Category Archives: Department of Homeland Security

The Russians Hacked the NSA? Ah…What?

Posted on by

This is bad bad bad….and panic has struck Washington DC ….payment is to be in Bitcoins…

Graphics of files below courtesy of Arstechnica.

    

More here in further detail.

*****

Most outside experts who examined the posts, by a group calling itself the “Shadow Brokers,” said they contained what appeared to be genuine samples of the code — though somewhat outdated — used in the production of the NSA’s custom-built malware. Most of the code was designed to break through network firewalls and get inside the computer systems of competitors like Russia, China and Iran. That, in turn, allows the NSA to place “implants” in the system, which can lurk unseen for years and be used to monitor network traffic or enable a debilitating computer attack.  More here.

NSA and the No Good, Very Bad Monday

LawFare: Monday was a tough day for those in the business of computer espionage. Russia, still using the alias Guccifer2.0, dumped even more DNC documents. And on Twitter, Mikko Hypponen noted an announcement on Github that had gone overlooked for two days, a group is hosting an auction for code from the “Equation Group,” which is more commonly known as the NSA. The auctioneer’s pitch is simple, brutal, and to the point:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

This release included two encrypted files, and the password to one was provided as proof while the other remains encrypted. The attackers claim that they will provide the password to the second file to the winner of a Bitcoin auction.

The public auction part is nonsense. Despite prevailing misconceptions on cryptocurrency, Bitcoin’s innate traceability means that no one could really expect to launder even $1M out of a high profile Bitcoin wallet like this one without risking detection, let alone the $500M being requested for a full public release. The auction is the equivalent of a criminal asking to be paid in new, marked, sequential bills. Because the actors here are certainly not amateurs, the auction is presumably a bit of “Doctor Evil” theater—the only bids will be $20 investments from Twitter jokesters.

But the proof itself appears to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic. And it does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

It is also unlikely that this data is from the Snowden cache. Those documents focused on PowerPoint slides and shared data, not detailed exploits. Besides NSA, the only plausible candidate for ownership is GCHQ—and the implications of stealing Top Secret data from GCHQ and modifying it to frame the NSA would themselves be startling.

All this is to say that there is relatively high confidence that these files contain genuine NSA material.

From an operational standpoint, this is not a catastrophic leak. Nothing here reveals some special “NSA magic.” Instead, this is evidence of good craftsmanship in a widely modular framework designed for ease of use. The immediate consequence is probably a lot of hours of work down the drain.

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps—which are easy to modify—the most likely date of acquisition was June 11, 2013 (see Update, however). That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks, as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

As with other recent cyber conflicts, the  espionage aspect is troubling but not entirely new. It’s very, very bad that someone was able to go rummaging through a TS//SCI system—or even an unclassified Internet staging system where the NSA operator unwisely uploaded all this data—and to steal 300 MB of data. But whoever stole this data now wants the world to know—and that has much graver implications. The list of suspects is short: Russia or China. And in the context of the recent conflict between the US and Russia over election interference, safe money is on the former.

Right now, I’d imagine that the folks at NSA are having rather unpleasant conversations about what the other encrypted file might contain, and what other secrets this attacker may have gained access to. Even if they were aware of the attack that resulted in this leak, there’s no way of knowing what is in the other archive. Is there evidence of another non-Snowden insider who went silent three years ago? Was a TS//SCI system remotely compromised? Was there some kind of massive screw-up at an agency which prides itself on world class OPSEC? Some combination of the three?

And—most chillingly—what else might be released before this war of leaks is over?

 

Update:  Thanks to @botherder for pointing out that a couple files have a newer date:  One file has a date of June 17th, 2013; another has a date of July 5th, 2013; three setup strips are dated September 4th, 2013; and two have dates of October 18th 2013.  One of those files (which I’m currently investigating) is the database of allocated Ethernet MAC addresses, which may be able to identify a later minimum date of compromise.  If the latter date of October 18th, 2013 is correct, this is even more worrysome, as this suggests that the compromise happened four months after the initial Snowden revelations—a period of time when the NSA’s systems should have been the most secure.

