‘Shadow Brokers’ Hacker Group Claims to have Stolen NSA Cyberweapons | Aug 2016

Hacker group claims to have stolen NSA ‘cyberweapons’

– OC Register


WASHINGTON – A mysterious group that calls itself the Shadow Brokers claims to have hacked into the National Security Agency, stolen powerful cyberweapons and surveillance tools, and put them up for auction.

If true, the claim would indicate that one of the U.S. government’s key agencies for cyberwarfare is itself vulnerable and has fallen into a pitched and escalating battle with a powerful unknown cyber foe, perhaps Russia.

News of the apparent breach came over the weekend when the Shadow Brokers released a limited number of files, claiming they were part of an arsenal “made by creators of stuxnet” and other notorious NSA malware. Stuxnet helped cripple Iran’s nuclear program in 2009 and 2010 by shattering many of its centrifuges.

Neither the NSA nor the Office of the Director of National Intelligence responded to queries about whether the NSA had been penetrated. But several cybersecurity experts took the claims seriously and suggested that the penetration of the NSA marks a watershed moment and is part of rising tensions between the United States and Russia.

Among those backing that view was Edward Snowden, the former CIA employee and NSA subcontractor who in 2013 leaked a trove of secret NSA documents before seeking refuge in Russia.

Snowden tweeted Tuesday that “circumstantial evidence and conventional wisdom indicates Russian responsibility” for the apparent NSA hack, and that the public revelation of the theft is a message that a series of tit-for-tats between Washington and Moscow “could get messy fast.”

Snowden said he believed news of the apparent breach “is more diplomacy than intelligence, related to the escalation around the DNC hack.”

Last month, WikiLeaks published tens of thousands of hacked emails from the Democratic National Committee, days before the Democratic convention in Philadelphia. U.S. intelligence officials later told top members of Congress that two Russian intelligence agencies or their proxies were behind the hack, according to Reuters and other media outlets, though there has been no official determination.

The attempt at public shaming of Russia over election interference preceded this week’s developments, in which both nations appear to be “outing” the other side.

The stolen cybersurveillance tools might help foreign governments do forensics on their own computer systems to determine whether they have been targets of U.S. surveillance efforts, a potentially embarrassing development for Washington.

The files made public revealed tools to get past firewalls and embed in network equipment or software made by Fortinet, Cisco Systems and Juniper Networks in the United States, as well as TopSec, China’s largest information security vendor.

“It’s definitely significant to hack the NSA but if you look at the metadata, you would know that those files that have been provided date back to 2013. Some of the directories are very old,” said Vitali Kremez, a cybercrime intelligence analyst at Flashpoint, a New York security firm.

“One of the exploits was targeting a specific Cisco device, and it was only targeting versions that have actually been outdated and replaced with new ones,” Kremez said.

…Continue reading @ OC Register

NSA website recovers from outage amid intrigue

– Politico


The National Security Agency’s website was offline for almost a full day until Tuesday evening, in an unexplained outage that began shortly after hackers claimed to have stolen a collection of the agency’s prized cyber weapons.

It’s unknown if the two events are connected.

POLITICO first noticed that the agency’s website wasn’t working at 10:54 p.m. Monday. It came back online around 5 p.m. Tuesday.

The outage began a few hours after a mysterious group called the Shadow Brokers claimed to have stolen cyber weapons from the Equation Group, a sophisticated hacking group suspected of being linked to the NSA. Some cybersecurity experts, as well as fugitive NSA whistleblower Edward Snowden, suggested that the alleged thefts may be connected to the uproar over suspected Russian cyber spying on the Democratic Party — but no information has surfaced to link the two, or to connect the alleged thefts with the NSA website outage.

During the outage, the NSA homepage itself was accessible, but all links on the page led to “Service Unavailable” error pages, except for blog posts listed under the “What’s New” section. (Those may be hosted on another server.)

An NSA spokesman declined to comment on the record about the outage, as did a spokesman for the Office of the Director of National Intelligence. A spokesman for the Department of Defense, which also oversees the NSA, said he would look into the issue, but did not follow up with any information.

The White House referred POLITICO to the NSA.

An unnamed source told FedScoop that the outage was due to an ongoing “internal review.”

The Shadow Brokers’ claims to have stolen the Equation Group’s hacking tools had stirred much intrigue earlier Monday, especially when the Shadow Brokers said they were willing to sell them. The security firm Kaspersky has linked the Equation Group to digital intrusion techniques widely associated with the NSA.

Regardless of how the Shadow Brokers obtained the files — if in fact they’re real — the thieves have been holding onto their merchandise for a while, as POLITICO’s Morning Cybersecurity noted Tuesday. One of the leaked tools exploits a vulnerability from 2006.

Capital Alpha Security CEO Matt Tait hypothesized that the hackers acquired the files a long time ago and saved them for a future purpose. If so, he said, their recent unveiling — along with Monday’s release of a fresh batch of stolen Democratic documents — may be designed to hit back at the NSA for some behind-the-scenes action the agency took in response to the DNC hack.

Snowden also speculated about a connection, calling it “unprecedented” for anyone to publicize this kind of attack on the agency.

“Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” Snowden wrote Tuesday on Twitter. He added that “circumstantial evidence and conventional wisdom indicates Russian responsibility,” and said it may be an attempt to warn the NSA that the dispute “could get messy fast.”

…Continue reading @ Politico.com

Secret Code Found in Juniper’s Firewalls Shows Risk of Govt Internet Back Doors

– Wired | Dec 2015


Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines. It even came up during this week’s Republican presidential candidate debate. But despite all the attention focused on backdoors lately, no one noticed that someone had quietly installed backdoors three years ago in a core piece of networking equipment used to protect corporate and government systems around the world.

Two Backdoors

The first backdoor Juniper found would give an attacker administrative-level or root privileges over the firewalls—essentially the highest level of access on a system—when accessing the firewalls remotely via SSH or telnet channels. “Exploitation of this vulnerability can lead to complete compromise of the affected system,” Juniper noted.

The second backdoor would effectively allow an attacker who has already intercepted VPN traffic passing through the Juniper firewalls to decrypt the traffic without knowing the decryption keys. Juniper said that it had no evidence that this vulnerability had been exploited, but also noted that, “There is no way to detect that this vulnerability was exploited.”

– This is very bad, folks, very bad. /CJ

Read more of the amazingly technical and detailed article by Kim Zetter originally @ Wired | Dec 2016.