NSA Infected 50000 Systems with MALWARE


A new slide culled from the trove of documents leaked by Edward Snowden shows where the NSA placed malware on more than 50,000 computer networks worldwide, according to Dutch media outlet NRC.

The NSA management presentation slide from 2012 shows a world map spiderwebbed with "Computer Network Exploitation" access points.

Like all the NSA slides we've seen so far, this one is unlikely to win a PowerPoint beauty pageant anytime soon.

Not that this should distract anyone from the profoundly disturbing implications of this US government malware map that's being reported by a Dutch news agency -- an outlet to which the US government gave a "no comment."

Translated from Dutch:

    The American intelligence service -- NSA -- infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information.

    Documents provided by former NSA employee Edward Snowden and seen by this newspaper, prove this.

    (...) The NSA declined to comment and referred to the US Government. A government spokesperson states that any disclosure of classified material is harmful to our national security.

An NSA Web page that outlines the agency's Computer Network Operations program describes Computer Network Exploitation, or CNE, as a key part of the program's mission and says CNE "includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks."

In late August, The Washington Post reported on the NSA's "hacking unit" called Tailored Access Operations (TAO).

The Post wrote:

    According to a profile by Matthew M. Aid for Foreign Policy, it's a highly secret but incredibly important NSA program that collects intelligence about foreign targets by hacking into their computers, stealing data, and monitoring communications.

    (...) Dean Schyvincht, who claims to currently be a TAO Senior Computer Network Operator in Texas, might reveal the most about the scope of TAO activities.

    He says the 14 personnel under his management have completed "over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements."

This is one letter away from being exact.

On the NSA's network ops page, there is no program with the acronym GNE -- only CNE and these two:

    Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

    Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information.

Across the newly published slide top and bottom a stripe reads, "REL TO USA, AUS, CAN, GBR, NZL."

These are the so-called Five Eyes nations -- the U.S., U.K., Canada, Australia, and New Zealand -- that share intelligence.

Last week, the very same Five Eyes nations moved to oppose the United Nations' anti-surveillance, right-to-privacy draft resolution called "The Right to Privacy in the Digital Age."

Security researchers online are speculating that telecoms were the most likely targets for the malware.

    Only 50k malware installations globally? Must be restricted to the telcos, ISPs, banks, etc that allow for bulk collection.
    -- the grugq (@thegrugq) November 23, 2013

They may not be too far off the mark.

NRC cites an example of Britain's NSA counterpart, GCHQ, being found to use spoofed LinkedIn pages to install surveillance malware on target computers at the Belgian telecom Belgacom (translated):

    One example of this type of hacking was discovered in September 2013 at the Belgian telecom provider Belgacom.

    For a number of years the British intelligence service -- GCHQ -- has been installing this malicious software in the Belgacom network in order to tap their customers' telephone and data traffic.

    The Belgacom network was infiltrated by GCHQ through a process of luring employees to a false LinkedIn page.

NRC concludes its article by telling us that the Dutch government's intelligence service has its own hacking unit, but that it's prohibited by law from engaging in the type of operations that the CNE slide suggests the NSA carried out.

This story originally appeared as "NSA malware infected over 50,000 computer networks worldwide" on ZDNet.

Google: We're bombarded by gov't requests on user data


The US government is on a data-gathering spree at Google, new data from the search giant reveals.

Between January and June 2013, the US government issued nearly 11,000 requests to Google asking for user information, or about 42 percent of the global total. India was second with nearly 2,700 government requests.

The collective requests from governments around the world during that six-month period have more than doubled in the three-and-a-half years since Google's first government transparency report, which covered the second half of 2009. "And these numbers," Google said in a blog post Thursday, "only include the requests we're allowed to publish."

It's the things that Google can't share about those data requests that really have the company hot and bothered.

"We believe it's your right to know what kinds of requests and how many each government is making of us and other companies," Google Legal Director Richard Salgado wrote in the blog post. "However, the US Department of Justice contends that US law does not allow us to share information about some national security requests that we might receive. Specifically, the U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know."

To underscore that point, Google posted a quartet of graphs illustrating the volume and nature of the government requests. In the fourth of the four graphs, to reflect the constraints on its ability to provide transparency on national security-related FISA requests, Google drew thick black lines over a barely visible bar chart, in the manner of a heavily redacted document.

FISA has become a hot-button topic this year after former NSA contractor Edward Snowden released secrets on the US government's alleged spying activities. The US government has used FISA to block technology companies like Google from sharing what kind of requests they've received. Some of those companies brought a federal case earlier this year in an attempt to share that information. So far, those efforts have failed.

Apple last week released its latest report on government data requests, with a similar call for the US government to open up. These sorts of transparency reports have become a regular thing for tech titans, with the list also including Twitter, Yahoo, Google, and Facebook.

Google also urged Washington to take action to shore up privacy protections for US citizens:

    We strongly believe that the Electronic Communications Privacy Act (ECPA) must be updated in this Congress, and we urge Congress to expeditiously enact a bright-line, warrant-for-content rule. Governmental entities should be required to obtain a warrant--issued based on a showing of probable cause--before requiring companies like Google to disclose the content of users' electronic communications.