Update 2: Looking at the dates again, it now does seem somewhat likely that this was data copied on June 11th, 2013 with a few updates with a compromise after October 18th.  This does make it more likely that this was taken from a set of files deliberately moved onto a system on the Internet used for attacking others.  To my mind, this is actually an even scarier possibility than the NSA internal system compromise: This scenario would have the NSA, after the Snowden revelations, practicing some incredibly awful operational security.  Why should the NSA include five different versions of the same implant on a system used to attack other systems on the Internet?  Let alone implants which still have all the debugging strings, internal function names, and absolutely no obfuscation?

Update 3: Kaspersky confirms that the particular use of RC6 matches the unique design present in other Equation Group malcode.  XORcat apparently confirmed that the Cisco exploit works and, due to the versions it can attack, was a zero day at the time.  This exploit would generally work to take over a firewall from the inside of a target network since it did require limited access that is almost always blocked from the outside.

*****

In part from the WashingtonPost:

A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.

The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).

“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”

“Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview. “Much of this code should never leave the NSA.”

The tools were posted by a group calling itself the Shadow Brokers using file-sharing sites such as BitTorrent and DropBox.

At the same time, other spy services, like Russia’s, are doing the same thing to the United States.

It is not unprecedented for a TAO operator to accidentally upload a large file of tools to a redirector, one of the former employees said. “What’s unprecedented is to not realize you made a mistake,” he said. “You would recognize, ‘Oops, I uploaded that set’ and delete it.”

Critics of the NSA have suspected that the agency, when it discovers a software vulnerability, frequently does not disclose it, thereby putting at risk the cybersecurity of anyone using that product. The file disclosure shows why it’s important to tell software-makers when flaws are detected, rather than keeping them secret, one of the former agency employees said, because now the information is public, available for anyone to employ to hack widely used Internet infrastructure. Read the full article here.

That $1.3 Billion to Iran was Paid, How? Classified…

Posted on by

How was it delivered? Classified. How do you put $1.3 billion on pallets and shrink wrap it and get it to Iran? Classified. We thought the $400 million was for ransom but now it appears it was ALL of it, $1.7 billion and Iran along with Russia coupled with the Iranian militia and Hezbollah will enjoy it all.

Related reading: United States is Buying Nuclear Material from Iran

US paid Iran $1.3 billion in cash to settle old dispute

NYP: WASHINGTON — The Obama administration’s $400 million payoff to Iran was followed by a second transfer of $1.3 billion, it was reported Tuesday.

President Obama took considerable flak for the first payment, which coincided with the release in January of four Americans being held by Tehran.

Critics charged that the move smacked of ransom, which the US has pledged never to pay.

The $400 million was the first installment of a $1.7 billion settlement with Iran to resolve a dispute over a failed arms deal signed before the 1979 fall of the shah.

But there was no word about what happened to the rest of the debt — $1.3 billion.

On Tuesday, The Weekly Standard reported that the second payment was also quietly delivered.

Assistant Secretary of State for Legislative Affairs Julia Frifield sent a letter to Congress on March 17, 2016, stating, “Iran received the balance of $400 million in the Trust Fund as well as roughly $1.3 billion representing a compromise on the interest,” according to the magazine.

This payment was likely made in cash, since the US has no banking relationship with Tehran.

Wooden pallets stacked with euros, Swiss francs and other currencies were flown into Iran in an unmarked cargo plane to cover the first $400 million.

“The reason that we had to give them cash is precisely because we are so strict in maintaining sanctions — and we don’t have a banking relationship with Iran — that we couldn’t send them a check,” Obama said in an Aug. 4 press conference.

Although he insisted there was no connection to the hostages, one of them described waiting for “another plane” to land before being freed from Iran.

“I just remember the night at the airport sitting for hours and hours there, and I asked police, ‘Why are you not letting us go?’” former hostage Pastor Saeed Abedini told Fox Business.

