12/16/2013
11:42 AM

NSA's Malware Heroics Questioned By Security Experts

NSA says it thwarted a nation state's BIOS-bricking malware plot, but info security and privacy experts say the agency is trying to snow the American public.


The National Security Agency (NSA) helped foil a "nation state" that planned to launch a BIOS-bricking malware attack against the United States.

That claim was delivered Sunday night in an Inside the NSA segment on CBS's 60 Minutes that was partially filmed inside the intelligence agency's headquarters.

The agency, of course, is struggling to repair its image -- and stave off additional oversight or curtailing of its intelligence-gathering techniques -- since documents leaked by former agency contractor Edward Snowden revealed how the NSA has created a massive digital dragnet that's been intercepting millions of Americans' communications and related tracking data. Industry analysts have said that the fallout from those revelations could cost technology businesses billions in lost revenue over the next few years.

If a classic counterinsurgency tactic is to make a "hearts and minds" appeal to the public at large (rather than adversaries), that's what the NSA appeared to be doing via 60 Minutes, in part by arguing that its tactics are required to stop foreign nations that are intent on disrupting US systems.

For example, Deborah Plunkett, the NSA's information assurance director -- described in the newscast as the official who directs cyberdefense -- told CBS correspondent John Miller that the agency had foiled a malware attack that would have corrupted the BIOS inside a PC, thus turning the machine into a brick. "One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability -- to destroy computers," Plunkett said. "This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would've infected the computer."

She added: "Think about the impact of that across the entire globe. It could literally take down the US economy."

But the NSA's detailing of a BIOS-attack plot that it supposedly foiled drew a tepid response from many information security professionals. For starters, that's because during the interview, Plunkett wasn't holding the type of BIOS she described -- which would be installed on a motherboard -- but rather a serial ATA controller BIOS, according to Robert David Graham, CEO of Errata Security.

In addition, nothing Plunkett said suggested that the alleged plot was anything more than script kiddies brainstorming up potential future attacks. Furthermore, the supposed plot can't be verified, based on the details that were provided, which included an unnamed NSA official pointing the finger at China. "Same as with #badbios, there's no question it's possible, whether it happened in this case, nobody knows," tweeted computer security researcher Dan Kaminsky.

Other security professionals noted that BIOS-attacking malware isn't anything new, or really all that big of a threat. Perhaps the NSA simply couldn't come up with a scarier-sounding attack?

"We experts just aren't impressed. We know how viruses work, and see nothing special here. We know how stories get distorted. We know how paranoia makes minor things look scary," Errata Security's Graham said in a blog post. "If there were something momentous here, they would say so. But instead, they used techno mumbo jumbo to confuse the typical '60 Minutes' viewer into believing something that was never explicitly stated."

Stepping back from the BIOS plot, information security and privacy experts also criticized the entire 60 Minutes segment for failing to pose the "tough questions" promised by CBS correspondent Miller, who previously worked for both the Office of the Director of National Intelligence and the FBI.

As F-Secure chief research officer Mikko Hypponen summarized the segment via Twitter: "Turns out, NSA is doing an outstanding job and Snowden is the bad guy."

Miller's interviewees included NSA director Gen. Keith Alexander, who first approached CBS about doing the news segment. But Alexander relied on evasion and doublespeak when it came to addressing some of the NSA's more contentious practices, for example when responding to questions about whether the agency hacks into datacenters run by the likes of Google and Yahoo.

"We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are," Alexander said. "But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network."

A presidential commission is reportedly preparing to recommend that some of the NSA's mass data collection practices should be curtailed or stopped. But rather than advancing any nuanced arguments about how the NSA might respond to leading political, legal, and privacy criticisms, Alexander instead argued that the status quo should prevail. "My concern on that is [especially] what's going on in the Middle East, what you see going on in Syria, what we see going on-- Egypt, Libya, Iraq, it's much more unstable, the probability that a terrorist attack will occur is going up," he said. "And this is precisely the time that we should not step back from the tools that we've given our analysts to detect these types of attacks."

Will Alexander's 60 Minutes appeal for business as usual at the NSA succeed? Let us know your opinion in the comments section below.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
SachinEE,
User Rank: Ninja
12/24/2013 | 2:49:56 AM
Re : NSA's Malware Heroics Questioned By Security Experts
@ Shane M. O'Neill, you are absolutely right. On the NSA's side, what purpose could they have achieved by arranging such a poorly crafted piece? Considering the caliber of the agency, they could have done much better than this. They should have considered that the market is full of security experts who would expose the whole thing and that's exactly what happened.
SachinEE,
User Rank: Ninja
12/24/2013 | 2:49:52 AM
Re : NSA's Malware Heroics Questioned By Security Experts
It served nobody any good. It's a shame that such journalistic avenues as 60 Minutes, in which people put their trust, should become partners in someone's public relations or propaganda campaigns. It is unethical to say the least. It amounts to flouting the very tenets upon which the whole edifice of journalism is erected.
ANON1236026178181,
User Rank: Apprentice
12/21/2013 | 2:24:51 PM
fbi/cia are the terrorists
The fbi must create criminals and must also increase their numbers and magnify their dangerousness:

http://www.sosbeevfbi.com/governmentmustcr.html

http://vancouver.mediacoop.ca/story/age-madness-critical-review-fbicia-operations/9375

Out of control are fbi's own thugs advancing with arms extending, fingers pointing, mouths wide opening and evil proclivities protruding (see Living Dead: http://www.sosbeevfbi.com/statement.html )

Modus Operandi of fbi: drive a person to neuroses, or insanity; set him up for a crime using fbi operatives; prosecute the confused and disoriented human being for offenses that in fact the fbi committed.



