The NSA’s Attention Span: Widely Focused on the Narrow

When the power of a nation-state is directed upon you, they have resources that completely boggle the mind.  This applies even if it’s a minor power: Estonia, Hungary, and Cambodia all have their own capabilities and, while very small compared to some, your ability to hide from a country that makes you Priority One is limited.  They have seasoned pros that are in all likelihood a lot better than you are, and the allies they call in when they need help are even more dangerous to you.

But of all the agencies, the National Security Administration possesses perhaps the most impressive capability for finding information on the planet.  This comes largely from being funded at a level that completely dwarfs every other nation (the NSA’s actual budget is classified, but it is believed to have received at least $10 billion and perhaps as much as $20 billion in the 2012-13 intelligence community budget) and having access to an array of locations and technologies that few if any other nations possess.  Many of its listening posts (not including temporary posts on ships, in aircraft, and set up in vehicles or shacks) are known even if exactly what each does is not, and their presence around the world shows the reach the NSA has through US allies.  Their technological edge includes supercomputers, interception methods, and hacking capabilities that render most defenses nearly moot.

The previous article discussed the difficulties associated with encryption, both in getting it right and in circumventing it by accessing the data via other means when it’s not encrypted.  In short, it requires some very careful planning to make sure that your implementation, from both a technical and an operational perspective, is as solid as it can be, and this is where most people fail.

This is not to say that encryption is useless.  Far from it.  If you’re trying to secure information from competitors, random attackers, or other enemies, it’s one of the best tools available.  Even if you’re doing something that a national agency doesn’t want you doing, it’s better to encrypt than to not, if possible and practical.  And there are ways to give even the most powerful adversary a headache.  But if you come under the scrutiny of the NSA, it becomes exceptionally difficult to effectively hide the contents of the message unless you take very specific precautions and you do it without failure every single time.

From this rises the second question from the last article: how do you avoid the NSA if they’re looking for you?  This turns out to be extraordinarily difficult not only because of the NSA’s reach into the world’s communications but also the legal framework in which the NSA operates.  We’ll start by looking at how far and with what difficulty the NSA can actually look.


Trust and the NSA: They’re Not Mutually Exclusive

The National Security Administration has, for good reason, been front and center in the news for the last couple of months.  What the NSA is mostly known for is signals intelligence (intercepting someone else’s communications) and cryptography.  It was founded in 1952 out of the ineffectual Armed Forces Security Agency for that specific purpose, in fact.  That mission has led it to tapping communications lines, setting up vast antenna arrays, and putting analysts in frigid shacks on the sterns of destroyers pitching in the stormy North Sea, all dedicated to getting The Other Guy’s communications.  And when it does get them, it tries to crack the encryption used (if any) and succeeds a lot.

In addition to that, the NSA has been tasked to ensure that communications for the United States government are secure.  It does this in a number of ways that include preventing leakage of the signals in the first place, but it’s most famous for its work in cryptography.  And if there’s one thing that they know, it’s that crypto is hard.

It knows that for one main reason, and that is its code-breaking section.  One of that section’s first duties, of course, is to break other nations’ codes.  But it also tries to break algorithms in and from the United States.  Any time the agency tasks someone to create or improve an encryption algorithm, another group that specializes in finding weaknesses in crypto algorithms is tasked to break it.  If that happens, it gets sent back to be fixed if possible or scrapped if not.  This is a good thing: if your friend can break your algorithm, there’s a good chance that your enemy can, too.

So take worldwide coverage and world-renowned crypto capabilities and combine them with the NSA’s mission, which has been eloquently stated: “The ability to understand the secret communications of our foreign adversaries while protecting our own communications–a capability in which the United States leads the world–gives our nation a unique advantage.”  In short, break theirs while protecting ours.  Part of protecting ours is ensuring that the encryption used, particularly by the federal government, is not breakable, while taking every available opportunity to break the encryption used by others.

Take this combination, and two questions naturally rise to the top.

  • How much do you trust the NSA?
  • How hard is it to avoid them if they’re looking for you?

It turns out that these are not easy questions to answer.  While there have been a lot of suspicions about whether the NSA has looked at only foreign traffic over the years, at least without a warrant, it was hard to find proof save for the rare leak.  Even the information that has come along in the documents so far released by Edward Snowden hasn’t made the extent of surveillance completely clear, and that makes it even harder to answer the questions.  We’ll look at the first of those questions today, and the second question in the next article.


Free Microsoft e-books

Here are some links I found a while back to free ebooks from Microsoft on a ton of topics including Windows (desktop and server), SQL Server, SCCM, Sharepoint, and application development.  The selection covers the range from beginners to advanced.