“He said, ‘We are waiting for another plane, so if that plane doesn’t come, we never let [you] go.’”

In part from Reuters:

The White House announced on Jan. 17, a day after the prisoner exchange, it was releasing $400 million in funds frozen since 1981, plus $1.3 billion in interest owed to Iran. The remaining interest has since been fully paid from the U.S. Treasury-administered Judgment Fund, according to a U.S. official.

The funds were part of a trust fund Iran used before its 1979 Islamic Revolution to buy U.S. military equipment that was tied up for decades in litigation at the tribunal.

The Treasury Judgment Fund?

The Judgment Fund was established to pay court judgments and Justice Department compromise settlements of actual or imminent lawsuits against the government.

It is administered by the Judgment Fund Branch, which is a part of the United States Department of the Treasury, Bureau of the Fiscal Service. The Judgment Fund Internet Claims System (JFICS) is the application used to process all Judgment Fund claims.

The Judgment Fund is a permanent, indefinite appropriation available to pay judicially and administratively ordered monetary awards against the United States. The Judgment Fund is also available to pay amounts owed under compromise agreements negotiated by the U.S. Department of Justice in settlement of claims arising under actual or imminent litigation, if a judgment on the merits would be payable from the Judgment Fund. The statutory authority for the Judgment Fund is 31 U.S.C. 1304.

If funds for paying an award are otherwise provided for in the appropriations of the defendant agency, the Judgment Fund may not pay an award. A federal agency may request that payment of an award be made on its behalf from the Judgment Fund only in those instances where funds are not legally available to pay the award from the agency’s own appropriations.

Amounts paid vary significantly from year-to-year. Federal agencies are not required to reimburse the Judgment Fund except when cases are filed under the Contract Disputes Act (CDA) or the No FEAR Act (Notification and Federal Employee Antidiscrimination and Retaliation Act).

 

The Authority of the Internet is Turned Over in 2 Months

Posted on by

This is surrender of the one place in the world where there is some freedom, the internet. The transfer date is September 30, 2016. Is this a big deal? Yes…..China and Russia don’t have a 1st amendment and it appears only one senator is waging the war to stop the transfer, Ted Cruz.

“From the very first days of the internet, the American government has maintained domain names and ensured equal access to everyone with no censorship whatsoever,” Cruz says in the video. “Obama wants to give that power away.”

That move poses a “great threat” to national security, Cruz said. Starting on the transfer date of Sept. 30, ICANN control could allow foreign governments to prohibit speech that they don’t agree with, he added.

Cruz has added an amendment to the Senate’s Highway Bill that would require an up-or-down vote on the administration’s plan to give ICANN control over names and numbers. And Cruz’s Protecting Internet Freedom Act, proposed with Republican Rep. Sean Duffy (Wis.), would prevent the transfer of authority to the global group. More from The Blaze.

*****

Twenty-five advocacy groups and some individuals have told leaders in the Senate and the House of Representatives that key issues about the transition are “not expected to be fully resolved until summer 2017.”

“Without robust safeguards, Internet governance could fall under the sway of governments hostile to freedoms protected by the First Amendment,” wrote the groups, which include TechFreedom, Heritage Action for America and Taxpayers Protection Alliance. “Ominously, governments will gain a formal voting role in ICANN for the first time when the new bylaws are implemented.” Read more here from PCWorld.

America to hand off Internet in under two months

WashingtonExaminer: The Department of Commerce is set to hand off the final vestiges of American control over the Internet to international authorities in less than two months, officials have confirmed.

The department will finalize the transition effective October 1, Assistant Secretary Lawrence Strickling wrote on Tuesday, barring what he called “any significant impediment.”

The move means the Internet Assigned Numbers Authority, which is responsible for interpreting numerical addresses on the Web to a readable language, will move from U.S. control to the Internet Corporation for Assigned Names and Numbers, a multistakeholder body that includes countries like China and Russia.

