Posts Tagged ‘National Security Agency’

Hillary Clinton’s Damning Emails — Democrats Don’t Seem To Care

May 1, 2016

Before the Democrats lock in their choice for President, they might want to know if Hillary Clinton broke the law with her unsecure emails and may be indicted, a question that ex-CIA analyst Ray McGovern addresses.

Then-Secretary of State Hillary Rodham Clinton preparing to testify before the House Foreign Affairs Committee in 2012.  (Photo: House Committee on Foreign Affairs/flickr/cc)


A few weeks after leaving office, former Secretary of State Hillary Clinton may have breathed a sigh of relief and reassurance when Director of National Intelligence James Clapper denied reports of the National Security Agency eavesdropping on Americans. After all, Clinton had been handling official business at the State Department like many Americans do with their personal business, on an unsecured server.

In sworn testimony before the Senate Intelligence Committee on March 12, 2013, Clapper said the NSA was not collecting, wittingly, “any type of data at all on millions or hundreds of millions of Americans,” which presumably would have covered Clinton’s unsecured emails.

But NSA contractor Edward Snowden’s revelations — starting on June 5, 2013 — gave the lie to Clapper’s testimony, which Clapper then retracted on June 21 – coincidentally, Snowden’s 30th birthday – when Clapper sent a letter to the Senators to whom he had, well, lied. Clapper admitted his “response was clearly erroneous – for which I apologize.”  (On the chance you are wondering what became of Clapper, he is still DNI.)

I would guess that Clapper’s confession may have come as a shock to then ex-Secretary Clinton, as she became aware that her own emails might be among the trillions of communications that NSA was vacuuming up. Nevertheless, she found Snowden’s truth-telling a safer target for her fury than Clapper’s dishonesty and NSA’s dragnet.

In April 2014, Clinton suggested that Snowden had helped terrorists by giving “all kinds of information, not only to big countries, but to networks and terrorist groups and the like.” Clinton was particularly hard on Snowden for going to China (Hong Kong) and Russia to escape a vengeful prosecution by the U.S. government.

Clinton even explained what extraordinary lengths she and her people went to in safeguarding government secrets: “When I would go to China or would go to Russia, we would leave all my electronic equipment on the plane with the batteries out, because …they’re trying to find out not just about what we do in our government, they’re … going after the personal emails of people who worked in the State Department.” Yes, she said that. (emphasis added)

Hoisted on Her Own Petard

Alas, nearly a year later, in March 2015, it became known that during her tenure as Secretary of State she had not been as diligent as she led the American people to believe. She had used a private server for official communications, rather than the usual official State Department email accounts maintained on federal servers. Thousands of those emails would retroactively be marked classified – some at the TOP SECRET/Codeword level – by the department.

During an interview last September, Snowden was asked to respond to the revelations about highly classified material showing up on Clinton’s personal server: “When the unclassified systems of the United States government, which has a full-time information security staff, regularly gets hacked, the idea that someone keeping a private server in the renovated bathroom of a server farm in Colorado is more secure is completely ridiculous.”

Hillary Clinton. Credit Andrew Burton, Getty Images

Asked if Clinton “intentionally endangered US international security by being so careless with her email,” Snowden said it was not his place to say. Nor, it would seem, is it President Barack Obama’s place to say, especially considering that the FBI is actively investigating Clinton’s security breach. But Obama has said it anyway.

“She would never intentionally put America in any kind of jeopardy,” the President said on April 10. In the same interview, Obama told Chris Wallace, “I guarantee that there is no political influence in any investigation conducted by the Justice Department, or the FBI – not just in this case, but in any case. Full stop. Period.”

But, although a former professor of Constitutional law, the President sports a checkered history when it comes to prejudicing investigations and even trials, conducted by those ultimately reporting to him. For example, more than two years before Bradley (Chelsea) Manning was brought to trial, the President stated publicly: “We are a nation of laws. We don’t let individuals make decisions about how the law operates. He [Bradley Manning] broke the law!”

Not surprisingly, the ensuing court martial found Manning guilty, just as the Commander in Chief had predicted. Though Manning’s purpose in disclosing mostly low-level classified information was to alert the American public about war crimes and other abuses by the U.S. government, Manning was sentenced to 35 years in prison.

On March 9, when presidential candidate Clinton was asked, impertinently during a debate, whether she would withdraw from the race if she were indicted for her cavalier handling of government secrets, she offered her own certain prediction: “Oh, for goodness sake! It’s not going to happen. I’m not even answering that question.”

Prosecutorial Double Standards

Merited or not, there is, sadly, some precedent for Clinton’s supreme confidence. Retired General and ex-CIA Director David Petraeus, after all, lied to the FBI (a felony for “lesser” folks) about giving his mistress/biographer highly classified information and got off with a slap on the wrist, a misdemeanor fine and probation, no jail time – a deal that Obama’s first Attorney General Eric Holder did on his way out the door.

We are likely to learn shortly whether Attorney General Loretta Lynch is as malleable as Holder or whether she will allow FBI Director James Comey, who held his nose in letting Petraeus cop a plea, to conduct an unfettered investigation this time – or simply whether Comey will be compelled to enforce Clinton’s assurance that “it’s not going to happen.”

Last week, Fox News TV legal commentator Andrew Napolitano said the FBI is in the final stages of its investigation into Clinton and her private email server. His sources tell him that “the evidence of her guilt is overwhelming,” and that the FBI has enough evidence to indict and convict.

Whether Napolitano has it right or not, it seems likely that Clinton is reading President Obama correctly – no profile in courage is he. Nor is Obama likely to kill the political fortunes of the now presumptive Democratic presidential nominee. Yet, if he orders Lynch and Comey not to hold Hillary Clinton accountable for what – in my opinion and that of most other veteran intelligence officials whom I’ve consulted – amounts to at least criminal negligence, another noxious precedent will be set.

Knowing Too Much

This time, however, the equities and interests of the powerful, secretive NSA, as well as the FBI and Justice, are deeply involved. And by now all of them know “where the bodies are buried,” as the smart folks inside the Beltway like to say. So the question becomes would a future President Hillary Clinton have total freedom of maneuver if she were beholden to those all well aware of her past infractions and the harm they have done to this country.

One very important, though as yet unmentioned, question is whether security lapses involving Clinton and her emails contributed to what Clinton has deemed her worst moment as Secretary of State, the killing of Ambassador Christopher Stevens and three other U.S. personnel at the lightly guarded U.S. “mission” (a very small, idiosyncratic, consulate-type complex not performing any consular affairs) in Benghazi, Libya, on Sept. 11, 2012.

Somehow the terrorists who mounted the assault were aware of the absence of meaningful security at the facility, though obviously there were other means for them to have made that determination, including the State Department’s reliance on unreliable local militias who might well have shared that inside information with the attackers.

However, if there is any indication that Clinton’s belatedly classified emails contained information about internal State Department discussions regarding the consulate’s security shortcomings, questions may be raised about whether that information was somehow compromised by a foreign intelligence agency and shared with the attackers.

We know that State Department bureaucrats under Secretary Clinton overruled repeated requests for additional security in Benghazi. We also know that Clinton disregarded NSA’s repeated warnings against the use of unencrypted communications. One of NSA’s core missions, after all, is to create and maintain secure communications for military, diplomatic, and other government users.

Clinton’s flouting of the rules, in NSA’s face, would have created additional incentive for NSA to keep an especially close watch on her emails and telephone calls. The NSA also might know whether some intelligence service successfully hacked into Clinton’s server, but there’s no reason to think that the NSA would share that sort of information with the FBI, given the NSA’s history of not sharing its data with other federal agencies even when doing so makes sense.

The NSA arrogates to itself the prerogative of deciding what information to keep within NSA walls and what to share with the other intelligence and law enforcement agencies like the FBI. (One bitter consequence of this jealously guarded parochialism was the NSA’s failure to share very precise information that could have thwarted the attacks of 9/11, as former NSA insiders have revealed.)

It is altogether likely that Gen. Keith Alexander, head of NSA from 2005 to 2014, neglected to tell the Secretary of State of NSA’s “collect it all” dragnet collection that included the emails and telephone calls of Americans – including Clinton’s. This need not have been simply the result of Alexander’s pique at her disdain for communications security requirements, but rather mostly a consequence of NSA’s modus operandi.

With the mindset at NSA, one could readily argue that the Secretary of State – and perhaps the President himself – had no “need-to-know.” And, needless to say, the fewer briefed on the NSA’s flagrant disregard for Fourth Amendment protections against unreasonable searches and seizures the better.

So, if there is something incriminating – or at least politically damaging – in Clinton’s emails, it’s a safe bet that at least the NSA and maybe the FBI, as well, knows. And that could make life difficult for a Clinton-45 presidency. Inside the Beltway, we don’t say the word “blackmail,” but the potential will be there. The whole thing needs to be cleaned up now before the choices for the next President are locked in.

http://www.commondreams.org/views/2016/04/30/hillary-clintons-damning-emails

China Sentences Scientific Researcher to Death for Espionage, Saying He Sold Secrets

April 19, 2016

By Liu Zhen
South China Morning Post

Huang Yu handed over details of 150,000 classified papers for cash, according to state television report

PUBLISHED : Tuesday, 19 April, 2016, 12:40pm

China has sentenced to death an employee at a scientific research institution for espionage, state television reported.

Huang Yu, 41, was convicted of selling over 150,000 classified documents to foreign intelligence agencies, CCTV said.

These included 90 “top confidential”, 292 “confidential” and 1,674 “secret” files which leaked cipher codes for Communist Party, government, military and financial communications.

“This case would have led to bloodshed and cost lives if it happened in wartime,” the television report quoted a National Security Agency official as saying.

The report did not say who Huang was spying for.

Huang, a computer specialist, joined a research institute in Chengdu in Sichuan province in 1997 that develops China’s cryptographic communication codes and he kept copies of the state secrets he handled.

He offered online to sell military communication codes in 2002 and was contacted by foreign intelligence agencies, the report said.

After he was laid off in 2004 he continued to gather confidential information through his wife, relatives and former colleagues, according to state television.

 Evidence seized during the case. Photo: SCMP Pictures

He invited his family and co-workers to travel to Southeast Asia, Hong Kong and Macau with the money provided by foreign agencies and during the trips he handed over information saved on laptops and data storage devices.

He earned US$700,000 in 21 deals over 10 years, the report said.

“I bought many insurance policies for myself. In the event that I was unable to return from meetings with foreign agents, my family would have a fortune,” Huang was quoted as saying in the report.

He was caught by the authorities in 2011. As well as imposing the death sentence, the authorities have also seized the money he was given.

The report did not say whether he had already been executed.

His wife was jailed for five years and his brother-in-law for three for negligently leaking state secrets. Twenty nine of Huang’s co-workers were also punished, the report said.

http://www.scmp.com/news/china/policies-politics/article/1937023/china-sentences-scientific-researcher-death-selling

**************************

The New York Times

BEIJING — In a sign of China’s increasingly aggressive efforts to combat espionage and other security threats, the government said it had sentenced a former computer technician to death for selling 150,000 classified documents to foreign spies, according to state media reports on Tuesday.

The man, Huang Yu, 41, worked for a research institute specializing in cryptography in Chengdu, a city in southwestern China. He sold the materials, which included military codes, from 2002 to 2011, making about $700,000, the state-run broadcaster China Central Television reported. The government did not specify which spy agencies he had assisted.

Mr. Huang’s death sentence was the first known case of a Chinese citizen’s receiving the death penalty for espionage since 2008, when the government executed a biomedical researcher and a distant relative of his, accusing them of passing secrets to Taiwan.

The trove of information Mr. Huang is accused of selling, including 90 top-secret documents, represents one of the largest known leaks in China in recent years, national security experts said.

Read the rest:

http://www.nytimes.com/2016/04/20/world/asia/china-spy-death-sentence.html?ref=world&_r=0

Hillary Clinton’s Email Mess Could Still Be a “Teachable Moment” — “Hillary Clinton can serve a good purpose only if she becomes the sacrificial goat — and everyone in the government learns a lesson that this is unacceptable and will ruin you.”

April 19, 2016

By Bill Blum

  Hillary Clinton. Gage Skidmore / Flickr (CC-BY-SA)


Although the subject of Hillary Clinton’s emails did not come up during Thursday’s presidential debate, the heated controversy over the Democratic front-runner’s use of a private Internet server during her four-year stint as secretary of state is far from over.

Indeed, if recent reports published largely (though not exclusively) by right-wing news media have any credibility, the controversy is about to re-erupt with redoubled fury. Some on the right are even predicting that Clinton will soon be indicted.

The reason for the right’s breathless anticipation of Clinton’s demise is that the mysterious, eccentric and paranoid Romanian computer hacker who broke the email story back in 2013 was extradited to the United States last month pursuant to federal felony charges filed against him in 2014. The theory is that prosecutors will squeeze the hacker for incriminating evidence against Clinton. A trial date in the hacker’s case has been set for September, smack dab in the middle of the general election campaign, in federal district court in Alexandria, Va.

The hacker is one Marcel Lehel Lazar, who traffics under the nom de plume of “Guccifer”—a portmanteau or linguistic hybrid that by his own description combines the “style” of Gucci and the “light” of Lucifer. Guccifer believes the international economy is controlled by a cabal of the “Council of the Illuminati” and well-placed “radical” Jews. His self-appointed mission as a cybersleuth is to expose the Illuminati’s machinations to create a “new world order” in each of its nefarious aspects.

If all that sounds more than a tad loopy, rest assured that it is. But as zany as Guccifer’s weltanschauung may be, he’s also a devastatingly talented cyberstalker, and that’s bad news for Clinton and her backers.

So exactly who is Guccifer, and how did he come to play a central role in Clinton’s email crisis?

Now in his mid-40s, Guccifer lived with his wife and daughter in the village of Sambateni, Romania, until his conviction and ultimate imprisonment in his native land on hacking charges in 2014. An autodidact whose formal education ended with high school, he struggled with long-term unemployment, scrambling for occasional work as a taxi driver and a paint salesman, according to his statements in an exclusive interview published by the website Pando.com in March 2015.

Initially, as illustrated by both Pando and an earlier story written by New York Times reporter Andrew Higgins, Guccifer appears to have been motivated primarily by pedestrian desires for fame and an urge for self-promotion. His immediate goal was to expose and embarrass others who had achieved the notoriety he craved, but never to extort money.

He reportedly first took to hacking in 2010, equipped only with an old home computer and a cellphone. He has told Pando and the Times that his methods were, in essence, old school and low tech. Instead of using sophisticated algorithms, he would read articles and biographies about his targets and then painstakingly guess their email passwords until he gained access to their electronically stored information.

Starting small, his earliest victims were Romanian entertainers and soccer stars. But local authorities soon caught on to him, and a year later he was arrested. After pleading guilty to cybercrimes, he was given a suspended jail sentence on the condition that he go straight.

But he didn’t. As explained in the Pando exclusive, once released from custody, Guccifer trained his hacking sights on ever-bigger public figures. This time, using a proxy server based in Russia to hide his tracks, he not only began breaking into the email accounts of Romanian politicians, but he gained access to the emails and websites of such international celebrities as actor/comedian Steve Martin, “Downton Abbey” writer Julian Fellowes and journalist Carl Bernstein; business leaders like MetLife CEO Steven Kandarian; and a trove of former American government officials, such as ex-Nixon aide John Dean and Reagan-era White House chief of staff Ken Duberstein.

Guccifer’s exploits were exposed in the United States in February 2013, when The Smoking Gun website—one of a handful of Internet outlets, along with Gawker and Russia Today, that he frequently contacted to gloat about his triumphs and supply with documentation—reported that he had posted photos and correspondence from the email accounts of family members of former President George W. Bush. Among the released items were self-portraits of Bush taking a bath and standing in the shower.

Guccifer’s handiwork might have been considered little more than a series of annoying pranks had he not also turned his attention to former Secretary of State Colin Powell and longtime Clinton aide and confidant Sidney Blumenthal.

In March 2013, he managed to hack into Powell’s Facebook account, defacing it with phony status updates that insulted Bush and declaring that Powell, Bush and the Rockefellers would burn in hell. He also succeeded in compromising Powell’s AOL account, obtaining financial information and email exchanges with former government personnel.

But it was the breach of Blumenthal’s AOL email account, also in March 2013, that netted the biggest headlines for Guccifer and that now poses the greatest dangers to Clinton’s presidential ambitions.

The Smoking Gun revealed the Blumenthal hack on March 15, 2013, reporting that Guccifer had obtained emails Blumenthal had sent to Clinton during her tenure at the State Department. Some of the missives included attachments containing confidential intelligence memos Blumenthal had written on Libya and Benghazi, Syria and Bashir Assad, the Muslim Brotherhood and Egypt, Algeria and other foreign-policy topics and issues.

Five days after the Smoking Gun disclosure, Russia Today published the Blumenthal memos in their entirety.

At the time Blumenthal wrote and forwarded the memos, he was working as a full-time employee for the Clinton Foundation, pulling down a monthly salary of $10,000, according to Politico chief investigative reporter Ken Vogel. Anyone wishing to sort through and study them can do so by accessing the comprehensive searchable archive of emails sent to and from Clinton’s private server that has been published by WikiLeaks.

Although the Blumenthal memos appear to have been unsolicited by Clinton, there can be no question that she appreciated and valued them in her role as the nation’s top diplomat. For example, a day after receiving a Blumenthal memo on Egypt and the Muslim Brotherhood in August 2012, she forwarded it to State Department Director of Policy Planning Jake Sullivan, with the notation: “Best info yet. Let’s discuss before you forward [to others] this morning.”

Guccifer continued to stalk former U.S. policymakers well into 2013, breaching the personal email ledgers of one-time National Intelligence Council Chairman Christopher Kojm and ex-Defense Intelligence Agency official Roy Apseloff, among others.

Romanian authorities rearrested Guccifer in January 2014 for spying on national officials, including the head of the country’s intelligence service. He was convicted and sent to a maximum security prison.

In June 2014, a federal grand jury in Virginia returned a nine-count indictment against Guccifer, charging him with wire fraud, unauthorized access of a protected computer, aggravated identity theft, cyberstalking and obstruction of justice for accessing the email accounts of Powell and Blumenthal (who are referred to anonymously in the charging document as victims 3 and 5, respectively), as well as other violations. Soon thereafter, the U.S. initiated discussions with Romania aimed at securing his extradition—an effort that finally paid off late last month.

Remarkably, although Clinton installed her private email server in January 2009, a week before she was confirmed as secretary of state, the fact that she exclusively used private email in violation of State Department guidelines to conduct official business was not widely known until The New York Times ran a story about her server on March 2, 2015. Since then, speculation has been rampant that Clinton may have run afoul of several federal criminal statutes, not only for maintaining the server rather than using official government channels of communication, but for deleting over 30,000 emails that she and her staff unilaterally deemed purely personal before turning over 31,000 emails to the State Department.

The Justice Department has been investigating the email controversy at least since last July, and in February, the FBI publicly confirmed that it, too, had joined the probe. Earlier this month, FBI Director James Comey announced that the investigation was continuing and that it would be completed “well and promptly.”

It also has been widely reported that Clinton and several of her aides will be interviewed in the near future as part of the FBI/Justice Department probe. Clinton aide Bryan Pagliano, who helped set up the server, has been granted immunity by the Justice Department after refusing to testify before the Senate Judiciary Committee. The pressure and suspense, thus, are building.

Those calling for Clinton to be prosecuted tend to focus on two provisions of federal law—sections 1924 and 793 of Title 18 of the United States Code—dealing, respectively, with the unauthorized removal and retention of classified material, and the improper gathering, transmission or loss of information relating to the national defense. In an April 11 interview on the Fox Business Network, former Attorney General Michael Mukasey all but accused Clinton of committing a felony.

Others, who contend that prosecution is unlikely, including Clinton herself, focus on the fact that previous secretaries of state, such as Powell, also used private email to conduct official business. More importantly, Clinton and her defenders argue that no crimes were committed because the emails contained no information that was classified at the time they were sent or received.

In a detailed analysis published last week by Politico, White House correspondent Josh Gerstein staked out something of a middle ground in the roiling debate. After reviewing dozens of recent federal investigations involving alleged mishandling of classified records—including the 2015 prosecution of Gen. David Petraeus for providing top-secret material to a woman who was his biographer and mistress—Gerstein concluded there will be no indictment against Clinton unless prosecutors are convinced she acted with the intent to violate classification rules. In addition, Gerstein wrote, prosecutors will consider whether Clinton committed other aggravating acts beyond rule infractions, such as lying under oath or endangering national security.

Whether Guccifer, now that he is stateside and awaiting his day in the dock, can provide the missing elements and incentives needed for prosecuting Clinton is, as former Defense Secretary Donald Rumsfeld might put it, a gigantic and lingering “known unknown.” In his Pando interview, Guccifer said he anticipated collaborating with American intelligence agencies “when the day is right.” He also boasted that he had “a lot more [unreleased] material saved in the cloud.”

That material, if in fact it exists, may not prove sufficient to force Clinton to swap her trademark pantsuits for a set of prison jumpers. But the flood of disclosures Guccifer has already unleashed will continue to dog Clinton until Election Day, calling her values, character, judgment and fitness for office into constant question.

http://www.truthdig.com/report/item/an_odd_cloud_rolls_toward_hillary_clintons_campaign_20160417

A U.S. government cyber expert told Peace and Freedom, “The Obama administration would get its highest award for transparency from hackers and cyber spies. Hillary Clinton can serve a good purpose only if she becomes the sacrificial goat — and everyone in the government learns a lesson that this is unacceptable and will ruin you. Then we clean this problem up once and for all.”

Related:

*************************

All the cyberattacks on the U.S. government (that we know of)

BY SERGIO HERNANDEZ
Aug 18, 2015

Another day, another cyberattack.

Hackers accessed tax returns belonging to more than 300,000 people — more than twice officials’ initial estimate — when they breached an Internal Revenue Service program in May, stealing taxpayers’ personal information and generating nearly $50 million in fraudulent refunds, the agency said this week.

But the IRS hack is just one of more than a dozen cyberattacks on U.S. agencies in recent years, though the exact number and scope of attacks can be hard to gauge because officials are often reluctant to disclose or discuss them, let alone point fingers at suspected perpetrators. SY Lee, a spokesman for the U.S. Department of Homeland Security, told Mashable the agency did not “have a list” of cyberattacks on U.S. agencies.

IRS Commissioner John Koskinen

“I think there’s probably some reluctance to admit the depth of the problem,” said Wayne Jackson, CEO of Sonatype. “They are way more vulnerable than they would like for us to know.”

Overall, though, federal agencies have suffered at least a dozen major data breaches or network intrusions since 2007 — many reportedly at the hands of Russian and Chinese hackers, who have successfully targeted a nuclear research laboratory, the Postal Service, weather and satellite networks, administrative agencies holding sensitive personal information and even the White House itself, according to news reports.

Such attacks — often suspected to be state-sanctioned — are distinct from the kinds of cyber-assaults that have targeted commercial entities, such as retailers or banks. But those, too, are useful and frequent targets for foreign agents. According to a National Security Agency document obtained by NBC News, for instance, Chinese hackers targeted more than 600 government, corporate and private, including big firms like Google and Lockheed Martin, in a five-year period ending in 2014.

While none of the reported hacks have managed to infiltrate government agencies’ classified networks, the slew of cyberattacks has allowed hackers to steal valuable personal data — including Social Security numbers, addresses, dates of birth, health records and emails — belonging to millions of Americans, including top government officials.

Experts say these are high-tech means toward an old-fashioned end: Espionage.

When Chinese hackers allegedly broke into the Office of Personnel Management’s computer system and stole data belonging to 21 million Americans who had applied for — or knew someone who had applied for — a background check, experts warned that foreign actors could use the information from background check interviews — which includes everything from their financial histories to details about their sex lives — to blackmail or coerce victims.

“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target,” John Hultquist, senior manager for cyberespionage threat intelligence at iSight Partners, told the Washington Post in June.

When the hackers’ identities are known, diplomatic reasons might keep officials from naming names. But sometimes identifying the perpetrator — especially the skilled ones — is just too hard.

Known breaches of classified information, for example, are rare. That’s partly because truly sensitive information is often kept on networks that are never connected to the public internet, Jackson said. But sometimes, it’s because the hackers are just that good. Earlier this year, German magazine Der Spiegel reported that Chinese hackers had stolen “many terabytes” of classified data regarding a new U.S. fighter jet. The theft, which was believed to have occurred in 2007, went unreported for seven years.

“The difficulty of getting to [classified information] would imply a sort of nation-state kind of skill,” Jackson said. “Someone with that kind of skill would be very hard to detect because they’d be sufficiently capable that you’d almost certainly never know that they were there.”

http://mashable.com/2015/08/18/usg-cyberattacks/#_KsRggITnaqN


Lost emails from Clinton server discovered

March 25, 2016

By Julian Hattem
03/24/16 03:39 PM EDT

Conservative legal watchdogs have discovered new emails from Hillary Clinton’s private email server dating back to the first days of her tenure as secretary of State.

The previously undisclosed February 2009 emails between Clinton and her then-chief of staff, Cheryl Mills, raise new questions about the scope of emails from Clinton’s early days in office that were not handed over to the State Department for recordkeeping and may have been lost entirely.

Clinton’s presidential campaign has previously claimed that the former top diplomat did not use her personal “clintonemail.com” account before March 2009, weeks after she was sworn in as secretary of State.

But on Thursday, the watchdog group Judicial Watch released one message from Feb. 13, 2009, in which Mills communicated with Clinton on the account to discuss the National Security Agency’s (NSA) efforts to produce a secure BlackBerry device for her to use as secretary of State.

The discovery is likely to renew questions about Clinton’s narrative about her use of the private email server, which has come under scrutiny.

Last year, news organizations reported that Obama administration officials had discovered an email chain between Clinton and retired Gen. David Petraeus that began before Clinton entered office and continued through to Feb. 1. The chain of emails began on an earlier email system that Clinton used while serving in the Senate, but was reportedly transferred on to the clintonemail.com server.

In 2014, Clinton gave the State Department roughly 30,000 emails from her time in office that she said related to her work as the nation’s top diplomat. Another roughly 30,000 emails, which Clinton said contained personal information such as her daughter’s wedding plans and yoga routines, were deleted.

However, critics have questioned her decision to unilaterally delete the allegedly private emails without getting official input to determine which messages were personal and which were work-related.

Tom Fitton, the head of Judicial Watch, has said that he expects all of the emails to eventually come to light.

The State Department’s publicly released stash of Clinton emails begins on March 18, 2009. The new emails discovered by Judicial Watch are not contained in the State Department’s files.

A State Department official said on Thursday that Clinton “has previously acknowledged that she emailed with department officials before March 18, 2009, the date of the first email in the collection that former Secretary Clinton provided to the Department in December 2014.”

“Former Secretary Clinton has also indicated that she does not have access to work-related emails beyond those she turned over to the Department,” the official added, while noting that Clinton has confirmed in court proceedings that she gave over all the work-related messages she had.

“In September 2015, we also asked the FBI to inform us should it recover any records from Secretary Clinton’s server that we don’t already have,” the official added.

In the email released on Thursday, Mills told Clinton that an NSA official “indicated they could address our BB [BlackBerry] so that BB could work in” secure spaces, “based upon some modifications that could be done.”

“That’s good news,” Clinton responded.

Previous emails released as a result of Judicial Watch’s lawsuit have shown that the NSA dismissed initial attempts by Clinton’s team to secure her BlackBerry.

Fitton, the Judicial Watch head, described Thursday’s email as a repudiation of Clinton’s timeline.

“So now we know that, contrary to her statement under oath suggesting otherwise, Hillary Clinton did not turn over all her government emails,” he said in a statement. “We also know why Hillary Clinton falsely suggests she didn’t use clintonemail.com account prior to March 18, 2009 — because she didn’t want Americans to know about her February 13, 2009, email that shows that she knew her Blackberry and email use was not secure.”

http://thehill.com/policy/national-security/274230-lost-emails-discovered-from-clintons-server

U.S. going after Iranian hackers tied to cyber attacks — Second country after China

March 23, 2016

Reuters

Wed Mar 23, 2016 4:35pm EDT

The Obama administration is expected to blame Iranian hackers as soon as Thursday for a coordinated campaign of cyber attacks in 2012 and 2013 on a suburban New York City dam and several other targets, possibly including multiple U.S. banks, sources familiar with the matter have told Reuters.

In one of the largest foreign cyber attack cases since 2014 when the United States charged five Chinese military hackers, the U.S. Justice Department has prepared an indictment against about a half-dozen Iranians, said four sources, who spoke on condition of anonymity due to the sensitivity of the matter.

The charges, related to unlawful access to computers and other alleged crimes, were expected to be announced publicly by U.S. officials as soon as Thursday morning at a news conference in Washington, the sources said.

 

The indictment was expected to directly link the hacking campaign to the Iranian government, one source said.

Though the breach of back-office computer systems at the Bowman Avenue Dam in Rye Brook, New York has been reported, it was only part of a hacking campaign that was broader than previously known, as the indictment will show, the sources said.

In the intrusion of the dam computers, the hackers did not gain operational control of the floodgates, and investigators believe they were attempting to test their capabilities.

The dam breach coincided roughly with attacks on U.S. financial institutions. Cyber security experts have said these, too, were perpetrated by Iranian hackers against Capital One, PNC Financial Services and SunTrust Bank. Prosecutors were considering including those breaches in the indictment, sources said.

The hackers who were expected to be named in the indictment all reside in Iran, one source said.

The Justice Department declined to comment.

The indictment would be the Obama administration’s latest step to confront foreign cyber attacks on the United States. President Barack Obama accused and publicly condemned North Korea over a 2014 hack on Sony Pictures and vowed to “respond proportionally.” No details were made public of any retaliation.

James Lewis, a cyber security expert with the Center for Strategic and International Studies think tank, said, “We need to make clear that there will be consequences for cyber-attacks and that the Wild West days are coming to an end.”

Two weeks ago, it was widely reported that U.S. prosecutors were preparing an indictment against Iranian hackers related solely to the dam attack.

The broader indictment would come at a time of reduced tensions between the United States and Iran after a landmark 2015 nuclear deal. At the same time, the Obama administration has shown a willingness to confront Tehran for bad behavior.

Charging the Iranian hackers would be the highest-profile move of its type by the Obama administration since the Justice Department in 2014 accused five members of China’s People’s Liberation Army of hacking several Pennsylvania-based companies in an alleged effort to steal trade secrets.

‘WHEN, NOT IF’

U.S. national security professionals and cyber-security experts have grown increasingly worried about attacks on infrastructure including dams, power plants and factories.

That concern has grown since a December cyber attack in the Ukraine caused a blackout that temporarily left 225,000 customers without power.

Speaking at a cyber security conference earlier this month, National Security Agency chief Michael Rogers said it was a matter of “when, not if” another country launched a successful and destructive cyber attack on U.S. critical infrastructure like the one seen in Ukraine.

Some experts have said the United States is less well-equipped to respond to a major infrastructure attack because systems are more connected and reliant on the Internet.

The United States and Israel covertly sabotaged Iran’s nuclear program in 2009 and 2010 with the now-famous Stuxnet computer virus, which destroyed Iranian centrifuges that were enriching uranium.

(Reporting by Dustin Volz in Washington and Nate Raymond in New York; additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston; Editing by Kevin Drawbaugh and Jonathan Oatis)

Related:

Part of the building of ‘Unit 61398’, a secretive Chinese military unit, is seen in the outskirts of Shanghai February 19, 2013. The unit is believed to be behind a series of hacking attacks, a U.S. computer security company said, prompting a strong denial by China and accusations that it was in fact the victim of U.S. hacking. REUTERS/Carlos Barria

‘UglyGorilla,’ an alias of Chinese army official Wang Dong, allegedly controlled the computers of U.S. victims after a gang of cyber-hackers gained access by sending users fake ‘spearphishing’ emails that contained links to malware

‘Jack Sun’ (Top), a Chinese Army captain, ‘was observed both sending malicious emails and controlling victim computers,’  while ‘KandyGoo’ (Bottom) tested malicious email messages and managed domain accounts used by the Chinese

‘WinXYHappy’ may sound like an unoriginal Twitter handle, but it was the alias of an alleged Chinese army hacker (Top) who controlled Americans’ computer accounts while computer programmer ‘hzy_lhx’ (Bottom) and others managed online domains after the People’s Liberation Army got control of them

Read more: http://www.dailymail.co.uk/news/article-2633886/China-escalates-tensions-summons-U-S-envoy-U-S-brings-criminal-charges-against-Chinese-Army-officials-hacking-American-companies.html#ixzz32GoSW4NW

The National Security Agency Wants To Talk To Hillary Clinton

March 18, 2016

The FBI has been investigating Clinton for months—but an even more secretive Federal agency has its own important beef with her

US, EU warned of fallout if no data protection deal by January 31

January 18, 2016

AFP

Max Schrems, seen in Luxembourg on October 6, 2015, was the first to challenge the “Safe Harbour” arrangement between Washington and Brussels on the grounds it did not properly protect European data. AFP photo

BRUSSELS (AFP) – The top US and European trade groups have warned their leaders of enormous fallout for businesses and customers if the two sides fail to reach a new deal on data transfers by end January.

The European Court of Justice in October ruled that the EU-US “Safe Harbour” arrangement allowing firms to transfer European citizens’ personal information to the United States was “invalid” because it did not properly protect the data from spy agencies.

EU and US officials have held several rounds of talks for a new arrangement with European officials hoping for a new deal by the end of January, and the four business groups mentioning a “deadline” of January 31, 2016.

“We are writing to convey the critical importance of your efforts to come to a comprehensive and sustainable transatlantic agreement concerning data transfers,” the four business groups said in a letter to European Commission President Jean-Claude Juncker and US President Barack Obama.

A copy of the letter dated January 15 and obtained by AFP on Monday was signed by the heads of Business Europe, Digital Europe, the US Chamber of Commerce and the Information Technology Industry Council.

“This issue must be resolved immediately or the consequences could be enormous for the thousands of businesses and millions of users impacted,” the groups said.

EU officials said in November they were taking seriously businesses’ concerns about the legal void following the court ruling.

It has alarmed Washington which says it “put at risk the thriving transatlantic digital economy.”

The landmark verdict stemmed from a case lodged by Austrian law student Max Schrems, who challenged the deal between Washington and Brussels on the grounds it did not properly protect European data.

His concerns were raised by the scandal involving Edward Snowden, the former National Security Agency whistleblower who in 2013 revealed a worldwide US surveillance programme harvesting the data.

European Commissioner Vera Jourova said last year in the absence of “Safe Harbour,” data can still flow between the two continents under provisions of a 1995 EU directive where data protection, for example, is guaranteed by clauses in individual contracts.

But she admitted there was no substitute for a new arrangement.

A spokesman for the European Commission, the EU executive, told AFP that Juncker received the letter and that the aim was still to conclude the deal by the end of January but declined to say where negotiations stood.

House Will Look Into Whether NSA Collected Lawmakers’ Communications As WSJ Says

December 30, 2015

House Intelligence Committee Chairman Devin Nunes (R-Calif.) said Wednesday his committee is looking into whether the intelligence community collected communications between Israeli officials and members of Congress.

The move comes a day after the Wall Street Journal published a report that said the National Security Agency (NSA) spied on communications between Israeli Prime Minister Benjamin Netanyahu and Israeli officials, along with communications by members of Congress.

“The Committee has requested additional information from the [intelligence community] to determine which, if any, of these allegations are true, and whether the IC followed all applicable laws, rules, and procedures,” he said in a statement.

The report also said the NSA swept up conversations with members of Congress as Israeli officials lobbied lawmakers on the Iran nuclear deal and that White House officials were initially worried when they realized it was happening.

However, the administration then decided to let the NSA decide what to share.

“We didn’t say, ‘Do it,’” a senior U.S. official told the Journal. “We didn’t say, ‘Don’t do it.’”

The NSA reportedly found Netanyahu and his aides leaking details of the negotiation, coordinating talking points with Jewish-American groups against the deal and asking lawmakers how they could get their vote against the deal.

Netanyahu spoke out against a potentially unsatisfactory nuclear deal during a speech to a joint session of Congress in March. Although he communicated with members of Congress about the speech in advance, the administration was allegedly surprised when it was announced.

The report also said that the Obama administration decided to keep monitoring Netanyahu and Israel even as German Chancellor Angela Merkel and other NATO heads of state were considered off limits.

The administration decided that monitoring Netanyahu served a “compelling national security purpose,” according to the Journal, which cited unnamed current and former U.S. officials.

http://thehill.com/policy/national-security/264448-house-panel-looking-into-nsa-collecting-communications-between-israel-and

Did An NSA Backdoor Bring Down Security of U.S. Government and Corporate Computer Systems?

December 23, 2015

By Kim Zetter

Security researchers believe they have finally solved the mystery around how a sophisticated backdoor embedded in Juniper firewalls works. Juniper Networks, a tech giant that produces networking equipment used by an array of corporate and government systems, announced on Thursday that it had discovered two unauthorized backdoors in its firewalls, including one that allows the attackers to decrypt protected traffic passing through Juniper’s devices.

The researchers’ findings suggest that the NSA may be responsible for that backdoor, at least indirectly. Even if the NSA did not plant the backdoor in the company’s source code, the spy agency may in fact be indirectly responsible for it by having created weaknesses the attackers exploited.

Evidence uncovered by Ralf-Philipp Weinmann, founder and CEO of Comsecuris, a security consultancy in Germany, suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes. Weinmann reported his findings in an extensive post published late Monday.

They did this by exploiting weaknesses the NSA allegedly placed in a government-approved encryption algorithm known as Dual_EC, a pseudo-random number generator that Juniper uses to encrypt traffic passing through the VPN in its NetScreen firewalls. But in addition to these inherent weaknesses, the attackers also relied on a mistake Juniper apparently made in configuring the VPN encryption scheme in its NetScreen devices, according to Weinmann and other cryptographers who examined the issue. This made it possible for the culprits to pull off their attack.

Weinmann says the Juniper backdoor is a textbook example of how someone can exploit the existing weaknesses in the Dual_EC algorithm, noting that the method they used matches exactly a method the security community warned about back in 2007.

The new information about how the backdoor works also suggests that a patch Juniper sent to customers last week doesn’t entirely fix the backdoor problem, since the major configuration error Juniper made still exists.

“One [more] line of code could fix this,” Weinmann says. He’s not sure why Juniper didn’t add this fix to the patch it sent to customers last week.

Although the party behind the Juniper backdoor could be the NSA or an NSA spying partner like the UK or Israel, news reports last week quoted unnamed US officials saying they don’t believe the US intelligence community is behind it, and that the FBI is investigating the issue. Other possible culprits behind the sophisticated attack, of course, could be Russia or China.

If someone other than the US did plant the backdoor, security experts say the attack on Juniper firewalls underscores precisely why they have been saying for a long time that government backdoors in systems are a bad idea—because they can be hijacked and repurposed by other parties.

How the Backdoor Works

According to Weinmann, to make their scheme work, the attackers behind the Juniper backdoor altered Juniper’s source code to change a so-called constant or point that the Dual_EC algorithm uses to randomly generate a key for encrypting data. It’s assumed the attackers also possess a second secret key that only they know. This secret key, combined with the point they changed in Juniper’s software, the inherent weaknesses in Dual_EC, and the configuration error Juniper made, would allow them to decrypt Juniper’s VPN traffic.

The weaknesses in Dual_EC have been known for at least eight years. In 2007, a Microsoft employee named Dan Shumow gave a five-minute talk at a cryptography conference in California discussing discoveries that he and a Microsoft colleague named Niels Ferguson had made in the algorithm. The algorithm had recently been approved by the National Institute of Standards and Technology, along with three other random number generators, for inclusion in a standard that could be used to encrypt government classified communication. Each of the four approved generators is based on a different cryptographic design. Dual_EC is based on elliptic curves. The NSA had long championed elliptic curve cryptography in general and publicly championed Dual_EC specifically for inclusion in the standard.

Random number generators play a crucial role in creating cryptographic keys. But Shumow and Ferguson found that problems with the Dual_EC made it possible to predict what the random number generator would generate, making the encryption produced with it susceptible to cracking. But this wasn’t the only problem.

The NIST standard also included guidelines for implementing the algorithm and recommended using specific constants or points—static numbers—for the elliptic curve that the random number generator relies on to work. These constants serve as a kind of public key for the algorithm. Dual_EC needs two parameters or two points on the elliptic curve; Shumow and Ferguson referred to them as P and Q.

They showed that if Q is not a true randomly generated point, and the party responsible for generating Q also generates a secret key, what they referred to as “e”, then whoever has the secret key can effectively break the generator. They determined that anyone who possessed this secret key could predict the output of the random number generator with only a very small sample of data produced by the generator—just 32 bytes of output from it. With that small amount, the party in possession of the secret key could crack the entire encryption system.

No one knew who had produced the constants, but people in the security community assumed the NSA had produced them because the spy agency had been so instrumental in having the Dual_EC algorithm included in the standard. If the NSA did produce the constants, there was concern that the spy agency might have also generated a secret key.

Cryptographer Bruce Schneier called it “scary stuff” in a piece he wrote for WIRED in 2007, but he said the flaws must have been accidental because they were too obvious—therefore developers of web sites and software applications wouldn’t use it to secure their products and systems.

The only problem with this is that major companies, like Cisco, RSA, and Juniper did use Dual_EC. The companies believed this was okay because for years no one in the security community could agree if the weakness in Dual_EC was actually an intentional backdoor. But in September 2013, the New York Times seemed to confirm this when it asserted that Top Secret memos leaked by Edward Snowden showed that the weaknesses in Dual_EC were intentional and had been created by the NSA as part of a $250-million, decade-long covert operation to weaken and undermine the integrity of encryption systems in general.

Despite questions about the accuracy of the Times story, it raised enough concerns about the security of the algorithm that NIST subsequently withdrew support for it. Security and crypto companies around the world scrambled to examine their systems to determine if the compromised algorithm played a role in any of their products.

In an announcement posted to its web site after the Times story, Juniper acknowledged that the ScreenOS software running on its NetScreen firewalls does use the Dual_EC_DRBG algorithm. But the company apparently believed it had designed its system securely so that the inherent weakness in Dual_EC was not a problem.

Juniper wrote that its encryption scheme does not use Dual_EC as its primary random number generator and that it had also implemented the generator in a secure way so that its inherent vulnerabilities didn’t matter. It did this by generating its own constant, or Q point, to use with the generator instead of the questionable one that had been attributed to the NSA. Juniper also used a second random number generator known as ANSI X9.31. The Dual_EC generated initial output that was supposed to then be run through the ANSI generator. The output from the second random generator would theoretically cancel out any vulnerabilities that were inherent in the Dual_EC output.

Except Juniper’s system contained a bug, according to Willem Pinckaers, an independent security researcher in the San Francisco area who examined the system with Weinmann. Instead of using the second generator, it ignored this one and used only the output from the bad Dual_EC generator.

“What’s happening is they managed to screw it up in all the firmware, such that the ANSI code is there but it’s never used,” Weinmann told WIRED. “That’s a catastrophic fail.”

This put the output at risk of being compromised if an attacker also possessed a secret key that could be used with the Q point to unlock the encryption.

Weinmann and others discovered that the attackers altered Juniper’s Q and changed it to a Q they had generated. The attackers appear to have made that change in August 2012—at least that’s when Juniper started shipping a version of its ScreenOS firmware with a Q point that was different than previous versions used.

So essentially, although Juniper used its own Q point instead of using the one allegedly generated by the NSA, in an effort to make the Dual_EC more secure, the company hadn’t anticipated that attackers might break into Juniper’s network, gain access to critical systems used to build its source code, and change the Q again to something of their own choosing. And presumably, they also possess the secret key that works with the Q to unlock the encryption, otherwise they would not have gone to the trouble of changing Q. “It stands to reason that whoever managed to slip in their own Q [into the software] will also know the corresponding e,” Weinmann says.

This would not have been enough to make the backdoor work, however, if Juniper had indeed configured its system the way it said it did—using two random number generators and relying only on the second one, the ANSI generator, for the final output. But we now know it failed to do that. The backdoor remained undetected for at least three years, until Juniper recently discovered it during a code review.

Matthew Green, a cryptographer and professor at Johns Hopkins University, says that the ANSI failure raises additional questions about Juniper. “I don’t want to say that Juniper did this on purpose. But if you wanted to create a deliberate backdoor based on Dual_EC and make it look safe, while also having it be vulnerable, this is the way you’d do it. The best backdoor is a backdoor that looks like a bug, where you look at the thing and say, ‘Whoops, someone forgot a line of code or got a symbol wrong.’ … It makes it deniable. But this bug happens to be sitting there right next to this incredibly dangerous NSA-designed random number generator, and it makes that generator actually dangerous where it might not have been otherwise.”

The evidence that someone intentionally changed the Q parameter in Juniper’s software confirms what Shumow and Ferguson had warned: The inherent weaknesses in Dual_EC provide the perfect backdoor to the algorithm. Even if the algorithm was not intended to create a backdoor for the NSA, it made it possible for someone to piggyback on its weaknesses to turn it into a backdoor for themselves.

Even more worrisome is that Juniper systems are still essentially insecure. Juniper didn’t patch the problem by removing Dual_EC altogether or by altering the configuration so that the VPN encryption scheme relies on output from the ANSI generator; instead Juniper patched it simply by changing the Q point back to what the company originally had in the system. This leaves the firewalls susceptible to attack again if attackers can change the points a second time without Juniper detecting it.

The company, Weinmann says, should at least issue a new patch that makes the system use the ANSI generator and not the Dual_EC one.

“It would take one line of code to fix this,” he says.

And there’s another problem, he notes.

Juniper admitted that it had generated its own Q for Dual_EC, but it has not revealed how it generated Q—so others can’t verify that Juniper did it in a truly random way that would ensure its security. And in generating its own Q, it raises questions about whether Juniper also generated its own secret key, or “e” for the generator, which would essentially give Juniper a backdoor to the encrypted VPN traffic. This should worry customers just as much as the NSA holding a key to the backdoor, Weinmann says.

“It now depends on whether you trust them to have generated this point randomly or not. I would probably not do that at this point,” he says, given the other mistakes the company made.

Green says because of the weakness inherent in Dual_EC, Juniper should have removed it back in 2013 after the Times story published and should do so now to protect customers. “There’s no legitimate reason to put Dual_EC in a product,” he says. “There never was. This is an incredibly powerful and dangerous code and you put it in your system and it creates a capability that would not have been there otherwise. There’s no way to use it safely.”
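The P, Q and e relationship described under “How the Backdoor Works”, and the concern above that a Q of unexplained origin cannot be checked by outsiders, shown as an added Python example (not code from Wired, Weinmann or Juniper). The 13-bit curve, the seed values and every function name are constructed for illustration, and the toy leaves out the output truncation and the ANSI X9.31 stage that real deployments have.

```python
import hashlib
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p (NOT a NIST curve).
p, A, B = 8191, -3, 5  # p is prime with p % 4 == 3, so a square root is one pow()


def add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift(x):
    """Return a curve point with x-coordinate x (either y), or None if none exists."""
    rhs = (x * x * x + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None


def order(pt):
    """Order of pt by repeated addition (feasible only on a toy curve)."""
    n, acc = 1, pt
    while acc is not None:
        acc, n = add(acc, pt), n + 1
    return n


P = next(pt for pt in map(lift, range(1, p)) if pt and pt[1])  # public base point
N = order(P)
# Whoever picks Q also picks the secret e, so that e * Q == P.
E = next(c for c in range(N // 3, N) if gcd(c, N) == 1)
Q_BACKDOORED = mul(pow(E, -1, N), P)


class DualEC:
    """Simplified Dual_EC: emit x(s*Q), then update the state to x(s*P)."""

    def __init__(self, seed, q):
        self.s, self.q = seed, q

    def next(self):
        k = self.s % N or 1  # toy-only guard against multiplying by 0 mod N
        out = mul(k, self.q)[0]
        self.s = mul(k, P)[0]
        return out


def predict(output, e, q, count):
    """From one raw output x(s*Q), rebuild the next state and future outputs."""
    # lift(output) is +/- s*Q, so e * (+/- s*Q) = +/- s*P has x-coordinate x(s*P).
    clone = DualEC(mul(e, lift(output))[0], q)
    return [clone.next() for _ in range(count)]


def derive_q(seed: bytes):
    """Verifiable Q: hash a public seed and counter until the digest is a valid x."""
    for ctr in range(256):
        digest = hashlib.sha256(seed + bytes([ctr])).digest()
        pt = lift(int.from_bytes(digest, "big") % p)
        if pt:
            return pt
    raise ValueError("no curve point found for this seed")


if __name__ == "__main__":
    victim = DualEC(seed=4242, q=Q_BACKDOORED)
    seen = victim.next()  # one raw output observed by the holder of e
    print("predicted:", predict(seen, E, Q_BACKDOORED, 4))
    print("actual:   ", [victim.next() for _ in range(4)])
    print("Q matches public seed:", derive_q(b"constructed-seed") == Q_BACKDOORED)
```

A Q produced by `derive_q` can be recomputed by anyone from the published seed, while a Q chosen together with a secret e cannot, which is the check outsiders are unable to run when a vendor does not say how its Q was generated.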

http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

*******************************

Juniper Networks announced a serious security flaw on 17 December but said there was ‘no way to detect that this vulnerability was exploited’. Photograph: Oliver Berg/DPA/Corbis

Juniper Networks security flaw may have exposed US government data

Secure networking devices used by the US Defense Department and the FBI could have been targeted by a vulnerability that lay undetected for three years

Two security flaws that lay undiscovered in Juniper Networks’ widely used corporate virtual private network (VPN) software for three years could have exposed sensitive information to foreign governments or criminal groups, researchers have said.

The vulnerabilities were in the form of “unauthorised code” discovered during a recent internal code review and announced on 17 December. One of the flaws could have allowed hackers to decrypt information passing through Juniper’s devices, including equipment for a secure network used by companies internally.

“Whoever planted it would have access to all the VPN traffic,” said Seth Rosenblatt, managing editor of the security and privacy site the Parallax. “Data that the VPN user thought was protected from prying eyes may have been spied on.”

The FBI is reportedly investigating the breach, which could be the work of a foreign government, though the investigation is ongoing.

German security researcher Ralf-Philipp Weinmann suggested the hack took advantage of weaknesses in the password encryption algorithm “Dual_EC” that were reportedly engineered by the NSA, which then promoted the tool as a standard.

“Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” said Bob Worrall, SVP and chief information officer at Juniper Networks.

Read the rest:

http://www.theguardian.com/technology/2015/dec/22/juniper-networks-flaw-vpn-government-data

Obama administration had “secret policy” to not include social media reviews in vetting for entry to the U.S. because of a fear of “bad public relations” — Fourteen Americans died in San Bernardino, in part, because of that policy

December 14, 2015

By Brian Ross, Rhonda Schwartz, James Gordon Meek and Josh Margolin

ABC News

