The Surveillance State: Presidential Policy Directive 28

Surveillance State USA. Biden quietly unleashes spymasters in dramatic Executive Order.

(a) The collection of signals intelligence shall be authorized by statute or Executive Order, proclamation, or other Presidential directive, and undertaken in accordance with the Constitution and applicable statutes, Executive Orders, proclamations, and Presidential directives.

(b) Privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. The United States shall not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion. Signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions and not for any other purposes.

(c) The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage[4] to U.S. companies and U.S. business sectors commercially.

(d) Signals intelligence activities shall be as tailored as feasible. In determining whether to collect signals intelligence, the United States shall consider the availability of other information, including from diplomatic and public sources. Such appropriate and feasible alternatives to signals intelligence should be prioritized. [Obama White House Archives]

Sharpen Your Cyber-Skills: NSA Hacker Chief Explains How to Keep Him OUT of Your System

IT WAS THE talk most anticipated at this year’s inaugural Usenix Enigma security conference in San Francisco and one that even the other speakers were eager to hear.

Rob Joyce, the nation’s hacker-in-chief, took up the ironic task of telling a roomful of computer security professionals and academics how to keep people like him and his elite corps out of their systems.

Joyce is head of the NSA’s Tailored Access Operations—the government’s top hacking team who are responsible for breaking into the systems of its foreign adversaries, and occasionally its allies. He’s been with the NSA for more than 25 years but only became head of the TAO division in April 2013, just weeks before the first leaks from Edward Snowden were published by the Guardian and Washington Post.

Joyce acknowledged that it was “very strange” for someone in his position to stand onstage before an audience. The TAO has largely existed in the shadowy recesses of the NSA—known and unknown at the same time—until only recently when documents leaked by Snowden and others exposed the workings of this cabal as well as many of its sophisticated hacking tools.

Joyce himself did little to shine a light on the TAO’s classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA’s success, with many people responding to his comments on Twitter.

How the NSA Gets You

In the world of advanced persistent threat actors (APT) like the NSA, credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.

The NSA is also keen to find any hardcoded passwords in software or passwords that are transmitted in the clear—especially by old, legacy protocols—that can help them move laterally through a network once inside.

And no vulnerability is too insignificant for the NSA to exploit.

“Don’t assume a crack is too small to be noticed, or too small to be exploited,” he said. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA and other nation-state attackers will seize on, he explained. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

Even temporary cracks—vulnerabilities that exist on a system for mere hours or days—are sweet spots for the NSA.

If you’ve got trouble with an appliance on your network, for example, and the vendor tells you to briefly open the network for them over the weekend so they can pop in remotely and fix it, don’t do it. Nation-state attackers are just looking for an opportunity like this, however brief, and will poke and poke your network patiently waiting for one to appear, he said.

Other vulnerabilities that are favorite attack vectors? The personal devices employees bring into the office on which they’ve allowed their kids to load Steam games, and which the workers then connect to the network.

Read the Remainder at Wired

Humor: New DOD Regulations Confirm that OPSEC Does Not Apply to Everyone

I always get a kick out of the Duffel Blog. This is what Everybody is thinking and this is what should be printed versus the spin and outright lies. -SF

THE PENTAGON — The Department of Defense is set to release new security rules later this week, making it clear that consequences for violations don’t apply equally to everyone, sources say. The revisions will make explicit what has until recently been an informal system that occasionally treated powerful people the same as peons, and, more rarely, sometimes failed to bring the wrath of God down on regular people acting out of conscience.

“When Snowden and Manning happened, releasing thousands of classified documents to civilian sources without approval, the way forward was pretty clear,” explained Col. Antonio Jimenez, who helped craft the new regulations. “Manning is in a military prison and Snowden sleeps with one eye open.”

Defense Secretary Ashton Carter says that things “get complicated” when high-level individuals start mishandling, or even deliberately leaking information to the public.

