Old 10-15-2021, 03:48 PM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,668
Blog Entries: 4

NSA/CISA announce updated guidelines for hardening VPNs (links included)


Press release here.

Cybersecurity Information Sheet here. (9 pages with bibliography and numerous hyperlinks)

Press release text for your convenience:

NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs

FORT MEADE, Md. – The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs.

VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.

The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise. Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multi-factor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.

NSA is releasing this guidance as part of our mission to help secure the Department of Defense, National Security Systems and the Defense Industrial Base.

[...]

For more cybersecurity guidance, visit NSA.gov/Cybersecurity.

Last edited by sundialsvcs; 10-15-2021 at 03:53 PM.
 
Old 10-15-2021, 04:15 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,668

Original Poster
Blog Entries: 4

It is interesting to me that this white-paper seems to talk down against "SSL/TLS-based VPNs," in favor of "IPSec," yet in my initial reading it is not quite clear to me exactly what technologies they are referring to. They never mention "OpenVPN" by name, for example. But to my reading I can think of several other technologies that they could be talking about. For what it's worth, I emailed them to ask if they had or could write another paper which addresses these concerns. That is to say, "if this is 'the devil you know' (and it's not IPSec ...), what do we need to know to use them most securely?" We'll see.

The paper does make several specific references to practices – such as the use of signed security certificates – which lead me to believe that OpenVPN is or is among the technologies that they are talking about. And, I also want to clarify that the paper does not refer to these technologies as being "insecure."
 
Old 11-13-2021, 02:15 AM   #3
blueicetwice
Member
 
Registered: Jul 2020
Location: Maoisota
Distribution: Manjaro ; Mint & Solus
Posts: 58

Rep: Reputation: Disabled

Why would anyone trust the NSA for anything ?????????????????
 
2 members found this post helpful.
Old 11-14-2021, 04:32 AM   #4
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,534

Quote:
Why would anyone trust the NSA for anything ?????????????????
To quote the NSA site; "NSA Cybersecurity prevents and eradicates threats to U.S. national security systems..." From what I read, they're doing quite a job of it? The supposed focus is on military related potential problems but also on preventing "hacking" of the infrastructure of the country (USA). Of course, other countries are trying to protect themselves in the same way and the USA and allies are trying to hack these other countries to create problems for them. I was in the US Military decades ago and would see correspondence coming from and going to Ft. Meade on a regular basis. I thought it bizarre at the time but with the advances in technology, the potential problems have increased exponentially. I wouldn't trust the NSA or any other country's equivalent.
 
2 members found this post helpful.
Old 11-14-2021, 09:24 AM   #5
blueicetwice
Member
 
Registered: Jul 2020
Location: Maoisota
Distribution: Manjaro ; Mint & Solus
Posts: 58

Rep: Reputation: Disabled
World government has come to the USA

Of course, if one is a supporter of any governmental unit,
there is a zero or small likelihood of being malwared. Wherein, any
or all antagonists would subject various forms of surveillance.

Here is a sample.

"DEITYBOUNCE provides a stealthy way to alter the loaded OS without leaving a trace on the storage device, i.e., HDD or SSD, in order to avoid being detected via “ordinary” computer forensic procedures. Why? Because the OS is manipulated when it’s loaded to RAM, the OS installation on the storage device itself is left untouched (genuine). SMM code execution provides a way to conceal the code execution from possible OS integrity checks by other-party scanners. In this respect, we can view DEITYBOUNCE as a very sophisticated malware dropper.
DEITYBOUNCE provides a way to preserve the presence of the malware in the target system because it is persistent against OS reinstallation."


Whether by backdoor or man-in-the-middle attacks, yancek, they are designed to spy on "victims"
without the ability to detect state actors, engaging in nefarious activities.

https://www.techdirt.com/articles/20...p-telcos.shtml

https://theintercept.com/2014/03/12/...uters-malware/

https://www.schneier.com/blog/archiv...a_leak_sh.html

Even more sinister is hardware modification which is almost foolproof. NSA and others
will also claim that this invasion of privacy is designed against the nation's enemies,
which will in time also include the domestic opposition.

VERY EVIL: https://www.technologyreview.com/201...lem-from-hell/

Agencies like NSA and the FISC [court] are NEVER to be trusted. To do so is an act of
self enslavement.
 
1 members found this post helpful.
Old 11-17-2021, 09:17 AM   #6
blueicetwice
Member
 
Registered: Jul 2020
Location: Maoisota
Distribution: Manjaro ; Mint & Solus
Posts: 58

Rep: Reputation: Disabled
This is the most frightful article
I have read about the NSA spying. If you are low fruit, you
will not necessarily have to worry about them, as they will
deploy conventional means of spying. The intercept of your
mail and packages and wiretaps etc.

If these tactics fail, they will employ more sophisticated
procedures, many of them noted in this article. Whether these
subterfuges have been addressed by security "experts" is unknown
at this time, however, I suspect they are still a current threat
to privacy. It is very likely that other agents are being employed
such as the recent - infected BIOS boot.

https://theintercept.com/2014/03/12/...uters-malware/
 
Old 11-17-2021, 01:56 PM   #7
blueicetwice
Member
 
Registered: Jul 2020
Location: Maoisota
Distribution: Manjaro ; Mint & Solus
Posts: 58

Rep: Reputation: Disabled
NSAlinux

They have absolutely no shame or morals.
These scums also came for your Linux OS.

https://www.theregister.com/2013/09/...door_intrigue/
 
  

