Doing Advance Work

News that doesn't receive the necessary attention.

Friday, April 20, 2018

DNC caused its own embarrassment, is subject to lawsuits for knowingly disregarding warnings that its computers weren’t secure. DNC paid $60,000 for computer security assessment in 2015 then failed to act on a single one of dozens of recommendations. Malware was allowed to stay on DNC computers for nearly a year-Bloomberg, July 28, 2016

Cyber-security assessments can be a mixed blessing. Legal experts say some general counsels advise organizations against doing such assessments if they don’t have the ability to quickly fix any problems the auditors find, because customers and shareholders could have cause to sue if an organization knowingly disregards such warnings.

July 28, 2016, “DNC Ignored Cybersecurity Advice that May Have Prevented Recent Breach,” Bloomberg, Michael Riley, via

“The theft ultimately led to the release of almost 20,000 internal emails through WikiLeaks last week on the eve of the convention.” 

The Democratic National Committee was warned last fall [2015] that its computer network was susceptible to attacks but didn’t follow the security advice it was given, according to three people familiar with the matter. 

The missed opportunity is another blow to party officials already embarrassed by the theft and public disclosure of emails that have disrupted their presidential nominating convention in Philadelphia and led their chairwoman to resign. 

Computer security consultants hired by the DNC made dozens of recommendations after a two-month review, the people said. Following the advice, which would typically include having specialists hunt for intruders on the network, might have alerted party officials that hackers had been lurking in their network for weeks — hackers who would stay for nearly a year. 

Instead, officials didn’t discover the breach until April [2016]. The theft ultimately led to the release of almost 20,000 internal emails through WikiLeaks last week on the eve of the convention. The e-mails have devastated party leaders. Rep. Debbie Wasserman Schultz, the DNC chairwoman, has agreed to resign at the end of this week’s convention. She was booed off the stage on opening day after the leaked emails showed that party officials tried to undermine the presidential campaign of Sen. Bernie Sanders in favor of Hillary Clinton, who was formally nominated on Tuesday evening. Party officials are supposed to remain neutral on presidential nominations.... 

The consultants briefed senior DNC leaders on the security problems they found, the people familiar with the matter said. It’s unclear whether Wasserman Schultz was present. Now, she is likely to face criticism over not only the content of the emails — including one in which a party official proposes pushing stories in the news media questioning Sanders’s Jewish faith — but also the failure to take steps to stop the theft in the first place. 

“Shame on them. It looks like they just did the review to check a box but didn’t do anything with it,” said Ann Barron-DiCamillo, who was director of US-Cert, the primary agency protecting U.S. government networks, until last February. “If they had acted last fall [2015], instead of those thousands of emails exposed it might have been much less.”

The assessment by Good Harbor Security Risk Management, headed by the former Clinton and Bush administration official Richard Clarke, occurred over two months beginning in September 2015, the people said. It included interviews with key staff members and a detailed review of the security measures in place on the organization’s network, they said.

The review found problems ranging from an out-of-date firewall to a lack of advanced malware detection technology on individual computers, according to two of the people familiar with the matter. The firm recommended taking special precautions to protect any financial information related to donors and internal communications including emails, these people said.

The DNC paid $60,000 for the assessment, according to federal filings. 

Mark Paustenbach, a spokesman for the DNC, declined to comment on the Good Harbor report. Emilian Papadopoulos, president of Washington-based Good Harbor, said he couldn’t comment on work done for a specific client.

The security review commissioned by the DNC was perhaps the most detailed of a series of missed warnings. Officials at both the Republican National Committee and the DNC received government briefings on espionage and hacking threats beginning last year, and then received a more specific briefing this spring, according to another person familiar with the matter.

Cyber-security assessments can be a mixed blessing. Legal experts say some general counsels advise organizations against doing such assessments if they don’t have the ability to quickly fix any problems the auditors find, because customers and shareholders could have cause to sue if an organization knowingly disregards such warnings….

The firm typically recommends that clients conduct a so-called breach assessment to determine whether hackers are already lurking in the network, Papadopoulos said. He wouldn’t confirm whether such a recommendation was among those delivered to the DNC. 

“We give recommendations on governance, policies, technologies and crisis management,” he said.
“For organizations that have not had a compromise assessment done, that is one of the things we often recommend.”

It isn’t certain a breach assessment would have spotted the hackers, according to Barron-DiCamillo, but it would have increased the chances. “Why spend the money to have Good Harbor come in and do the recommendations and then not act on them?” she asked.”


