
posted by Fnord666 on Tuesday December 05 2017, @08:48AM
from the tinker-tailor-soldier-spy dept.

A former National Security Agency employee who worked at Tailored Access Operations has pleaded guilty to willful retention of national defense information, the same charge Harold T. Martin III faces:

A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.

Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence. Prosecutors agreed not to seek more than eight years, however, and Mr. Pho's attorney, Robert C. Bonsib, will be free to ask for a more lenient sentence. He remains free while awaiting sentencing on April 6.

Mr. Pho had been charged in secret, though some news reports had given a limited description of the case. Officials unsealed the charges on Friday, resolving the long-running mystery of the defendant's identity.

Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen. Prosecutors withheld from the public many details of his government work and of the criminal case against him, which is linked to a continuing investigation of Russian hacking.

Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security
Reality Winner NSA Leak Details Revealed by Court Transcript


Original Submission

Related Stories

"The Shadow Brokers" Claim to Have Hacked NSA 13 comments

A group is claiming that they hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):

A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

Also at Computerworld:

The whole episode screams elaborate SCAM, but maybe it is legit, as Twitter chatter by some security experts seems to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.

Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."


Original Submission

The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA 5 comments

The Shadow Brokers are back, and they have a treat for you:

"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.

[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.

Previously:

"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act


Original Submission

Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools 35 comments

On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.

Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.

[...] An unnamed US official told the paper that Martin allegedly hoarded more than 75 percent of the TAO's library of hacking tools. It's hard to envision a scenario under which a theft of that much classified material by a single individual would be possible.

Source:

https://arstechnica.com/tech-policy/2017/02/former-nsa-contractor-may-have-stolen-75-of-taos-elite-hacking-tools/


Original Submission

Former NSA Contractor Harold Martin Indicted 24 comments

Days after the Washington Post reported on the hoarding of Tailored Access Operations tools by Harold T. Martin III, a federal grand jury has indicted the former NSA contractor:

A federal grand jury has indicted a former National Security Agency contractor on 20 counts of willful retention of national defense information.

According to prosecutors, Harold "Hal" Martin took a slew of highly classified documents out of secure facilities and kept them at his home and in his car. Earlier this week, the Washington Post reported that among those materials, Martin is alleged to have taken 75 percent of the hacking tools that were part of the Tailored Access Operations, an elite hacking unit within NSA.

The indictment outlines 20 specific documents that he is accused of having taken, including "a March 2014 NSA leadership briefing outlining the development and future plans for a specific NSA organization."

Previously: NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA


Original Submission

NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security 20 comments

Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.

It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication.

The formerly-classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files from August 2012 to May 2013.

"NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms" under its "Secure-the-net" initiative, the report says.

Data centre access is supposed to be governed by two-person access controls, the report notes, and the rollout of 2FA to "all high-risk users" was incomplete at the time of writing.

The agency had too many users with admin privileges, the report continues, they're insufficiently monitored, and the NSA had not cut the number of agents authorised to carry out data transfers.

Giving the NSA more funding could probably fix it.


Original Submission

Reality Winner NSA Leak Details Revealed by Court Transcript 47 comments

Reality Winner, a former NSA contractor accused of leaking a document to The Intercept, has had her interrogation by the FBI detailed in a transcript filed by federal prosecutors:

A National Security Agency contractor accused of leaking a classified report on Russian hacking aimed at the 2016 election told FBI agents she smuggled the document out of a high security intelligence facility in her pantyhose. That and other details appear in a transcript federal prosecutors filed in court Wednesday detailing the interrogation of 25-year-old linguist Reality Winner by the FBI as they carried out a search warrant at her home in June.

[...] Winner appears to say she believed the contents of the report — which described Russian spearphishing cyberattacks aimed at U.S. voter registration databases — should be in the public debate. "I saw the article and was like, I don't understand why this isn't a thing," she said. "It made me very mad ... I guess I just didn't care about myself at that point. ... Yeah, I screwed up royally."

[...] The transcript hints at possible political motivations for the leak. Winner says she objected to her workplace tuning the TV to Fox News. She also had a signed photo of CNN Anchor Anderson Cooper, although she said the signature was fake. "I wasn't trying to be a Snowden or anything," Winner said, referring to NSA leaker Edward Snowden and his massive disclosures of details on U.S. government surveillance. "I guess it's just been hard at work because ... I've filed formal complaint about them having Fox News on, you know? Uh, at least, for God's sake, put Al Jazeera on, or a slideshow with people's pets. I've tried anything to get that changed." Despite Winner's statement to the FBI agents, prosecutors say that in a Facebook chat in March with her sister, Winner said she was on the "side" of both Snowden and WikiLeaks founder Julian Assange.

On pages 4-5 of the transcript, the FBI agents discuss letting Reality Winner (RW) put groceries in her fridge and leash up her dog. Do they teach them that technique at the Academy?

Previously: Feds Arrest NSA Contractor in Leak of Top Secret Russia Document


Original Submission

Former NSA Employee Nghia Pho Sentenced to 66 Months in Prison for Retention of Documents and Code 28 comments

NSA employee who brought hacking tools home sentenced to 66 months in prison

Nghia Hoang Pho, a 68-year-old former National Security Agency employee who worked in the NSA's Tailored Access Operations (TAO) division, was sentenced today to 66 months in prison for willful, unauthorized removal and retention of classified documents and material from his workplace—material that included hacking tools that were likely part of the code dumped by the individual or group known as Shadowbrokers in the summer of 2016.

