Category Archives: NSA Spying

DHS Officially Issues Alert on Election Hacking

Posted on by

Related reading: Hacking an election is about influence and disruption, not voting machines

DHS Issues Alert on U.S. Election Hacking

The United States Department of Homeland Security has issued an Intelligence Assessment on the Cyber Threats and Vulnerabilities to U.S. Election Infrastructure. The report, which primarily downplays the risk of hacking election systems appears to conflict with recent FBI Director testimony stating that at least 20 states have been electronically probed with four suffering hacking related intrusions. The report does note that “multiple elements of US election infrastructure are potentially vulnerable to cyber intrusions. The risk to US computer-enabled election systems varies from county to county, between types of devices used, and among processes used by polling stations.”

The key judgments also include:

  • DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.
  • We judge cybercriminals and criminal hackers are likely to continue to target personally identifiable information (PII), such as that available in voter registration databases. We have no indication, however, that criminals are planning theft of voter information to disrupt or alter US computer-enabled election infrastructure.

Other elements of the report, note the resiliency of the voting infrastructure, but also the potential for nation-state disruption.

No Indication of Cyber Operations to Change Vote Outcome

  • DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaigns and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.
  • We assess that successfully mounting widespread cyber operations against US voting machines, enough to affect a national election, would require a multiyear effort with significant human and information technology resources available only to a nation-state. The level of effort and scale required to change the outcome of a national election, however, would make it nearly impossible to avoid detection. This assessment is based on the diversity of systems, the need for physical access to compromise voting machines, and the security and pre-election testing employed by state and local officials.* In addition, the vast majority of localities engage in logic and accuracy testing, which work to ensure voting machines operate and tabulate as expected—before, during, and after the election.
  • We judge, as a whole, voter registration databases are resilient to systemic, nationwide cyber manipulation because of the diverse systems and security measures surrounding them. Targeted intrusions against individual voter registration databases, however, are possible. Additionally, with illicit access, manipulation of voter data, or disruptions to their availability, may impact a voter’s ability to vote on Election Day. Most jurisdictions, however, still rely on paper voter rolls or electronic poll books that are not connected in real-time to voter registration databases, limiting the possible impacts in 2016.
  • Voting precincts in more than 3,100 counties across the United States use nearly 50 different types of voting machines produced by 14 different manufacturers. The diversity in voting systems and versions of voting software provides significant security by complicating attack planning. Most voting machines do not have active connections to the Internet.
  • We assess the impact of an intrusion into vote tabulation systems would likely be contained to the manipulation of unofficial Election Night reporting results, which would not impact the certified outcome of an election, but could undermine public confidence in the results. In addition, local election officials, media organizations, and political campaigns carefully monitor local voting patterns, particularly in electorally significant jurisdictions, and are likely to detect and begin investigating potential anomalies quickly.

Non-State Actors Likely To Continue Targeting PII, Potentially Attempt Disruption

  • We judge cybercriminals and criminal hackers are likely to continue to target voter PII. We have no indication, however, that cybercriminals are planning theft of voter information to disrupt or alter computer-enabled US election infrastructure voting. Politically-motivated criminal hackers could attempt temporary disruptive cyber attacks, such as denial-of-service (DoS) attacks or web defacements against election-related websites, in the lead-up to or during the election process. Disruptive attacks could target public-facing state and local government websites, potentially including election infrastructure used to report election results to the general public and media; however, we judge this activity would likely have little impact on the voting process itself.
  • Unknown cyber actors in mid-July used an open-source scanning tool to identify and exploit a structured query language (SQL) injection vulnerability and exfiltrate PII from a Midwestern state board of elections website, according to FBI sources with excellent access and information provided by a cybersecurity organization supporting states. In at least three other states, voting and non-voting related websites during the same period observed unsuccessful SQL injection attacks from unknown actors, according to the same reporting.
  • Cybercriminals routinely attempt exploitation of misconfigured and vulnerable websites and webservers via SQL injection, brute force login attempts, cross-site scripting, and other publicly known vulnerabilities, according to DHS reporting from sources with direct access.
  • Criminal hackers routinely engage in disruptive attacks such as website defacement and DoS attacks, through exploiting publicly known vulnerabilities and for-hire DoS tools, according to DHS reporting from reliable sources with direct access.