Thursday, April 19, 2018

Sorry, John Brennan, IG review of former FBI employee McCabe began a week before Trump was sworn in. IG referred McCabe for criminal consideration to US attorney “some time ago”, Washington Post

Update: 4/19/18, Criminal referral for McCabe: “Inspector general referred findings on McCabe to U.S. attorney for consideration of criminal charges,” Washington Post,

“The referral to the U.S. Attorney’s Office for the District of Columbia occurred some time ago. Inspector general concluded McCabe had lied to investigators or his boss, then-FBI Director James B. Comey, on four occasions, three of them under oath.”…


“The report confirms that [Horowitz] opened this review [on Jan. 12, 2016] a week before Trump was sworn in.” 

4/16/18, “After The Inspector General Report, Questions Grow Over The Lack Of A Criminal Referral For McCabe,”

“Justice Department Inspector General Michael Horowitz has released his watchdog report on the conduct of former Deputy FBI Director Andrew McCabe and it is scathing…. 

“At issue is the leak to The Wall Street Journal about an FBI probe of the Clinton Foundation. 

Notably, the report itself belies the allegation of McCabe that he was victim of a witch hunt loyalists. Not only was Horowitz an Obama appointee but his staff were all career officials. More importantly, the report confirms that [Horowitz] opened this review [on Jan. 12, 2016] a week before Trump was sworn in. It preceded and had no connection to Mueller. 

The report takes apart McCabe’s spin with clinical precision.  It found that McCabe, 50, lied or misled investigators on not one but four occasions. It also found that these lies were clearly meant to help McCabe alone. McCabe said that he had full authority to make the disclosures.  The IG found no evidence to support those claims. It also found that there was no evidence that then FBI Director James Comey was informed by McCabe…. 

He [McCabe] further showed no contrition and allegedly falsely implicated his superior in the improper leaking of information to the media.”…


Wednesday, April 18, 2018

With no sign of significant cyber attack or change in behavior from Russia, US and UK “allies” say Russia is hostile adversary in cyber space, is “pre-positioning.” But US and UK are doing identical “pre-positioning” in Russia-BBC, Corera, Security Correspondent

“So far, there has not been any sign of a significant cyber-attack or change of behaviour from Russia.” US and UK say Russia is “pre-positioning.” “It is worth saying that Britain and the US will be carrying out almost identical activities in Russia, pre-positioning in Russian networks to be able to respond.”

4/16/18, “Could Russia and West be heading for cyber-war?” BBC, Gordon Corera, Security Correspondent 

“The latest warning of Russian intrusions is another sign that cyber-space is becoming one of the focal points for growing tension between Russia and the West.

But so far, much of the talk about cyber-war remains hypothetical rather than real. 

It is true that Britain’s National Cyber Security Centre (NCSC) is on high alert for the possibility of some kind of Russian activity.

More people and resources have been devoted to monitoring and investigation. 

There has also been outreach to companies to warn them on what to look out for and what to do. 

“Russia is our most capable hostile adversary in cyber-space, so dealing with their attacks is a major priority for the National Cyber Security Centre and our US allies,” NCSC chief Ciaran Martin said in a statement. 

But so far, there has not been any sign of a significant cyber-attack or change of behaviour from Russia. 

That is not to say that officials are not seeing any Russian activity. Quite the opposite, the reality is that they are almost always seeing Russian activity and they have done for close to 20 years. 

Russian espionage – the theft of information – dates back at least to the late 1990s.

More recently, in the past few years, officials in the UK and US have said they have seen Russia pre-positioning in networks that are part of the critical infrastructure in a way that could be used for destructive acts of sabotage, for instance taking down parts of the electricity grid. 

It is possible that Russian intrusions may be increasing. But it is too early to know for sure if this is the case, since it takes time to spot this – if it is spotted at all – and to be sure it is Russian.

The crucial thing is whether Russia actually employs its offensive capability to actually do something destructive. 

So far, there has been relatively little sign of this in the US or UK, although Russia is accused of launching destructive attacks against Ukraine, which spilled over into companies that did business there. 

It is worth saying that Britain and the US will be carrying out almost identical activities in Russia, pre-positioning in Russian networks to be able to respond. 

What no-one is quite sure of is whether this creates a deterrent a bit like mutually assured nuclear destruction in the Cold War.

Or if the fact that cyber-attacks are harder to trace and at least partially deniable – unlike a nuclear missile – makes the threshold for action much lower. 

It was notable though that the head of GCHQ last week made public reference to the use of Britain’s offensive cyber-capability. 

“For well over a decade, starting in the conflict in Afghanistan, GCHQ has pioneered the development and use of offensive cyber-techniques,” said Jeremy Fleming…

[Ed. note: Pathetic. A 17 year, never ending “conflict” in Afghanistan that does nothing but impoverish Americans is your idea of something to brag about?] 

(continuing): “And by that I mean taking action online that has direct real world impact.”

