Thursday, August 14, 2014

NSA Watch ( August 14 , 2014 ) - Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously , latest NSA product to understand .... ....... New Snowden Interview in Wired....... The US Intelligence Community has a Third Leaker .....

New Snowden Interview in Wired

There's a new article on Edward Snowden in Wired. It's written by longtime NSA watcher James Bamford, who interviewed Snowden is Moscow.
There's lots of interesting stuff in the article, but I want to highlight two new revelations. One is that the NSA was responsible for a 2012 Internet blackout in Syria:
One day an intelligence officer told him that TAO­ -- a division of NSA hackers­ -- had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead -- rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet -- although the public didn't know that the US government was responsible....
Inside the TAO operations center, the panicked government hackers had what Snowden calls an "oh shit" moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.
Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO's operations center, the tension was broken with a joke that contained more than a little truth: "If we get caught, we can always point the finger at Israel."
Other articles on Syria.
The other is something called MONSTERMIND, which is an automatic strike-back system for cyberattacks.
The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country -- a "kill" in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement.
A bunch more articles and stories on MONSTERMIND.
And there's this 2011 photo of Snowden and former NSA Director Michael Hayden.

Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously

 Sean Gladwell/Getty
Edward Snowden has made us painfully aware of the government’s sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government’s cyber defense capabilities, too.
The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.
Although details of the program are scant, Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat.


The US Intelligence Community has a Third Leaker

Ever since the Intercept published this story about the US government's Terrorist Screening Database, the press has been writing about a "second leaker":
The Intercept article focuses on the growth in U.S. government databases of known or suspected terrorist names during the Obama administration.
The article cites documents prepared by the National Counterterrorism Center dated August 2013, which is after Snowden left the United States to avoid criminal charges.
Greenwald has suggested there was another leaker. In July, he said on Twitter "it seems clear at this point" that there was another.
Everyone's miscounting. This is the third leaker:
  • Leaker #1: Edward Snowden.
  • Leaker #2: The person who is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. I have also heard privately that the NSA knows that this is a second leaker.
  • Leaker #3: This new leaker, with access to a different stream of information (the NTSC is not the NSA), whom the Intercept calls "a source in the intelligence community."
Harvard Law School professor Yochai Benkler has written an excellent law-review article on the need for a whistleblower defense. And there's this excellent article by David Pozen on why government leaks are, in general, a good thing.

(  Fallout after a hack.... ) 

Tenn. Firm Sues Bank Over $327K Cyberheist

An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses.
teciIn May, 2012, Kingsport, Tenn.-basedTennessee Electric Company Inc. (nowTEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.
TriSummit was able to claw back roughly $135,000 of those unauthorized transfers, leaving Tennessee Electric with a loss of $192,656. Earlier this month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.
Both companies declined to comment for this story. But as Tennessee Electric’s complaint(PDF) notes (albeit by misspelling my name), I called Tennessee Electric on May 10, 2012 to alert the company about a possible cyberheist targeting its accounts. I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.
According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47.
[SIDE NOTE: When I spoke with Tennessee Electric's controller back in 2012, the controller for the company told me she was asked for and supplied the output of a one-time token upon login. This would make sense given the controller's apparent problems accessing the bank's Web site. Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim's browser to an error page or a "down for maintenance" message -- all the while allowing the thieves to use the one-time token and the victim's credentials to log in as the legitimate user.]