Pho, a naturalized US citizen from Vietnam and a resident of Ellicott City, Maryland, had pleaded guilty to bringing home materials after being caught in a sweep by the NSA following the Shadowbrokers leaks. He will face three years of supervised release after serving his sentence. His attorney had requested home detention.

In a letter sent to the court in March, former NSA Director Admiral Mike Rogers told Judge George Russell that the materials removed from the NSA by Pho "had significant negative impacts on the NSA mission, the NSA workforce, and the Intelligence Community as a whole." The materials Pho removed, Rogers wrote, included:

[S]ome of NSA's most sophisticated, hard-to-achieve, and important techniques of collecting [signals intelligence] from sophisticated targets of the NSA, including collection that is crucial to decision makers when answering some of the Nation's highest-priority questions... Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of security topics. Compromise of one technique can place many opportunities for intelligence collection and national security insight at risk.

Previously: Former NSA Employee Nghia Pho Pleads Guilty to Willful Retention of National Defense Information

Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
Former NSA Contractor Harold Martin Indicted


Original Submission

  • (Score: 4, Insightful) by Anonymous Coward on Tuesday December 05 2017, @09:57AM (5 children)

    by Anonymous Coward on Tuesday December 05 2017, @09:57AM (#605565)

    But he had installed on his home computer antivirus software made by Kaspersky Lab, a top Russian software company, and Russian hackers are believed to have exploited the software to steal the documents, the officials said.

    Who really believes that "Russian Hackers" exploited the Kaspersky software to steal the documents?

    Seems more likely that the AV software worked as designed, detected potential malware and submitted various archives containing malware and documents[1]. Other AV software has similar features - submit samples to "Cloud".

    Conclusion: if you want to detect NSA zero-day malware you might consider adding Kaspersky software to your arsenal. And the NSA et al. aren't happy with that so they'd prefer if fewer people use Kaspersky due to evil "Russian Hackers"...

    [1] https://betanews.com/2017/10/26/kaspersky-nsa-files/ [betanews.com]

    One of the infections in the USA consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group.
    The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.

    • (Score: 5, Interesting) by jcross on Tuesday December 05 2017, @02:04PM

      by jcross (4009) on Tuesday December 05 2017, @02:04PM (#605621)

      Sounds somewhat plausible. Another possible narrative I thought of (leaning in the other direction) is that the guy was compromised somehow and then instructed to install Kaspersky and take the documents home. I mean it's a great cover story if/when the leak gets found out. Maybe instead of arranging sophisticated dead drops, the spies of the future will always have their documents "stolen" from them, since unlike in the old days you'll never be expected to notice when someone copies a file and exfiltrates it over the internet.

    • (Score: 2) by DeathMonkey on Tuesday December 05 2017, @06:58PM (3 children)

      by DeathMonkey (1380) on Tuesday December 05 2017, @06:58PM (#605756) Journal

      Who really believes that "Russian Hackers" exploited the Kaspersky software to steal the documents?

      Israel's intelligence officers watched them do it. [nytimes.com]

      • (Score: 2, Insightful) by Anonymous Coward on Tuesday December 05 2017, @08:04PM (1 child)

        by Anonymous Coward on Tuesday December 05 2017, @08:04PM (#605788)

        Who believes Israeli intelligence officers?

        • (Score: 0) by Anonymous Coward on Wednesday December 06 2017, @12:49AM

          by Anonymous Coward on Wednesday December 06 2017, @12:49AM (#605923)

          Ummm.... jews?

      • (Score: 0) by Anonymous Coward on Wednesday December 06 2017, @10:08AM

        by Anonymous Coward on Wednesday December 06 2017, @10:08AM (#606061)

        That's like believing the Mossad when they claim the Russians robbed your house because they were there watching the whole thing when it happened.

  • (Score: 3, Funny) by Bot on Tuesday December 05 2017, @02:38PM (2 children)

    by Bot (3902) on Tuesday December 05 2017, @02:38PM (#605635) Journal

    - so, mr. Pho, you were not born here?
    - nyet... er... no, I am Vietnamese by birth.
    (the NSA head hunter turns his notebook to a page named "Countries we have been at war with" and begins to scan the list)
    - "Yemen, Afghanistan, Pakistan, Libya, ISIS, North Korea, Iraq, Serbia, Kosovo, Bosnia, Haiti, Somalia, Panama... OK, looks clean. Welcome aboard, mr Pho."

    --
    Account abandoned.
    • (Score: 3, Informative) by PinkyGigglebrain on Tuesday December 05 2017, @06:33PM (1 child)

      by PinkyGigglebrain (4458) on Tuesday December 05 2017, @06:33PM (#605742)

      Some of us are old enough to remember that the USA was at war* with Vietnam back in the 1960s.

      *the US Congress never actually made a formal declaration of war as required under the US Constitution so the conflict was technically a "military action", just like every "war" the US has engaged in since.

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: -1, Offtopic) by Anonymous Coward on Tuesday December 05 2017, @06:18PM (1 child)

    by Anonymous Coward on Tuesday December 05 2017, @06:18PM (#605735)

    Did HRC retain "national defense information"? You'd think with such a juicy target, prosecutors would bound over themselves to file charges (haha).

    • (Score: 2) by arslan on Wednesday December 06 2017, @12:52AM

      by arslan (3462) on Wednesday December 06 2017, @12:52AM (#605925)

      She wasn't using Kaspersky AV?