In this case, Mr Fleming was talking about activities targeting the Islamic State group. 

“We may look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps even destroy equipment and networks,” he said. 

Talking publicly about the capability is also likely to be seen as a means of warning Russia that Britain could respond if it was targeted. 

One possibility is that Russia could take action primarily in the information space. 

It has already been accused of unleashing bots and trolls to push its narrative of the Salisbury poisoning, although such activity does not fall under the traditional definition of a cyber-attack. 

But it could use cyber-intrusions to steal compromising data and then release this into the public domain to punish those it is opposing. 

This tactic was used with information stolen from sporting anti-doping bodies…. 

Such activity is a reminder that cyber-space should not be seen as somehow completely separate from other fields of activity – whether information flows or traditional military activity.”... 

[Ed. note: For example, Obama’s 2010 Stuxnet cyber attacks on Iran’s nuclear facilities achieved the same results as an actual bombing: The United States “repeatedly used cyber weapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives.”

6/1/2012, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” NY Times, David E. Sanger (“This article is adapted from Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power [by David E. Sanger of the New York Times], to be published by Crown on Tuesday.” June 2012)]

(continuing): “Particularly in the Russian doctrine of hybrid warfare, it is simply part of a continuum. 

But as the field that is newest, the rules in cyber-space of what constitutes war and an attack are much less clear. And that may be the danger, as miscalculation could lead to escalation.” 


Added: Obama effectively bombing Iran via computer in 2010 meant the US should expect to be attacked in return: 

This is the first attack of a major nature in which a cyber attack was used to effect physical destruction, said former CIA chief Michael V. Hayden. “No country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it [the United States] becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.” 

6/1/2012, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” NY Times, David E. Sanger (“This article is adapted from Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power [by David E. Sanger of the New York Times], to be published by Crown on Tuesday.”)

Added: Military man close to Obama admits leaking Stuxnet details to NY Times’ David E. Sanger: 

10/17/2016, “‘Obama’s General’ Pleads Guilty to Leaking Stuxnet Operation [to David E. Sanger of the NY Times],” Foreign Policy

Added: In Jan. 2017 Obama pardoned his friend who lied to the FBI and leaked Stuxnet details to NY Times:

1/17/2017, “Obama Pardons James Cartwright, General Who Lied to F.B.I. in Leak,” NY Times


Tuesday, April 17, 2018

Trump bombs Middle Class who elected him on his pledge of non-interventionism, doubles down by merging with so-called UK “allies,” the same “allies” who “kickstarted” efforts to defeat Trump by sending their US intel pals alleged anti-Trump spy info. Trump thrills War Industry by citing World War I into which US soldiers went to their death based on Euro lies, as Trump re-enacts, Raimondo

April 13, 2017, “British spies were first to spot Trump team’s [alleged] links with Russia,” UK Guardian, Luke Harding, Stephanie Kirchgaessner, Nick Hopkins

“Exclusive: GCHQ [UK Government Communications Headquarters] is said to have alerted US agencies after becoming aware of contacts in 2015....Britain’s spy agencies played a crucial role in alerting their counterparts in Washington to contacts between members of Donald Trump’s campaign team and Russian intelligence operatives, the Guardian has been told.”

“Both US and UK intelligence sources acknowledge that GCHQ played an early, prominent role in kickstarting the FBI’s Trump-Russia investigation which began in late July 2016….One source called the British eavesdropping agency the ‘principal whistleblower’.”

4/16/18, “Syria and the Revolt of the ‘Deplorables’,” Justin Raimondo

“Trump bombs his base.”

“Surely there has never been a presidential peroration as filled with contradictions – not to mention regrettable rhetoric – as President Donald J. Trump’s speech to the nation explaining why he backtracked on his campaign promise to get us out of Syria. 

Particularly striking was this bit of doubletalk: 

“To Iran and to Russia, I ask: What kind of a nation wants to be associated with the mass murder of innocent men, women, and children? 

“The nations of the world can be judged by the friends they keep. No nation can succeed in the long run by promoting rogue states, brutal tyrants and murderous dictators.”

This was being said even as the Saudis, our close allies, were bombing civilians in Yemen – with our active assistance – and blockading the country into one of the worst famines on record.

Ah yes, “the friends they keep” – wasn’t that Trump and Prince Mohammed bin Salman bin, the bloodthirsty tyrant who tortured his victims in an “anti-corruption” campaign and is being hailed by our media as a brave “reformer”? Here is the Prince posing with Jeff Bezos, owner of the warmongering Washington Post and Trump’s archenemy. In the swamp, however, there’s only so much room, and the creatures slither around each other out of necessity.

Our “friends” the Saudis, who assisted Mohammed Atta and his fellow hijackers – the majority of them Saudis – when they rammed a plane into the World Trade Center and attacked the Pentagon. Does Trump really want to be judged by the friends he keeps? 