Large collection of Free Microsoft eBooks for you, including: SharePoint, Visual Studio, Windows Phone, Windows 8, Office 365, Office 2010, SQL Server 2012, Azure, and more.

Another large collection of Free Microsoft eBooks and Resource Kits for you, including: SharePoint 2013, Office 2013, Office 365, Duet 2.0, Azure, Cloud, Windows Phone, Lync, Dynamics CRM, and more.

Huge collection of Free Microsoft eBooks for you, including: Office, Office 365, SharePoint, SQL Server, System Center, Visual Studio, Web Development, Windows, Windows Azure, and Windows Server

Setting up gpg4win on Windows 8

A few weeks ago, when building my new computer, I decided to go with Windows 8, primarily for the under-the-hood improvements.  I won’t get into the overall experience, but I did run into a few issues getting security software installed, especially gpg4win, which I chose to enable PGP e-mail encryption.

The OpenPGP specification (encapsulated in RFC 4880) was created by Phil Zimmermann back in 1991 and is pretty much the standard for encrypting messages sent via the Internet.  However, implementing encryption is hard, and deploying encryption implementations isn’t always easy, either.  While Linux has several options built into most distros to handle this, Windows ends up with two primary options: PGP and gpg4win.  We’ll have a look at them and how to install the latter after the break.


July 2013 patches for Microsoft, Adobe, Oracle

It’s the second Tuesday of the month, and that means it’s Patch Tuesday once again!  Well, for two of the companies mentioned.  Oracle still sees the need to do things their way, so their patches are out a week from today.  Still, be aware that Java might (read: probably will) be patched here in the near future.

But let’s focus on what’s out today, shall we?  I’m going to try to display the information in a useful format without getting into tables and without extending things too long.  Microsoft has 7 patches that address 33 vulnerabilities; Adobe has 3 patches that address 6 vulnerabilities.  They’re all pretty much in the “patch ASAP” category.

Microsoft

  • MS13-052 – Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • .NET Framework on Windows (all versions)
      • Silverlight 5 running on Mac or Windows
    • Vulnerability Count: 7
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Silverlight is a little like Java in that its presence as an application framework is sometimes required for business purposes, but it should be removed where possible.  Unfortunately, Netflix requires it for PC viewing on Windows, so many millions of systems have it installed.  Fortunately, even Microsoft sees an end in sight for Silverlight and has largely discontinued its use.  Here’s hoping that the remaining users also see fit to scrap it.
  • MS13-053 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • Windows (all versions)
    • Vulnerability Count: 8
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: One of the public fixes is the bug that Tavis Ormandy found and published a couple of months ago.  Microsoft is downplaying the risk, saying that an attacker needs to have local access for the likely scenario to work, which presumes that a system not patched for this will be patched for everything else or that it won’t come in via e-mail or a web download.  I’ve leveraged it in a pen test through another remote vulnerability that wasn’t patched.  It’s really not hard to do.
  • MS13-054 – Vulnerability in GDI+ Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions)
      • Office (all except 2013)
      • Visual Studio .NET 2003
      • Lync Client for Windows (all versions)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: I considered putting this in the 30-day category, but it affects such a wide variety of software that I could not in good conscience do so.  This is probably going to be a quick target for attackers.
  • MS13-055 – Cumulative Security Update for Internet Explorer
    • Severity/Impact: Critical / Remote Code Execution, Information Disclosure
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 17
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s Internet Explorer.  It needs to be patched.  Sixteen of the vulnerabilities are memory corruption reported to Microsoft by at least a dozen people.  Memory corruption is a big topic of research these days.
  • MS13-056 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: This has to do with specially-formed GIF files, a file format in very wide use on the Internet, hence the short patch period.
  • MS13-057 – Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Most video is played back in Flash or HTML5, but there are still plenty of ways to get Windows Media Player to play something from the Internet.  Patch soon.
  • MS13-058 – Vulnerability in Windows Defender Could Allow Elevation of Privilege
    • Severity/Impact: Critical / Elevation of Privilege
    • Products Affected:
      • Windows Defender when installed on Windows 7 or Server 2008 R2 (does not affect Security Essentials or other Microsoft security software)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s antivirus software, so you should be patching it pretty much immediately.  However, my actual recommendation is to get a real AV product.  If you’re a business, you need to spend some money, but it’s worth it.  If you’re at home, there are plenty of good, free AV options to go with such as Avast or AVG if you don’t want to buy something.

Adobe

  • APSB13-17 – Critical security update for Adobe Flash Player
  • APSB13-18 – Critical security update for Adobe Shockwave Player
  • APSB13-19 – Critical security update for ColdFusion 10, Important update for 9.x