Data Sheet—Saturday, January 30, 2016
When Rob Joyce, head of the National Security Agency’s top hacking outfit, made an appearance at the brand new Usenix Enigma security conference in San Francisco this week, he didn’t strike the casual onlooker as an alpha predator. He had neatly parted dark brown hair with slightly graying sideburns, and he wore a light blue button-down shirt tucked into slacks. His demeanor more resembled that of a high school physics teacher than a dogged hunter.
Don’t be fooled though—the man should not be underestimated. Joyce leads the NSA’s euphemistically labeled “tailored access operations” unit, or TAO. Despite having a moniker that recalls the harmony of the universe in a similarly named ancient Chinese philosophy, Joyce’s team is all yang and no yin. It consists of the nation’s greatest and most indefatigable digital attackers. (Joyce took the reins in April 2013, shortly before Edward Snowden leaked a trove of government documents that, among other things, revealed the existence of TAO.)
On Wednesday the hacker-in-chief, as Wired has dubbed him, delivered a rare talk at the event. In case there’s any doubt, when the nation’s top information infiltrator dishes on the dark arts of breaking into and entering computer networks, cybersecurity wonks stop whatever they’re doing. Ears perk up. People pay attention. His presentation was easily the confab’s main attraction.
In this case, Joyce put on full display the awkward dual role of his employer: defending national computer systems, and exploiting the weaknesses in foreign ones. “I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done,” Joyce said, motioning toward his surrounding upon taking the floor. “My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard,” he added.
Joyce proceeded to unload a bevy of insights upon an attentive batch of listeners. “The key to our success is knowing that network better than the people who set it up”; “don’t assume a crack is too small to be noticed or too small to be exploited”; “consider that you’re already penetrated.” He also refuted a popularly held belief that the NSA, as well as other nation state adversaries, favor zero-day vulnerabilities—previously unknown coding flaws—when compromising targets. It’s easier and less risky, he said, just to lie in wait and then to pounce on common bugs in un-patched systems.
Joyce’s advice—part common sense, part reaffirmation of IT pros’ suspicions—was made doubtlessly more interesting given that the tips were coming straight from the horse’s—or should I say lion’s—mouth. The magician did not reveal all his tricks, however. No one can say for sure how many details he may have left out; for instance, Joyce made no mention of his team’s formidable packet injection technique—stealthily inserting spoofed code into regular Internet traffic in order to hack users. Astute audience members noted this omission on Twitter during the closing session.
At the talk’s conclusion, Joyce projected a QR Code bearing the NSA’s insignia on his final slide. He pointed at the checkered box, reassuring attendees that it was indeed a real link to a website containing more information—not a trick designed to infect anyone audacious enough to scan the grid with malicious software. “Trust me,” he said with a wide grin.
Even raptors have a sense of humor.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.
Google pays millions for bugs. The search giant eked out $2 million in computer bug bounties last year—bringing its total to $6 million since the bounty program's founding in 2010. The reason for the recent surge in coding flaw payouts is likely due to the program's inclusion of Android last year. (Fortune)
Wendy's data breach? The fast food restauranteur said it is investigating reports of unusual activity related to customer payment cards. If the company, which has 5,700 stores in the U.S., has been hit with a security breach, it would join sandwich chain Jimmy John's, which fell victim to one in 2014. (Fortune)
Ben Carson's cybersecurity plan. The Republican presidential hopeful said he would create, if elected, a new federal cybersecurity agency. The retired neurosurgeon drew an analogy to the U.S.'s need for NASA during the Cold War-era "space race." (Fortune)
Citizenship for spies. Law enforcement agents have pressured immigrants who are applying for green cards to become informants, according to a BuzzFeed News investigation. The coercive recruiting strategy defies national guidelines that leaves questions of alien status up to the Department of Homeland Security. (BuzzFeed)
Hacked drone feeds. A secret spy program called "anarchist" reportedly involved British and American spies tapping into the live video feeds of Israeli drones, the Intercept reports, citing leaked documents. The rare images show the supposed unmanned aerial vehicles apparently bearing missiles, though the published snapshots are grainy and inconclusive. (Intercept, Intercept)
Google Capital's latest investment. The growth equity fund of Alphabet (née Google) led a $75 million fundraising round for Pindrop Security, an Atlanta-based cybersecurity startup that aims to stop phone fraud. The company has an interest in securing voice-powered computing interfaces, especially as virtual assistants such as Google Now gain relevance. (Fortune)
Catching up with Rudy Giuliani. The former New York City mayor explains what piqued his interest in cybersecurity, and why he's now chairing that practice at the law firm Greenberg Traurig. Since leaving public office after 2001, he has founded a consultancy, run for president, and worked at two law firms. (Marketwatch)
Share today's Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Amazon customer support has a gaping security hole.
Some poor soul became the victim of a hacker’s social engineering scheme, and was livid enough to tell the tale.
Eric Springer, a former Amazon employee who worked as a software developer in the company’s search and discovery segment (as well as a self-described regular Amazon shopper and “heavy” Amazon Web Services customer), shared his experience in a post onMedium. He described—and published transcripts documenting—how imposters were able to trick Amazon customer support representatives into revealing his personal information... Read the rest on Fortune.com.
Smart toasters. Are cyber toast. (Bloomberg)
Ghost in the Shell wants you. Japanese anime cybersecurity recruiting. (Engadget)
"Cyber" is hot; "crypto" is not. (Fortune)
Crashsafari.com. A new form of "Rick Roll." (Wired)
Vulnerable webcams. There's a browser for that. (Ars Technica)
FX Networks' CEO: Stop Buying Silicon Valley's 'Baloney' by Michal Lev-Ram
You Could Soon Charge Your iPhone Wirelessly by Jonathan Chew
Facebook Says its Closing Parse by Barb Darrow
Lyft's Deal with Waze Highlight's Uber's Weakness: Relationships by David Z. Morris
MasterCard Uses a Command Center to Track its Marketing Spend by Heather Clancy
ONE MORE THING
Hacking cars is easy. So discovered Fortune's Jonathan Vanian while attending this week's Usenix Enigma security Conference in San Francisco. (Fortune)
"PGP is the NSA's friend."
Crypto expert Nicholas Weaver, speaking at the Usenix Enigma security conference this week in San Francisco. Weaver's apparently paradoxical statement refers to how the National Security Agency actually likes it when people use Pretty Good Privacy (PGP), one of the golden standards for strong encryption software. Although the PGP program is designed to block spies from reading the content of messages, its presence lights up users as potential targets for hacking. (The Register)