Trump’s speechwriter had the nerve to invoke World War I as the point in history where atrocities involving poison gas were outlawed: this is nonsense. As recently as the Iran-Iraq war, our then-ally Saddam Hussein used poison gas, killing thousands, while the United States looked on approvingly. Agent Orange was used by US forces in the Vietnam war, to horrific effect.

Furthermore, the invocation of the Great War brings to mind the shameless British propaganda that lured us into a conflict that we should never have entered: those Belgian babies impaled on bayonets were one of the earliest examples of what Trump likes to call “fake news.” This time around the same sort of crude war propaganda – spread by the British government and its media allies, as well as the Saudis and the Israelis – blanketed the American media landscape in the run up to Trump’s folly. Perfidious Albion strikes again!

The reality is that there’s no credible evidence Bashar al-Assad’s forces dropped poison gas – an improbable “mixture” of chlorine and sarin – by helicopter no less. The “allies” make assertions but they offer no proof. It’s the sloppiest propaganda campaign since the last time Syria’s Islamist rebels used faked videos of alleged Assadist atrocities to lure us into their civil war. A child wouldn’t be fooled by it: however, it’s not surprising that they succeeded with Trump, since he’s operating on a much lower mental-emotional level than your average adolescent. Not that he’s stupid: it’s just that he craves the adulation of the media, which he pretends to hate and yet caters to incessantly – and certainly he was rewarded, at least momentarily, in that regard.

Yet the thrill will be brief. It won’t be long – indeed it’s already happening – before the NeverTrumpers who are hailing him as “presidential” will be demanding more “action” to finally take out Assad and install their favored Islamist head-choppers in power. And then no doubt we’ll see yet another alleged “gas attack” by the Assad forces, complete with videos of choking children and women – no men ever seem to be victims of these phony attacks – and New York Times editorials demanding full-scale “humanitarian” intervention.

It never ends. And that’s a lesson many of Trump’s supporters in the media are beginning to learn. The night before the attack Tucker Carlson spoke for the “deplorables” with a remarkable opening monologue that challenged the War Party on every level. Take a listen:…

He was joined by Laura Ingraham, the next day, as missiles flew: her takedown of the comic-opera warmonger Sebastian Gorka, recently kicked out of the White House, is one of those memorable moments that will live on the internet forever.

Trumpist radio host Michael Savage denounced the attack: “He bombed his base,” said Savage.

Savage is quite correct: the Trump base didn’t vote for this.

The key states Trump won and that gave him the margin of victory were won due to his anti-interventionist campaign rhetoric. Now they see that this was a fraud and they are bound to desert him in droves as their daughters and sons are sent to Syria to fight for – what? An Islamist state? Good media reviews from the New York Times for a childishly insecure President? 

While the left hails the Trumpist turn toward “humanitarian intervention,” the right is increasingly “isolationist,” i.e., committed to a policy of minding our own damned business and solving our many problems right here at home. This is the opening I’ve been talking about for many years, the great switching of polarities that occurs every 40 years or so: and now it is upon us, brought about by an accidental figure – Trump – who nevertheless unleashed forces he neither understands nor controls. 

Those forces – a populist movement that has rallied to the banner of “America First” – are a mass movement that rejects the Empire and longs to restore our old republic. They reject neoconservatism and the old leadership of the GOP, which is interventionist to its rotten core, which is why they put Trump in the White House. Now they must learn from his betrayal – and our job, here at, is to teach them that lesson.

That’s why all the sectarians who flew into a rage when I pointed out Trump’s value to the anti-interventionist movement were dead wrong and are still wrong. As I put it in this space months ago:

“Yes, the Trump administration will take many actions that contradict the promise of their victory: that is already occurring. And we are covering that in these pages, without regard for partisan considerations: and yet it is necessary to step back and see the larger picture, looking past the journalistic details of the day-to-day news cycle. In short, it is necessary to take the long view and try to see what the ideological victory that was won this past November augurs for the future.

“If we look past Trump and his administration and scout out what the road ahead looks like, the view is encouraging: the obstacles that loomed large in the past – the neoconservative hegemony in the GOP, the war hysteria that dominated the country post-9/11, the public’s largely unquestioning acceptance of what the “mainstream” media reported – have been swept away. What’s more, a global rebellion against regnant elites is threatening the status quo. All the elements that make for the restoration of our old republic are in place, including a growing mass movement in this country that rejects the old internationalist dogma.

“Ideas rule the world: not politicians, not parties, not range-of-the-moment fluctuations in public opinion. This isn’t about Trump, the politician, or the journalistic trivia of the moment: we are engaged in a battle of ideas – and, slowly but surely, we are winning.”

