Showing posts with label NSA.

Saturday, April 22, 2023

AI Tools Will Inspire Hacks

Inevitable, especially as they are easier to test and use.

AI Tools like ChatGPT likely to empower hacks, NSA cyber boss warns

By Colin Demarest, Wednesday, Apr 12, in c4isrnet.com

WASHINGTON — Generative artificial intelligence that fuels products like ChatGPT will embolden hackers and make email inboxes all the more tricky to navigate, according to the U.S. National Security Agency cybersecurity director.

While much-debated AI tools will not automate or elevate every digital assault, phishing scheme or hunt for software exploits, NSA’s Rob Joyce said April 11, what it will do is “optimize” workflows and deception in an already fast-paced environment.

“Is it going to replace hackers and be this super-AI hacking? Certainly not in the near term,” Joyce said at an event hosted by the Center for Strategic and International Studies think tank. “But it will make the hackers that use AI much more effective, and they will operate better than those who don’t.”

U.S. officials consider mastery of AI critical to long-term international competitiveness — whether that’s in defense, finance or another sector. At least 685 AI projects, including several tied to major weapons systems, were underway at the Pentagon as of early 2021.

With enough training, the technology can handle menial tasks, such as answering questions and digging up contact information, or augment military operations by parsing tides of incoming information and facilitating exploration of areas deemed too dangerous for troops.

Something as sophisticated as OpenAI’s ChatGPT, Joyce said Tuesday, can be used to “craft very believable native-language English text” that can then be applied to phishing attacks or foreign influence campaigns. ChatGPT is capable of holding humanlike conversations with enough prompting, and it can provide content like poetry, essays or computer code within seconds.

“That’s going to be a problem,” Joyce said. ...

Wednesday, November 30, 2022

Securing Software Supply Chains

From Bruce Schneier, with further commentary:

The NSA (together with CISA) has published a long report on supply-chain security: “Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.”

Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.

Software suppliers will find guidance from NSA and our partners on preparing organizations by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.

They previously published “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” And they plan on publishing one focused on customers.

Friday, November 18, 2022

NSA Urges Shift to Memory Safe Programming Languages

Useful thoughts, also discussed in detail in the current 'Security Now' episode.

In Malwarebytes: NSA urges shift to Memory Safe Programming Languages

See also: statement from Defense.gov (technical).

Posted below: November 12, 2022, by Pieter Arntz

Neal Ziring, a Technical Director at the National Security Agency (NSA), has been dropping some truth bombs:

“Memory management issues have been exploited for decades and are still entirely too common today.”

We wholeheartedly agree. Poor memory management has been the root cause for way too many vulnerabilities, for way too long. And that's before you consider all the non-exploitable errors and crashes that could have been avoided by using memory safe languages (and other protections) when developing software.

So, if it's been true for so long, why are we writing about it now? Because the NSA has published a Cybersecurity Information Sheet that provides guidance on how to protect against software memory safety issues.

The underlying reason is that many popular programming languages, such as C and C++, provide a lot of freedom and flexibility in memory management. That sounds good, but it relies heavily on the programmers writing and maintaining the code to do the right thing and perform the needed checks on memory references.

Trusting programmers to get it right...has not been good for security.

The NSA information sheet advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, to a memory safe language where possible.

Memory issue examples

So, what are these memory issues?

If you ever read our posts describing security vulnerabilities you will see a lot of phrases like "buffer overflow", "failure to release memory", "use after free", "memory corruption", and "memory leak". These are all memory management issues.

We've reproduced a few examples below, from InitialCommit.com (you can see more on the page we've linked to). In a real program—we hope—these errors would be harder to spot.

Not freeing memory after allocation

In the first example, the variable "memory" is used to store the output of the C malloc function, which allocates memory. However, the memory allocated to "memory" the first time it is used is never released.

If memory is continually allocated like this and never freed, an attacker might be able to use it to perform a denial-of-service attack on the software by causing it to run out of memory. ... (Continues; technical.)
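As an added illustration, constructed for this post and not the InitialCommit or Malwarebytes code the article refers to, the never-freed allocation pattern described above sits beside its corrected form, with a bookkeeping counter standing in for the heap growth a long-running service would suffer:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demonstration: counts outstanding heap blocks so the
 * difference between the two handlers is visible without a profiler. */
static size_t live_allocations = 0;

/* Leaky version: each call allocates a working buffer and never
 * releases it. After return, the pointer is gone but the block remains. */
int handle_request_leaky(const char *input)
{
    char *memory = malloc(strlen(input) + 1);
    if (memory == NULL)
        return -1;               /* allocation failure: nothing to free */
    live_allocations++;
    strcpy(memory, input);
    int len = (int)strlen(memory);
    return len;                  /* 'memory' is leaked on this path */
}

/* Fixed version: the buffer is freed before every successful return,
 * so repeated calls do not grow the heap. */
int handle_request_fixed(const char *input)
{
    char *memory = malloc(strlen(input) + 1);
    if (memory == NULL)
        return -1;
    live_allocations++;
    strcpy(memory, input);
    int len = (int)strlen(memory);
    free(memory);
    live_allocations--;
    return len;
}

/* Drive a handler n times with a constructed payload and report how
 * many blocks are still outstanding afterwards. */
size_t leaked_after(int (*handler)(const char *), int n)
{
    live_allocations = 0;
    for (int i = 0; i < n; i++)
        handler("constructed request payload");
    return live_allocations;
}

int main(void)
{
    printf("leaky handler: %zu blocks outstanding after 1000 requests\n",
           leaked_after(handle_request_leaky, 1000));
    printf("fixed handler: %zu blocks outstanding after 1000 requests\n",
           leaked_after(handle_request_fixed, 1000));
    return 0;
}
```

Building with -fsanitize=address on Linux makes the leaky handler's unreleased blocks show up in the leak report at exit, which is the kind of check a build pipeline can enforce even before a language change.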

Friday, November 11, 2022

Over Surveillance Discovered

See also Bruce Schneier for further comments, including a link to the full report.


NSA Watchdog Concluded One Analyst’s Surveillance Project Went Too Far

Newly unearthed inspector general’s report is coda to Snowden-era controversy over NSA surveillance methods.

The National Security Agency’s headquarters in Fort Meade, Maryland. By Jason Leopold, Katrina Manson, and William Turton, in Bloomberg, November 1, 2022

An “experienced” analyst working at the National Security Agency developed a surveillance project about a decade ago that resulted in the unauthorized targeting and collection of private communications of people or organizations in the US, newly unearthed documents show.

An investigation into the matter, which hasn’t been previously reported, found that the analyst “acted with reckless disregard” and violated numerous rules and possibly the law, according to a 2016 report by the NSA’s Office of Inspector General. The agency released the report in response to a Freedom of Information Act lawsuit. 

The inspector general’s report sheds new light on unauthorized surveillance and lax oversight at a secretive agency whose global eavesdropping methods have faced intense scrutiny for vacuuming up massive amounts of data — including on Americans, who are protected by US law from being surveilled without authorization. The IG’s investigation unfolded as the first news stories were being published based on leaked classified documents from former NSA contractor Edward Snowden.

The inspector general’s report also reveals how a single analyst was given relatively free rein to develop a surveillance technique that many of his superiors didn’t understand. And it shows the lengths to which whistleblowers inside the agency went to get their allegations taken more seriously. The full report is here.

Many details about the analyst’s project aren’t known. The inspector general deemed the analyst’s action “egregious” in hindsight but noted he got conflicting guidance, told by some officials that his activities were acceptable and told by others to stop. The February 2016 report, which spans more than 400 pages and had been classified top secret, is heavily redacted. It’s not known if the analyst—or anyone else—was held accountable for what the inspector general described as potentially illegal surveillance.

The NSA didn’t respond to specific questions about the report, including whether any action was taken against the analyst. But an NSA spokesperson provided a statement saying that the agency is “fully committed to the rigorous and independent oversight provided by the NSA Inspector General’s Office.”

“The NSA operates in a culture of compliance to ensure that NSA’s foreign intelligence mission is conducted in accordance with all applicable laws, regulations and procedures,” the spokesperson said.

The analyst said he was working on a “SIGDEV” effort, according to the report. That is short for signals intelligence development, aimed at finding and improving new avenues for eavesdropping. Two former NSA officials who reviewed the report told Bloomberg News that he appeared to be developing a new surveillance tool to improve spying methods that had scooped up Americans’ communications. The former officials asked not to be named in order to discuss sensitive intelligence information.

The inspector general’s investigation was sparked by two whistleblowers in May 2013. The analyst was taken aback by criticism of his work and vigorously defended it. Nonetheless, he told an investigator he had “been proceeding with his project in a ‘kind of [by the] seat of the pants’ mode” and that it was “kind of dangerous” and “unknown territory,” according to the report.

The probe began a month before the first news stories appeared based on Snowden’s leaks. Those stories revealed a massive, warrantless program to collect Americans’ phone records, map mobile phone locations worldwide and undermine encryption, and they came out at a time when the agency was already facing criticism for its expansion of surveillance capabilities after the Sept. 11, 2001, terrorist attacks. 

There is no indication in the inspector general’s report that the events are related to NSA activities and programs revealed in the Snowden documents, which had been secretly authorized. However, the inspector general’s investigation occurred during a period in which the NSA was under intense pressure to address alleged wrongdoings. ...

Saturday, October 22, 2022

NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry

Cybersecurity as it evolves under global conditions.

NSA Cybersecurity Directorate Director Rob Joyce spoke Wednesday at the Trellix Cybersecurity Summit. (Pixelme Studios).

Written by AJ Vicens, OCT 19, 2022 | CYBERSCOOP

Rapidly and proactively sharing intelligence on cyberthreats with industry and critical infrastructure providers “can really make a big and decisive difference,” Rob Joyce, director of the NSA Cybersecurity Directorate, said Wednesday.

It’s one of the key lessons his agency “took away personally” from the ongoing war in Ukraine, Joyce said at the Trellix Cybersecurity Summit in Washington.

“Over time, I’ve changed my view about what it is to protect sources and methods,” Joyce said, noting that in his 30-plus years at NSA “it’s in our DNA” to protect sources and methods to ensure the ability to “know secrets into the future.”

But “what we know is often not sensitive, it is how we know it,” Joyce said. “We can make available the insights about what we know without putting at risk how we know it. That’s really an inflection point that lets us get to more prolific, more extensive and more closely sharing for operational outcomes.”

Joyce added that “it doesn’t do anybody any good if we know a thing and don’t do something. Doing is really the focus in the cybersecurity area. And if you’ve got secrets and understanding and you don’t operationalize those, they don’t count.”

Joyce pointed to what he called the “maturation” of the NSA’s Cybersecurity Collaboration Center as the venue for “working with industry to operationalize those ideas.” Information is shared with technology providers, major infrastructure providers and others, “who can then take action at scale.”

A recent example of such information sharing came earlier this month when the NSA, the FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory warning of state-aligned hackers using Impacket, an open-source toolkit to aid in network compromise, and a custom data exfiltration tool known as CovalentStealer against an unnamed defense industrial base entity.

More broadly, the U.S. government has been more aggressive about sharing intelligence about Russian plans, both in the days before the Feb. 24 invasion and since, as part of an effort to disrupt Russian attacks on Ukraine.

“When we set up that protection, protecting us protects you,” he said. ...

Saturday, May 01, 2021

Re the Future of Info Warfare

Increasingly a dangerous direction. We need to analyze threats, determine risks, and address them appropriately. We have the skills; build ahead of emerging threats.

DOD Isn't Armed to Combat Growing Threat of Info Warfare, Experts Warn. By The Washington Post

National security experts will warn Congress today that the U.S. government isn't doing enough to fight back against the growing national security threat of information warfare aimed at sowing distrust in the U.S. government at home and abroad.

"Cyber-enabled disinformation, whether domestically or foreign generated, is a national security problem, corroding our democracy and governmental institutions, and threatening our public health and, potentially, public safety," former NSA general counsel Glenn Gerstell will testify in front of the House Armed Services subcommittee on cyber, innovative technologies and information systems.

Other witnesses include Nina Jankowicz, a disinformation fellow at the Wilson Center; Herb Lin, senior research scholar at the center for international security and cooperation at Stanford University; as well as Joseph Kirschbaum, director of the defense capabilities and management team at the Government Accountability Office.

The hearing underscores how the United States has struggled to combat the emerging cyberthreat of information warfare.

From The Washington Post

Sunday, August 09, 2020

Limiting Location Data Exposure

Basic cautions/mitigations on releasing location data. From the NSA, a considerable recent update. Instructive, but not meant to prevent data loss. Via Schneier.

Limiting Location Data Exposure
Mobile devices store and share device geolocation data by design. This data is essential to device communications and provides features—such as mapping applications—that users consider indispensable. Mobile devices determine location through any combination of Global Positioning System (GPS) and wireless signals (e.g., cellular, wireless (Wi-Fi®), or Bluetooth® (BT)). Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DoD system users. 

Mobile devices expose location data
Using a mobile device—even powering it on—exposes location data. Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area. In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks. If an adversary can influence or control the provider in some way, this location data may be compromised. Public news articles have reported that providers have been known to sell data, including near-real time location data, to third-parties [1].  ... "