The National Security Agency’s hacking chief reveals insights and tips to block the world’s best hackers.
Here’s how NSA’s hacker-in-chief Rob Joyce began a recent security conference in San Francisco.
“I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done.
“My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard.”
Joyce, the head of NSA’s Tailored Access Operations (the team tasked by the government to infiltrate foreign adversaries’ and allies’ computer systems and networks), made light of the awkward situation. He was in a room packed with security professionals, journalists and academics, telling them exactly how they could keep state hackers like him away from their computers and networks.
The NSA Trap
The NSA isn’t one to look for the login credentials of a targeted firm’s or organization’s management. Instead, the agency looks for the credentials of network and system administrators, those with high levels of network access and privileges. The NSA, as reported by Wired, also seeks to find hardcoded passwords embedded in software. Similarly, the agency sniffs for passwords transmitted and used by legacy protocols. In short, the agency looks across the entire environment for vulnerabilities, and none of them goes unnoticed.
Don’t assume a crack is too small to be noticed, or too small to be exploited.
If penetration tests of a network and its infrastructure showed 97 devices passing and three failing, Joyce claimed, those three seemingly harmless vulnerabilities are the ones that the NSA or other state-sponsored attackers will see as sweet spots.
“We need that first crack, that first seam,” explained Joyce, noting that every single vulnerability matters. “And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”
If a user is approached by a vendor to open the network, however briefly, to fix a concern remotely, Joyce advises against it. Such a situation is just one of the many opportunities that nation-state hackers are looking for, he added.
Surprisingly, Joyce also pointed to personal devices, such as laptops used by office employees that run the gaming platform Steam, as a favorite attack target of the NSA. When the employee’s kids load Steam games onto the laptops and the workers subsequently connect to the organization’s network, an attack vector is opened.
Basically, the NSA and state-sponsored spies and hackers in general are well equipped to get into a user’s network, simply because they know more about the network than most users do.
“We put the time in … to know [that network] better than the people who designed it and the people who are securing it,” he stated. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”