The “deplorables” had to go through this betrayal before they could begin to understand the real nature of US foreign policy – and the fact that the War Party is their greatest enemy. The virtue-signaling Beltway “libertarians,” who are even now jumping on the anti-Russian cold war bandwagon – and refusing to challenge the evidence-free claims of the US government and its British allies – are clueless as usual. They don’t care to dirty their pristine hands by joining with the Trump voters of flyover country: they’re concerned exclusively with impressing their Washington cronies with how “woke” they are – not at all like those Ron Paul-loving hillbillies!

The Beltway quasi-libertarians never cared about building a grassroots movement: they just wanted to build a box-like monstrosity of a glass-and-steel headquarters in order to impress their donors and the Washington Post. It’s a monument to their towering self-regard….

Non-interventionist foreign policy is the first thing defectors from the liberty movement throw overboard in their journey to join the Washington “mainstream.” As they merge with the political class, they acquire the social as well as the political-ideological orientation of their new allies, in this case contempt for those “deplorable” Trump voters and media figures who are in open rebellion against globalism.

This isn’t just about politics – it’s about culture. It’s Middle America versus the deracinated decadents who inhabit the Beltway. I know what side I’m on. Do you?”


Added: UK was thrilled to “kickstart” efforts to defeat Trump by sending “crucial” anti-Trump spy data to US intel “counterparts” in Obama admin.:

April 13, 2017, “British spies were first to spot Trump team’s [alleged] links with Russia,” UK Guardian, Luke Harding, Stephanie Kirchgaessner, Nick Hopkins

“Exclusive: GCHQ [UK Government Communications Headquarters] is said to have alerted US agencies after becoming aware of contacts in 2015....Britain’s spy agencies played a crucial role in alerting their counterparts in Washington to contacts between members of Donald Trump’s campaign team and Russian intelligence operatives, the Guardian has been told.”…

“Both US and UK intelligence sources acknowledge that GCHQ played an early, prominent role in kickstarting the FBI’s Trump-Russia investigation which began in late July 2016….One source called the British eavesdropping agency the ‘principal whistleblower’.”…


Monday, April 16, 2018

NSA must get out of hacking business after continuous failures, negligence that has caused massive global hacking crime, attacks on UK hospitals, loss of millions, exposed Americans to online attacks. NSA elite tools now ‘in every hacker’s toolbox’-The Week, 11/14/2017, Wired, 3/7/2018

Despite the endless cavalcade of failure, people make excuses for US gov. hacking. An NSA insider is most likely responsible for 2016 elite NSA hacking tools appearing on the internet.

Nov. 14, 2017, “The NSA needs to stop hacking,” The Week, Ryan Cooper

“Since August 2016, the National Security Agency has suffered a continual stream of devastating failures. Their internal hacking group, known as Tailored Access Operations (TAO), was breached 15 months ago by hackers calling themselves the “Shadow Brokers,” which has been dribbling out the contents of the NSA’s most prized hacking tools. The result has been a wave of internet crime — ransomware, lost files, and network attacks that disrupted businesses and cost hundreds of millions of dollars. 

And as this New York Times story illustrates, the agency has been completely incapable of figuring out how the breach happened. Their computer networks could have been penetrated, or they could have someone on the inside leaking the tools. But after more than a year, they have not been able to plug the leak.

It’s long past time the NSA was forced to stop hacking, and to start protecting the American people from the sort of tools they create. 

At the time of the leak last year [2016], I speculated that the NSA was exposing the American people to online attack, but I was not prepared for how bad it would be. Several huge ransomware attacks (in which a computer is infiltrated, its hard drive encrypted, and the de-encrypt key held for a bitcoin ransom) using NSA hacking tools have swept the globe, hitting companies like FedEx, Merck, and Mondelez International, as well as hospitals and telecoms in 99 countries. 

Even NSA partisans admit that this leak is creating much worse problems than the Snowden revelations (which were, after all, carefully vetted by journalists before being published). And despite a months-long internal investigation, the NSA still isn’t even sure what sort of leaks these are, let alone how the hackers are doing it. 

In theory, one could imagine a security trade-off between setting up a hacking program to spy on other countries, and a program to find and patch security vulnerabilities in American software and computer networks. 

In practice, it’s now beyond question that the benefits of developing these hacking tools pale in comparison to the danger they pose simply by existing. The NSA might be able to hire the best computer scientists in the world, but they are manifestly incapable of keeping the tools they produce secure…. 

Software and computer systems are an integral part of American society, and private individuals and companies — not to mention government agencies and election administrators — need to be protected from every single tool [not just “90%”] the NSA has ever produced. 