Vulnerability of Computer-Enabled Election Systems

  • We assess multiple elements of US election infrastructure are potentially vulnerable to cyber intrusions. The risk to computer-enabled election systems, however, varies from county to county, between types of devices used and among processes used by polling stations.
  • Electronic Voting Systems: Security researchers have repeatedly demonstrated in laboratory testing environments that voting machines are vulnerable to compromise, usually with physical access, and such compromises could result in the manipulation of vote totals. Election outcomes would only be impacted if the compromise happened on a large scale across multiple machines or jurisdictions—which we judge to be beyond the capability of any adversary—or in cases of smaller local elections where the margin of victory is at a smaller scale.
  • Voter Registration Databases: Online voter registration systems provide a potential point of vulnerability to enable cyber actors to gain illicit access to voter registration databases. Cyber actors have exploited these portals in the past to gain illicit access to voter information. Compromises of voter registration databases have resulted in the potential release of PII, but not the modification of records—with the exception of one unconfirmed incident of voter registration manipulation reported by US media. The exposure of voters’ information would have limited impact on the integrity of the election process; however, it could undermine confidence in the system and provide the ability to conduct further cyber operations.
  • Public Dissemination of Voting Results: State government information technology solutions generally include a public-facing Internet-connected portion that is used to report election results to the general public and media, which some states have begun migrating to the cloud due to Election Day demand. Vulnerabilities in the public-facing Internet portion could be used to display inaccurate vote results to the public and media. Election Day results are not the official results of the state or local jurisdiction.

election-hacking

NSA Hacker Secretly Arrested

Posted on by

N.S.A. Contractor Arrested in Possible New Theft of Secrets

NYT’s/ WASHINGTON— The F.B.I. secretly arrested a National Security Agency contractor in recent weeks and is investigating whether he stole and disclosed highly classified computer codes developed to hack into the networks of foreign governments, according to several senior law enforcement and intelligence officials.

The theft raises the embarrassing prospect that for the second time in three years an insider has managed to steal highly damaging secret information from the N.S.A. In 2013, Edward J. Snowden, who was also a contractor for the agency, took a vast trove of documents that were later passed to journalists, exposing N.S.A. surveillance programs in the United States and abroad.

The information believed stolen by this contractor — who like Mr. Snowden worked for the consulting firm Booz Allen Hamilton, which is responsible for building and operating many of the agency’s most sensitive cyberoperations — appears to be different in nature from Mr. Snowden’s theft.

The contractor arrested in recent weeks is suspected of taking the highly classified “source code” developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea. Two officials said that some of the information the contractor is suspected of taking was dated.

TheJusticeDept says it has filed charges against a govt contractor with top secret clearance, accuses him of taking classified documents

**** In the biggest hack of the NSA since the Snowden scandal in 2013, in mid-August we reported that a mysterious group calling itself the “Shadow Brokers” had managed to hack the NSA’s Equation Group –  a government cyberattack hacking group associated with the NSA, and released a bunch of the organization’s hacking tools. The “group” also notably said that if it received 1,000,000 Bitcoins, worth roughly $560 million at the time, it would release all the hacked files. As the NYT reported moments ago, an NSA contractor, Harold Thomas Martin III, age 51, from Glen Burnie, MD was arrested on August 29th, with the FBI investigating whether he is the party responsible for stealing and disclosing highly classified computer codes developed to hack into the networks of foreign governments. More here.

****

Harold Thomas Martin III of Glen Burnie, Maryland, was charged in a criminal complaint. Among the classified documents found with Martin, the government says, were six that contain sensitive intelligence – meaning they were produced through sensitive government sources or methods that are critical to national security issues – and date back to 2014. All the documents were clearly marked as classified information, according to the criminal complaint.

Investigators also found stolen property valued at more than $1,000 at Martin’s residence or vehicle. He voluntarily agreed to an interview, officials said.

“Martin at first denied, and later when confronted with specific documents, admitted he took documents and digital files from his work assignment to his residence and vehicle that he knew were classified,” according to the complaint, despite not having the authorization to do so.

The Justice Department’s top national security official, John Carlin, said in Boston that the arrest pointed to the threat posed by insiders.

Martin has been in custody since a court appearance in August.  Associated Press

Ah, Yahoo has Been Secretly Sweeping Your Emails

Posted on by

Primer: Report: Yahoo hack may have compromised up to 3B accounts

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence

SAN FRANCISCO (Reuters) – Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

Related reading: Verizon is buying Yahoo for $4.8 billion

According to the two former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.”Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Through a Facebook spokesman, Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team, according to the three people familiar with the matter.

U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad directive for real-time Web collection or one that required the creation of a new computer program.

“I’ve never seen that, a wiretap in real time on a ‘selector,'” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied.

Alphabet Inc’s Google and Microsoft Corp, two major U.S. email service providers, did not respond to requests for comment.

CHALLENGING THE NSA

Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.