Critics of the move, most prominently Texas Republican Sen. Ted Cruz, have pointed out the agency could be used by totalitarian governments to shut down the Web around the globe, either in whole or in part.

Opponents similarly made the case that Congress has passed legislation to prohibit the federal government from using tax dollars to allow the transition, and pointed out that the feds are constitutionally prohibited from transferring federal property without approval from Congress. A coalition of 25 advocacy groups like Americans for Tax Reform, the Competitive Enterprise Institute, and Heritage Action sent a letter to Congress making those points last week.

While those issues could, in theory, lead to a legal challenge being filed in the days following the transfer, the administration has expressed a desire to finish it before the president leaves office, a position that Strickling reiterated.

“This multistakeholder model is the key reason why the Internet has grown and thrived as a dynamic platform for innovation, economic growth and free expression,” Strickling wrote. “We appreciate the hard work and dedication of all the stakeholders involved in this effort and look forward to their continuing engagement.”

The Larger Covert Actions by Soros, Access, Policy, Chaos

Posted on by
Go here for communications regarding the United StatesGo here for global actions by Soros.
The manipulation is epic as is his influence on policy, money and mandates. His access to powerbrokers can never fully be known or understood. Bottom-line is chaos. Below should help.
Full list of Soros NGOs manipulating elections in all EU member states

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Mass Transfer out of Gitmo: Detainees to UAE

Posted on by

PORT-AU-PRINCE, Haiti (AP) – Fifteen prisoners at Guantanamo Bay have been released to the United Arab Emirates in the single largest transfer of detainees during the Obama administration.

The release of 12 Yemeni nationals and three Afghans comes amid a renewed push to whittle down the number of detainees held at the U.S. base in Cuba. The men have been cleared for transfer by U.S. government departments and agencies.

The Pentagon says 61 detainees remain at Guantanamo.

President Barack Obama has been seeking to close the detention center amid opposition from Congress.

Naureen Shah is Amnesty International USA’s director of national security and human rights. She says Monday’s transfers are a “powerful sign that President Obama is serious about closing Guantanamo before he leaves office.”

**** Photo from Miami Herald, click here for more details.

ABC: The latest batch of released prisoners had mostly been held without charge for some 14 years at Guantanamo. They were cleared for release by the Periodic Review Board, comprised of representatives from six U.S. government agencies.

The UAE successfully resettled five detainees transferred there last year, according to the Pentagon.

Lee Wolosky, the State Department’s special envoy for Guantanamo’s closure, said the U.S. was grateful to the United Arab Emirates for accepting the latest group of 15 men and helping pave the way for the detention center’s closure.

“The continued operation of the detention facility weakens our national security by draining resources, damaging our relationships with key allies and partners, and emboldening violent extremists,” Wolosky said.

Obama has been seeking to close the detention center amid opposition from Congress, which has prohibited transferring detainees to the U.S. for any reason. The administration has been working with other countries to resettle detainees who have been cleared for transfer.

According to Amnesty, one of the Afghans released to the UAE alleged that he was “tortured and subjected to other cruel treatment” while in U.S. military custody. The man, identified only as Obaidullah, was captured by U.S. special forces in July 2002 and allegedly admitted to acquiring and planting anti-tank mines to target U.S. and other coalition forces in eastern Afghanistan.

In clearing him for transfer, the review board said he hasn’t expressed any anti-U.S. sentiment or intent to re-engage in militant activities. However, a Pentagon detainee profile also said he provided little information and they had little “insight into his current mindset.”

One of the Yemeni men sent to the UAE was identified as Zahir Umar Hamis bin Hamdun, who traveled to Afghanistan in 1999 and later apparently acted as a weapons and explosives trainer.

A Pentagon profile from September 2015 said he expressed dislike of the U.S., which they identified as “an emotion that probably is motivated more by frustration over his continuing detention than by a commitment to global jihad.”

***** One such detainee profile:

Detainee to UAE