And after that, the TAO [Tailored Access Operations, NSA’s internal hacking group which was breached 15 months ago] needs to be shut down for the foreseeable future. Instead, the NSA should research computer vulnerabilities, and when they find one, quietly inform the afflicted party so they can fix it before word gets out. Indeed, the agency could do no small service by twisting arms to simply get people to install security patches — especially large corporations, who as a rule drag their feet about keeping their software (generally ancient and highly vulnerable versions of Windows) up to date until there is a crisis.

I think the real reason why the NSA has a hacking program can be found in the following phrase from the Times article, about why people join the agency: “[N]owhere else can they hack without getting into legal trouble…” Breaking into foreign computer networks, creating security exploits, calling yourself an “operator,” and generally doing cool spy stuff like in the movies is exciting and stimulating. People create excuses that legitimize this practice, despite the endless cavalcade of failure. 

By contrast, stuff like walloping Equifax over the head with a metaphorical cricket bat until they fix their appallingly insecure computer systems, or helping government departments implement ironclad end-to-end encryption to protect sensitive communications, is rather dull. But until some future date when the American state has become competent enough to keep a secret again, that’s what our secret computer professionals should be doing. American national security simply can’t afford any more NSA bungling.” 


Added: An NSA insider is likely responsible for 2016 elite NSA hacking tools appearing on the internet. “It’s one more reason to question the usefulness of an agency [NSA] that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.” 

8/21/2016, “Commentary: Evidence points to another Snowden at the NSA,” Reuters, James Bamford, commentary

“Hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block….It’s one more reason to question the usefulness of an agency [NSA] that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us….NSA may prove to be one of Washington’s greatest liabilities rather than assets….‘Without a doubt, they’re the keys to the kingdom,’ one former TAO employee told the Washington Post. ‘The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.’ Another added, ‘From what I saw, there was no doubt in my mind that it was legitimate.’”…


Added: NY Times article linked in The Week above: “N.S.A. employees say that with thousands of employees pouring in and out of the gates…it is impossible to prevent people from walking out with secrets.”…Among May 2017 WannaCry’s global targets using NSA hacking tools were UK hospitals as well as one or more hospitals in Pennsylvania.

11/12/2017, Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, NY Times, Scott Shane, Nicole Perlroth, David E. Sanger 

“A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.”… 

“Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers [in 2016 and 2017] already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves…. 

Millions of people saw their computers shut down by ransomware [in May 2017 WannaCry global attack], with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.

American officials had to explain to close allies-and to business leaders in the United States-how cyberweapons developed at Fort Meade in Maryland came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but certain. 

Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations….

Some veteran intelligence officials believe a lopsided focus on offensive weapons and hacking tools has, for years, left American cyberdefense dangerously porous. 

“We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.” 

At the heart of the N.S.A. crisis is Tailored Access Operations, the group where Mr. Williams worked, which was absorbed last year [2016] into the agency’s new Directorate of Operations.
T.A.O. — the outdated name is still used informally — began years ago as a side project at the agency’s research and engineering building at Fort Meade. It was a cyber Skunk Works, akin to the special units that once built stealth aircraft and drones.

As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas. 

The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes…. 

The more experienced T.A.O. operators devise ways to break into foreign networks….T.A.O. operators must constantly renew their arsenal to stay abreast of changing software and hardware, examining every Windows update and new iPhone for vulnerabilities. “The nature of the business is to move with the technology,” a former T.A.O. hacker said. 

Long known mainly as an eavesdropping agency, the N.S.A. has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the N.S.A. 

The same implant can be used for many purposes: to steal documents, tap into email, subtly change data or become the launching pad for an attack. T.A.O.’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz [Iran] nuclear plant caused centrifuges enriching uranium to self-destruct. The T.A.O. was also critical to attacks on the Islamic State and North Korea. 

It was this arsenal that the Shadow Brokers got hold of, and then began to release…. 

N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.

Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out. 

But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows.

There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers. 

Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”

The Shadow Brokers have verbally attacked certain experts, including Mr. Williams. When he concluded from their Twitter hints that they knew about some of his hacks while at the N.S.A., he canceled a business trip to Singapore. The United States had named and criminally charged hackers from the intelligence agencies of China, Iran and Russia. He feared he could be similarly charged by a country he had targeted and arrested on an international warrant.

He has since resumed traveling abroad. But he says no one from the N.S.A. has contacted him about being singled out publicly by the Shadow Brokers….

For decades after its creation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof.... 

The Snowden trauma led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets…. 

Because the N.S.A. hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit….

[NSA employee] Mr. Martin’s gargantuan collection of stolen files included much of what the Shadow Brokers have, and he has been scrutinized by investigators as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.