Some FISA experts said Yahoo could have tried to fight last year’s directive on at least two grounds: the breadth of the demand and the necessity of writing a special program to search all customers’ emails in transit.

Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

Other FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies’ mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”

SECRET SIPHONING PROGRAM

Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (http://bit.ly/2dL003k)

In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)

 

Russia Hacked 4 Voter Registration Systems

Posted on by

Russian Hackers Targeted Nearly Half of States’ Voter Registration Systems, Successfully Infiltrated 4

Think hackers will tip the vote? Read this first….

CSMonitorThe US election system is a massively complex tangle of technology. And some of it is insecure.

It’s rife with internet-based entry points, full of outdated infrastructure, cluttered with proprietary software from a random assortment of vendors, and lacks any standardized security safeguards.

In all, it’s a recipe for disaster. But if a malicious hacker really set out to manipulate the election, how would they actually do it and what could they really accomplish?

The most obvious target seems to be internet-enabled voting, currently used in 32 states. But, these systems aren’t what you think of when you hear “internet-enabled.”

They tend to be systems for distributing ballots that voters print out on paper, sign, and then email or fax back to the state authority for counting.

But emailing and faxing ballots introduces some problems. On a technical level, faxes and the emails used in internet voting aren’t encrypted.

That means states are passing ballots around the open internet. If an attacker is able to compromise any point along the way, they might intercept completed ballots.

Related reading: Hackers have attempted more intrusions into voter databases, FBI director says

So, not only does this system do away with any notion of secrecy, it also ignores any modern understanding of cryptographic security.

I’d much rather see online voting systems with built-in encryption. And that’s not a complex undertaking. Many websites currently use HTTPS, an encrypted protocol, to avoid leaking important things such as credit card numbers and passwords. That’s a good place to start for completed ballots.

Hard targets

But launching a full-scale attack on these systems wouldn’t be easy. First, attackers would need to target online voters (a small minority) who are scattered in various jurisdictions.

Then, once the vulnerable voters are identified, attackers would need to wait for the polling place to transmit those votes. While that kind of attack could work on one person, or a single location, it would be difficult to pull off at any meaningful scale.

Alternatively, an adversary could invent an entirely new population of phantom voters, register them to vote remotely, and stuff the ballot box with fake votes. That’s possible, but highly improbable.

So, what about servers

The easiest way to target servers that collect online ballots is with a distributed denial of service, or DDoS, attack that overwhelms a website with traffic. A totally compromised server could enable attackers to alter or destroy votes in a much sneakier way, and an attack like this could potentially avoid detection until after the election.

But this sort of attack would be pretty obvious to system maintainers, and I suspect polling administrators would quickly switch back to relying on the mail. Remember, online systems aren’t intended for use on Election Day, rather they merely collect absentee ballots.

On the bright side, however, this kind of attack appears possible for only five of the internet-enabled voting states. Only Alabama, Alaska, Arizona, North Dakota, and Missouri have a so-called internet portal.

And none of those states are battleground territories. So, regardless of their security posture, attacking these portals isn’t likely to sway the election. If Florida or Pennsylvania had one of these portals, I’d be more worried.

Voting machines

No electronic voting machine is bulletproof when it comes to cybersecurity. But if an adversary needs to physically visit voting machines in order to fiddle with results, then he or she would need a whole lot of bodies in a whole lot of polling places in order to make an impact.

Don’t get me wrong, attackers could rely on wireless networking or sophisticated antennas. But even with ideal placement and transmission power, bad guys would need to be within sight of a polling place to conduct practical attacks on a Wi-Fi-enabled voting machine.

While remote attacks are possible, it’s not like someone could affect voting from another country. They’d more likely need to be parked outside the polling place. So, although Wi-Fi voting machines are a terrible idea, they don’t appear to be an existential threat to democracy at the time being.

Voter information

Rather than attacking ballot-issuing and ballot-counting systems, attackers have more attractive targets. Voter records, for example, are tempting to cybercriminals since they contain enough personally identifiable information (PII) to kick off identity theft and identity fraud attacks at a much larger scale.

Unfortunately, some of these data sets have already been compromised. Almost 200 million voter records were accidentally leaked late in 2015, and the FBI warned in August that some state voter databases have also suffered breaches.

Altering voter registration records is a big deal since such attacks can affect voter turnout. While that’s not what’s being reported today, such an attack could not only nudge election results one way or another, but also raise serious questions about the integrity of the democratic process.

Even though rare, voter fraud has become a hot political issue. Any attack on voter records could trigger complaints about a rigged election and undermine confidence in the entire system.

