Security News

NSA Security Awareness Posters
2020-01-31 19:36

From a FOIA request, over a hundred old NSA security awareness posters. Back in 1993, during the first Crypto Wars, I and a handful of other academic cryptographers visited the NSA for some meeting or another.

Remember the Clipper chip? NSA's botched backdoor-for-Feds from 1993 still influences today's encryption debates
2020-01-27 23:32

More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate. Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996.

Sen. Wyden Asks NSA About Trump Administration Device Security
2020-01-27 19:18

U.S. Senator Ron Wyden, D-Ore., has called on the National Security Agency to take steps to make sure the personal devices of high-ranking Trump administration officials are secure following a report last week that Amazon CEO Jeff Bezos' smartphone had been compromised. Wyden wrote to NSA Director Paul M. Nakasone on Friday, asking if the agency was sure that the Saudi government had not used the crown prince's WhatsApp account to hack the devices of senior government officials, such as White House Senior Adviser Jared Kushner, who have reportedly had contact with Bin Salman on the Facebook-owned messaging app.

NSA Shares Guidance on Mitigating Cloud Vulnerabilities
2020-01-27 15:01

The U.S. National Security Agency has published advice on mitigating cloud vulnerabilities. The document provides four basic sections: an overview of the basic components usually delivered by cloud service providers; an explanation of the concept of shared responsibility; an analysis of the primary cloud threat actors; and an analysis and description of the main cloud vulnerabilities and their mitigations.

New Bill Proposes NSA Surveillance Reforms
2020-01-24 17:37

A newly introduced bill is proposing sweeping privacy reforms to a controversial government surveillance program, which has been previously used by the National Security Agency to vacuum up the call records of millions of Americans. The bill closes loopholes in vague language used by Section 215 for justifying mass surveillance sans warrant.

Bipartisan Bill Aims to Reform NSA Surveillance of Americans
2020-01-24 15:53

U.S. lawmakers on Thursday introduced a bill that aims to reform the National Security Agency's surveillance programs in an effort to protect citizens' rights. The senator, a vocal critic of the NSA's surveillance programs, last year introduced a bill that sought to put an end to the mass collection of Americans' phone records.

Industry Reactions to Crypto Vulnerability Found by NSA: Feedback Friday
2020-01-17 17:14

Several industry professionals have shared thoughts with SecurityWeek about the vulnerability, its impact, and the possible reasons why the NSA disclosed it rather than using it in its own operations. "While this is a serious vulnerability that should be patched, there's no need to panic. When you look at the vulnerability and the number of affected systems, this does not reach the level of Heartbleed or WannaCry scenarios from the past. Also, our research shows that behavioral analysis of malware still detects malware as malicious, even if it's signed with an ostensibly legitimate certificate."

NSA and GitHub ‘rickrolled’ using Windows CryptoAPI bug
2020-01-16 17:42

Was there a big, bad security bug in Microsoft Windows waiting to be announced the next day? This time, the NSA gave the bug to Microsoft to patch the hole proactively, and here we are!

PoC Exploits Released for Crypto Vulnerability Found by NSA
2020-01-16 14:13

Several proof-of-concept exploits have already been created - and some of them have been made public - for CVE-2020-0601, the crypto-related Windows vulnerability that Microsoft patched recently after being notified by the U.S. National Security Agency. Currently, there is no evidence that the vulnerability has been exploited in attacks, but PoC exploits have been created for CVE-2020-0601 much faster than many had anticipated.

Podcast: NSA Reports Major Crypto-Spoofing Bug to Microsoft
2020-01-15 20:47

A major Microsoft crypto-spoofing bug impacting Windows 10 made waves this Patch Tuesday, particularly as the flaw was found and reported by the U.S. National Security Agency. Microsoft's January Patch Tuesday security bulletin disclosed the "Important"-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.