But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency.”… 


Added: NSA’s EternalBlue is “in every hacker’s toolbox.” It can mask or give false clues about the geographic location of the hacker. “EternalBlue’s widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers….It will be years before enough computers are patched against EternalBlue.” 

3/7/18, The Leaked NSA Spy Tool That Hacked the World, Wired, Lily Hay Newman 

“Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003.

EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy…. 

EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. 

Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA. 

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.

Microsoft released its EternalBlue patches on March 14 of last year [2017]. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks….As WannaCry hit, Microsoft even took the “highly unusual step” of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems. 

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected. 

The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.
Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,” says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. “There are definitely a lot of machines that are exposed in some capacity.”

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.” 

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox—much like the password extraction tool Mimikatz. But EternalBlue’s widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks. 

New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms. 

“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.” 

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.”

Added: Regarding the 2017 WannaCry attack, the US city of Atlanta, Georgia is now said to have been among those attacked, per a Georgia cyber security firm. The City of Atlanta was unable to provide comment.
“According to one security firm, last week’s cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the [2017] WannaCry outbreak [which used leaked hacking tools developed by the National Security Agency.]

New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city’s network was silently infected last year [2017] with leaked exploits developed by the National Security Agency. 

The cybersecurity firm’s founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017.

That was more than a month after Microsoft released critical patches for the exploits and urged users to install. 

The NSA exploits were stolen in 2016 in one of the biggest breaches of classified files since the Edward Snowden disclosures.

The [alleged] hackers [described as “leakers” in headline and elsewhere in this article] who stole the exploits, known as the Shadow Brokers, attempted to auction off the files but failed. 

Microsoft learned of the theft of these tools and, fearing that they would be used or publicly released, the company quietly released security patches for the exploit in March. Weeks later, the tools were dumped online for anyone to use. 

According to Williams, the city’s networks were left unpatched for weeks — making them vulnerable to ransomware attacks.

“Based on our data, we can say for an organization of its size, the city of Atlanta had a substandard security posture in April 2017, making the scope of the ransomware attack far from surprising,” Williams told ZDNet.

Williams also wrote up his findings Tuesday in a detailed blog post. 

Just two weeks later, the WannaCry ransomware attack hit.

The attack was the biggest of its kind — spreading throughout several countries, infecting hundreds of thousands of computers. The ransomware used the leaked NSA exploit dubbed EternalBlue, which attacks a flaw in Windows SMB, and drops the DoublePulsar backdoor and waits. It’s that DoublePulsar backdoor that allows an attacker to remotely execute a malicious payload — such as ransomware.

Williams said his firm detected 148,000 infected machines at its peak — machines that were directly connected to the internet.

But that doesn’t account for the vast number of machines connected to those infected servers — likely putting the final number of machines at risk significantly higher. 

Williams stopped scanning for infected servers only by chance before the WannaCry attack, because as security patches were applied, the number of vulnerable systems was going down. 

It’s not known if Atlanta patched its network during that two week period before the WannaCry attack.

When reached, a spokesperson for the City of Atlanta was unable to comment on specific questions we had. 

Williams confirmed that as of Monday, none of Atlanta’s systems are still infected by the NSA exploits — though, he said, it’s not known if the clean-up is a response to Thursday’s cyberattack or not.

Atlanta’s recovery efforts continue “around the clock,” said Bottoms.

CSO security reporter Steve Ragan reported earlier Tuesday that the portal used to pay the ransom — if the city decides to do so — has been pulled offline by the ransomware attacker. A screenshot of a city employee’s computer, which included the dark-web address used to access the payment portal, was publicized by local media. 

Although some of the city’s machines are slowly coming back online, many systems remain locked. For now, it’s not known when — or even if — the city will get fully back up and running.


Cyber scam: US-not Russia-is worst global hacker. WannaCry hacking virus that hit computer systems globally in May 2017 was created by NSA. Due to NSA negligence, its elite hacking tools paid for with US tax dollars were placed on the internet in 2016 and 2017. The entire world can now use the best hacking tools against the US-Washington Post, 5/16/2017

May 16, 2017, NSA officials worried about the day its potent hacking tool would get loose. Then it did. Washington Post,

“When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose. 

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue. 

But for more than five years, the NSA kept using it — through a time period that has seen several serious security breaches and now the officials’ worst fears have been realized. The malicious code at the heart of the WannaCry virus that hit computer systems globally late last week [May 2017] was apparently stolen from the NSA, repackaged by cybercriminals and unleashed on the world for a cyberattack that now ranks as among the most disruptive in history. 

The failure to keep EternalBlue out of the hands of criminals and other adversaries casts the NSA’s decisions in a harsh new light, prompting critics to question anew whether the agency can be trusted to develop and protect such potent hacking tools.