Perceptions matter

Alarmingly, hacking elections may not involve the actual compromising of ballots or vote counting at all.

Just imagine that someone decided to take down a couple of voter information websites. Would this technically interfere with the election process? Maybe, if some people were trying to find the address for their polling place.

The obvious effect, though, would be to create the impression that the election is under attack, raising concerns about the credibility of the voting process and casting doubt on the results.

Solutions for securing the vote

Technology may be making elections more convenient and efficient, but that same technology can introduce new risks and it needs to be accounted for.

State election boards or commission should test their systems ahead of Election Day in November. They should even try attacking their own systems to discover what’s possible, and what can help defend their systems.

If you are a voter who is concerned about election hacking, local election officials should be able to tell you how they are dealing with potential cyberthreats. And if you really want to help, volunteer at the polls on Election Day.

Interesting Group Behind the Epic Yahoo Hack

Posted on by

Seems Yahoo could by lying about who actually did the hack and this may be due to the merger between Verizon and Yahoo.

 

The Yahoo hackers weren’t state-sponsored, a security firm says

CSO: Common criminals, not state-sponsored hackers, carried out the massive 2014 data breach that exposed information about millions of Yahoo user accounts, a security firm said Wednesday.

Yahoo has blamed state actors for the attack, but it was actually elite hackers-for-hire who did it, according to InfoArmor, which claims to have some of the stolen information.

The independent security firm found the alleged data as part of its investigation into “Group E,” a team of five professional hackers believed to be from Eastern Europe.

InfoArmor’s claims dispute Yahoo’s contention that a “state-sponsored actor” was behind the data breach, in which information from 500 million user accounts was stolen. Some security experts have been skeptical of Yahoo’s claim and wonder why the company isn’t offering more details.

InfoArmor also claimed that Group E was behind high-profile breaches at LinkedIn, Dropbox and Tumblr. To sell that information, the team has used other hackers, such as Tessa88 and peace_of_mind, to offer the stolen goods on the digital black market.

“The group is really unique,” Komarov said. “They’re responsible for the largest hacks in history, in term of users affected.” More details here.

**** Advice****

You don’t care who has looked at your emails? Really? Consider:

Here’s a simple exercise I invite you to do. Open your email and take a look at everything that you keep on it, both sent and received conversations. Scan all of them, every attachment you ever sent or received, every personal and work conversation, every email draft.

The truth is, we aren’t aware that we are living a big part of our lives through our email inbox.

We keep it all there, in only one place: photos, contracts, invoices, tax forms, reset passwords for every other account, sometimes even passwords or credit card PINs.

And our emails are interconnected to all our other digital accounts, from bank accounts to social networks (LinkedIn, Twitter, Facebook, etc), cloud services (Google Drive, iCloud, Dropbox), online shops (Amazon, for, ex, where you most likely saved your credit card details as well) and so on.

By simply breaching the email, a malicious hacker can easily get access to all those. They know how to do that.  Read More here…you REALLY need to.

From Digital Guardian:

Wrapping your head around the idea of a breach that affects half a billion users is a difficult task, and it’s not one that anyone has had to contemplate until now. Yahoo’s data breach is far and away the largest on record in terms of the number of users involved. The economic effect on the company will take years to calculate, and it may never be fully known, as is often the case with these breaches. Though Yahoo, already on the ropes and in the middle of a sale to Verizon, may see some rather unpleasant effects quite soon.

From the user’s perspective, too, the massive amount of data taken in the compromise – including dates of birth, email addresses, physical addresses, and security questions and answers – could have far-reaching effects. The information is an identity thief’s starter kit, even without bank account or payment card data. Yahoo has pointed the finger at a state-sponsored attacker, as is customary in these incidents.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter,” the company said in a statement on the compromise.

As gory as they are, the public details of the Yahoo compromise aren’t what’s really interesting or important here. The intriguing part in this case is how long it took Yahoo to uncover and disclose the data breach. In its public statements, the company said it discovered the compromise recently, but the data was stolen in 2014. That fact has drawn the attention of Capitol Hill and a group of senators is asking some very uncomfortable questions of Yahoo CEO Marissa Mayer.

In their letter, Sens. Ed Markey, Patrick Leahy, Elizabeth Warren, Al Franken, Richard Blumenthal and Ron Wyden asked Mayer when and how Yahoo learned of the breach, why the company took so long to uncover it, and whether any government agencies warned Yahoo of an attack by state-sponsored attackers. The lawmakers also said that the data taken from Yahoo could be used easily in other attacks.

“The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers,” the senators said. “This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.” Complete summary here.