The American Civil Liberties Union (ACLU) has been one of the more outspoken critics of the US government's secrecy. In a statement on Thursday, the organization's legislative counsel, Christopher Calabrese, expressed much the same outrage:

    Law enforcement requests to Google have tripled in four years but we're still stuck with the same Internet privacy law we had in 1986. If police need a warrant to open someone's mail then they should need one to rifle through someone's e-mail, regardless of its age or if it's stored on a company's server. It's time Congress and the president updated (the) Electronic Communications Privacy Act (ECPA) so there's only one standard for government access to the content of our electronic communications: a warrant based upon probable cause. Anything less is indefensible.

It bears noting that many government requests for user data are of a rather routine law enforcement nature. Of the 10,918 requests made by the US in the first half of 2013, for instance, 68 percent were subpoenas, and 22 percent were warrants, according to Google.

In the second half of 2009, the period covered by Google's first transparency report, the US government made 3,580 data requests, for about 28 percent of the global total of 12,539 requests.

New Internet Bug Bounty holds companies accountable, protects hackers


Hackers looking to make quick cash just got a new way to grease their bank accounts with the launch of HackerOne's Internet Bug Bounty.

Security high-hats from primary sponsors Microsoft and Facebook, along with volunteers from Etsy, Chrome and iSEC Partners, calling themselves HackerOne, today announced a bounty program trading cash for bugs in OpenSSL, Python, Ruby, PHP, Rails, Perl and "the Internet," among others.

According to HackerOne's Disclosure Guidelines, the companies behind the program are not allowed special access or rights to the submitted bugs.

Hackers can submit as anonymously as they prefer. Response Teams from affected companies and products are cautioned against taking punitive action against the hackers.

And if you're on a response team for a product that might be affected by a bug on the bounty list, you'd be wise to register with HackerOne if you want to be notified about exploits and vulnerabilities immediately.

Legit bugs affecting products will be reported to Response Teams right away through the HackerOne platform, otherwise the Internet Bug Bounty panel promises to do everything possible to reach and inform affected companies with the disclosure.

And if a company doesn't pick up the phone when HackerOne calls?

Companies have seven days to respond, then:

    If we aren't able to contact the Response Team, the Bug Report will be made public 30 days after our initial contact attempt.

Regardless, all bug data is eventually shared with the public.

The Internet Bug Bounty says its aim is "Rewarding friendly hackers who contribute to a more secure internet."

Before you go off thinking the program is just for white knights, the organizers have made it clear they're also looking for bug hunters who want to remain off the books: submitters can remain anonymous, even to the point of deferring payment to a charity of their choice.

To register, hackers need only provide a name, username, password, and email address; HackerOne states it deletes all access logs after 180 days.

But if you're looking for credit, HackerOne says you'll definitely get it.

HackerOne told ZDNet that hackers choosing to give their reward to charity can pick any charity they like, plus HackerOne might even throw in a little extra scratch to give the hacker's favorite charity a bit more to celebrate.

Its Disclosure Policy has some ethical guidelines for hackers to follow if they're going to play ball with HackerOne, but HackerOne has slanted its policy to be clear about its stance of protecting hackers who bring in bugs.

The guidelines for Response Teams that HackerOne will work with state that teams from affected products and companies have to credit the hacker for discovery, and can't threaten hackers, punish them for finding vulns, or turn them over to the cops.

HackerOne's Disclosure Guidelines state, "Response Teams should..."

    Do no harm. Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

Perhaps that's because some of the people on HackerOne's interesting team have seen some action.

    We're a group of hackers and researchers who have been frustrated by the failings of the vulnerability disclosure status quo.

    Members of our team have managed bounty programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions.

Young hackers can join the hunt, too. There is no minimum age for submissions and payout, though in keeping with the Children's Online Privacy Protection Act hackers under 13 will need to have a parent or guardian claim the bounty.

Sandbox escapes and "the Internet" start at $5K, with OpenSSL at $2500, followed by Python, Ruby, PHP, Rails and Perl coming in at $1500 per bug. Apache httpd and Nginx fetch $500 a pop, Phabricator is $300, while Django is listed at this time with no minimum bounty.

Hackers can also submit bugs via private YouTube videos, but HackerOne requires all video submissions to have bad techno playing in the background.
NSA Monitors Google, Yahoo, Microsoft's Data Centers


The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top-secret accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video.

The NSA's principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, the Government Communications Headquarters. From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

In a statement, the NSA said it is “focused on discovering and developing intelligence about valid foreign intelligence targets only.”

“NSA applies Attorney General-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination,” it said.

In a statement, Google’s chief legal officer, David Drummond, said the company has “long been concerned about the possibility of this kind of snooping” and has not provided the government with access to its systems.

“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he said.

A Yahoo spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

Under PRISM, the NSA gathers huge volumes of online communications records by legally compelling U.S. technology companies, including Yahoo and Google, to turn over any data that match court-approved search terms. That program, which was first disclosed by The Washington Post and the Guardian newspaper in Britain, is authorized under Section 702 of the FISA Amendments Act and overseen by the Foreign Intelligence Surveillance Court (FISC).

Mac OS X Mavericks REVIEW

Everyone running a Mac has probably seen the FREE UPGRADE by now. Take a look at the review posted on THE VERGE.

Experian Sold Consumer Credit Information to ID Theft Service

The information below was gathered and researched by KREBS ON SECURITY.


An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.

That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

Contacted about the reader's claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which U.S. Info Search had previously struck an information sharing agreement. Martin said that several years ago U.S. Info Search and Court Ventures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.
