NSA TAO Chief Rob Joyce on network defense

The above video is from the USENIX Enigma conference, in which Rob Joyce, Chief of Tailored Access Operations at the National Security Agency, spoke. He spoke from the attacker's perspective and gave some best-practice advice and recommendations. Those who have been in the information security field for any extended period of time won't be surprised, but it's worth repeating.

I would recommend watching the video. It's only about 35 minutes long. If you don't have the time here are some notes I took on the talk.

BEST PRACTICES

  • Perform a third-party penetration test

  • Fix the items in the penetration test report

  • "You have to be continually defending and improving"

  • Understand the normal baseline for the traffic on the network

  • Monitor the network

  • Least privilege

  • Network segmentation

  • Enable and audit logs

  • Application white-listing (at the very least do high risk assets)

  • Anti-virus - reputation services

  • Incident response plan

 

RECOMMENDATIONS

This post first appeared on Exploring Information Security.

NSA infosec links December 30, 2014

Over 700 Million People Taking Steps to Avoid NSA Surveillance - Bruce Schneier - Schneier on Security

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

NSA waiting until Christmas Eve to reveal its embarrassing self-audit - Kevin Collier - The Daily Dot

The report is a collection of documents, heavily redacted, arranged by quarter, and ranging from the end of 2001 to the end of 2012. They largely catalog individual instances where a National Security Agency employee illegally or mistakenly used the agency’s powerful technology to search an American or a foreigner in the U.S. without a warrant, was caught, reprimanded, and the information deleted.

Prying Eyes: Inside the NSA's War on Internet Security - SPIEGEL Staff - SPIEGEL Online International

Today, NSA spies and their allies do their best to subvert the system their own military helped conceive, as a number of documents show. Tor deanonymization is obviously high on the list of NSA priorities, but the success achieved here seems limited. One GCHQ document from 2011 even mentions trying to decrypt the agencies' own use of Tor -- as a test case.


InfoSec links August 26, 2014

Father of PGP encryption: Telcos need to get out of bed with governments - Sean Gallagher - Ars Technica

Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.

“It wasn’t because there was anything actually wrong with the NIST algorithms,” Zimmermann explained. “After the Snowden revelations, we felt a bit resentful that NIST had cooperated with the NSA."

Edward Snowden: The most wanted man in the world - James Bamford - Wired

Despite being the subject of a worldwide manhunt, Snowden seems relaxed and upbeat as we drink Cokes and tear away at a giant room-service pepperoni pizza. His 31st birthday is a few days away. Snowden still holds out hope that he will someday be allowed to return to the US. “I told the government I’d volunteer for prison, as long as it served the right purpose,” he says. “I care more about the country than what happens to me. But we can’t allow the law to become a political weapon or agree to scare people away from standing up for their rights, no matter how good the deal. I’m not going to be part of that.”

Why So Many Card Breaches? A Q&A - Brian Krebs - Krebs on Security

Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.


Def Con links August 18, 2014

Hackers Unveil Their Plan to Change Email Forever - Denver Nicks - Time

Jon Callas, chief technology officer of Silent Circle and a co-founder of the Dark Mail project, told TIME that “the biggest problem we have today with email is that it was designed in the early 1970s and it was not designed for the problems we have today. Even the standard email encryption that we have today protects the content but not the metadata.”

You cannot 'cyberhijack' an airplane, but you can create mischief - Adam Greenberg - SC Magazine

Ultimately, airlines are very safe, Polstra said, but he added that nearly every protocol used in aviation is unsecured – meaning no encryption – and that there is potential to annoy air traffic control and small aircraft.

Founder of America's Biggest Hacker Conference: 'We Understand the Threat Now' - Denver Nicks - Time

Nothing changed before or after Snowden’s revelations. The security researchers knew that of course that’s what the NSA or any government can do. If you talked to the hackers last year it was like, “Of course you can do that. I’ve been doing that for 10 years.” But now that it’s sunken in at a more policy level you can have the conversation. Before you would say something to your parents and they’d be like, “Oh hahaha. You’re paranoid.” Next thing you know your parents are like, “Oh my God. You were not crazy. You’re not my paranoid son.” Now we’re at a place where people can relate and that’s a much more healthy place for us to be.


InfoSec links August 6, 2014

The NSA's Cyber-King Goes Corporate - Shane Harris - Foreign Policy

Join Army -> Rise to four-star general ->Become head of NSA -> Setup surveillance state -> Retire -> Create new security software to detect “cyber-intruders” -> profit

Why the Security of USB Is Fundamentally Broken - Andy Greenberg - WIRED

Welcome to my paranoia. USB drives are a wonderful thing. They really are. Unfortunately, they can be configured or programmed to be an awful thing and that is a scary thing. Never plug an untrusted, or unknown, USB anything into your computer. Ever!

Announcing EMET 5 - Security Research and Defense Blog - Microsoft

EMET is a fantastic tool and one of the easiest, quickest and cheapest ways to improve the security on your computers. I would highly recommend downloading it and giving it a try at home and at work.


Bruce Schneier infosec inception links July 8, 2014

Could Keith Alexander's Advice Possibly Be Worth $600K a Month? - Bruce Schneier - Schneier on Security

What does being the head of the National Security Agency (NSA) get you in retirement? A 600K asking price for security advice. And probably for good reason. Think of all the classified knowledge he has that could help an organization become secure.

NSA Targets the Privacy-Conscious for Surveillance - Bruce Schneier - Schneier on Security

If you use Tor, Tails or other privacy/anonymous types of sites and tools (or read BoingBoing), you’re likely being targeted for monitoring by the NSA.

NSA Employee Flees to Hong Kong -- You won't Believe What Happens Next - Bruce Schneier - Schneier on Security

Another batch of NSA documents has hit the media:

90% of the individuals eavesdropped on were not the targets of the surveillance.

What does the NSA do with the data once they’ve determined it’s unnecessary? Keep it.


InfoSec links June 19, 2014

iOS 8 to stymie trackers and marketers with MAC address randomization - Lee Hutchinson - ars technica

The good: MAC address randomization when scanning for a WiFi network sounds fantastic.

The bad: This looks like a business move, which forces companies to use iBeacon. iBeacon (or as I like to call it, iBacon) is a "location-based service that can be used to track users and issue alerts (or ads) to iOS device." Essentially, it's a business move for Apple.

Why the iOS 'Limit Ad Tracking' setting is more important than ever - Jason D. O'Grady - ZDNet

In my search for more information on MAC address randomization, I discovered the setting in the above link. The setting is believed to add a little more privacy to your iOS devices.

Designers create a Faraday-cage cloak to foil NSA, other spies - Casey Johnston - ars technica

I love this. Not only because it's privacy clothing, but because I would be a hat and a staff away from looking like a wizard. On a more serious note, this is awesome because it's one step closer to feasible clothing that protects your privacy.


NSA owns your tweets May 14, 2014


Information Security Link March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of the industry leaders in information security and, more specifically, cryptography. He is a very, very intelligent individual and you will become smarter reading his works, guaranteed. In this particular blog post he takes some quotes made by the NSA and Google to task, in regards to how they handle people's personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says its algorithms, which read your email, are like your dog:

“To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true.”
