citizen?’ Who thinks up these names?” “The program is scheduled to continue through at least September 2014,” says the article.

Source: NSA Targeting Domestic Computer Systems

NCTC Gets Vast Powers To Spy On U.S. Citizens

December 13th, 2012 12:50 admin

Government

interval1066 writes “In a breathtaking new move by (another) little-known national security agency, the personal information of all U.S. citizens will be available for casual perusal. The ‘National Counterterrorism Center’ (I’ve never heard of this org) may now ‘examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them.’ This is different from past bureaucratic practice (never mind due process) in that a government agency not in the list of agencies approved to do certain things without due process may completely bypass due process and store (for up to 5 years) these records; the organization doesn’t need a warrant, or have any kind of oversight of any kind. They will be sifting through these records looking for ‘counter-insurgency activity,’ supposedly with an eye to prevention. If this doesn’t wake you up and chill you to your very bone, not too sure there is anything that will anyway.”

Source: NCTC Gets Vast Powers To Spy On U.S. Citizens

Hacker vs. Counter-Hacker — a Legal Debate

November 18th, 2012 11:19 admin

Crime

Freddybear writes “If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. ‘The debaters are:

  • Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
  • Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.’”

Source: Hacker vs. Counter-Hacker — a Legal Debate

Court Rules NSA Doesn’t Have To Confirm Or Deny Secret Relationship With Google

May 11th, 2012 05:32 admin

Google

Sparrowvsrevolution writes “A DC appeals court has ruled that the National Security Agency doesn’t need to either confirm or deny its secret relationship with Google in response to a Freedom of Information Act (FOIA) request and follow-up lawsuit filed by the Electronic Privacy Information Center. The NSA cited a FOIA exemption that covers any documents whose exposure might hinder the NSA’s national security mission, and responded to EPIC with a ‘no comment.’ Beyond merely rejecting the FOIA request, the court has agreed with the NSA that it has the right to simply not respond to the request, as even a rejection of the request might reveal details of a suspected relationship with Google that it has sought to keep secret. Google was reported to have partnered with the NSA to bolster its defenses against hackers after its breach by Chinese cyberspies in early 2010. But to the dismay of privacy advocates who fear the NSA’s surveillance measures coupled with Google’s trove of data, the company has never explained the details of that partnership.”

Source: Court Rules NSA Doesn’t Have To Confirm Or Deny Secret Relationship With Google

Whistleblower: NSA Has All of Your Email

April 21st, 2012 04:26 admin

Privacy

mspohr writes with this excerpt from Democracy Now!: “National Security Agency whistleblower William Binney reveals he believes domestic surveillance has become more expansive under President Obama than President George W. Bush. He estimates the NSA has assembled 20 trillion ‘transactions’ — phone calls, emails and other forms of data — from Americans. This likely includes copies of almost all of the emails sent and received from most people living in the United States. Binney talks about Section 215 of the USA PATRIOT Act and challenges NSA Director Keith Alexander’s assertion that the NSA is not intercepting information about U.S. citizens.” The parts about National Security Letters in particular are chilling, even though the issue is not new.

Source: Whistleblower: NSA Has All of Your Email

Innocent Or Not, the NSA Is Watching You

April 8th, 2012 04:51 admin

Government

An anonymous reader writes with this excerpt from Wired: “Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.”

Source: Innocent Or Not, the NSA Is Watching You

NSA Building US’s Biggest Spy Center

March 16th, 2012 03:03 admin

Encryption

New submitter AstroPhilosopher writes “The National Security Agency is building a complex to monitor and store ‘all’ communications in a million-square-foot facility. One of its secret roles? Code-breaking your private, personal information. Everybody’s a target. Quoting Wired: ‘Breaking into those complex mathematical shells like the AES is one of the key reasons for the construction going on in Bluffdale. That kind of cryptanalysis requires two major ingredients: super-fast computers to conduct brute-force attacks on encrypted messages and a massive number of those messages for the computers to analyze. The more messages from a given target, the more likely it is for the computers to detect telltale patterns, and Bluffdale will be able to hold a great many messages. “We questioned it one time,” says another source, a senior intelligence manager who was also involved with the planning. “Why were we building this NSA facility? And, boy, they rolled out all the old guys—the crypto guys.” According to the official, these experts told then-director of national intelligence Dennis Blair, “You’ve got to build this thing because we just don’t have the capability of doing the code-breaking.” It was a candid admission.’”

Source: NSA Building US’s Biggest Spy Center

DOJ Asks Court To Keep Secret Google / NSA Partnership

March 13th, 2012 03:11 admin

Censorship

SonicSpike writes “The Justice Department is defending the government’s refusal to discuss — or even acknowledge the existence of — any cooperative research and development agreement between Google and the National Security Agency. The Washington based advocacy group Electronic Privacy Information Center sued in federal district court here to obtain documents about any such agreement between the Internet search giant and the security agency. The NSA responded to the suit with a so-called ‘Glomar’ response in which the agency said it could neither confirm nor deny whether any responsive records exist. U.S. District Judge Richard Leon in Washington sided with the government last July.”

Source: DOJ Asks Court To Keep Secret Google / NSA Partnership

Anatomy of a Government Phone, or, Can the NSA Build an Android?

March 5th, 2012 03:45 admin

The craziest thing about a typical “top secret” U.S. Government phone is that you can probably spot it from a football field away. If your mental picture of a Hollywood-style NSA agent drives a black AMC Ambassador, wears a polyester suit and Ray-Bans, and smokes Luckies, then his phone may either be Maxwell Smart’s shoe or a General Dynamics Sectera Edge (pictured left). At any distance, it looks like one of the pocket football games my junior high school vice principal used to confiscate and collect in his back drawer.

The National Security Agency wants a real-world smartphone, not the one it has now – not the one you see here. Of course, it must fulfill the Dept. of Defense’s requirements for session encryption and data retention. But beyond that fact, the NSA wonders why its secure phone can’t have multitouch, apps, and speed just like the civilians have. Based on looks alone, you’d think the civilians are a couple of pegs ahead of the G-men. This is a story of looks being more deceptive than even a security agency could have anticipated.

Enter the Fishbowl


The real face of the National Security Agency looks more like Margaret Salter. At the RSA Conference in San Francisco last Wednesday, Salter told attendees the story of the NSA’s Secure Mobility Strategy. She leads a department called the Information Assurance Directorate. For the better part of four decades, IAD has been tasked with securing secret government communications, and building specifications for the tools to do it. The NSA contracts with private suppliers to build a class of devices it calls GOTS (government off-the-shelf). The gestation cycle for each of these devices – from the conceptual stage, to development, to deployment – typically consumes years. Perhaps the best-known GOTS product is still in wide use today: 1987’s STU-III secure telephone, which looks about as at home on an agent’s desk today as an IBM PC.

Still, as Salter told the RSA attendees, for the better part of half a century, the NSA explicitly defined its own market, a private universe of products made for its own exclusive consumption. “That was cool for us, for the longest time. We kinda had a monopoly on this from the very beginning,” she remarked. “We were mostly building things like radios for combat, [and] big link encryptors to hook one site up to another site.”

But their ease of use ranked right up there with a World War II cipher machine. “Once you get something in the hands of an individual user who’s not a cleared COMSEC custodian, someone who knows what they’re supposed to be doing with this stuff and understands all the details, ease of use became incredibly freakin’ important. And it turned out that, although our stuff was incredibly secure, it was not incredibly easy to use.”

Over time, it became more difficult for the agency to define “ease of use” on a comparative scale. In just the last five years, the consumer universe appeared to leave the NSA’s secure market behind. “The world everyone wants is, I want to get what I want, when I want it, where I want it.”

Salter’s team considered whether it was feasible for NSA to utilize a real, commercial smartphone – one like all the kids are using nowadays – but with software that made the device perhaps more secure than the Sectera Edge. “The phones are so popular and exploding all over the place, because we can play Angry Birds on them, and do whatever you want. But we needed enterprise management – some control over it, because honestly, we didn’t really want you to be able to go load Angry Birds on your TS [top secret] phone… That was not a business model that we could support, or even defend.”

They launched Project Fishbowl, a pilot to produce a smartphone made of mostly commercial parts and infrastructure (more COTS than GOTS), capable of supporting classified voice and data, while remaining as easy to use as its civilian counterpart and staying inexpensive. The historical significance of the NSA embracing commercial crypto standards cannot be stressed enough. Anyone familiar with how RSA came to be in the first place will recall the fights its engineers faced keeping the government from classifying it, taking its power out of the public’s hands. Perhaps the whole point of the RSA standard and the RSA conference is to promote the power of security for everyone through manageable encryption.

“So one of the things I harp on most is, why was that so hard?” remarked Salter.

[Slide: NSA Fishbowl architecture]

Alphabet Soup

The ideal Fishbowl phone would need a securable VoIP app and a securable data transfer app. If at all possible, it should not have to be tied to any single carrier. It needed to be capable of connecting to the Wi-Fi network supplied by “the Ranch” (headquarters). It would need to be remotely manageable using policy, and all of the traffic through the phone must be routed through the enterprise manager. “Because if we allowed it to go all kinds of different places, we lost all control,” Salter said.

What appeared at first to be the protocol of choice for digital voice was SRTP. “Turns out, getting the key management scheme nailed down for that was hard,” she said. Finally, IAD was able to work out a way to do this using Transport Layer Security – which it also discovered was preferable to SSL for every other conceivable purpose as well.

NSA set out to endow Fishbowl with support for public cryptographic standards that were good enough, in combination with one another, to enable Classified-level communication. NSA calls these standards Suite B. “For encryption, it’s AES at the 128- and 256-bit strength. For key exchange, it’s Elliptic Curve Diffie-Hellman – and we’ve got two NIST curves, the P256 and the P384. For the signatures, it’s Elliptic Curve DSA, with those same parameters. And we add a hash function, which is the SHA-2 series. We needed those, because they’re the cryptography that’s strong enough to protect Classified.”

None of these standards are unfamiliar to the security community. Six years ago, said Salter, NSA announced Suite B as good enough for Classified level. “Then there was a big asterisk next to that,” she added, “that said, ‘By the way, your key management has to be reasonable, and NSA has to look at it to make sure it’s all good.’ We were trying to give the industry a lead time, to say eventually, if you’ve got these algorithms in your products, we’ll be able to use them in solutions… to protect classified information.”

Salter describes the “shopping” process for commercial products capable of meeting this frankly ordinary level of encryption as “hard… We went shopping, we had our little bag and our little list, and we were wandering around looking for stuff. And one of the things we were wandering around looking for was a Suite B IKEv2 IPsec app that ran on a phone. That was a difficult shopping list to maintain.”

Voice traffic needed to be encrypted twice – once through IPsec and once again on the VoIP layer through SRTP. This was in keeping with a design principle the NSA calls “the Rule of Two”: as Margaret Salter described it, “Two independent bad things have to go wrong in order for an adversary to take advantage of your phone or data.”
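The Rule of Two in working code, as an added example that is not code from the article, from NSA or from the Fishbowl project: two independent Suite B key agreements (ephemeral ECDH on P-256 and on P-384, each shared secret hashed with SHA-384) feed two AES-GCM layers that stand in for SRTP and for the IPsec tunnel, and a frame sealed under both only opens when both keys are held. The curve and key-size pairing per layer, the layer labels, the constructed voice frame, and leaving the exchange unauthenticated (Suite B signs it with ECDSA) are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Agree runs a fresh ephemeral ECDH on curve and returns the keyLen-byte AES key
// (16 = AES-128, 32 = AES-256) that each endpoint derives. SHA-384 over the shared
// secret and a layer label stands in for a real KDF; the exchange is unauthenticated.
func Agree(curve ecdh.Curve, label string, keyLen int) (keyA, keyB []byte, err error) {
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sa, err := a.ECDH(b.PublicKey()) // endpoint A's view of the shared secret
	if err != nil {
		return nil, nil, err
	}
	sb, err := b.ECDH(a.PublicKey()) // endpoint B's view; equal to sa
	if err != nil {
		return nil, nil, err
	}
	ka := sha512.Sum384(append([]byte(label+"/key:"), sa...))
	kb := sha512.Sum384(append([]byte(label+"/key:"), sb...))
	return ka[:keyLen], kb[:keyLen], nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext under AES-GCM with a fresh random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; under a wrong key the GCM tag check fails instead of yielding garbage.
func Open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than a nonce")
}

// Protect applies the Rule of Two: the voice frame is sealed under the inner
// (SRTP) key, and that ciphertext is sealed again under the outer (IPsec) key.
func Protect(frame, innerKey, outerKey []byte) ([]byte, error) {
	media, err := Seal(innerKey, frame)
	if err != nil {
		return nil, err
	}
	return Seal(outerKey, media)
}

// Exposed reports whether holding exactly these two keys recovers the frame from the wire bytes.
func Exposed(wire, innerKey, outerKey []byte) bool {
	media, err := Open(outerKey, wire)
	if err != nil {
		return false
	}
	_, err = Open(innerKey, media)
	return err == nil
}

func main() {
	inner, _, _ := Agree(ecdh.P256(), "srtp", 16)  // P-256 / AES-128: this example's pairing
	outer, _, _ := Agree(ecdh.P384(), "ipsec", 32) // P-384 / AES-256
	wire, _ := Protect([]byte("constructed voice frame"), inner, outer)
	guess := make([]byte, 32) // a key the adversary does not actually hold
	fmt.Println("outer key only:", Exposed(wire, guess[:16], outer)) // false
	fmt.Println("inner key only:", Exposed(wire, inner, guess))      // false
	fmt.Println("both keys:", Exposed(wire, inner, outer))           // true
}
```

The point the two `Exposed` calls make is the one Salter states: a compromise of the tunnel key alone, or of the media key alone, yields only another ciphertext, because the keys come from separate exchanges with nothing in common.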

But at first, NIST suggested not SRTP but DTLS. NSA had no reason to question that recommendation, so it went shopping for a phone with both DTLS and SRTP, using the “Rule of Two” as justification for both. “We couldn’t buy one. We could pay someone to make it, but that wasn’t the plan. The plan was to be able to buy commercial components, layer them together, and get a secure solution.”

The part was not to be found, for reasons Salter attributes to the industry paying attention to a feature that NIST hadn’t considered, called session descriptors – headers that describe the content of media being exchanged in a VoIP traffic session. “Unified communications is more than just making a phone call,” she explained. “There’s presence, conference calls, and all these cool things they show you they can do… and the only way to do that really is to use that session descriptors protocol rather than break up the DTLS.”

But none of the session descriptors protocols in use supported the upgraded TLS 1.2 – the substitute for the deficient SSL – and few of these protocols enabled client authentication. This was necessary in order to avoid an engineering technique called split tunneling, which Salter described as a kind of intentional leak that might be acceptable for some businesses but not for national security.
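What "TLS 1.2 with client authentication" looks like when written down, as an added example that is not code from the article or from NSA: a Go handshake pinned to the Suite B cipher suites (ECDHE, ECDSA, AES-GCM, SHA-2) and to the two NIST curves, in which the gateway requires a client certificate, so a phone that never proves its identity is refused rather than given a tunnel. The hostnames gateway.example and phone.example, the throwaway self-signed certificates, and the in-memory pipe in place of a network are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SuiteB lists the TLS 1.2 suites built only from Suite B primitives: ECDHE, ECDSA, AES-GCM, SHA-2.
var SuiteB = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
}

// selfSigned mints a throwaway ECDSA P-256 certificate for name; it stands in
// for the enterprise-issued identity a real phone or gateway would carry.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe between a gateway that
// requires client certificates and a phone that presents one or not; returns the phone's view.
func Handshake(phoneHasCert bool) (tls.ConnectionState, error) {
	gatewayCert, err1 := selfSigned("gateway.example")
	phoneCert, err2 := selfSigned("phone.example")
	if err1 != nil || err2 != nil {
		return tls.ConnectionState{}, fmt.Errorf("certificate setup: %v %v", err1, err2)
	}
	trustGateway, trustPhones := x509.NewCertPool(), x509.NewCertPool()
	trustGateway.AddCert(gatewayCert.Leaf)
	trustPhones.AddCert(phoneCert.Leaf)
	gateway := &tls.Config{
		Certificates:     []tls.Certificate{gatewayCert},
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12, // pinned so the TLS 1.2 suites above are what gets negotiated
		CipherSuites:     SuiteB,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384}, // the two NIST curves
		ClientAuth:       tls.RequireAndVerifyClientCert,            // no unauthenticated phones
		ClientCAs:        trustPhones,
	}
	phone := &tls.Config{
		RootCAs:      trustGateway,
		ServerName:   "gateway.example",
		MinVersion:   tls.VersionTLS12,
		CipherSuites: SuiteB,
	}
	if phoneHasCert {
		phone.Certificates = []tls.Certificate{phoneCert}
	}
	pc, gc := net.Pipe()
	pc.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled pipe becomes an error, not a hang
	gc.SetDeadline(time.Now().Add(3 * time.Second))
	gatewayErr := make(chan error, 1)
	go func() {
		defer gc.Close()
		gatewayErr <- tls.Server(gc, gateway).Handshake()
	}()
	defer pc.Close()
	conn := tls.Client(pc, phone)
	if err := conn.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-gatewayErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return conn.ConnectionState(), nil
}

func main() {
	cs, err := Handshake(true)
	fmt.Println("with client cert:", tls.CipherSuiteName(cs.CipherSuite), err)
	_, err = Handshake(false)
	fmt.Println("without client cert:", err)
}
```

The `RequireAndVerifyClientCert` setting is what ties this to the split-tunneling concern in the text: every session the gateway carries belongs to a phone whose certificate chains to the enterprise's own trust store, and anything that cannot prove that gets no path through the manager at all.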


Source: Anatomy of a Government Phone, or, Can the NSA Build an Android?
