person:chris soghoian

  • The NSA Has a New Disclosure Policy: Getting Hacked | Foreign Policy
    https://foreignpolicy.com/2016/08/18/the-nsa-has-a-new-disclosure-policy-getting-hacked

    On Monday, when tech executives arrived in their offices, just days after a mysterious group of hackers released what they claimed were a set of NSA hacking tools, a familiar and frustrating pattern was taking shape. America’s premier signals intelligence agency had once again discovered unknown flaws in products used to secure computer networks around the globe, but instead of telling the manufacturers, the NSA pocketed those flaws, like skeleton keys that would let them open doors to others’ networks whenever and wherever they wanted.

    If the tools released by the group known as the “Shadow Brokers” are legitimately from the NSA — and security researchers and agency veterans say that they appear to be — the agency now faces a fresh round of questions about how the breach occurred and when the agency found out.

    That’s because the data released by the Shadow Brokers contained what are known as “zero days,” software flaws that are unknown to the manufacturer of a piece of software or hardware, and thus flaws for which no patch is even in the works.

    Stockpiling such vulnerabilities is part of an international arms race in cyberspace. Last weekend’s dump exposed what is likely a small part of the American arsenal of such high-tech battering rams, and it has reignited a debate among security researchers about whether the government should be stockpiling them, or whether it should be revealing those vulnerabilities to manufacturers to make American networks more robust.

    Given that the hardware made by the likes of Cisco Systems and Fortinet is often the backbone of the networks used by the U.S. military and State Department, helping those companies lock the back door should be a “no-brainer,” said Jason Healey, a former cyber operator for the U.S. Air Force and now a researcher at Columbia University.

    “It would disappoint me if they knew and didn’t tell” the very vendors that are outfitting critical parts of the U.S. government, he said.

    But some NSA veterans tick off plenty of reasons not to share the information. Tipping off the Chinese and Russians about potential weaknesses makes no sense, said Dave Aitel, a former NSA research scientist and the CEO of Immunity, a security firm. And broadcasting just what tools the NSA is using risks compromising operations both past and present, he said.

    On Wednesday, Cisco and Fortinet said they had not been notified about the software flaws that had been exposed. Timestamps in the released NSA code indicate that the hacking tools were likely swiped in October of 2013, though such marks can be easily faked.

    On paper, the U.S. government has a process to determine whether to tell manufacturers they’ve got a problem. The interagency process was established in 2010, fell into disuse, and was then “reinvigorated” in 2014, in the words of White House cybersecurity chief Michael Daniel.

    But security experts across the political spectrum scoff at the process and the notion that it seriously considers giving away potentially valuable zero-day vulnerabilities.

    “Anything that has intelligence value is not going to be released,” Aitel says.

    Chris Soghoian, the chief technologist at the ACLU, agrees. “It’s clear the game is rigged” against disclosure, he said.

    But thanks to the #Shadow_Brokers, the vulnerabilities have been disclosed after all — not to the manufacturers, but to the entire world. What amounts to a series of military-grade hacking tools are now freely available on the internet, on sites such as this one. These tools can be used by hackers to break into firewalls, control a network, and spy on users. Another tool may be capable of stealing a user’s encryption keys.

    So far, one of the tools released stands out: #ExtraBacon. That piece of code targets Cisco’s Adaptive Security Appliance firewall, widely used by both the U.S. government and private sector companies. ExtraBacon allows an attacker to take control of the firewall and monitor all traffic on it — a classic NSA strategy. On Wednesday, Cisco issued a security alert for the high-severity vulnerability; the company has so far not patched it, and has only issued a “work-around” for the problem.

    Excellent title, by the way :-D

  • The PRISM spin war has begun
    http://blog.foreignpolicy.com/posts/2013/06/07/the_prism_spin_war_has_begun

    ...

    Google’s statement hinges on three key points: that it did not provide the government with “direct access” to its servers, that it did not set up a “back door” for the NSA, and that it provides “user data to governments only in accordance with the law.”

    According to Chris Soghoian, a tech expert and privacy researcher at the American Civil Liberties Union, the phrase “direct access” connotes a very specific form of access in the IT world: unrestricted, unfettered access to information stored on Google servers. In order to run a system such as PRISM, Soghoian explains, such access would not be required, and Google’s denial that it provided “direct access” does not necessarily imply that the company is denying having participated in the program. Typically, the only people having “direct access” to the servers of a company like Google would be its engineers. (Facebook’s Mark Zuckerberg has issued a similarly worded denial in which he says his company has not granted the government “direct access” to its servers, but his language mirrors Google’s denial about direct access.)

    A similar logic applies to Google’s denial that it set up a “back door.” According to Soghoian, the phrase “back door” is a term of art that describes a way to access a system that is neither known by the system’s owner nor documented. By denying that it set up a back door, Google is not denying that it worked with the NSA to set up a system through which the agency could access the company’s data.

    According to Soghoian, the NSA could have gained access to tech company servers by working with the companies to set up something similar to an API — a tool these firms use to give developers limited access to company data. Google has denied that an API was used, but that denial doesn’t exclude the possibility that a similar tool was used.

    To protect itself against allegations that it inappropriately compromised user data, Google further notes in its statement that the company provides “user data to governments only in accordance with the law.” Despite the outrage directed at the NSA and the Obama administration, PRISM — as currently described — is in all likelihood within the bounds of the law. In the aftermath of the 2005 disclosure that the Bush administration had carried out a warrantless wiretapping program, Congress passed the FISA Amendments Act of 2008 and the Protect America Act of 2007. But those laws did not outlaw the kinds of actions carried out by PRISM.

    As for Google’s claim to have never heard of PRISM, would the intelligence officials who reportedly collaborated with Google have used the program’s actual codename?

    The tech companies alleged to have participated in PRISM aren’t the only ones who appear to be spinning PRISM to their advantage.

    On Friday, U.S. government sources told Reuters that PRISM was used to foil a 2009 plot to bomb the New York City subway. In all likelihood, such counter-leaks will continue in the days ahead as intelligence officials try to portray the program as essential to national security.