Domestic enemies:



http://barbarahartwellvscia.blogspot.com/2011/09/consent-of-governed-not.html

'Ask not what your country can do for you'; ask what your country can do TO you.
Overthrown government of usa now controlled by very dangerous and murderous thugs (*beasts) of fbi/CIA/homeland security.

http://lissakr11humane.com/2012/09/08/collapse-of-the-constitutional-government-of-the-united-states-of-america-by-geral-sosbee/

high tech torture, ELF, by low minded thugs of fbi:

http://rudy2.wordpress.com/ex-fbi-agent-geral-sosbees-testimony-in-various-languages/

http://rudy2.wordpress.com/brain-and-satellite-surveillance/



fbi/MAFIA

http://la.indymedia.org/uploads/2013/04/20120509-mafia.jpga0lahp.jpgmid.jpg



*'Veterans Today', Dr. Preston James on usa corruption & fbi murderous evil:

http://www.veteranstoday.com/2013/11/28/alien-ets-hybrids-and-911/

Evil in focus:

The *worldwide network of friends of the accused and terrorized who struggle in intellectual and spiritual opposition against the **human monsters of our generation thanks you, each & every one in our company, for your efforts to expose the methods and identities of the torturers and assassins of our culture; surely stopping such evil is the greatest goal or ideal of our time, and our work is therefore among the most noble of human endeavors because we labor and suffer to rid our species of the demonic-like curse and degenerative affliction that punctuate the demise or downfall of our violently corrupted civilization. Respectfully, geral
*
http://sosbeevfbi.com/worldwidenetwork.html

**
http://www.gangstalkingwiki.com/
Mathew,
User Rank: Moderator
12/17/2013 | 7:27:31 AM
Re: NSA puff piece
Thanks for your comment. Interesting point. But when you ask the head of the NSA if his agency is conducting a massive surveillance operation that hacks into Internet backbones or server farms to suck up millions of records from the likes of Microsoft, Google, and Yahoo, and he replies by saying "we do target terrorist communications," is that a meaningful response?

I see it a bit like asking your kid if they went to the corner grocery store and bought a Milky Way, or even 10 or 100, only to have them respond: "I do go shopping." It's a non-response. To me, it doesn't advance the discussion in any meaningful way. It's just hot air, chewing up face time on TV.
tsreyb,
User Rank: Apprentice
12/17/2013 | 6:22:25 AM
Re: NSA puff piece
The example of Gen Alexander's 'evasion and doublespeak' didn't hold water for me. His response, whether I agree with it or not, did in fact answer the question in a cohesive manner. I had no sense of evasion and/or doublespeak in his response.
WKash,
User Rank: Author
12/16/2013 | 6:08:55 PM
Re: NSA puff piece
Shane, I have to agree. 

NSA is just borrowing a page from the crisis management playbook that corporations use when the media pounces on wrongdoing. But it's disappointing to see 60 Minutes playing into the game.

 
Thomas Claburn,
User Rank: Author
12/16/2013 | 3:43:04 PM
Re: NSA puff piece
Agreed. A very one-sided piece, and it's not as if it would have been difficult to find a source with a different viewpoint.
danielcawrey,
User Rank: Ninja
12/16/2013 | 2:25:35 PM
Re: NSA puff piece
I watched the 60 Minutes piece. And it didn't seem right. Why, for example, would the ultrasecretive NSA let CBS into their building? Normally they would have no incentive to do this, but now that the public wants to see some curtails, they are on the PR offensive.
TerryB,
User Rank: Ninja
12/16/2013 | 1:20:06 PM
Not what they used to be
60 Minutes has really gone downhill. I guess you heard their report on Libya embassy massacre was flawed. They used sources without vetting them and reporter ran with things known not to be true. They were considering firing reporter, never heard if they did.

If NSA requested interview, you know darn well it was for propaganda purposes.
Shane M. O'Neill,
User Rank: Author
12/16/2013 | 12:34:54 PM
NSA puff piece
The whole time I was watching the "60 Minutes" segment I kept waiting for a counterpoint to the NSA's FUD spreading and its denial of privacy violations. Lord knows there are plenty of security experts who could have provided some balance. But it never happened. The reporter was too soft and the final result was an NSA infomercial. Seems like in return for unprecedented access to NSA facilities "60 Minutes" agreed to do a puff piece.