Current and former officials defended the agency’s handling of EternalBlue, saying that the NSA must use such volatile tools to fulfill its mission of gathering foreign intelligence. In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee….

The NSA did not respond to several requests for comment for this article. 

The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it. 

The attack spread virally because the criminal hackers combined EternalBlue’s ability to penetrate systems with other code that caused it to spread quickly, like a computer worm, something the NSA never intended. The resulting digital concoction snarled hospitals in Britain, the Interior Ministry in Russia and tax offices in Brazil. 

An unlikely combination of voices, ranging from the American Civil Liberties Union to a top Microsoft official to Russian President Vladimir Putin, has singled out the NSA for its role in creating and eventually losing control of computer code. Microsoft President Brad Smith, in a blog post Sunday, compared the mishap to “the U.S. military having some of its Tomahawk missiles stolen.”

Putin, for his part, echoed Microsoft: “They said that the first sources of this virus were the United States intelligence agencies. Russia has absolutely nothing to do with this.”

While few critics are saying that the NSA should never develop malicious software — cracking into the computers of surveillance targets is key to its work — the WannaCry incident has revived concerns about internal security at an agency that in 2013 lost massive troves of secret documents to contractor Edward Snowden. 

“They’ve absolutely got to do a better job protecting [the hacking tools]. You can’t argue against that,” said former NSA director Keith B. Alexander, who ran the agency from 2005 to 2014 but said he was unable to comment on any particular tool. “You had somebody stealing you blind. The government has got to do better at that.”

The global backlash to the Snowden revelations added urgency to the government’s efforts to revamp rules on when to report flaws to companies and when to use them for surveillance. Alexander said that about 90 percent of discovered flaws are reported to the companies that make the software.... 

In August [2016], a mysterious group calling itself the Shadow Brokers dumped a set of exploits — or hacking tools — online. The exploits are built to take advantage of software flaws. 

The [NSA] agency eventually warned Microsoft after learning about EternalBlue’s theft, allowing the company to prepare a software patch issued in March. But the Shadow Brokers did not just release the flaw, which would take time and talent to turn into a tool. They released the exploits, which means even a novice hacker could use them to cause damage. 

After fashioning their own tool, WannaCry hackers deployed it last week, causing an immediate outcry. The White House convened an emergency meeting of Cabinet-level heads led by Trump administration homeland security adviser Thomas Bossert. 

U.S. systems were mostly spared, but the damage could have been far worse. Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions have updated software that was especially vulnerable…. 

To mitigate its instability in the early days, the NSA hackers were under strict usage rules that required approval from a senior supervisor on a target-by-target basis to use the exploit, the employees recalled.

After a few years, its stability was improved, but NSA was still mindful of the potential for harm if the tool somehow was breached. 

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.” 

The Shadow Brokers’ first dump of exploits in August [2016] sparked a robust discussion within the Obama administration. “By that point, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former senior administration official said….

But critics say the government got off easy this time. What if the Shadow Brokers had dumped the exploits in 2014, before the government had begun to upgrade software on its computers? 

What if they had released them and Microsoft had no ready patch? Vulnerabilities that are found in widely used software can also provide some of the most valuable intelligence because “they may enable access to a larger number of targets,” said Samir Jain, a former senior White House cyber official. “But the fact that a vulnerability is widely used and therefore the harm could be broad should be a significant factor. At the end of the day, it’s a balancing act.” 

Governments around the world will continue using these hacking tools, so the issue is that NSA needs to do a much better job of securing them, current and former officials said. 

It is not clear how the Shadow Brokers obtained the hacking tools, which are identical to those breached by former NSA contractor Harold T. Martin III, according to former officials. Martin was arrested in October after the FBI found evidence that he had over the years stolen a massive quantity of classified data from a variety of agencies. The most damaging breach was at the NSA, where Martin allegedly had filched virtually the entire library of hacking tools. Martin has been charged with stealing government property and retaining classified information. 

When the [NSA] breach was discovered last summer [2016], NSA Director Michael S. Rogers told President Obama that he considered himself accountable for it.

“The NSA certainly failed to build an environment that protected these extraordinary secrets that we’ve got,” said a former senior U.S. official. “We’ve got extraordinary capabilities, and it’s a huge responsibility to manage them on behalf of the nation.””

Among comments: “Computer security” is the latest scam. Computer infections are impossible to avoid. They often result from one random human being mistakenly clicking on the wrong link: 

5/17/2017 9:54 AM EDT 

“It seems most computer viruses and malware infect computers by gaining entry through a very simple method. You or someone in your organization downloads an attachment or clicks on a link and the computer or computer network is now infected. It’s as simple and easy as that. Despite multiple warnings on not clicking on links or opening attachments from senders you don’t know, people do that every day.”