“Snowden was just a civilian analyst, and Manning was an Army private,” Carter noted. “They didn’t have a chance. Manning had the right idea, becoming a woman and all, but she did it after she was convicted, so the victim angle didn’t do her any favors. If she’d done it before she’d probably already have a book deal and a job at MSNBC.”

“When Petraeus was caught giving secret information to his mistress, my predecessors initially ignored it, because Iraq,” Carter said. “Plus she was kind of hot. Unfortunately, the new guidance from the White House says that military violations, but not political ones, must be dealt with harshly.”

Carter appointed a Committee for State Security to write new regulations to comply with the directives of the White House.

“So, we’re looking at taking a star away from him,” Jimenez said. “If he’d been a member of congress or a former first lady of the United States then it would be a different story.”

Jimenez apparently was referring to former First Lady and Senator, and current presidential candidate, Hillary Clinton.

Clinton’s use of an insecure, private server for Top Secret emails, and a complete lack of accountability, forced the Pentagon and the White House to finally address accusations that high ranking individuals are treated differently when it comes to standards for handling classified information.

“Everyone has always known that was the case,” said Jimenez. “But now we’ve clearly defined who gets away with what. If you’re a military officer you pretty much get a free pass at lieutenant general and higher. There’s a sliding scale from there down to colonel that mostly depends on who you know.”

“But we still have to nail Petraeus’ balls to the wall, because appearances.”

Jimenez discussed the progression of punishment, noting, “At the very top you can see that if you’re actually holding a Cabinet post or Congressional seat you’re also given the option to pin your own violation on someone of lesser status.”

When asked why the chart didn’t list punishments or alternatives for anyone under the rank of O-6 or GS-15, Jimenez laughed.

“Those people are still in the real military where stuff like that matters. They’re all fucked.”

Read the Original at Duffel Blog

Cyber-Espionage: The Biggest Dangers are the Ones You Will Never Know About

For years, I slept fitfully after a “friend” told me that it wasn’t the noisy mosquitos buzzing in my ears at night that were a problem.  Instead, it was the female mosquitos that made no noise at all but laid eggs in your ears at night.  That image wrecked my sleep until the Internet helped me to dispel the myth years later.

The cyber threat is a little like the silent mosquito.  The biggest dangers are the ones that you will never know about.

However, if you follow the public discourse on the nature of the cyber threat to the U.S., it seems that the bulk of the dialogue has to do with the issue of hackers and the thousands of daily thwarted attacks against government and private computer systems.  It is almost as if the danger is easily detected, and a better password and up-to-date antivirus software can solve the problem.

However, the far bigger threat is from foreign intelligence and terrorist groups, who have the talent, resources, and wherewithal to do serious damage to U.S. interests – damage we may never realize until it is too late.  While we publicly frame the problem by citing how many attacks are observed every day, the far bigger problem is hidden.  An intelligence organization’s job is to pick your pocket without you ever knowing anything is amiss.  You won’t make it very far as an intelligence officer if your adversary becomes aware of your activities.

Of the capable organizations that are determined to do us harm, perhaps the most competent, dedicated, and focused is Russia’s Special Communications Service, the Russian equivalent of the U.S. National Security Agency (NSA).

Russia doesn’t do many things well (dancing bears, perhaps).  Spying, however, is a Russian specialty honed by decades of experience controlling its population and stealing from the West.  The U.S. has been their main enemy since WWII and remains so today.  Indeed, while we more often hear about Chinese cyber activities, the Russian cyber espionage enterprise is far more sophisticated and capable than its Chinese counterpart, according to statements by U.S. intelligence officials.

Unlike in the U.S., the Russian espionage effort is central to its foreign policy, and its offensive cyber capability is a particularly powerful weapon that is used to challenge the U.S. across the board.  Indeed, the Russian NSA equivalent is used for – among other things – cyber warfare, espionage, counterintelligence, internal control of its citizens, disinformation, and propaganda.  Russia’s cyber attacks – both blatant and stealthy – are used to achieve geopolitical ends and to maintain an asymmetric ability to damage the U.S.

