Catalog Reveals NSA Has Back Doors for Numerous Devices

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. “Cisco does not work with any government to modify our equipment, nor to implement any so-called security ‘back doors’ in our products,” the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company “respects and complies with the laws of all countries in which it operates.”

via Catalog Reveals NSA Has Back Doors for Numerous Devices – SPIEGEL ONLINE.

Cooperation of the kind telecom equipment providers give in support of CALEA would be needed for this to work.

Secret contract tied NSA and security industry pioneer

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

via Exclusive: Secret contract tied NSA and security industry pioneer | Reuters.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.

An interesting link came up in the Slashdot comment section. From: [Cfrg] Requesting removal of CFRG co-chair

I’d like to request the removal of Kevin Igoe from CFRG co-chair.

The Crypto Forum Research Group is chartered to provide crypto advice to IETF Working Groups. As CFRG co-chair for the last 2 years, Kevin has shaped CFRG discussion and provided CFRG opinion to WGs.

Kevin’s handling of the “Dragonfly” protocol raises doubts that he is performing these duties competently. Additionally, Kevin’s employment with the National Security Agency raises conflict-of-interest concerns.

LOL. No one trusts the NSA anymore.

Academics should not remain silent on hacking

NIST’s standard for random numbers used for cryptography, published in 2006, had been weakened by the NSA. Companies such as banks and financial institutions that rely on encryption to guarantee customer privacy depend on this standard. The nature of the subversions sounds abstruse: the random-number generator, the ‘Dual EC DRBG’ standard, had been hacked by the NSA so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.

via Academics should not remain silent on hacking : Nature News & Comment.
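The Reuters item and the Nature piece above turn on the same property of Dual EC DRBG. The following is an added toy, not code from any of the cited articles: a miniature Dual EC generator on a made-up curve over a 20-bit prime, with the two public points related by P = d*Q for a d that only the designer knows (the trapdoor relationship Shumow and Ferguson pointed out in 2007), and the state-recovery attack that knowing d enables. The prime, curve coefficients, seed and d are all constructed; the real standard used NIST P-256 and dropped 16 of 256 bits per output, and nothing here says how the real constants were chosen.

```python
"""Toy Dual EC DRBG with a trapdoor. Added example; constants are made up."""

P_MOD = 1000003            # small prime with P_MOD % 4 == 3, so sqrt is one exponentiation
A, B = 2, 3                # constructed curve y^2 = x^3 + A*x + B over GF(P_MOD)
KEEP_BITS = 16             # low bits of each x-coordinate that are output
MASK = (1 << KEEP_BITS) - 1
DROPPED_BITS = P_MOD.bit_length() - KEEP_BITS   # 4 high bits hidden from the observer


def inv(v):
    return pow(v, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P), or doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    return pt[0] if pt else 0


def lift_x(x):
    """Both curve points with x-coordinate x, or [] if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        return []
    return [(x, y), (x, (-y) % P_MOD)]


def make_params(d, start_x=7):
    """Q is the first curve point at or after start_x; P = d*Q.
    Publishing P and Q while keeping d secret is the suspected trapdoor."""
    x = start_x
    while not lift_x(x):
        x += 1
    Q = lift_x(x)[0]
    return ec_mul(d, Q), Q


class DualEC:
    """Output r_i = x(s_i*Q) truncated; next state s_{i+1} = x(s_i*P)."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next(self):
        r = x_of(ec_mul(self.s, self.Q))
        self.s = x_of(ec_mul(self.s, self.P))
        return r & MASK


def recover_state(outputs, d, P, Q):
    """From consecutive truncated outputs and the trapdoor d, return generator
    clones that are in sync with the victim (normally exactly one)."""
    first, rest = outputs[0], outputs[1:]
    clones = []
    for hi in range(1 << DROPPED_BITS):          # brute-force the dropped high bits
        x = first | (hi << KEEP_BITS)
        if x >= P_MOD:
            continue
        pts = lift_x(x)
        if not pts:
            continue
        # pts[0] is +/- s_i*Q; both signs give the same x for d*(s_i*Q) = s_i*P,
        # and that x-coordinate is the generator's next state s_{i+1}.
        clone = DualEC(x_of(ec_mul(d, pts[0])), P, Q)
        if all(clone.next() == r for r in rest):  # discard wrong high-bit guesses
            clones.append(clone)
    return clones


def demo(seed=424242, secret_d=123457, observed=3, predict=4):
    """Observe a few outputs, recover the state, predict the next ones.
    Returns (predicted, actual); the trapdoor makes them identical."""
    P, Q = make_params(secret_d)
    gen = DualEC(seed, P, Q)
    seen = [gen.next() for _ in range(observed)]
    clones = recover_state(seen, secret_d, P, Q)
    predicted = [clones[0].next() for _ in range(predict)]
    actual = [gen.next() for _ in range(predict)]
    return predicted, actual


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the attacker's predicted outputs matching the generator's real ones after observing three outputs. The only brute force involved is over the few dropped bits, which is why how much of each x-coordinate is truncated decides the cost of the attack, and why an attacker without d gains nothing from the same outputs.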

NSA infected 50,000 computer networks with malicious software

A management presentation dating from 2012 explains how the NSA collects information worldwide. In addition, the presentation shows that the intelligence service uses ‘Computer Network Exploitation’ (CNE) in more than 50,000 locations. CNE is the secret infiltration of computer systems achieved by installing malware, malicious software.

via NSA infected 50,000 computer networks with malicious software – nrc.nl.

This article is a bit short on details. It doesn't say what OSs were involved or exactly how the malware got onto victim machines. One way to compromise a whole network would be to get control of its firewall or main router. Since most people use cheap SOHO routers, it might not be very difficult to swap their firmware for one that does all kinds of things unbeknownst to the owner. The article implies that the victim machines are PCs, according to this:

One example of this type of hacking was discovered in September 2013 at the Belgian telecom provider Belgacom. For a number of years the British intelligence service – GCHQ – has been installing this malicious software in the Belgacom network in order to tap their customers’ telephone and data traffic. The Belgacom network was infiltrated by GCHQ through a process of luring employees to a false LinkedIn page.

Brazil Looks to Break from U.S.-Centric Internet

Most of Brazil’s global Internet traffic passes through the United States, so Rousseff’s government plans to lay underwater fiber optic cable directly to Europe and also link to all South American nations to create what it hopes will be a network free of U.S. eavesdropping.

via Brazil Looks to Break from U.S.-Centric Internet | TIME.com.

It cited a “common understanding” between Brazil and the European Union on data privacy, and said “negotiations are underway in South America for the deployment of land connections between all nations.” It said Brazil plans to boost investment in home-grown technology and buy only software and hardware that meet government data privacy specifications.

How the NSA Spies on Smartphones Including the BlackBerry

All the images were apparently taken with smartphones. A photo taken in January 2012 is especially risqué: It shows a former senior government official of a foreign country who, according to the NSA, is relaxing on his couch in front of a TV set and taking pictures of himself — with his iPhone. To protect the person’s privacy, SPIEGEL has chosen not to reveal his name or any other details.

The access to such material varies, but much of it passes through an NSA department responsible for customized surveillance operations against high-interest targets. One of the US agents’ tools is the use of backup files established by smartphones. According to one NSA document, these files contain the kind of information that is of particular interest to analysts, such as lists of contacts, call logs and drafts of text messages. To sort out such data, the analysts don’t even require access to the iPhone itself, the document indicates. The department merely needs to infiltrate the target’s computer, with which the smartphone is synchronized, in advance.

via How the NSA Spies on Smartphones Including the BlackBerry – SPIEGEL ONLINE.

In ACLU lawsuit, scientist demolishes NSA’s “It’s just metadata” excuse

Storage and data-mining have come a long way in the past 35 years, Felten notes, and metadata is uniquely easy to analyze—unlike the complicated data of a call itself, with variations in language, voice, and conversation style. “This newfound data storage capacity has led to new ways of exploiting the digital record,” writes Felten. “Sophisticated computing tools permit the analysis of large datasets to identify embedded patterns and relationships, including personal details, habits, and behaviors.”

via In ACLU lawsuit, scientist demolishes NSA’s “It’s just metadata” excuse | Ars Technica.

I remember Ed Felten as being one of the leading researchers who uncovered the Sony rootkit fiasco. Many years ago Sony included a rootkit installer that would install whenever someone played one of their CDs on a Windows PC. Felten’s blog at the time covered that situation well.

Using Metadata to find Paul Revere

Rest assured that we only collected metadata on these people, and no actual conversations were recorded or meetings transcribed. All I know is whether someone was a member of an organization or not. Surely this is but a small encroachment on the freedom of the Crown’s subjects. I have been asked, on the basis of this poor information, to present some names for our field agents in the Colonies to work with. It seems an unlikely task.

If you want to follow along yourself, there is a secret repository containing the data and the appropriate commands for your portable analytical engine.

via Using Metadata to find Paul Revere – Kieran Healy.
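Healy's post and Felten's declaration make the same point from two directions: membership and call records alone, with no content, are enough to pick people out. As an added example that is neither Healy's code nor his data, here is the method his post relies on applied to a made-up membership list of ten people and five societies: project the person-by-society table onto a person-by-person graph (two people are linked when they share a society), then rank people by degree and by eigenvector centrality. The names and societies are constructed placeholders.

```python
"""Co-membership analysis on constructed metadata. Added example; data is made up."""
from collections import defaultdict
from itertools import combinations
import math

# Constructed: society -> members. Only membership is known, no meeting content.
MEMBERSHIP = {
    "club1": ["A", "B", "C", "D"],
    "club2": ["A", "E", "F"],
    "club3": ["A", "G", "H"],
    "club4": ["B", "E", "I"],
    "club5": ["G", "J"],
}


def comembership_graph(membership):
    """Project the bipartite table onto people: edge weight = shared societies."""
    w = defaultdict(lambda: defaultdict(int))
    for members in membership.values():
        for a, b in combinations(sorted(set(members)), 2):
            w[a][b] += 1
            w[b][a] += 1
    people = sorted({p for ms in membership.values() for p in ms})
    for p in people:
        w[p]                       # make sure isolated people appear with no edges
    return people, w


def degree_centrality(people, w):
    """Number of distinct people each person shares at least one society with."""
    return {p: len(w[p]) for p in people}


def eigenvector_centrality(people, w, iters=200):
    """Power iteration on the weighted adjacency matrix. Adding each node's own
    score (an identity shift) avoids oscillation on bipartite components."""
    v = {p: 1.0 for p in people}
    for _ in range(iters):
        nv = {p: v[p] + sum(wt * v[q] for q, wt in w[p].items()) for p in people}
        norm = math.sqrt(sum(x * x for x in nv.values())) or 1.0
        v = {p: x / norm for p, x in nv.items()}
    return v


def ranked(scores):
    """Names from most to least central; ties broken alphabetically."""
    return sorted(scores, key=lambda p: (-scores[p], p))


def top_suspect(membership=MEMBERSHIP):
    """The name the analyst would hand over under each measure."""
    people, w = comembership_graph(membership)
    by_degree = ranked(degree_centrality(people, w))
    by_eigen = ranked(eigenvector_centrality(people, w))
    return by_degree[0], by_eigen[0]


if __name__ == "__main__":
    print(top_suspect())
```

With this list, "A" belongs to three of the five societies and ends up linked to seven of the nine other people, so both measures single that person out without anyone having read a word of what was said at any meeting. That is the whole of the "it's just metadata" objection in code.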

Groklaw – Forced Exposure ~pj

Harvard’s Berkman Center had an online class on cybersecurity and internet privacy some years ago, and the resources of the class are still online. It was about how to enhance privacy in an online world, speaking of quaint, with titles of articles like, “Is Big Brother Listening?”

And how.

You’ll find all the laws in the US related to privacy and surveillance there. Not that anyone seems to follow any laws that get in their way these days. Or if they find they need a law to make conduct lawful, they just write a new law or reinterpret an old one and keep on going. That’s not the rule of law as I understood the term.

via Groklaw – Forced Exposure ~pj.

The evolution of the NSA’s XKeyscore

In the current generation of Narus’ system, the processing systems run on commodity Linux servers and re-assemble network sessions as they’re captured, mining them for metadata, file attachments, and other application data and then indexing and dumping that information to a searchable database.

via Building a panopticon: The evolution of the NSA’s XKeyscore | Ars Technica.
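The description above is a pipeline: reassemble sessions from captured segments, extract metadata, index it for search. As an added example, not Narus or XKeyscore code, here is that pipeline in miniature over a constructed capture of HTTP request segments that arrive out of order, with one retransmission and one missing segment. The addresses, ports and payloads are made up.

```python
"""Session reassembly, metadata extraction and indexing. Added example; packets are constructed."""
from collections import defaultdict

# Constructed capture: (src, dst, sport, dport, seq, payload). Segments arrive out
# of order, one is retransmitted, and the third session is missing a segment.
PACKETS = [
    ("10.0.0.5", "203.0.113.7", 51000, 80, 1, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.5", "203.0.113.7", 51000, 80, 50, b"User-Agent: ExampleBrowser/1.0\r\n\r\n"),
    ("10.0.0.5", "203.0.113.7", 51000, 80, 27, b"Host: www.example.com\r\n"),
    ("10.0.0.5", "203.0.113.7", 51000, 80, 27, b"Host: www.example.com\r\n"),   # retransmit
    ("10.0.0.9", "203.0.113.7", 51002, 80, 1, b"GET /report.pdf HTTP/1.1\r\n"),
    ("10.0.0.9", "203.0.113.7", 51002, 80, 27, b"Host: docs.example.org\r\n"),
    ("10.0.0.9", "203.0.113.7", 51002, 80, 51, b"User-Agent: curl/7.0\r\n\r\n"),
    ("10.0.0.12", "203.0.113.7", 51004, 80, 1, b"GET /x HTTP/1.1\r\n"),
    ("10.0.0.12", "203.0.113.7", 51004, 80, 40, b"Host: late.example.net\r\n\r\n"),  # gap before
]


def reassemble(packets):
    """Group segments by 4-tuple, order by seq, drop retransmits, flag gaps.
    Returns {key: (byte stream, incomplete_flag)}."""
    flows = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in packets:
        flows[(src, dst, sport, dport)].setdefault(seq, payload)   # keep first copy
    sessions = {}
    for key, segs in flows.items():
        data, expected, gap = b"", None, False
        for seq in sorted(segs):
            if expected is not None and seq != expected:
                gap = True                        # missing or overlapping bytes
            data += segs[seq]
            expected = seq + len(segs[seq])
        sessions[key] = (data, gap)
    return sessions


def extract_http_metadata(stream):
    """Request line and selected headers only; the body is never touched."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    meta = {"method": parts[0], "path": parts[1] if len(parts) > 1 else ""}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.lower() in ("host", "user-agent"):
            meta[name.lower()] = value.strip()
    return meta


def build_index(packets):
    """Per-session metadata records plus an inverted index field -> value -> keys."""
    records, index = {}, defaultdict(lambda: defaultdict(list))
    for key, (stream, gap) in reassemble(packets).items():
        meta = extract_http_metadata(stream)
        meta["incomplete"] = gap
        records[key] = meta
        for field, value in meta.items():
            index[field][value].append(key)
    return records, index


def query(index, field, value):
    """Session keys whose metadata has field == value, in sorted order."""
    return sorted(index[field].get(value, []))


if __name__ == "__main__":
    recs, idx = build_index(PACKETS)
    print(query(idx, "host", "docs.example.org"))
```

The reassembly step is where detection tooling stands or falls: without ordering by sequence number and discarding the retransmit, the Host header would be duplicated or land after the blank line and the extractor would miss it. Flagging gaps matters for the same reason; the third session still yields a Host value, but the record says the stream is not complete.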