After SolarWinds Breach, Lawmakers Ask NSA for Help in Cracking Juniper Cold Case (cyberscoop.com) 15
As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago. From a report: A group of lawmakers led by Sen. Ron Wyden, D-Ore., are asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government. Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm's software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill -- and concern in the Pentagon about the potential exposure of its contractors to the hack -- there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.
Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks. Members of Congress also are examining any role that the NSA may have unwittingly played in the Juniper incident by allegedly advocating for a weak encryption algorithm that Juniper and other firms used in its software. Lawmakers want to know if, more than a decade ago, the NSA pushed for a data protection scheme it could crack, only for another state-sponsored group to exploit that security weakness to gather data about the U.S. "Congress has a responsibility to determine the root cause of this supply chain compromise and the NSA's role in the design and promotion of the flawed encryption algorithm that played such a central role," Wyden and other lawmakers wrote to Gen. Paul Nakasone, head of the NSA and U.S. Cyber Command, in a letter made public Friday.
Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks. Members of Congress also are examining any role that the NSA may have unwittingly played in the Juniper incident by allegedly advocating for a weak encryption algorithm that Juniper and other firms used in its software. Lawmakers want to know if, more than a decade ago, the NSA pushed for a data protection scheme it could crack, only for another state-sponsored group to exploit that security weakness to gather data about the U.S. "Congress has a responsibility to determine the root cause of this supply chain compromise and the NSA's role in the design and promotion of the flawed encryption algorithm that played such a central role," Wyden and other lawmakers wrote to Gen. Paul Nakasone, head of the NSA and U.S. Cyber Command, in a letter made public Friday.
But the NSA did it. (Score:2)
Obviously. *sigh*... I could write this shit.
NSA? Seriously? (Score:5, Interesting)
The NSA is almost solely repsonsible for the WannaCry attack. Insteaed of doing their job and notifying the relevant parties of the Eternal Blue zero day weakness in Windows, you know, actually helping with security, they instead weaponized it and then somehow their weaponized exploit was released. WannaCry was the result of that weaponized code and it still remains as the single most devastating cyber attack in history. The UK's National Health Service had 70,000 devices affected alone. It crippled them. The way health services there were affected, it is likely that there were a significant (but ultimately unknowable) number of deaths from this.
The NSA's leadership should have been hauled in front of congress in chains over this. The actual response was little more than a shrug. The NSA is the last organization on the earth I would ever trust to conduct any sort of malware investigation or mitigation.
Re: (Score:3)
I WISH I HAD MOD POINTS. THIS IS SOME TRUTH.
The NSA's leadership is entirely irresponsible in terms of its stated mission. They violate laws left and right and are never held to account.
Basically anyone who willing assists them is a traitor in my book. The only way to fix an organization like that is radical rip and replace of enough level of leadership to really change the culture.
Re: (Score:2)
Re: (Score:1)
Due you know a lot of the difference between the effectiveness of defence and offence in cyber activities, is inherently due to the nature of the efforts and their desirability. So on defence, you have to provide a perfect defence all of them time, cheaply and when security is broken, you are in real trouble. On the attack side, failure is routine and is ignored along as you succeed sometimes.
Now think about employees at that organisation. Work defence and inevitably you are fucked, especially with unrelia
Re: (Score:1)
PS The FBI should also have a bunch of flying tech squads. Their job to get to the hacked site as quickly and quietly as possible, to gather evidence and get system running again and leave a honeypot on location to keep the hack looking alive, all done as quickly and quietly as possible, whilst monitoring connections of staff members to catch insiders. Normally it is too late to do much but sometimes they get in quick enough to do really well.
Re: (Score:2)
The problem you describe is easily solvable through rotational assignments and properly designed personnel policies. Beyond countering what you describe, the rotational assignments also have the benefit of improving people's skills as they get to work on both sides of the equation.
This isn't to say I agree with the previous posters thesis, but it isn't unworkable.
Ban key distribution then... (Score:3)
The whole reason this crap happens is because the government *intentionally* decides to provide weak encryption that depends upon careful key selection.
Then they go and make sure only they can generate keys for the governments use of crypto, such that only strong keys are chosen.
If you or I however just randomly generate key, there is a very good chance it's not a strong one and has various weaknesses.
They will keep doing this crap as long as they can reliably ensure their users only get strong keys, i.e. they get to be the central authority to generate keys.
If a law was proposed that forced them *not* to be the sole creator of keys, this would then instantly out their scheme because they wouldn't want regular government users to be generating their own "weak" keys.
It's similar to encryption being what shirt you wear, with all colors equally strong, yet advance knowledge of the scenery lets them choose camouflage colors while your random choice of "Red" isn't secure at all.
If Solar Winds and their contractors (Score:2)
As for the NSA helping, members of congress and their staffs are not the sharpest tacks in the box. Lets have the NSA do it just sounds good in their demented world.
Been thinking of making my own solarwinds (Score:3)
So last week at work our ISSO said that techs can't use angryip to scan for free ips on a vlan of equipment that doesn't respond to icmp. So basically I wrote my own port scanner using powershell.
https://github.com/RobertMCort... [github.com]
I was honestly shocked at how stupid easy this was, and it got me to thinking there's a lot more powershell can do. Granted sccm does do machine reporting but it's not designed to do network monitoring.
I also found out last week that there are .net classes for making charts.
Maybe I'm going down a rabbit hole here, but maybe I can make a powershell monitoring system, it could get hacked, then they'll ban powershell from all networks.
Pundits don't read Wikileaks. (Score:3)
Snowden, Kiriakou and the Vault7 Whistleblower have already show us that the NSA and CIA undermines cybersecurity for EVERYONE to enable surveillance and fuckery.
Instead of protecting our IT, they are exploiting it, and putting all of us at risk.
Because they want to keep exploiting it, they don't advise vendors, and then those vendor products are subsequently compromised.
This idea of backdoors for goodguys is stupid, and even the idea of revolving backdoors (just going on the stuff observed - don't have actual proof - but my spideysenses are tingling that this is the kind of crap we're seeing in windows 10 constant patching).
Anyone remember the Blackberry Outage years back, where RIM said their production infrastructure had been compromised and subsequently collapsed when a diff patch was applied? the production executables were redirecting data to another state that they declined to detail - you can bet your bottom dollar it was a 'friendly' nation that remained unnamed.
I don't think Russia is our greatest risk - I think our own governments are - in their fear of the next big Whistleblower showing us all that we're being lied to and manipulated for the financial benefit of well positioned Elites that have thoroughly corrupted our State intelligence/security services policies (well.. let's say FURTHER than already revealed).
Re: (Score:2)
Re: (Score:2)
How much do you charge for your spamming services? I'd like to hire you to spam bomb a few companies in karachi...