The Russians have shown a willingness to use the cyber weapons at their disposal, and have done so effectively.  In 2007, the Russians swamped Estonian computer systems to express their anger at perceived Estonian disrespect of Russian symbols.  A year later, they combined sophisticated cyber intrusions with their military attack against Georgian forces.  More recently, they used offensive cyber tools to support their aggressive annexation of Crimea and eastern Ukraine.  We even witnessed Russian cyber probing of top U.S. financial institutions in 2013.

Internally, the Russians use cyber weapons to maintain control over their population.  By law, all private encryption equipment in Russia is required to be licensed by Russian Intelligence.  Likewise, all internet providers in Russia have to install hardware/equipment provided by the Russian NSA equivalent (and pay for it themselves).  There is no such thing as privacy in Russia.

While the U.S. Government is probably the biggest target of Russian cyber spying, you can be confident that they go after anyone and anything that can help them get what they need.  They surely steal directly from Yahoo, Google, Facebook, and social media platforms.  If they want to collect compromising information on a person in a bank, military unit, national laboratory, or nuclear power plant, you can be sure that they are swimming in e-mail and personal data that can help them craft an approach to that individual.

At the same time, the Russians are collecting the capability to understand and possibly disrupt our power grid, air traffic control, oil and gas infrastructure, and transit networks.  Additionally, recent reports cite a significant increase in Russian submarine surveillance activity in the vicinity of the strategic underwater fiber cables that facilitate commercial and classified communications.  This aggressive effort has intensified fears of Russian efforts to tap or cut these critical deep sea communication conduits that carry trillions of dollars a day in global business.

The only real way to protect ourselves from this kind of sophisticated cyber warfare is a robust public-private partnership between our intelligence and law enforcement services, and those companies that provide the backbone of our computer networks.  In this sense, perhaps the most damaging of Edward Snowden’s many traitorous acts was to destroy the trust between the private sector and our security professionals.  We are now talking past each other, and the Russians, Chinese, Iranians, and others are having a field day.  Until those key relationships and trust are restored, we will remain in a vulnerable state.

So, the next time you hear a story about hackers attacking various computer networks, think of the buzzing mosquito, and remember that there is probably something much more dangerous happening away from public notice.

Read the Original Article at Cipher Brief

Technology and Privacy: Signal, the Crypto App Comes to Android

SINCE IT FIRST appeared in Apple’s App Store last year, the free encrypted calling and texting app Signal has become the darling of the privacy community, recommended—and apparently used daily—by no less than Edward Snowden himself. Now its creator is bringing that same form of ultra-simple smartphone encryption to Android.

On Monday the privacy-focused non-profit software group Open Whisper Systems announced the release of Signal for Android, the first version of its combined calling and texting encryption app to hit Google’s Play store. It’s not actually the first time Open Whisper Systems has enabled those features on Android phones; Open Whisper Systems launched an encrypted voice app called Redphone and an encrypted texting program called TextSecure for Android back in 2010. But now the two have been combined into Signal’s single, simple app, just as they are on the iPhone. “Mostly this was just about complexity. It’s easier to get people to install one app than two,” says Moxie Marlinspike, Open Whisper Systems’ founder. “We’re taking some existing things and merging them together to make the experience a little nicer.”

That streamlining of Redphone and TextSecure into a single app, in other words, doesn’t actually make Open Whisper Systems’ encryption tools available to anyone who couldn’t already access them. But it does represent a milestone in those privacy programs’ idiot-proof interface, which in Signal is just as straightforward as normal calling and texting. As Marlinspike noted when he spoke to WIRED about Signal’s initial release last year, that usability is just as important to him as the strength of Signal’s privacy protections. “In many ways the crypto is the easy part,” Marlinspike said at the time. “The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes.”

Read the Remainder at Wired