Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

News & Supplemental  

The Spywarepocalypse Cometh. Lock the Backdoor.

With last week’s Snowden leak that the NSA can break a large amount of the encryption used across the web, using a variety of backdoors and secret agreements with manufacturers, there’s now a push in Congress for legal restrictions on the use of these backdoors:

The New York Times
Legislation Seeks to Bar N.S.A. Tactic in Encryption

By SCOTT SHANE and NICOLE PERLROTH
Published: September 6, 2013

After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e‑mail, online transactions and other communications.

Representative Rush D. Holt, a New Jersey Democrat who is also a physicist, said Friday that he believed the N.S.A. was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced.

“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”

Mr. Holt, whose Surveillance State Repeal Act would eliminate much of the escalation in the government’s spying powers undertaken after the 2001 terrorist attacks, was responding to news reports about N.S.A. documents showing that the agency has spent billions of dollars over the last decade in an effort to defeat or bypass encryption. The reports, by The New York Times, ProPublica and The Guardian, were posted online on Thursday.

The agency has encouraged or coerced companies to install back doors in encryption software and hardware, worked to weaken international standards for encryption and employed custom-built supercomputers to break codes or find mathematical vulnerabilities to exploit, according to the documents, disclosed by Edward J. Snowden, the former N.S.A. contractor.

The documents show that N.S.A. cryptographers have made major progress in breaking the encryption in common use for everyday transactions on the Web, like Secure Sockets Layer, or SSL, as well as the virtual private networks, or VPNs, that many businesses use for confidential communications among employees.

Intelligence officials say that many of their most important targets, including terrorist groups, use the same Webmail and other Internet services that many Americans use, so it is crucial to be able to penetrate the encryption that protects them. In an intense competition with other sophisticated cyberespionage services, including those of China and Russia, the N.S.A. cannot rule large parts of the Internet off limits, the officials argue.

A statement from the director of national intelligence, James R. Clapper Jr., criticized the reports, saying that it was “not news” that the N.S.A. works to break encryption, and that the articles would damage American intelligence collection.

The reports, the statement said, “reveal specific and classified details about how we conduct this critical intelligence activity.”

“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

But if intelligence officials felt a sense of betrayal by the disclosures, Internet security experts felt a similar letdown — at the N.S.A. actions.

“There’s widespread disappointment,” said Dan Kaminsky, a prominent security researcher. “This has been the stuff of wild-eyed accusations for years. A lot of people are heartbroken to find out it’s not just wild-eyed accusations.”

Sascha Meinrath, the director of the Open Technology Institute, a research group in Washington, said the reports were “a startling indication that the U.S. has been a remarkably irresponsible steward of the Internet,” which he said the N.S.A. was trying to turn into “a massive platform for detailed, intrusive and unrestrained surveillance.”

Companies like Google and Facebook have been moving to new systems that, in principle, would make government eavesdropping more difficult. Google is in the process of encrypting all data that travels via fiber-optic lines between its data centers. The company speeded up the process in June after the initial N.S.A. disclosures, according to two people who were briefed on Google’s plans but were not authorized to speak publicly about them. The acceleration of the process was first reported Friday by The Washington Post.

For services like Gmail, once data reaches a user’s computer it has been encrypted. But as messages and other data like search queries travel internally among Google’s data centers they are not encrypted, largely because it is technically complicated and expensive to do.

Facebook announced last month that it would also transition to a novel encryption method, called perfect forward secrecy, that makes eavesdropping far more difficult.

...

But the perception of an N.S.A. intrusion into the networks of major Internet companies, whether surreptitious or with the companies’ cooperation, could hurt business, especially in international markets.

“What buyer is going to purchase a product that has been deliberately made less secure?” asked Mr. Holt, the congressman. “Even if N.S.A. does it with the purest motive, it can ruin the reputations of billion-dollar companies.”

In addition, news that the N.S.A. is inserting vulnerabilities into widely used technologies could put American lawmakers and technology companies in a bind with regard to China.

Over the last two years, American lawmakers have accused two of China’s largest telecommunications companies, Huawei Technologies and ZTE, of doing something parallel to what the N.S.A. has done: planting back doors into their equipment to allow for eavesdropping by the Chinese government and military.

Both companies have denied collaborating with the Chinese government, but the allegations have eliminated the companies’ hopes for significant business growth in the United States. After an investigation last year, the House Intelligence Committee concluded that government agencies should be barred from doing business with Huawei and ZTE, and that American companies should avoid buying their equipment.

Some foreign governments and companies have also said that they would not rely on the Chinese companies’ equipment out of security concerns. Last year, Australia barred Huawei from bidding on contracts in Australia’s $38 billion national broadband network. And this year, as part of its effort to acquire Sprint Nextel, SoftBank of Japan pledged that it would not use Huawei equipment in Sprint’s cellphone network.
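The “perfect forward secrecy” the Times article mentions is easier to see than to describe, so here is an added example, written for this post and not code from Facebook, Google or the Times. It models two Diffie-Hellman handshakes in Python: one that derives every session key from the parties’ long-term keys, and one that uses fresh one-time keys per session and throws the private halves away. It then replays a recorded handshake after the long-term private key has leaked, which is exactly the scenario forward secrecy is meant to survive. The group parameters P and G, the party roles, and the function names are constructed for the illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this illustration only: a 61-bit
# Mersenne prime and a small base. Real deployments use standardised
# 2048-bit-or-larger groups or elliptic curves; these parameters exist only
# to keep the numbers readable and are not secure.
P = 2**61 - 1
G = 3


def dh_keypair():
    """Return a (private exponent, public value) pair for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared_secret: int) -> bytes:
    """Hash the raw DH result into a 32-byte session key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def static_dh_session(alice_priv, alice_pub, bob_priv, bob_pub):
    """Non-forward-secret handshake: both sides derive the session key from
    their long-term keys only. The same two keys give the same session key
    every time, and a recording plus a later key leak is enough to recover it."""
    k_alice = derive_key(pow(bob_pub, alice_priv, P))
    k_bob = derive_key(pow(alice_pub, bob_priv, P))
    assert k_alice == k_bob
    transcript = {"mode": "static", "alice_pub": alice_pub, "bob_pub": bob_pub}
    return k_alice, transcript


def ephemeral_dh_session():
    """Forward-secret handshake: each side generates a fresh one-time keypair,
    derives the session key, then discards the one-time private part. Only
    the public one-time values ever appear on the wire."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = derive_key(pow(b_pub, a_priv, P))
    k_bob = derive_key(pow(a_pub, b_priv, P))
    assert k_alice == k_bob
    del a_priv, b_priv  # nothing long-lived remains that could re-derive the key
    transcript = {"mode": "ephemeral", "alice_eph_pub": a_pub, "bob_eph_pub": b_pub}
    return k_alice, transcript


def recover_after_leak(transcript, leaked_alice_priv):
    """Model a recorded handshake being revisited after Alice's long-term
    private key leaks. Returns the recovered session key, or None when the
    transcript contains nothing the leaked key can be combined with."""
    if transcript["mode"] == "static":
        return derive_key(pow(transcript["bob_pub"], leaked_alice_priv, P))
    # Ephemeral transcript: the long-term key was never an input to the
    # session key, and the one-time private exponents no longer exist.
    return None


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_static, t_static = static_dh_session(a_priv, a_pub, b_priv, b_pub)
    k_eph, t_eph = ephemeral_dh_session()
    print("static session key recovered after leak:",
          recover_after_leak(t_static, a_priv) == k_static)
    print("ephemeral session key recovered after leak:",
          recover_after_leak(t_eph, a_priv))
```

The point of the static branch is that it is not broken by any bug; it simply has a single secret whose later loss unlocks every recorded conversation. The ephemeral branch gives an eavesdropper who records traffic today nothing to combine with a key obtained tomorrow, which is why bulk collection and long-term key compromise are a much weaker combination against it.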

Part of what makes a backdoor-decryption ban so intriguing is that the nature of the encryption techniques employed today is such that, without a backdoor or some other algorithmic “cheat” of some sort, it’s theoretically really, really, really hard for even an intelligence agency with the capabilities of the NSA to break the encryption. It’s one of those realities of the digital age that German security officials reminded us of in 2007, when policy experts requested a backdoor into users’ computers to get around Skype’s encryption:

TechDirt
German Proposal Gives A New Perspective On ‘Spyware’
from the big-brother-is-hacking-yo dept

by Timothy Lee

Tue, Nov 27th 2007 5:10pm

A VoIP expert has unveiled new proof-of-concept software that allows an attacker to monitor other peoples’ VoIP calls and record them for later review. Unencrypted VoIP really isn’t very secure; if you have access to the raw network traffic of a call, it’s not too hard to reconstruct the audio. Encrypted traffic is another story. German officials have discovered that when suspects use Skype’s encryption feature, they aren’t able to decode calls even if they have a court order authorizing them to do so. Some law enforcement officials in Germany apparently want to deal with this problem by having courts give them permission to surreptitiously install spying software on the target’s computer. To his credit, Joerg Ziercke, president of Germany’s Federal Police Office, says that he’s not asking Skype to put back doors in its software. But the proposal still raises some serious questions. Once the installation of spyware becomes a standard surveillance method, law enforcement will have a vested interest in making sure that operating systems and VoIP applications have vulnerabilities they can exploit. There will inevitably be pressure on Microsoft, Skype, and other software vendors to provide the police with backdoors. And backdoors are problematic because they can be extremely difficult to limit to authorized individuals. It would be a disaster if the backdoor to a popular program like Skype were discovered by unauthorized individuals. A similar issue applies to anti-virus software. If anti-virus products detect and notify users when court-ordered spyware is found on a machine, it could obviously disrupt investigations and tip off suspects. On the other hand, if antivirus software ignores “official” spyware, then spyware vendors will start trying to camouflage their software as government-installed software to avoid detection. Ultimately, there may be no way for anti-spyware products to turn a blind eye to government-approved spyware without undermining the effectiveness of their products.

Hence, I’m skeptical of the idea of government-mandated spyware, although I don’t think it should be ruled out entirely. That may sound like grim news for law enforcement, which does have a legitimate need to eavesdrop on crime suspects. But it’s important to keep in mind that law enforcement officials do have other tools at their disposal. If they’re not able to install software surveillance tools, it’s always possible to do it the old-fashioned way – in hardware. Law enforcement agencies can always sneak into a suspect’s home (with a court order, of course) and install bugging devices. That tried and true method works regardless of the communications technology being used.

The battle over backdoors is an ongoing issue that isn’t going away any time soon. And as the above article indicated, one of the reasons that backdoors installed into hardware and software for use by law enforcement are guaranteed to be an ongoing issue is that encryption done right can’t be cracked. At least not in a reasonable time frame. It’s a reflection of the asymmetric nature of the mathematics behind encryption: it’s a lot easier to hide a needle in a haystack than to find it. At least in theory:

Ars Technica
Crypto experts issue a call to arms to avert the cryptopocalypse
Nobody can crack important algorithms yet, but the world needs to prepare for that to happen.

by Peter Bright — Aug 1 2013, 10:49pm CST

At the Black Hat security conference in Las Vegas, a quartet of researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, implored everyone involved in cryptography, from software developers to certificate authorities to companies buying SSL certificates, to switch to newer algorithms and protocols, lest they wake up one day to find that all of their crypto infrastructure is rendered useless and insecure by mathematical advances.

We’ve written before about asymmetric encryption and its importance to secure communication. Asymmetric encryption algorithms have pairs of keys: one key can decrypt data encrypted with the other key, but cannot decrypt data encrypted with itself.

The asymmetric algorithms are built on an underlying assumption that certain mathematical operations are “hard,” which is to say, that the time it takes to do the operation increases proportional to some number raised to the power of the length of the key (“exponential time”). This assumption, however, is not actually proven, and nobody knows for certain if it is true. The risk exists that the problems are actually “easy,” where “easy” means that there are algorithms that will run in a time proportional only to the key length raised to some constant power (“polynomial time”).

The most widely used asymmetric algorithms (Diffie-Hellman, RSA, and DSA) depend on the difficulty of two problems: integer factorization, and the discrete logarithm. The current state of the mathematical art is that there aren’t—yet—any easy, polynomial time solutions to these problems; however, after decades of relatively little progress in improving algorithms related to these problems, a flurry of activity in the past six months has produced faster algorithms for limited versions of the discrete logarithm problem.

At the moment, there’s no known way to generalize these improvements to make them useful to attack real cryptography, but the work is enough to make cryptographers nervous. They draw an analogy with the BEAST, CRIME, and BREACH attacks used to attack SSL. The theoretical underpinnings for these attacks are many years old, but for a long time were dismissed as merely theoretical and impossible to use in practice. It took new researchers and new thinking to turn them into practical attacks.

When that happened, it uncovered a software industry ill-prepared to cope. A lot of software, rather than allowing new algorithms and protocols to be easily plugged in, has proven difficult or impossible to change. This means that switching to schemes that are immune to the BEAST, CRIME, and BREACH attacks is much more difficult than it should be. Though there are newer protocols and different algorithms that avoid the problems that these attacks exploit, compatibility concerns mean that they can’t be rapidly rolled out and used.

The attacks against SSL are at least fairly narrow in scope and utility. A general purpose polynomial time algorithm for integer factorization or the discrete logarithm, however, would not be narrow in scope or utility: it would be readily adapted to blow wide open almost all SSL/TLS, ssh, PGP, and other encrypted communication. (The two mathematical problems, while distinct, share many similarities, so it’s likely that an algorithm that solved integer factorization could be adapted in some way to solve the discrete logarithm, and vice versa).

Worse, it would make updating these systems in a trustworthy manner nearly impossible: operating systems such as Windows and OS X depend on digital signatures that in turn depend on these same mathematical underpinnings to protect against the installation of fraudulent or malicious updates. If the algorithms were undermined, there would be no way of verifying the authenticity of the updates.

While there’s no guarantee that this catastrophe will occur—it’s even possible that one day it might be proven that the two problems really are hard—the risk is enough to have researchers concerned. The difficulties of change that BEAST et al. demonstrated mean that if the industry is to have a hope of surviving such a revolution in cryptography, it must start making changes now. If it waits for a genius mathematician somewhere to solve these problems, it will be too late to do anything about it.

Fortunately, a solution of sorts does exist. A family of encryption algorithms called elliptic curve cryptography (ECC) exists. ECC is similar to the other asymmetric algorithms, in that it’s based on a problem that’s assumed to be hard (in this case, the elliptic curve discrete logarithm). ECC, however, has the additional property that its hard problem is sufficiently different from integer factorization and the regular discrete logarithm that breakthroughs in either of those shouldn’t imply breakthroughs in cracking ECC.

However, support for ECC is still very problematic. Much of the technology is patented by BlackBerry, and those patents are enforced. There are certain narrow licenses available for implementations of ECC that meet various US government criteria, but the broader patent issues have led some vendors to refuse to support the technology.

Further, support of protocols that can use ECC, such as TLS 1.2 (the latest iteration of SSL technology) is still not widely available. Certificate authorities have also been slow to offer ECC certificates.

As such, the researchers are calling for the computer industry as a whole to do two things. First, embrace ECC today. Second, ensure that systems that use cryptography are agile. They must not be lumbered with limited sets of algorithms and obsolete protocols. They must instead make updating algorithms and protocols quick and easy, to ensure that software systems can keep pace with the mathematical research and adapt quickly to new developments and techniques. The cryptopocalypse might never happen—but we should be prepared in case it does.
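What “agile” means in practice is easier to show than to say, so here is an added example of the researchers’ second recommendation, written for this post and not code from the Black Hat talk or any vendor. It is a small update-manifest verifier in Python, the kind of thing the article’s point about operating-system updates depends on. The manifest names its algorithm, but a separate policy table decides what is acceptable, so retiring a broken algorithm is a one-line policy change and verification fails closed for anything unknown or retired. HMAC stands in for the digital signature a real update system would use; the algorithm identifiers, statuses, key and manifest fields are all constructed for the example.

```python
import hashlib
import hmac
import json

# The policy table, not the manifest, decides which algorithms are acceptable.
# Identifiers and statuses are constructed for this example; HMAC stands in
# for the public-key signature an update system would really use.
ALGORITHMS = {
    "hmac-sha1":   {"digest": hashlib.sha1,   "status": "retired"},
    "hmac-sha256": {"digest": hashlib.sha256, "status": "allowed"},
    "hmac-sha512": {"digest": hashlib.sha512, "status": "allowed"},
}
PREFERRED = "hmac-sha512"


def set_status(alg: str, status: str) -> None:
    """Retire or re-allow an algorithm with a one-line policy change."""
    ALGORITHMS[alg]["status"] = status


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(payload: dict, key: bytes, alg: str = PREFERRED) -> dict:
    """Produce a manifest that names its algorithm alongside the tag."""
    entry = ALGORITHMS[alg]
    if entry["status"] != "allowed":
        raise ValueError(f"refusing to sign with {alg}: {entry['status']}")
    tag = hmac.new(key, canonical(payload), entry["digest"]).hexdigest()
    return {"alg": alg, "payload": payload, "tag": tag}


def verify_manifest(manifest: dict, key: bytes):
    """Return (accepted, reason). The manifest's own 'alg' field is only a
    lookup key into the policy table; unknown or retired entries are rejected
    before any tag arithmetic happens, so a manifest cannot talk the verifier
    into an algorithm the policy does not allow."""
    entry = ALGORITHMS.get(manifest.get("alg"))
    if entry is None:
        return False, "unknown algorithm"
    if entry["status"] != "allowed":
        return False, f"{manifest['alg']} is {entry['status']} by policy"
    expected = hmac.new(key, canonical(manifest["payload"]), entry["digest"]).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "tag mismatch"
    return True, "ok"


def needs_resign(manifest: dict) -> bool:
    """True when an accepted manifest should be re-issued under the preferred algorithm."""
    return manifest.get("alg") != PREFERRED


if __name__ == "__main__":
    key = b"constructed-demo-key"
    payload = {"package": "example-agent", "version": "1.2.3", "sha256": "placeholder"}
    old = sign_manifest(payload, key, "hmac-sha256")
    print("before retirement:", verify_manifest(old, key), "resign?", needs_resign(old))
    set_status("hmac-sha256", "retired")   # the whole migration trigger
    print("after retirement: ", verify_manifest(old, key))
    new = sign_manifest(payload, key)
    print("re-signed:        ", verify_manifest(new, key), "resign?", needs_resign(new))
```

The design choice worth copying is that the algorithm name travels with the data but authority over it stays in the policy table, and that `needs_resign` gives the operator a way to find and migrate everything signed under a soon-to-be-retired algorithm before the switch is flipped rather than after.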

Note that the above article was published August 1st, a month before the latest Snowden leak about the advances in NSA techniques, which includes backdoors but also advances in decryption algorithms. So the references to algorithmic risks (because we don’t know how “hard” the underlying mathematical problems truly are) in the above article might relate to the recent advances in the NSA’s decryption algorithms. This could even include turning theoretically “hard” (non-polynomial-time) mathematical problems into somewhat less hard problems that can be cracked without the NSA’s backdoors (or anyone else’s backdoors). In other words, while the concerns about the NSA or some other allied intelligence agency abusing those encryption backdoors are valid, there’s also the very real possibility that other third parties (rival intelligence agencies, organized crime, private parties, etc.) are also using the new algorithmic hacks where no backdoors are required. The algorithm is effectively defeated. So even if those NSA backdoors (or anyone else’s backdoors) didn’t exist, there is still the possibility that the underlying mathematical algorithms currently used to encrypt the bulk of internet communications have already been mathematically, effectively hacked. And if those algorithms have already been hacked (in the sense that code-breakers have found a method of finding the correct keys within a predictable timeframe) then it might just be a matter of time before that algorithm gets out into “the wild” and anyone with the computing resources will be able to decrypt conventionally encrypted data. No backdoors or secret manufacturer agreements needed. Just a powerful enough computer and the knowledge about the flaws in the encryption algorithm. That’s the ‘cryptopocalypse’.
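To make all this talk of “hard problems” concrete, here is an added Python example, written for this post and not code from the Ars article or the researchers it quotes: textbook RSA at toy key sizes. It shows the asymmetry the article describes (what the public key encrypts, the private key decrypts), shows that factoring the modulus hands over the private key immediately (which is why the whole scheme rests on factoring being hard), and counts the trial divisions needed to factor moduli of increasing size, so the exponential growth in work with key length is visible in a number rather than a sentence. The key sizes, the message and the function names are constructed for the illustration; there is no padding, and nothing here is usable for real encryption.

```python
import math
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int):
    """Textbook RSA keypair: public (e, n) and private (d, n). Toy sizes, no padding."""
    e = 65537
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def rsa_apply(x: int, key) -> int:
    """Modular exponentiation with either half of the keypair."""
    exp, n = key
    return pow(x, exp, n)


def trial_factor(n: int):
    """Split n = p*q by trial division and report how many candidates were tried.
    This is the naive 'exponential time' method: work roughly doubles for every
    two bits added to the modulus."""
    tried = 1
    if n % 2 == 0:
        return 2, n // 2, tried
    c = 3
    while c * c <= n:
        tried += 1
        if n % c == 0:
            return c, n // c, tried
        c += 2
    raise ValueError("n is prime or 1")


def recover_private_key(public_key):
    """Once n is factored, phi(n) and therefore d follow immediately: the
    private key is exactly as secret as the factorization is hard."""
    e, n = public_key
    p, q, _ = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


def factoring_work(bits: int) -> int:
    """Trial divisions needed to factor a fresh `bits`-bit modulus."""
    (_, n), _ = rsa_keygen(bits)
    return trial_factor(n)[2]


if __name__ == "__main__":
    pub, priv = rsa_keygen(24)
    ciphertext = rsa_apply(12345, pub)           # constructed message, must be < n
    print("decrypts with private key:", rsa_apply(ciphertext, priv) == 12345)
    print("private key recovered by factoring:", recover_private_key(pub) == priv)
    for bits in (24, 32, 40):
        print(f"{bits}-bit modulus: {factoring_work(bits)} trial divisions")
```

Run it a few times and the division counts at 24, 32 and 40 bits jump by roughly a factor of sixteen per step, which is what “proportional to some number raised to the power of the key length” looks like for this method. The article’s worry is the other column of that table: an algorithm whose cost grows only polynomially would flatten that curve for every key size at once, and `recover_private_key` shows how little stands between a factored modulus and the private key.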

But there’s another interesting possibility that could emerge in the medium term: right now it’s known that the NSA uses custom-built chips to break the encryption, and it’s believed that these chips can decrypt any of the traffic on Tor that doesn’t use the most advanced “elliptic curve cryptography” encryption described above. Tor is supposed to be anonymous.

So we should probably expect to see a broad shift towards these newer kinds of encryption methods. And if that shift towards using these newer methods takes place without those NSA backdoors we could start seeing truly secure encryption methods employed — methods that no spy agency, anywhere, will be able to decrypt. At least not unless there’s some super secret powerful computing technology hiding somewhere. If that encrypted future is what’s in store for us we should probably expect a dramatic expansion of traditional spying: human intelligence will simply become much more important because there won’t be other options. Traditional hacking will also become paramount. When a backdoor closes, a job opportunity for a hacker opens.

But also note that the FinFisher tool is reportedly able to hack your BlackBerry, which uses “elliptic curve cryptography”. Same with the NSA and GCHQ. So whatever secure encryption method the world eventually settles upon will have to be more secure than currently recommended secure methods. Give it time.

Beware Software Updates Bearing Gifts
If we do eventually see an encrypted future — one where direct hacking with the benefit of pervasive backdoors or algorithmic trickery is no longer an option — we should expect an explosion of Trojan spyware and custom hacks. Even with the pervasive backdoors and algorithmic trickery we should still expect an explosion of spyware because that’s what’s already happening. So while the NSA hardware and software backdoor network is the spy scandal of the moment, perhaps the UK/German Bundestrojaner/FinFisher/FinSpy spyware scandals should be considered likelier spy scandal templates for tomorrow:

Slate
U.S. and Other Western Nations Met With Germany Over Shady Computer-Surveillance Tactics

By Ryan Gallagher

Posted Tuesday, April 3, 2012, at 11:51 AM

Infecting a computer with spyware in order to secretly siphon data is a tactic most commonly associated with criminals. But explosive new revelations in Germany suggest international law enforcement agencies are adopting similar methods as a form of intrusive suspect surveillance, raising fresh civil liberties concerns.

Information released last month by the German government shows that between 2008–2011, representatives from the FBI; the U.K.’s Serious Organised Crime Agency (SOCA); and France’s secret service, the DCRI, were among those to have held meetings with German federal police about deploying “monitoring software” used to covertly infiltrate computers.

The disclosure was made in response to a series of questions tabled by Left Party Member of Parliament Andrej Hunko and reported by German-language media. It comes on the heels of an exposé by the Chaos Computer Club, a Berlin-based hacker collective, which revealed in October that German police forces had been using a so-called “Bundestrojaner” (federal Trojan) to spy on suspects.

The Bundestrojaner technology could be sent disguised as a legitimate software update and was capable of recording Skype calls, monitoring Internet use, and logging messenger chats and keystrokes. It could also activate computer hardware such as microphones or webcams and secretly take snapshots or record audio before sending it back to the authorities.

German federal authorities initially denied deploying any Bundestrojaner, but it soon transpired that courts had in fact approved requests from officials to employ such Trojan horse programs more than 50 times. Following a public outcry over the use of the technology, which many believe breached the country’s strict privacy laws, further details have surfaced.

Inquiries by Green Party MP Konstantin von Notz revealed in January that, in addition to the Bundestrojaner discovered by the CCC, German authorities had also acquired a license in early 2011 to test a similar Trojan technology called “FinSpy,” manufactured by England-based firm Gamma Group. FinSpy enables clandestine access to a targeted computer, and was reportedly used for five months by Hosni Mubarak’s Egyptian state security forces in 2010 to monitor personal Skype accounts and record voice and video conversations over the Internet.

But it is the German government’s response to a series of questions recently submitted by Hunko that is perhaps the most revealing to date. In a letter from Secretary of State Ole Schröder on March 6, which I have translated, Hunko was informed that the German federal police force, the Bundeskriminalamt (BKA), met to discuss the use of monitoring software with counterparts from the U.S., Britain, Israel, Luxemburg, Liechtenstein, the Netherlands, Belgium, France, Switzerland, and Austria. The meetings took place separately between Feb. 19, 2008, and Feb. 1, 2012. While this story has been covered in the German media, it hasn’t received the English-language attention it deserves.

Both the FBI and Britain’s SOCA are said to have discussed with the Germans the “basic legal requirements” of using computer-monitoring software. The meeting with SOCA also covered the “technical and tactical aspects” of deploying computer infiltration technology, according to Schröder’s letter. France’s secret service and police from Switzerland, Austria, Luxemburg, and Liechtenstein were separately briefed by the BKA on its experiences using Trojan computer infiltration.

Interestingly, at a meeting in October 2010 attended by police from Germany, the Netherlands, and Belgium, representatives from the Gamma Group were present and apparently showcased their shadowy products. It is possible that the Germans decided at this meeting to proceed with the FinSpy trial we now know took place in early 2011.

If nothing else, these revelations confirm that police internationally are increasingly looking to deploy ethically contentious computer intrusion techniques that exist in a legal gray area. The combination of the rapid development of Internet technologies and persistent fears about national security seem to have led to a paradigm shift in police tactics—one that appears, worryingly, to be taking place almost entirely behind closed doors and under cover of state secrecy.

...

Your Passwords Can Be Stolen. So Can Your Spyware
The world continues to freak out about the NSA and UK possessing the centralized mass-surveillance capabilities that come from the power to collect and decrypt massive volumes of internet traffic. Such a freak out is understandable because, hey, centralized mass internet traffic surveillance is kind of creepy. It’s also understandable that the global debate would be almost exclusively focused on spying by the NSA because that’s been the focus of the Snowden leaks. But it might be worth incorporating into the ongoing global debate about the balance between privacy, security, and government accountability the fact that extremely powerful spyware is being peddled by major governments and is currently used by governments all over the globe. It might also be used by unknown parties all over the globe, because spyware can be stolen:

Bloomberg
FinFisher Spyware Reach Found on Five Continents: Report
By Vernon Silver — Aug 8, 2012 6:34 AM CT

The FinFisher spyware made by U.K.-based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts.

FinFisher can secretly monitor computers — intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use.

Research published last month based on e‑mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment.

In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet.

The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S.

Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview.

‘Active Fingerprinting’

“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog.

The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences.

“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.”

In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy.

“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e‑mail.

Gamma International

Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party.

Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.

Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany.

It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients.

A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment.

Officials in Ethiopia’s Communications Ministry, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone.

Australia’s department of foreign affairs and trade said in an e‑mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions.

Violating Human Rights?

At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it.

The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there.

...

If the above description of the emerging global spyware-surveillance state sounds a little unsettling, keep in mind that FinFisher/FinSpy is just one toolkit. There could be all sorts of other spyware “products” out there.

Also don’t forget that the world is still learning about the FinFisher/FinSpy spyware’s capabilities: for instance, it appears that a “FinIntrusion” tool made by the same company can be used to collect WiFi signals. Part of the FinIntrusion suite includes decryption capabilities so all that WiFi traffic can be picked up. It’s a reminder that, whether or not the centralized mass-surveillance state is on the wane, the global decentralized spyware party is still going strong:

ITNews.com
Further details of FinFisher govt spyware leaked
By Juha Saarinen on Sep 2, 2013 6:04 AM
Filed under Security

Claims it can break encryption.

Sales brochures and presentations leaked online have shed further light on the FinFisher malware and spyware toolkit that is thought to be used by law enforcement agencies worldwide.

FinFisher is made by the Anglo-German Gamma International and is marketed to law enforcement agencies around the world. It is also known as FinSpy and the sales presentation traces its origins to BackTrack Linux, an open source penetration testing Linux distribution.

The spyware can record screen shots, Skype chats, operate built-in web cams and microphones on computers and is able to capture a large range of user data.

Last year, an internet scan by a security company showed up FinFisher control nodes in eleven countries, including Australia. The malware has been analysed [pdf] by the Citizen Lab project, in which the University of Toronto, Munk School of Global Affairs and the Canada Centre for Global Studies participate.

In July this year, the Australian Federal Police turned down a Freedom of Information Act request from the director of the OpenAustralia Foundation, Henare Degan, about the use of FinFisher by the country’s top law enforcement agency.

The spyware runs on all versions of Windows newer than Windows 2000, and can infect computers via USB drivers, drive-by web browser exploits or with the help of local internet providers that inject the malware when users visit trusted sites such as Google Gmail or YouTube.

The FinSpy Mobile version works on Blackberry, Apple iOS, Google Android and Microsoft’s Windows Mobile and Windows Phone operating systems, the documents claim. On these, it can record incoming and outgoing calls, track location with cellular ID and GPS data, and conduct surveillance by making silent calls and more.

According to the documents found by security firm F‑Secure, the FinIntrusion portable hacking kit can break encryption and record all traffic, and steal users’ online banking and social media credentials.

...

Really protecting data privacy involves a lot more than just protecting internet traffic or stopping any of the NSA or GCHQ’s custom backdoors. That was an intelligence convenience that’s now been thwarted, but the spying will continue. If effectively unbreakable encryption is truly implemented, espionage activities will merely shift to spying on data after it’s been decrypted by the intended recipient. And if the entire history of spying scandals has taught us anything, it’s that governments are going to be tempted to spread spyware around like a rapid zombie. Barring a truly populist global revolution that somehow leads to a golden age of shared prosperity and minimal suffering, governments around the world will be spying on other countries’ citizens all over the globe for a whole lot of valid and invalid reasons. Governments can be kind of crazy, and so can people. So the spying will continue. And don’t forget that as spyware spreads more and more, it’ll be harder to tell apart state-sponsored spyware from its private/criminal counterparts, and all that private spying will warrant more public spying to stop the private spying. Achieving digital privacy isn’t just a matter of slaying the NSA-mass-wiretapping dragon in the modern age and sealing those backdoors. The public/private global spyware chimera also roams the forest, and it can make backdoors too.

Discussion

19 comments for “The Spywarepocalypse Cometh. Lock the Backdoor.”

  1. http://hosted.ap.org/dynamic/stories/U/US_BORDER_COMPUTER_SEARCHES?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2013-09-10-05-30-23

    Sep 10, 9:14 AM EDT

    New details in how the feds take laptops at border

    By ANNE FLAHERTY
    Associated Press

    WASHINGTON (AP) — Newly disclosed U.S. government files provide an inside look at the Homeland Security Department’s practice of seizing and searching electronic devices at the border without showing reasonable suspicion of a crime or getting a judge’s approval.

    The documents published Monday describe the case of David House, a young computer programmer in Boston who had befriended Army Pvt. Chelsea Manning, the soldier convicted of giving classified documents to WikiLeaks. U.S. agents quietly waited for months for House to leave the country then seized his laptop, thumb drive, digital camera and cellphone when he re-entered the United States. They held his laptop for weeks before returning it, acknowledging one year later that House had committed no crime and promising to destroy copies the government made of House’s personal data.

    The government turned over the federal records to House as part of a legal settlement agreement after a two-year court battle with the American Civil Liberties Union, which had sued the government on House’s behalf. The ACLU said the records suggest that federal investigators are using border crossings to investigate U.S. citizens in ways that would otherwise violate the Fourth Amendment.

    The Homeland Security Department declined to discuss the case, saying it was still being litigated. But Customs and Border Protection spokesman Michael Friel said border checks are focused on identifying national security or public safety risks.

    “Any allegations about the use of the CBP screening process at ports of entry for other purposes by DHS are false,” Friel said. “These checks are essential to enforcing the law, and protecting national security and public safety, always with the shared goals of protecting the American people while respecting civil rights and civil liberties.”

    House said he was 22 when he first met Manning, who now is serving a 35-year sentence for one of the biggest intelligence leaks in U.S. history. It was a brief, uneventful encounter at a January 2010 computer science event. But when Manning was arrested later that June, that nearly forgotten handshake came to mind. House, another tech enthusiast, considered Manning a bright, young, tech-savvy person who was trying to stand up to the U.S. government and expose what he believed were wrongheaded politics.

    House volunteered with friends to set up an advocacy group they called the Bradley Manning Support Network, and he went to prison to visit Manning, formerly known as Bradley Manning.

    It was that summer that House quietly landed on a government watchlist used by immigrations and customs agents at the border. His file noted that the government was on the lookout for a second batch of classified documents Manning had reportedly shared with the group WikiLeaks but hadn’t made public yet. Border agents were told that House was “wanted for questioning” regarding the “leak of classified material.” They were given explicit instructions: If House attempted to cross the U.S. border, “secure digital media,” and “ID all companions.”

    But if House had been wanted for questioning, why hadn’t federal agents gone back to his home in Boston? House said the Army, State Department and FBI had already interviewed him.

    Instead, investigators monitored passenger flight records and waited for House to leave the country that November for a Mexico vacation with his girlfriend. When he returned, two agents were waiting for him, including one who specialized in computer forensics. They seized House’s laptop and detained his computer for seven weeks, giving the government enough time to try to copy every file and keystroke House had made since declaring himself a Manning supporter.

    President Barack Obama and his predecessors have maintained that people crossing into U.S. territory aren’t protected by the Fourth Amendment. That policy is intended to allow for intrusive searches that keep drugs, child pornography and other illegal imports out of the country. But it also means the government can target travelers for no reason other than political advocacy if it wants, and obtain electronic documents identifying fellow supporters.

    House and the ACLU are hoping his case will draw attention to the issue, and show how searching a suitcase is different than searching a computer.

    “It was pretty clear to me I was being targeted for my visits to Manning (in prison) and my support for him,” said House, in an interview last week.

    How Americans end up getting their laptops searched at the border still isn’t entirely clear.

    The Homeland Security Department said it should be able to act on a hunch if someone seems suspicious. But agents also rely on a massive government-wide system called TECS, named after its predecessor the Treasury Enforcement Communications System.

    Federal agencies, including the FBI and IRS, as well as Interpol, can feed TECS with information and flag travelers’ files.

    In one case that reached a federal appeals court, Howard Cotterman wound up in the TECS system because of a 1992 child sex conviction. That “hit” encouraged border patrol agents to detain his computer, which was found to contain child pornography. Cotterman’s case ended up before the 9th Circuit Court of Appeals, which ruled this spring that the government should have reasonable suspicion before conducting a comprehensive search of an electronic device; but that ruling only applies to states that fall under that court’s jurisdiction, and left questions about what constitutes a comprehensive search.

    In the case of House, he showed up in TECS in July 2010, about the same time he was helping to establish the Bradley Manning Support Network. His TECS file, released as part of his settlement agreement, was the document that told border agents House was wanted in the questioning of the leak of classified material.

    It wasn’t until late October, though, that investigators noticed House’s passport number in an airline reservation system for travel to Los Cabos. When he returned to Chicago O’Hare airport, the agents waiting for him took House’s laptop, thumb drive, digital camera and cellphone. He was questioned about his affiliation with Manning and his visits to Manning in prison. The agents eventually let him go and returned his cell phone. But the other items were detained and taken to an ICE field office in Manhattan.

    Seven weeks after the incident, House faxed a letter to immigration authorities asking that the devices be returned. They were sent to him the next day, via Federal Express.

    By then agents had already created an “image” of his laptop, according to the documents. Because House had refused to give the agents his password and apparently had configured his computer in such a way that appeared to stump computer forensics experts, it wasn’t until June 2011 that investigators were satisfied that House’s computer didn’t contain anything illegal. By then, they had already sent a second image of his hard drive to Army criminal investigators familiar with the Manning case. In August 2011, the Army agreed that House’s laptop was clean and promised to destroy any files from House’s computer.

    Catherine Crump, an ACLU lawyer who represented House, said she doesn’t understand why Congress or the White House are leaving the debate up to the courts.

    “Ultimately, the Supreme Court will need to address this question because unfortunately neither of the other two branches of government appear motivated to do so,” said Crump.

    House, an Alabama native, said he didn’t ask for any money as part of his settlement agreement and said his primary concern was ensuring that a document containing the names of Manning Support Network donors didn’t wind up in a permanent government file. The court order required the destruction of all his files, which House said satisfied him.

    He is writing a book about his experiences and his hope to create a youth-based political organization. House said he severed ties with the Support Network last year after becoming disillusioned with Manning and WikiLeaks, which he said appeared more focused on destroying America and ruining lives than challenging policy.

    “That era was a strange time,” House said. “I’m hoping we can get our country to go in a better direction.”

    Posted by Vanfield | September 10, 2013, 8:58 am
  2. SAIC is Oakland’s choice to “serve and protect” its citizens.

    Oakland is quite the laboratory for many social science experiments:

    - Black Panthers
    - SLA — Patty Hearst
    - Car bombing activist Judi Bari
    - Gangs
    - “Oaksterdam”

    Now SAIC is the vendor of choice!

    The comments for this NYTimes article are reflecting an awareness and unease with these unconstitutional encroachments, but where is it all leading to?

    Direct conflict while these systems are deployed, or prison riots in concentration camps after every “unproductive,” jobless, homeless, poor person is contained?

    Literal “panopticons” deployed in our lives and no legislator willing to uphold constitutional protections for citizens’ privacy?

    October 13, 2013
    Privacy Fears Grow as Cities Increase Surveillance

    http://www.nytimes.com/2013/10/14/technology/privacy-fears-as-surveillance-grows-in-cities.html?_r=0&pagewanted=all&pagewanted=print

    By SOMINI SENGUPTA

    OAKLAND, Calif. — Federal grants of $7 million awarded to this city were meant largely to help thwart terror attacks at its bustling port. But instead, the money is going to a police initiative that will collect and analyze reams of surveillance data from around town — from gunshot-detection sensors in the barrios of East Oakland to license plate readers mounted on police cars patrolling the city’s upscale hills.

    The new system, scheduled to begin next summer, is the latest example of how cities are compiling and processing large amounts of information, known as big data, for routine law enforcement. And the system underscores how technology has enabled the tracking of people in many aspects of life.

    The police can monitor a fire hose of social media posts to look for evidence of criminal activities; transportation agencies can track commuters’ toll payments when drivers use an electronic pass; and the National Security Agency, as news reports this summer revealed, scooped up telephone records of millions of cellphone customers in the United States.

    Like the Oakland effort, other pushes to use new surveillance tools in law enforcement are supported with federal dollars. The New York Police Department, aided by federal financing, has a big data system that links 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Police in Massachusetts have used federal money to buy automated license plate scanners. And police in Texas have bought a drone with homeland security money, something that Alameda County, which Oakland is part of, also tried but shelved after public protest.

    Proponents of the Oakland initiative, formally known as the Domain Awareness Center, say it will help the police reduce the city’s notoriously high crime rates. But critics say the program, which will create a central repository of surveillance information, will also gather data about the everyday movements and habits of law-abiding residents, raising legal and ethical questions about tracking people so closely.

    Libby Schaaf, an Oakland City Council member, said that because of the city’s high crime rate, “it’s our responsibility to take advantage of new tools that become available.” She added, though, that the center would be able to “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.”

    For example, if two men were caught on camera at the port stealing goods and driving off in a black Honda sedan, Oakland authorities could look up where in the city the car had been in the last several weeks. That could include stoplights it drove past each morning and whether it regularly went to see Oakland A’s baseball games.

    For law enforcement, data mining is a big step toward more complete intelligence gathering. The police have traditionally made arrests based on small bits of data — witness testimony, logs of license plate readers, footage from a surveillance camera perched above a bank machine. The new capacity to collect and sift through all that information gives the authorities a much broader view of the people they are investigating.

    For the companies that make big data tools, projects like Oakland’s are a big business opportunity. Microsoft built the technology for the New York City program. I.B.M. has sold data-mining tools for Las Vegas and Memphis.

    Oakland has a contract with the Science Applications International Corporation, or SAIC, to build its system. That company has earned the bulk of its $12 billion in annual revenue from military contracts. As the federal military budget has fallen, though, SAIC has diversified to other government agency projects, though not without problems.

    The company’s contract to help modernize the New York City payroll system, using new technology like biometric readers, resulted in reports of kickbacks. Last year, the company paid the city $500 million to avoid a federal prosecution. The amount was believed to be the largest ever paid to settle accusations of government contract fraud. SAIC declined to comment.

    Even before the initiative, Oakland spent millions of dollars on traffic cameras, license plate readers and a network of sound sensors to pick up gunshots. Still, the city has one of the highest violent crime rates in the country. And an internal audit in August 2012 found that the police had spent $1.87 million on technology tools that did not work properly or remained unused because their vendors had gone out of business.

    The new center will be far more ambitious. From a central location, it will electronically gather data around the clock from a variety of sensors and databases, analyze that data and display some of the information on a bank of giant monitors.

    The city plans to staff the center around the clock. If there is an incident, workers can analyze the many sources of data to give leads to the police, fire department or Coast Guard. In the absence of an incident, how the data would be used and how long it would be kept remain largely unclear.

    The center will collect feeds from cameras at the port, traffic cameras, license plate readers and gunshot sensors. The center will also be integrated next summer with a database that allows police to tap into reports of 911 calls. Renee Domingo, the city’s emergency services coordinator, said school surveillance cameras, as well as video data from the regional commuter rail system and state highways, may be added later.

    Far less advanced surveillance programs have elicited resistance at the local and state level. Iowa City, for example, recently imposed a moratorium on some surveillance devices, including license plate readers. The Seattle City Council forced its police department to return a federally financed drone to the manufacturer.

    In Virginia, the state police purged a database of millions of license plates collected by cameras, including some at political rallies, after the state’s attorney general said the method of collecting and saving the data violated state law. But for a cash-starved city like Oakland, the expectation of more federal financing makes the project particularly attractive. The City Council approved the program in late July, but public outcry later compelled the council to add restrictions. The council instructed public officials to write a policy detailing what kind of data could be collected and protected, and how it could be used. The council expects the privacy policy to be ready before the center can start operations.

    The American Civil Liberties Union of Northern California described the program as “warrantless surveillance” and said “the city would be able to collect and stockpile comprehensive information about Oakland residents who have engaged in no wrongdoing.”

    The port’s chief security officer, Michael O’Brien, sought to allay fears, saying the center was meant to hasten law-enforcement response time to crimes and emergencies. “It’s not to spy on people,” he said.

    Steve Spiker, research and technology director at the Urban Strategies Council, an Oakland nonprofit organization that has examined the effectiveness of police technology tools, said he was uncomfortable with city officials knowing so much about his movements. But, he said, there is already so much public data that it makes sense to enable government officials to collect and analyze it for the public good.

    Still, he would like to know how all that data would be kept and shared. “What happens,” he wondered, “when someone doesn’t like me and has access to all that information?”

    Posted by participo | October 14, 2013, 7:59 am
  3. Bob Fil­ner — the for­mer may­or of San Diego and for­mer ser­i­al-grop­er (hope­ful­ly) — and the City of San Diego recent­ly set­tled the sex­u­al harass­ment law­suit brought by Fil­ner’s ex-com­mu­ni­ca­tions direc­tor. But there’s a new Fil­ner-relat­ed scan­dal that’s been brew­ing: The ser­i­al grop­ing of democ­ra­cy by big-mon­ey for­eign donors:

    Hul­la­baloo
    For­eign .001 per­centers are peo­ple too

    by dig­by
    2/16/2014 09:00:00 AM

    It stands to rea­son that the .001% would band togeth­er to influ­ence elec­tions. There are so few of them, it also stands to rea­son they’d recruit for­eign mem­bers of their class. And why not? The poli­cies that help the Amer­i­can mega-rich will very like­ly help the for­eign mega-rich as well. And that’s what counts:

    In a first of its kind case, fed­er­al pros­e­cu­tors say a Mex­i­can busi­ness­man fun­nelled more than $500,000 into U.S. polit­i­cal races through Super PACs and var­i­ous shell com­pa­nies. The alleged finan­cial scheme is the first known instance of a for­eign nation­al exploit­ing the Supreme Court’s Cit­i­zens Unit­ed deci­sion in order to influ­ence U.S. elec­tions. If proven, the cam­paign finance scan­dal could reshape the pub­lic debate over the high court’s land­mark deci­sion.

    Until now, alle­ga­tions sur­round­ing Jose Susumo Azano Mat­sura, the own­er of mul­ti­ple con­struc­tion com­pa­nies in Mex­i­co, have not spread beyond local news out­lets in San Diego, where he’s accused of bankrolling a hand­ful of south­ern Cal­i­for­nia can­di­dates. But the scan­dal is begin­ning to attract nation­al inter­est as it ensnares a U.S. con­gress­man, a Wash­ing­ton, D.C.-based cam­paign firm and the lega­cy of one of the most impor­tant Supreme Court deci­sions in a gen­er­a­tion.

    How could this hap­pen? Well, there’s one big change in cam­paign finance law that made it pos­si­ble:

    “Before Cit­i­zens Unit­ed, in order for a for­eign nation­al to try and do this, they’d have to set up a pret­ty com­plex sys­tem of shell cor­po­ra­tions,” said Brett Kap­pel, a cam­paign finance expert at the law firm Arent Fox. “And even then, there were dol­lar lim­its in place. After Cit­i­zens Unit­ed, there are no lim­its on inde­pen­dent expen­di­tures.”

    Read on. It’s quite a sto­ry.

    But remem­ber that the real prob­lem with our elec­tions is non-exis­tent vot­er fraud.

    It is indeed quite a sto­ry that’s emerg­ing from the inves­ti­ga­tion of Azano’s adven­tures in influ­ence ped­dling. It’s espe­cial­ly inter­est­ing because Azano is described as “almost a leg­end” in Mex­i­co and that leg­endary sta­tus includes major secu­ri­ty and sur­veil­lance con­tracts with the Mex­i­can defense depart­ment. Con­tracts that report­ed­ly give the Mex­i­can gov­ern­ment remote­ly access to phone micro­phones, text mes­sages, con­tacts and mul­ti­me­dia. So the guy at the cen­ter of this lat­est Cit­i­zens Unit­ed-induced cam­paign-finance scan­dal in the US is also a pri­vate spy-mas­ter for the Mex­i­can gov­ern­ment:

    inew­source

    The “for­eign nation­al” in the San Diego cam­paign finance scan­dal is “almost a leg­end” in Mex­i­co

    By Leo Cas­tane­da
    Post­ed on Jan 24, 2014

    Jose Susumo Azano Mat­sura, the for­eign nation­al at the cen­ter of a local cam­paign finance scan­dal, is a lit­tle-known fig­ure in the U.S., but back home in Mex­i­co, he has a rep­u­ta­tion as a bil­lion­aire who report­ed­ly moves in high gov­ern­ment cir­cles.

    Mex­i­can news­pa­pers and peri­od­i­cals have for years fol­lowed Azano’s busi­ness deal­ings, his polit­i­cal con­nec­tions, and his mon­u­men­tal fight with Sem­pra Ener­gy over land for a liqui­fied nat­ur­al gas plant in Ense­na­da. El Sol de Tijua­na news­pa­per calls him “almost a leg­end.”

    He is clear­ly regard­ed as a man with pow­er.

    For exam­ple, a col­umn in the Mex­i­can news­pa­per El Uni­ver­sal report­ed on a meet­ing between incom­ing Mex­i­can Pres­i­dent Enrique Pena Nieto and Pres­i­dent Barack Oba­ma in 2012 when they dis­cussed threats to rela­tions between the two nations. The num­ber one threat iden­ti­fied by the U.S., accord­ing to the news­pa­per, was the Sem­pra Ener­gy land dis­pute alleged­ly financed by Azano. Num­ber two was the price of Mex­i­can toma­toes, and num­ber three, drug car­tels, in that order.

    inew­source reviewed the scant men­tions of Azano in U.S. media and pored through dozens of Mex­i­can news­pa­pers and web­sites, as well as per­son­al social media accounts of Azano fam­i­ly mem­bers for infor­ma­tion about a man referred to only as a “wealthy busi­ness­man” in a fed­er­al com­plaint unsealed in San Diego this week.

    Pros­e­cu­tors con­tend this man fun­neled more than $500,000 into local polit­i­cal cam­paigns, using a “straw donor” to make the dona­tions with the help of a Wash­ing­ton, D.C.-based cam­paign con­sul­tant and a for­mer San Diego cop, who are both charged with crimes. For­eign nation­als like Azano are not allowed to fund polit­i­cal cam­paigns at any lev­el in the U.S.

    Azano is not named in the com­plaint, but inew­source ver­i­fied his role as the FBI-described “wealthy busi­ness­man” after match­ing up the dona­tion amounts cit­ed in the fed­er­al com­plaint with the San Diego City Clerk’s cam­paign con­tri­bu­tions and expen­di­tures data and Sec­re­tary of State’s busi­ness reg­istry infor­ma­tion.

    Azano’s lim­it­ed-lia­bil­i­ty com­pa­ny, Air­sam N492RM, LLC, donat­ed $100,000 to a PAC named, “San Die­gans for Bon­nie Duma­n­is for May­or 2012, Spon­sored by Air­sam N492RM, LLC.” Ernesto Enci­nas, the retired police detec­tive at the cen­ter of the probe, also donat­ed $3,000 to that PAC. Those two dona­tion amounts were high­light­ed in the fed­er­al com­plaint as exam­ples of ille­gal cam­paign expen­di­tures.

    Azano is no stranger to con­tro­ver­sy or polit­i­cal intrigue.

    Mex­i­co City news­pa­per Refor­ma on Thurs­day morn­ing report­ed Azano’s com­pa­ny was impli­cat­ed in a mon­ey laun­der­ing and fraud inves­ti­ga­tion. The Mex­i­can attor­ney gen­er­al alleges that the com­pa­ny, Secu­ri­ty Track­ing Devices SA de CV, either through a pay­ment or con­tract ser­vices, deposit­ed 33 mil­lion pesos (almost $2.5 mil­lion dol­lars) into the account of a cor­po­ra­tion linked to two men who were charged with fraud and mon­ey laun­der­ing.

    Azano is of Japan­ese ances­try and grew up in the west­ern Mex­i­can state of Jalis­co. He is the son of busi­ness­man Susumo Azano Mat­sura, head of Grupo Azano, a cor­po­ra­tion that has done every­thing from con­struc­tion to man­u­fac­tur­ing license plates. One of Azano’s web­sites says he earned degrees from Uni­ver­si­ty of Mass­a­chu­setts Boston and Uni­ver­si­ty of Guadala­jara.

    He made his mon­ey in sur­veil­lance and secu­ri­ty tech­nol­o­gy. One online news out­let in Mex­i­co esti­mates the val­ue of the fam­i­ly enter­pris­es at $30 bil­lion.

    Azano report­ed­ly has a res­i­dence in Coro­n­a­do, but the large water­front home on Green Tur­tle Road is owned by a Mar­gari­ta Hes­ter de Azano, accord­ing to the coun­ty asses­sor. Also accord­ing to the coun­ty asses­sor, Azano him­self owns no prop­er­ty in San Diego Coun­ty.

    ...

    In 1998, Azano start­ed Secu­ri­ty Track­ing Devices, which today sells sur­veil­lance and secu­ri­ty tech­nol­o­gy to Mexico’s defense depart­ment, Sede­na. A 2011 deal for $5 bil­lion pesos (almost $374 mil­lion dol­lars) worth of equip­ment raised eye­brows in the U.S. and Mex­i­co.

    Accord­ing to the Mex­i­can news­pa­per Aris­tegui, the con­tract was award­ed to Azano’s com­pa­ny with­out com­pet­i­tive bid­ding. An edi­to­r­i­al by the news­pa­per El Mex­i­cano claimed Secu­ri­ty Track­ing Devices sold one of the sys­tems for an almost 800 per­cent markup.

    On this side of the bor­der, the San Fran­cis­co-based Elec­tron­ic Fron­tier Foun­da­tion warned about the tech­nol­o­gy being sold, which allowed the Mex­i­can gov­ern­ment to remote­ly access and acti­vate phone micro­phones and down­load text mes­sages, con­tacts and mul­ti­me­dia.

    Security Tracking Devices has global reach and is part of the reason Azano is often referred to as a billionaire. However, Azano is not included on Forbes' list of the wealthiest Mexicans.

    The capa­bil­i­ties of the sur­veil­lance sys­tem Azano’s “Secu­ri­ty Track­ing Devices” sound a lot like Fin­Fish­er soft­ware that’s being sold to gov­ern­ments around the world, which rais­es the ques­tion: Was that Fin­Fish­er that Azano’s com­pa­ny was sell­ing to Mex­i­co? Maybe, assum­ing the com­pa­ny “Obses” is affil­i­at­ed with Azano, because Obses has def­i­nite­ly been sell­ing Fin­Fish­er to Mex­i­co:

    Privacy International
    Cor­rup­tion scan­dal reveals use of Fin­Fish­er by Mex­i­can author­i­ties
    By: Alin­da Ver­meer
    on: 22-Jul-2013

    Fol­low­ing reports that the Mex­i­can pros­e­cu­tion author­i­ty appears to be not only using Fin­Fish­er, but also to be involved in a cor­rup­tion scan­dal sur­round­ing the pur­chase of this intru­sive sur­veil­lance tech­nol­o­gy, the Mex­i­can Per­ma­nent Com­mis­sion (com­posed of mem­bers of the Mex­i­can Sen­ate and Con­gress) has urged Mex­i­co’s Fed­er­al Insti­tute for Access to Pub­lic Infor­ma­tion and Data Pro­tec­tion (IFAI) to inves­ti­gate the use of spy­ware in Mex­i­co.

    The cor­rup­tion scan­dal, which entails the price of the sur­veil­lance tech­nol­o­gy being pur­chased at more than dou­ble the mar­ket rate, revealed that the Mex­i­can gov­ern­ment had bought Fin­Fish­er from Obses, a com­pa­ny which has been on the receiv­ing end of dozens of no-bid gov­ern­men­tal projects.

    While we don’t know if Obses pur­chased the mal­ware from Gam­ma Inter­na­tion­al, the British com­pa­ny that devel­oped Fin­Fish­er, this is the first instance we are aware of where a reseller was involved in the sale of Fin­Fish­er. The stan­dards of inter­na­tion­al respon­si­ble busi­ness con­duct of the OECD guide­lines how­ev­er remain rel­e­vant even if a reseller is sell­ing its prod­ucts.

    Fin­Fish­er in Mex­i­co

    The rev­e­la­tions fol­lowed a recent access to infor­ma­tion request of a group of Mex­i­can human rights activists and jour­nal­ists that urged the IFAI to inves­ti­gate the use of Fin­Fish­er in Mex­i­co.

    Accord­ing to the group, which includes indi­vid­u­als as well as civic organ­i­sa­tions such as Prop­ues­ta Civi­ca A.C., Al Con­sum­i­dor and Con­tin­gente MX, the mal­ware has been used to spy on jour­nal­ists and activists in the coun­try and breach­es Mex­i­co’s data pro­tec­tion law. The Fed­er­al Law for the Pro­tec­tion of Per­son­al data applies to both pri­vate and pub­lic enti­ties, and reg­u­lates the col­lec­tion, use and dis­clo­sure of per­son­al data. The law also pro­vides lim­i­ta­tions on gov­ern­ment access to data. Fin­Fish­er is par­tic­u­lar­ly intru­sive spy­ware that once installed, will gain com­plete con­trol over a com­put­er, mobile phone or oth­er device. As a result, every key­stroke can be record­ed, email and chat con­ver­sa­tions can be mon­i­tored and Skype calls can be lis­tened into.

    FinFisher has been linked to Mexico by researchers of the Citizen Lab, a research centre based at the Munk School of Global Affairs of the University of Toronto, who found FinFisher command and control servers with two local Internet service providers, IUSACELL and UNINET. Mexican newspaper Reforma revealed that in Mexico the Procuraduría General de la Nación and several other governmental organisations are using FinFisher. Privacy International supported the access to information request via a letter to the IFAI.

    ...

    Exam­ple for oth­er coun­tries

    In recent years Mex­i­can author­i­ties have sought to improve their sur­veil­lance capa­bil­i­ties in an effort to com­bat drug-relat­ed vio­lence. Accord­ing to Latin Amer­i­can human rights activist Rena­ta Avi­la:

    “Mex­i­co’s pub­lic has been over­whelmed by drug-relat­ed vio­lence in recent years, a prob­lem that has left cit­i­zens fear­ing for their safe­ty and gen­er­al­ly unop­posed to aggres­sive sur­veil­lance prac­tices. As a result, the gov­ern­ment has been able to launch sophis­ti­cat­ed sur­veil­lance pro­grams with­out fac­ing sig­nif­i­cant resis­tance from civ­il soci­ety.”

    A turn­ing point seems to have been reached how­ev­er, now that civic organ­i­sa­tions have called for trans­paren­cy on the use of Fin­Fish­er in Mex­i­co, sug­gest­ing it is not only being used to com­bat crime, but also to spy on activists and jour­nal­ists. Con­cerned by the capa­bil­i­ties of Fin­Fish­er and its ram­i­fi­ca­tions for the pri­va­cy of indi­vid­u­als, the Per­ma­nent Com­mis­sion has already asked IFAI to inves­ti­gate, and has pro­posed to request full dis­clo­sure of the con­tracts on the basis of which Fin­Fish­er was bought, togeth­er with detailed infor­ma­tion on all oth­er fed­er­al pur­chas­es of sur­veil­lance tech­nolo­gies. The Per­ma­nent Com­mis­sion will meet this week to dis­cuss the pro­pos­al.

    This strong response is an exam­ple for the 36 oth­er coun­tries in which Fin­Fish­er com­mand and con­trol servers have been found.

    ...

    Posted by Pterrafractyl | February 16, 2014, 7:41 pm
  4. Remem­ber when Gam­ma, the mak­er of Fin­Fish­er, claimed that it must have been stolen copies of their super-spy soft­ware that were being used against Bahrai­ni activists? Some­one just hacked Gam­ma and stole 40 GB of doc­u­ments and, shock­er, it looks like Gam­ma was lying:

    ZDNet
    Top gov­’t spy­ware com­pa­ny hacked; Gam­ma’s Fin­Fish­er leaked

    Sum­ma­ry: The mak­er of secre­tive Fin­Fish­er spy­ware — sold exclu­sive­ly to gov­ern­ments and police agen­cies — has been hacked, reveal­ing its clients, prices and its effec­tive­ness across an unbe­liev­able span of apps, oper­at­ing sys­tems and more.

    By Vio­let Blue for Zero Day | August 6, 2014 — 21:01 GMT (14:01 PDT)

    The com­pa­ny that makes and sells the world’s most elu­sive cyber weapon, Fin­Fish­er spy­ware, has been hacked and a 40G file has been dumped on the inter­net.

    The slick and highly secret surveillance software can remotely control any computer it infects, copy files, intercept Skype calls, log keystrokes — and now we know it can do much, much more.

    ...

    A hack­er has announced on Red­dit and Twit­ter that they’d hacked Anglo-Ger­man com­pa­ny Gam­ma Inter­na­tion­al UK Ltd., mak­ers of Fin­Fish­er spy­ware sold exclu­sive­ly to gov­ern­ments and police agen­cies.

    The file was linked both on Red­dit and “@GammaGroupPR” — a par­o­dy Twit­ter account by the hack­er tak­ing cred­it for the breach. The Twit­ter account is still dol­ing out tid­bits from the mas­sive theft.

    The Red­dit post Gam­ma Inter­na­tion­al Leaked in self.Anarchism said,

    Two years ago their soft­ware was found being wide­ly used by gov­ern­ments in the mid­dle east, espe­cial­ly Bahrain, to hack and spy on the com­put­ers and phones of jour­nal­ists and dis­si­dents.

    Gam­ma Group (the com­pa­ny that makes Fin­Fish­er) denied hav­ing any­thing to do with it, say­ing they only sell their hack­ing tools to ‘good’ gov­ern­ments, and those author­i­tar­i­an regimes most [sic] have stolen a copy.

    ...a cou­ple days ago [when] I hacked in and made off with 40GB of data from Gam­ma’s net­works. I have hard proof they knew they were sell­ing (and still are) to peo­ple using their soft­ware to attack Bahrai­ni activists, along with a whole lot of oth­er stuff in that 40GB.

    The stolen Fin­Fish­er spoils were first leaked as a tor­rent file on Drop­box and have since been shared across the inter­net, mean­ing that con­trol­ling the infor­ma­tion leak is now impos­si­ble.

    Fin­Fish­er’s noto­ri­ety of late has come from its use in the gov­ern­ment tar­get­ing of activists, notably linked to the mon­i­tor­ing of high pro­file dis­si­dents in Bahrain.

    Accord­ing to ini­tial reports, the enor­mous file con­tains client lists, price lists, source code, details about the effec­tive­ness of Fin­fish­er mal­ware, user and sup­port doc­u­men­ta­tion, a list of classes/tutorials, and much more.

    One spread­sheet in the dump explains that Fin­Fish­er per­formed well against 35 top antivirus prod­ucts, show­ing how the sophis­ti­cat­ed mal­ware effi­cient­ly defeats detec­tion.

    ...

    A release notes doc cov­ers Gam­ma’s April 2014 patch­es to ensure its rootk­it avoids Microsoft Secu­ri­ty Essen­tials. It also explains that the mal­ware records dual screen Win­dows setups, and reports bet­ter email spy­ing with Mozil­la Thun­der­bird and Apple Mail.

    Gam­ma does note that Fin­Fish­er is detect­ed by OSX Skype (a record­ing prompt appears), and the same is for Win­dows 8 Metro — though the spy­ware goes well unde­tect­ed by the desk­top client.

    The files also con­tain lists of apps the spy­ware uti­lizes, and things it can’t use — many still to be deter­mined. There is a fake Adobe Flash Play­er updater, and a Fire­fox plu­g­in for RealPlay­er.

    One of the files con­tains exten­sive (though still unde­ter­mined) doc­u­men­ta­tion for What­sApp.

    Report­ing on just such spy­ware last month, The Econ­o­mist not­ed,

    Cur­rent­ly it is legal for gov­ern­ments to buy the spy­ware—the sale and export of sur­veil­lance tools is vir­tu­al­ly unreg­u­lat­ed by inter­na­tion­al law.

    Spy­ware providers say they sell their prod­ucts to gov­ern­ments for “law­ful pur­pos­es”.

    But activists allege that their gov­ern­ments vio­late nation­al laws in their often polit­i­cal­ly moti­vat­ed use of such soft­ware. They argue that com­pa­nies should be held account­able for sell­ing spy­ware to repres­sive gov­ern­ments.

    The Reg­is­ter report­ed:

    A price list, which appeared to be a cus­tomers’ record, revealed the Fin­Spy pro­gram cost 1.4 mil­lion Euros and a vari­ety of pen­e­tra­tion test­ing train­ing ser­vices priced at 27,000 Euros each.

    The doc­u­ment did not con­tain a date but it did show prices for mal­ware tar­get­ing the recent iOS ver­sion 7 plat­form.

    Links have appeared on Twitter to the GitHub repository for Finfisher docs, although it's being noted that due to Gamma's operational security practices, the unencrypted source code is fairly useless.

    Gam­ma isn’t in the busi­ness of cre­at­ing zero-days because they are more of an “ecosys­tem” spy­ware com­pa­ny, but appar­ent­ly they do sell it to their clients.

    On the list of zero-day com­pa­nies from which Gam­ma appears to pur­chase its exploits is the con­tro­ver­sial French com­pa­ny, VUPEN.

    ...

    At only 1.4 mil­lion euros for the Fin­Spy sys­tem and vir­tu­al­ly no export con­trols for the sale of this kind of potent soft­ware, you almost have to won­der which gov­ern­ments around the world haven’t pur­chased the sys­tem by now. It seems like a bit of a bar­gain.

    Posted by Pterrafractyl | August 7, 2014, 11:39 am
  5. Get ready for the next big cyber-growth sec­tor: cor­po­rate “active defense” anti-hack­ing ser­vices. It’s an “active defense” that increas­ing­ly includes an active offense and pos­si­bly even a pre-emp­tive offense. And gen­er­al­ly seems to embrace the vig­i­lante spir­it:

    Slate
    The Mer­ce­nar­ies

    Ex-NSA hack­ers and their cor­po­rate clients are stretch­ing legal bound­aries and shap­ing the future of cyber­war.
    By Shane Har­ris
    Nov. 12 2014 1:37 PM

    Excerpt­ed from @War: The Rise of the Mil­i­tary-Inter­net Com­plex by Shane Har­ris. Out now from Houghton Mif­flin Har­court.

    Bright twen­ty- and thir­tysome­things clad in polo shirts and jeans perch on red Her­man Miller chairs in front of sil­ver Apple lap­tops and sleek, flat-screen mon­i­tors. They might be munch­ing on catered lunch—brought in once a week—or scroung­ing the ful­ly stocked kitchen for snacks, or mak­ing plans for the com­pa­ny soft­ball game lat­er that night. Their office is faux-loft indus­tri­al chic: open floor plan, high ceil­ings, strate­gi­cal­ly exposed duct­work and plumb­ing. To all out­ward appear­ances, Endgame Inc. looks like the typ­i­cal young tech start­up.

    It is any­thing but. Endgame is one of the lead­ing play­ers in the glob­al cyber arms busi­ness. Among oth­er things, it com­piles and sells zero day infor­ma­tion to gov­ern­ments and cor­po­ra­tions. “Zero days,” as they’re known in the secu­ri­ty busi­ness, are flaws in com­put­er soft­ware that have nev­er been dis­closed and can be secret­ly exploit­ed by an attack­er. And judg­ing by the prices Endgame has charged, busi­ness has been good. Mar­ket­ing doc­u­ments show that Endgame has charged up to $2.5 mil­lion for a zero day sub­scrip­tion pack­age, which promis­es 25 exploits per year. For $1.5 mil­lion, cus­tomers have access to a data­base that shows the phys­i­cal loca­tion and Inter­net address­es of hun­dreds of mil­lions of vul­ner­a­ble com­put­ers around the world. Armed with this intel­li­gence, an Endgame cus­tomer could see where its own sys­tems are vul­ner­a­ble to attack and set up defens­es. But it could also find com­put­ers to exploit. Those machines could be mined for data—such as gov­ern­ment doc­u­ments or cor­po­rate trade secrets—or attacked using mal­ware. Endgame can decide whom it wants to do busi­ness with, but it doesn’t dic­tate how its cus­tomers use the infor­ma­tion it sells, nor can it stop them from using it for ille­gal pur­pos­es, any more than Smith & Wes­son can stop a gun buy­er from using a firearm to com­mit a crime.

    Endgame is one of a small but grow­ing num­ber of bou­tique cyber mer­ce­nar­ies that spe­cial­ize in what secu­ri­ty pro­fes­sion­als euphemisti­cal­ly call “active defense.” It’s a some­what mis­lead­ing term, since this kind of defense doesn’t entail just erect­ing fire­walls or installing antivirus soft­ware. It can also mean launch­ing a pre-emp­tive or retal­ia­to­ry strike. Endgame doesn’t con­duct the attack, but the intel­li­gence it pro­vides can give clients the infor­ma­tion they need to car­ry out their own strikes. It’s ille­gal for a com­pa­ny to launch a cyber­at­tack, but not for a gov­ern­ment agency. Accord­ing to three sources famil­iar with Endgame’s busi­ness, near­ly all of its cus­tomers are U.S. gov­ern­ment agen­cies. Accord­ing to secu­ri­ty researchers and for­mer gov­ern­ment offi­cials, one of Endgame’s biggest cus­tomers is the Nation­al Secu­ri­ty Agency. The com­pa­ny is also known to sell to the CIA, Cyber Com­mand, and the British intel­li­gence ser­vices. But since 2013, exec­u­tives have sought to grow the company’s com­mer­cial busi­ness and have struck deals with mar­quee tech­nol­o­gy com­pa­nies and banks.

    Endgame was found­ed in 2008 by Chris Rouland, a top-notch hack­er who first came on the Defense Department’s radar in 1990—after he hacked into a Pen­ta­gon com­put­er. Report­ed­ly the Unit­ed States declined to pros­e­cute him in exchange for his work­ing for the gov­ern­ment. He start­ed Endgame with a group of fel­low hack­ers who worked as white-hat researchers for a com­pa­ny called Inter­net Secu­ri­ty Sys­tems, which was bought by IBM in 2006 for $1.3 bil­lion. Tech­ni­cal­ly, they were sup­posed to be defend­ing their cus­tomers’ com­put­ers and net­works. But the skills they learned and devel­oped were inter­change­able from offense.

    Rouland, described by for­mer col­leagues as dom­i­neer­ing and hot-tem­pered, has become a vocal pro­po­nent for let­ting com­pa­nies launch coun­ter­at­tacks on indi­vid­u­als, groups, or even coun­tries that attack them. “Even­tu­al­ly we need to enable cor­po­ra­tions in this coun­try to be able to fight back,” Rouland said dur­ing a pan­el dis­cus­sion at a con­fer­ence on ethics and inter­na­tion­al affairs in New York in Sep­tem­ber 2013.

    Rouland stepped down as the CEO of Endgame in 2012, following embarrassing disclosures of the company's internal marketing documents by the hacker group Anonymous. Endgame had tried to stay quiet and keep its name out of the press, and went so far as to take down its website. But Rouland provocatively resurfaced at the conference and, while emphasizing that he was speaking in his personal capacity, said American companies would never be free from cyberattack unless they retaliated. "There is no concept of deterrence today in cyber. It's a global free-fire zone." One of Rouland's fellow panelists seemed to agree. Robert Clark, a professor of law at the Naval Academy Center of Cyber Security Studies, told the audience that it would be illegal for a company that had been hacked to break in to the thief's computer and delete its own purloined information. "This is the most asinine thing I can think of," Clark said. "It's my data, it's here, I should be able to delete it."

    To date, no Amer­i­can com­pa­ny has been will­ing to say that it engages in offen­sive cyber oper­a­tions designed to steal infor­ma­tion or destroy an adversary’s sys­tem. But for­mer intel­li­gence offi­cials say “hack-backs”—that is, break­ing into the intruder’s com­put­er, which is ille­gal in the Unit­ed States—are occur­ring, even if they’re not adver­tised. “It is ille­gal. It is going on,” says a for­mer senior NSA offi­cial, now a cor­po­rate con­sul­tant. “It’s hap­pen­ing with very good legal advice. But I would not advise a client to try it.”

    A for­mer mil­i­tary intel­li­gence offi­cer said the most active hack-backs are com­ing from the bank­ing indus­try. In the past sev­er­al years banks have lost bil­lions of dol­lars to cyber­crim­i­nals, pri­mar­i­ly those based in East­ern Europe and Rus­sia who use sophis­ti­cat­ed mal­ware to steal user­names and pass­words from cus­tomers and then clean out their accounts.

    In June 2013, Microsoft joined forces with some of the world’s biggest finan­cial insti­tu­tions, includ­ing Bank of Amer­i­ca, Amer­i­can Express, JPMor­gan Chase, Cit­i­group, Wells Far­go, Cred­it Suisse, HSBC, the Roy­al Bank of Cana­da, and Pay­Pal, to dis­able a huge clus­ter of hijacked com­put­ers being used for online crime. Their tar­get was a noto­ri­ous out­fit called Citadel, which had infect­ed thou­sands of machines around the world and, with­out their own­ers’ knowl­edge, con­script­ed them into armies of “bot­nets,” or clus­ters of infect­ed com­put­ers under the remote con­trol of a hack­er, which the crim­i­nals used to steal account cre­den­tials, and thus mon­ey, from mil­lions of peo­ple. In a coun­ter­strike that Microsoft code-named Oper­a­tion b54, the company’s Dig­i­tal Crimes Unit sev­ered the lines of com­mu­ni­ca­tion between Citadel’s more than 1,400 bot­nets and an esti­mat­ed 5 mil­lion per­son­al com­put­ers that Citadel had infect­ed with mal­ware. Microsoft also took over servers that Citadel was using to con­duct its oper­a­tions.

    Microsoft hacked Citadel. That would have been ille­gal had the com­pa­ny not obtained a civ­il court order bless­ing the oper­a­tion. Effec­tive­ly now in con­trol of Citadel’s victims—who had no idea that their machines had ever been infected—Microsoft could alert them to install patch­es to their vul­ner­a­ble soft­ware. In effect, Microsoft had hacked the users in order to save them. (And to save itself, since the machines had been infect­ed in the first place owing to flaws in Microsoft’s prod­ucts, which are prob­a­bly the most fre­quent­ly exploit­ed in the world.)

    It was the first time that Microsoft had teamed up with the FBI. But it was the sev­enth time it had knocked down bot­nets since 2010. The company’s lawyers had used nov­el legal argu­ments, such as accus­ing crim­i­nals who had attacked Microsoft prod­ucts of vio­lat­ing its trade­mark. This was a new legal fron­tier. Even Microsoft’s lawyers, who includ­ed a for­mer U.S. attor­ney, acknowl­edged that they’d nev­er con­sid­ered using alleged vio­la­tions of com­mon law to obtain per­mis­sion for a cyber­at­tack. For Oper­a­tion b54, Microsoft and the banks had spied on Citadel for six months before talk­ing to the FBI. The sleuths from Microsoft’s counter-hack­ing group even­tu­al­ly went to two Inter­net host­ing facil­i­ties, in Penn­syl­va­nia and New Jer­sey, where, accom­pa­nied by U.S. mar­shals, they gath­ered foren­sic evi­dence to attack Citadel’s net­work of bot­nets. The mil­i­tary would call that col­lect­ing tar­get­ing data. And in many respects, Oper­a­tion b54 looked like a mil­i­tary cyber­strike. Tech­ni­cal­ly speak­ing, it was not so dif­fer­ent from the attack that U.S. cyber forces launched on the Obelisk net­work used by al-Qai­da in Iraq.

    Microsoft also worked with law enforce­ment agen­cies in 80 coun­tries to strike at Citadel. The head of cyber­crime inves­ti­ga­tions for Europol, the Euro­pean Union’s law enforce­ment orga­ni­za­tion, declared that Oper­a­tion b54 had suc­ceed­ed in wip­ing out Citadel from near­ly all its infect­ed hosts. And a lawyer with Microsoft’s Dig­i­tal Crimes Unit declared, “The bad guys will feel the punch in the gut.”

    Microsoft has con­tin­ued to attack bot­nets, and its suc­cess has encour­aged gov­ern­ment offi­cials and com­pa­ny exec­u­tives, who see part­ner­ships between cops and cor­po­rate hack­ers as a viable way to fight cyber­crim­i­nals. But coor­di­nat­ed coun­ter­strikes like the one against Citadel take time to plan, and teams of lawyers to approve them. What hap­pens when a com­pa­ny doesn’t want to wait six months to hack back, or would just as soon not have fed­er­al law enforce­ment offi­cers look­ing over its shoul­der?

    The for­mer mil­i­tary intel­li­gence offi­cer wor­ries that the rel­a­tive tech­ni­cal ease of hack-backs will inspire banks in par­tic­u­lar to for­go part­ner­ships with com­pa­nies like Microsoft and hack back on their own—without ask­ing a court for per­mis­sion. “Banks have an appetite now to strike back because they’re sick of tak­ing it in the shorts,” he says. “It gets to the point where an indus­try won’t accept that kind of risk. And if the gov­ern­ment can’t act, or won’t, it’s only log­i­cal they’ll do it them­selves.” And hack-backs won’t be exclu­sive to big cor­po­ra­tions, he says. “If you’re a celebri­ty, would you pay some­one to find the source of some dirty pic­tures of you about to be released online? Hell yes!”

    Undoubt­ed­ly, they’ll find a ready sup­ply of tal­ent will­ing and able to do the job. A sur­vey of 181 atten­dees at the 2012 Black Hat USA con­fer­ence in Las Vegas found that 36 per­cent of “infor­ma­tion secu­ri­ty pro­fes­sion­als” said they’d engaged in retal­ia­to­ry hack-backs. That’s still a minor­i­ty of the pro­fes­sion, though one pre­sumes that some of the respon­dents weren’t being hon­est. But even those secu­ri­ty com­pa­nies that won’t engage in hack-backs have the skills and the knowhow to launch a pri­vate cyber­war.

    ...

    Over the past sev­er­al years, large defense con­trac­tors have been gob­bling up small­er tech­nol­o­gy firms and bou­tique cyber­se­cu­ri­ty out­fits, acquir­ing their per­son­nel, their pro­pri­etary soft­ware, and their con­tracts with intel­li­gence agen­cies, the mil­i­tary, and cor­po­ra­tions. In 2010, Raytheon, one of the largest U.S. defense con­trac­tors, agreed to pay $490 mil­lion for Applied Sig­nal Tech­nol­o­gy, a cyber­se­cu­ri­ty firm with mil­i­tary and gov­ern­ment clients. The price tag, while objec­tive­ly large, was a rel­a­tive pit­tance for Raytheon, which had sales the pri­or year total­ing $25 bil­lion. In 2013 the net­work-equip­ment giant Cis­co agreed to buy Source­fire for $2.7 bil­lion in cash, in a trans­ac­tion that reflect­ed what the New York Times called “the grow­ing fer­vor” for com­pa­nies that defend oth­er com­pa­nies from cyber­at­tacks and espi­onage.

    After the acqui­si­tion was announced, a for­mer mil­i­tary intel­li­gence offi­cer said he was astound­ed that Cis­co had paid so much mon­ey for a com­pa­ny whose flag­ship prod­uct is built on an open-source intru­sion detec­tion sys­tem called Snort, which any­one can use. It was a sign of just how valu­able cyber­se­cu­ri­ty exper­tise had become—either that or a mas­sive bub­ble in the mar­ket, the for­mer offi­cer said.

    But the com­pa­nies are bet­ting on a sure thing—government spend­ing on cyber­se­cu­ri­ty. The Pen­ta­gon cyber­se­cu­ri­ty bud­get for 2014 is $4.7 bil­lion, a $1 bil­lion increase over the pre­vi­ous year. The mil­i­tary is no longer buy­ing expen­sive mis­sile sys­tems. With the advent of drone air­craft many exec­u­tives believe the cur­rent gen­er­a­tion of fight­er air­craft will be the last ones built to be flown by humans. Spend­ing has plum­met­ed on the big-tick­et weapons sys­tems that kept Belt­way con­trac­tors flush through­out the Cold War, so they’re piv­ot­ing to the boom­ing cyber mar­ket.

    It should be inter­est­ing to see which com­pa­nies end up jump­ing into the counter-hack-attack-for-hire mar­ket. The com­pe­ti­tion could be fierce.

    Posted by Pterrafractyl | November 12, 2014, 2:39 pm
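    The Citadel account above describes the takedown only in outline: C2 traffic is cut off, and the defenders, now seeing which machines keep phoning home, can tell their owners to patch. The script below is an added illustration of that victim-triage step over a DNS sinkhole's query log. It is not Microsoft's, the Digital Crimes Unit's, or any real operation's tooling; the C2 domain names, IP addresses and log format are constructed for the example and labelled as such in the code.

```python
"""
Toy DNS-sinkhole victim triage (added illustration; not any real
takedown's tooling). Once a court order lets defenders point a botnet's
command-and-control (C2) domains at a server they control, the sinkhole
sees only infected machines that keep beaconing, and that list is what
lets victims, or the networks hosting them, be notified to clean up.
Domains, addresses and the log format below are constructed.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Hypothetical C2 domains assumed to be covered by the (fictional) order.
SINKHOLED_DOMAINS = {"cfg-update.example", "panel-sync.example"}

# Constructed sinkhole query log, one query per line:
#   <timestamp> <source-ip> <queried-name> <record-type>
SAMPLE_LOG = """\
2013-06-05T10:00:01Z 203.0.113.7 cfg-update.example A
2013-06-05T10:00:02Z 203.0.113.7 cfg-update.example A
2013-06-05T10:00:04Z 198.51.100.23 panel-sync.example A
2013-06-05T10:00:05Z 198.51.100.23 www.example.org A
2013-06-05T10:00:07Z 192.0.2.99 panel-sync.example A
2013-06-05T10:00:09Z this line is malformed
2013-06-05T10:00:10Z 203.0.113.7 CFG-UPDATE.EXAMPLE. A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def triage_sinkhole_log(log_text: str, sinkholed=SINKHOLED_DOMAINS) -> dict:
    """Return {source_ip: beacon_count} for queries to sinkholed C2 names.

    Malformed lines, invalid addresses and queries for unrelated names
    are skipped: a sinkhole also receives stray traffic and junk.
    """
    beacons = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, src, qname, _qtype = m.groups()
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue
        if normalize_name(qname) in sinkholed:
            beacons[src] += 1
    return dict(beacons)


def notification_list(beacons: dict, min_beacons: int = 1) -> list:
    """Victims sorted by beacon count, most persistent infection first."""
    hits = [(ip, n) for ip, n in beacons.items() if n >= min_beacons]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def group_by_network(beacons: dict, prefix_len: int = 24) -> dict:
    """Roll victims up per network prefix so each operator gets one report."""
    per_net = defaultdict(int)
    for ip, n in beacons.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[str(net)] += n
    return dict(per_net)


if __name__ == "__main__":
    counts = triage_sinkhole_log(SAMPLE_LOG)
    for ip, n in notification_list(counts):
        print(f"{ip:16} {n} beacon(s)")
    print(group_by_network(counts))
```

    The point of the per-network roll-up is practical: a sinkhole operator rarely contacts end users directly and instead sends one abuse report per network owner, which is also why the court-ordered, cooperative route in the article scales where an ad-hoc hack-back does not.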
    They are only showing what they want us to see. I think whatever they have now far exceeds the dense and blocky material you'll find in the Jacob Applebaum video below, except for a hint you'll find at 56:19 or so ("Portable" continuous wave radar generator). I think what they have now doesn't use wires or have any protocols I'm aware of. Dave talked about this before but I don't remember which show. Like the holographic projection system, but capable of doing a whole lot more.

    Jacob Apple­baum: To Pro­tect And Infect, Part 2 [30c3]
    https://www.youtube.com/watch?v=vILAlhwUgIU

    Posted by My Tinfoil Hat | November 13, 2014, 3:27 pm
    An Italian cybersecurity/antisecurity firm with a large number of government clients, Hacking Team, just got mega-hacked. 400 GB of internal documents are now released that verify allegations that Hacking Team sells its wares to governments with extensive human rights abuses. So, assuming this data/PR breach results in an end to those contracts, it's at least possible that the kind of powerful software that you really don't want in the wrong hands might not stay in the wrong hands. Of course, assuming nothing happens, Hacking Team just got a big free global advertisement. Either way, it's just one more example of the fact that efforts against government hacking abuses can't exclusively focus on government hacking abilities. Cyberwarfare that goes far beyond the abilities of your normal cyber-security expert can be privatized too. Privatized and, of course, sold to some of the worst governments on the planet:

    Reuters
    UPDATE 1‑Surveillance soft­ware mak­er Hack­ing Team gets taste of its own med­i­cine

    (Adds that com­pa­ny is rec­om­mend­ing that cus­tomers sus­pend use of spy gear)

    By Eric Auchard and Joseph Menn
    Tue Jul 7, 2015 3:30am IST

    (Reuters) — Italy’s Hack­ing Team, which makes sur­veil­lance soft­ware used by gov­ern­ments to tap into phones and com­put­ers, found itself the vic­tim of hack­ing on a grand scale on Mon­day.

    The con­tro­ver­sial Milan-based com­pa­ny, which describes itself as a mak­er of law­ful inter­cep­tion soft­ware used by police and intel­li­gence ser­vices world­wide, has been accused by anti-sur­veil­lance cam­paign­ers of sell­ing snoop­ing tools to gov­ern­ments with poor human rights records.

    Hack­ing Team’s Twit­ter account was hijacked on Mon­day and used by hack­ers to release what is alleged to be more than 400 giga­bytes of the com­pa­ny’s inter­nal doc­u­ments, email cor­re­spon­dence, employ­ee pass­words and the under­ly­ing source code of its prod­ucts.

    “Since we have noth­ing to hide, we’re pub­lish­ing all our emails, files and source code,” posts pub­lished on the com­pa­ny’s hijacked Twit­ter account said. The tweets were sub­se­quent­ly delet­ed.

    Com­pa­ny spokesman Eric Rabe con­firmed the breach, adding that “law enforce­ment will inves­ti­gate the ille­gal tak­ing of pro­pri­etary com­pa­ny prop­er­ty.”

    ...

    Hack­ing Team cus­tomers include the U.S. FBI, accord­ing to inter­nal doc­u­ments pub­lished Mon­day. That agency did not imme­di­ate­ly respond to a request for com­ment.

    One U.S. pri­va­cy rights activist hailed the pub­li­ca­tion of the stolen Hack­ing Team doc­u­ments as the “best trans­paren­cy report ever”, while anoth­er dig­i­tal activist com­pared the dis­clo­sures to a Christ­mas gift in July for anti-sur­veil­lance cam­paign­ers.

    Among the doc­u­ments pub­lished was a spread­sheet that pur­ports to show the com­pa­ny’s active and inac­tive clients at the end of 2014.

    Those list­ed includ­ed police agen­cies in sev­er­al Euro­pean coun­tries, the U.S. Drug Enforce­ment Admin­is­tra­tion and police and state secu­ri­ty organ­i­sa­tions in coun­tries with records of human rights abus­es such as Egypt, Ethiopia, Kaza­khstan, Moroc­co, Nige­ria, Sau­di Ara­bia and Sudan.

    Sudan’s Nation­al Intel­li­gence Secu­ri­ty Ser­vice was one of two cus­tomers in the client list giv­en the spe­cial des­ig­na­tion of “not offi­cial­ly sup­port­ed”.

    How­ev­er, a sec­ond doc­u­ment, an invoice for 480,000 euros to the same secu­ri­ty ser­vice, calls into ques­tion repeat­ed denials by the Hack­ing Team that it has ever done busi­ness with Sudan, which is sub­ject to heavy trade restric­tions.

    Hack­ing Team did not dis­pute the verac­i­ty of any of the doc­u­ments, though it said some reports that claimed to be based on them con­tained mis­state­ments.

    It said it would not iden­ti­fy any cus­tomers because of still-bind­ing con­fi­den­tial­i­ty agree­ments.

    The 12-year-old Hack­ing Team was named one of five pri­vate-sec­tor “Cor­po­rate Ene­mies of the Inter­net” in a 2012 report by Reporters With­out Bor­ders.

    Cit­i­zen Lab, a dig­i­tal rights research group affil­i­at­ed with the Uni­ver­si­ty of Toron­to, has pub­lished numer­ous reports link­ing Hack­ing Team soft­ware to repres­sion of minor­i­ty and dis­si­dent groups, as well as jour­nal­ists in a num­ber of coun­tries in Africa and the Mid­dle East.

    “Sudan’s Nation­al Intel­li­gence Secu­ri­ty Ser­vice was one of two cus­tomers in the client list giv­en the spe­cial des­ig­na­tion of “not offi­cial­ly sup­port­ed”.”

    Note that if this sounds awfully similar to the FinFisher hack that revealed that firm was also selling its powerful services to highly questionable client states, this is going to sound even more familiar: The same hacker that took down FinFisher hacked Hacking Team:

    Vice Moth­er­board
    Hack­er Claims Respon­si­bil­i­ty for the Hit on Hack­ing Team

    Writ­ten by
    Loren­zo Franceschi-Bic­chierai

    July 6, 2015 // 10:21 AM EST

    An online anti-sur­veil­lance cru­sad­er is back with a bang.

    Last year, a hack­er who only went by the name “Phineas­Fish­er” hacked the con­tro­ver­sial sur­veil­lance tech com­pa­ny Gam­ma Inter­na­tion­al, a British-Ger­man sur­veil­lance com­pa­ny that sells the spy­ware soft­ware Fin­Fish­er. He then went on to leak more than 40GB of inter­nal data from the com­pa­ny, which has been long crit­i­cized for sell­ing to repres­sive gov­ern­ments.

    That same hack­er has now claimed respon­si­bil­i­ty for the breach of Hack­ing Team, an Ital­ian sur­veil­lance tech com­pa­ny that sells a sim­i­lar prod­uct called Remote Con­trolled Sys­tem Galileo.

    On Sun­day night, I reached out to the hack­er while he was in con­trol of Hack­ing Team’s Twit­ter account via a direct mes­sage to @hackingteam. Ini­tial­ly, Phineas­Fish­er respond­ed with sar­casm, say­ing he was will­ing to chat because “we got such good pub­lic­i­ty from your last sto­ry!” refer­ring to a recent sto­ry I wrote about the company’s CEO claim­ing to be able to crack the dark web.

    He then went on to ref­er­ence the sto­ry pub­licly on Twit­ter, post­ing a screen­shot of an inter­nal email which includ­ed the link to my sto­ry.

    ...

    After­wards, how­ev­er, he also claimed that he was Phineas­Fish­er. To prove it, he told me he would use the par­o­dy account he used last year to pro­mote the Fin­Fish­er hack to claim respon­si­bil­i­ty.

    “I am the same per­son behind that hack,” he told me before com­ing out pub­licly.

    ...

    The hack­er, how­ev­er, declined to answer to any fur­ther ques­tions.

    In any case, now at least we know who is responsible for the massive hack of the controversial company, which has been accused on repeated occasions of selling its software to governments with questionable human rights records. Some of these customers were then caught using Hacking Team’s spyware against human rights activists or journalists.

    The leak of 400GB of inter­nal files con­tains “every­thing,” accord­ing to a per­son close to the com­pa­ny, who only spoke on con­di­tion of anonymi­ty. The files con­tain inter­nal emails between employ­ees; a list of cus­tomers, includ­ing some, such as the FBI, that were pre­vi­ous­ly unknown; and alleged­ly even the source code of Hack­ing Team’s soft­ware, its crown jew­els.

    So “PhineasFisher” repeated their FinFisher hack, this time against an Italian firm that appeared to have a very similar business model. Assuming PhineasFisher is a well-meaning “hacktivist”, the situation could certainly be worse.

    But, of course, when you read about how Vice Motherboard did a piece on Hacking Team’s assertion that it can now hack the dark web just last month, it’s also obvious that anyone, whether it’s another cyber security firm, another government, or another hacker outfit, anyone with an interest in hacking would want to learn how to do that. Or how to prevent someone else from doing that to them.

    In other words, when you’re hacking an organization like Hacking Team, even a “black hat” hacker is going to be incentivized to attempt to make it look like a “white hat” hack because it’s so easy to do given Hacking Team’s horrible client list. “White hat” hacking is a gimme cover even if all they wanted was the dark net stuff. But let’s hope it was totally a real “hacktivist” action by a “white hat” hacker anyway. It’s not only much more of a feel-good story, but the alternatives involving fake “white hat” hackers are actually rather feel-bad-ish. That Hacking Team source code that was apparently stolen sounds scary.

    Posted by Pterrafractyl | July 6, 2015, 11:23 pm
  8. Following yesterday’s triplet of “glitches” that took down the New York Stock Exchange, United Airlines, and the Wall Street Journal’s home page, a number of people are scratching their heads and wondering if Anonymous’s tweet the previous day, which simply stated, “Wonder if tomorrow is going to be bad for Wall Street.... we can only hope,” was somehow related. Hmmm....

    US offi­cials and the impact­ed com­pa­nies, how­ev­er, strong­ly deny that the tech­ni­cal dif­fi­cul­ties were any­thing oth­er than coin­ci­den­tal:

    Haaretz
    U.S. denies cyber-attack caused tech­ni­cal glitch­es at NYSE, Unit­ed Air­lines and WSJ
    Anony­mous hack­ers sug­gest they may be behind New York Stock Exchange fail; White House says no indi­ca­tion of mali­cious actors in tech­ni­cal dif­fi­cul­ties.
    By Oded Yaron | Jul. 8, 2015 | 11:23 PM

    A series of tech­ni­cal glitch­es in the Unit­ed States on Wednes­day morn­ing East­ern Time have sparked rumors of a coor­di­nat­ed cyber-attack. The New York Stock Exchange was shut down and Unit­ed Air­lines flights were ground­ed due to tech­ni­cal dif­fi­cul­ties. In addi­tion, the home page of the Wall Street Jour­nal’s web­site tem­porar­i­ly went down. Amer­i­can offi­cials, how­ev­er, denied any con­nec­tion between the events, insist­ing the Unit­ed States was not under attack.

    U.S. Home­land Secu­ri­ty Sec­re­tary Jeh John­son said tech­ni­cal prob­lems report­ed by Unit­ed and the NYSE were appar­ent­ly not relat­ed to “nefar­i­ous” activ­i­ty.

    “I have spo­ken to the CEO of Unit­ed, Jeff Smisek, myself. It appears from what we know at this stage that the mal­func­tions at Unit­ed and the stock exchange were not the result of any nefar­i­ous actor,” John­son said dur­ing a speech at the Cen­ter for Strate­gic and Inter­na­tion­al Stud­ies, a Wash­ing­ton think tank.

    “We know less about the Wall Street Jour­nal at this point, except that their sys­tem is in fact up again,” he added.

    On Tuesday, the Twitter account of the hacker group Anonymous posted a Tweet that read, “Wonder if tomorrow is going to be bad for Wall Street.... we can only hope.” On Wednesday afternoon, it tweeted, “#YAN Successfully predicts @NYSE fail yesterday. Hmmmm.”

    ...

    Unit­ed’s com­put­er glitch prompt­ed Amer­i­ca’s Fed­er­al Avi­a­tion Admin­is­tra­tion to ground all of the com­pa­ny’s depar­tures for almost two hours. Accord­ing to the air­line, more than 800 flights were delayed and about 60 were can­celed due to the prob­lem, which was lat­er resolved.

    In a state­ment, Unit­ed said it had suf­fered from “a net­work con­nec­tiv­i­ty issue” and a spokes­woman for the com­pa­ny said the glitch was caused by an inter­nal tech­nol­o­gy issue and not an out­side threat.

    The air­line, the sec­ond largest in the world, had a sim­i­lar issue on June 2, when it was forced to briefly halt all take­offs in the Unit­ed States due to a prob­lem in its flight-dis­patch­ing sys­tem.

    Just as Unit­ed was bring­ing its sys­tems back on-line, trad­ing on the New York Stock Exchange came to a halt because of a tech­ni­cal prob­lem and the Wall Street Jour­nal’s web­site expe­ri­enced errors.

    The New York Stock Exchange sus­pend­ed trad­ing in all secu­ri­ties on its plat­form short­ly after 11:30 A.M. for what it called an inter­nal tech­ni­cal issue, and can­celed all open orders. The exchange, a unit of Inter­con­ti­nen­tal Exchange Inc (ICE.N) said the halt was not the result of a cyber-attack. “We chose to sus­pend trad­ing on NYSE to avoid prob­lems aris­ing from our tech­ni­cal issue,” the NYSE tweet­ed about one hour after trad­ing was sus­pend­ed. Oth­er exchanges were trad­ing nor­mal­ly.

    A tech­ni­cal prob­lem at NYSE’s Arca exchange in March caused some of the most pop­u­lar exchange-trad­ed funds to be tem­porar­i­ly unavail­able for trad­ing. And in August 2013, trad­ing of all Nas­daq-list­ed stocks was frozen for three hours, lead­ing U.S. Secu­ri­ties and Exchange Com­mis­sion Chair Mary Jo White to call for a meet­ing of Wall Street exec­u­tives to insure “con­tin­u­ous and order­ly” func­tion­ing of the mar­kets.

    White House Spokesman Josh Earnest said Wednes­day that there was no indi­ca­tion of mali­cious actors involved in the tech­ni­cal dif­fi­cul­ties expe­ri­enced at the NYSE.

    ...

    Well, if Anony­mous did­n’t do the hack, it all points towards one obvi­ous and omi­nous expla­na­tion: Anony­mous has devel­oped psy­chic pre­cog­ni­tion abil­i­ties!

    Well, ok, there are non-para­nor­mal expla­na­tions, but if we are deal­ing with Anony­mous Who Stare at Goats, let’s hope they’re just lim­it­ed to the pre­cog abil­i­ties. Pre­cog Anony­mous would be messy enough on its own, but at least if it’s just the occa­sion­al pre­cog tweet that’s ok. Scan­ner Anony­mous might be a lit­tle too over the top.

    Posted by Pterrafractyl | July 9, 2015, 11:55 am
  9. Here’s an indication of just how sensitive the client list is for companies like “Hacking Team”, the Italy-based government-spyware firm that was recently hacked: South Korea’s intelligence agency, the National Intelligence Service, acknowledged Tuesday that it had indeed purchased Hacking Team software, but assured the public that it was only used to monitor North Korea and for other research purposes.

    A South Kore­an intel­li­gence agen­t’s dead body that was just found along­side a sui­cide note would appear to sug­gest oth­er­wise:

    Asso­ci­at­ed Press
    Dead S. Kore­an agent leaves note hint­ing at hack­ing scan­dal

    By KIM TONG-HYUNG

    July 18, 2015

    SEOUL, South Korea — A South Kore­an gov­ern­ment spy was found dead Sat­ur­day in an appar­ent sui­cide along­side a note that seemed to com­ment on the recent rev­e­la­tion that the spy agency had acquired hack­ing pro­grams capa­ble of inter­cept­ing com­mu­ni­ca­tions on cell­phones and com­put­ers, police said.

    A police offi­cial in Yon­gin city, just south of Seoul, said the 46-year-old Nation­al Intel­li­gence Ser­vice agent was found dead in his car, but would not reveal the agen­t’s name or details about the note, say­ing his fam­i­ly request­ed that the infor­ma­tion not be made pub­lic. The offi­cial spoke on con­di­tion of anonymi­ty, cit­ing office rules.

    The NIS said Tues­day that it had pur­chased the hack­ing pro­grams in 2012 from an Ital­ian com­pa­ny, Hack­ing Team, but that it used them only to mon­i­tor agents from rival North Korea and for research pur­pos­es. The sto­ry emerged ear­li­er this month when a search­able library of a mas­sive email trove stolen from Hack­ing Team, released by Wik­iLeaks, showed that South Kore­an enti­ties were among those deal­ing with the firm.

    The rev­e­la­tion is sen­si­tive because the NIS has a his­to­ry of ille­gal­ly tap­ping South Kore­ans’ pri­vate con­ver­sa­tions.

    ...

    Two NIS direc­tors who suc­ces­sive­ly head­ed the spy ser­vice from 1999 to 2003 were con­vict­ed and received sus­pend­ed prison terms for over­see­ing the mon­i­tor­ing of cell­phone con­ver­sa­tions of about 1,800 of South Kore­a’s polit­i­cal, cor­po­rate and media elite.

    On Thurs­day, South Kore­a’s Supreme Court ordered a new tri­al for anoth­er for­mer spy chief con­vict­ed of direct­ing an online cam­paign to smear a main oppo­si­tion can­di­date in the 2012 pres­i­den­tial elec­tion, won by cur­rent Pres­i­dent Park Geun-hye.

    Note that the 2012 online smear campaign allegedly directed by the former spy chief now facing a retrial didn’t appear to involve the use of any hacking tools, although with this Hacking Team revelation we’ll see if that continues to be the case (note that NIS reportedly purchased the software in 2012). No, he was convicted of directing sock-puppetry. Lots and lots of sock-puppetry.

    But also note that the NIS wasn’t the only intelligence agency caught up in the scandal. South Korea’s Cyberwarfare Command was also accused of the same political meddling:

    The New York Times
    For­mer South Kore­an Spy Chief Con­vict­ed in Online Cam­paign Against Lib­er­als

    By CHOE SANG-HUN
    SEPT. 11, 2014

    SEOUL, South Korea — A for­mer South Kore­an intel­li­gence chief accused of direct­ing agents who post­ed online crit­i­cisms of lib­er­al can­di­dates dur­ing the 2012 pres­i­den­tial elec­tion cam­paign was con­vict­ed Thurs­day of vio­lat­ing a law that banned the spy agency from involve­ment in domes­tic pol­i­tics.

    Won Sei-hoon, who served as direc­tor of the Nation­al Intel­li­gence Ser­vice under Pres­i­dent Park Geun-hye’s pre­de­ces­sor, Lee Myung-bak, was sen­tenced to two and a half years in prison, but the Seoul Cen­tral Dis­trict Court sus­pend­ed the sen­tence. Mr. Won had just been released from prison Tues­day after com­plet­ing a 14-month sen­tence stem­ming from a sep­a­rate cor­rup­tion tri­al.

    Pros­e­cu­tors indict­ed Mr. Won in June of last year, say­ing that a secret team of Nation­al Intel­li­gence Ser­vice agents had post­ed more than 1.2 mil­lion mes­sages on Twit­ter and oth­er forums in a bid to sway pub­lic opin­ion in favor of the con­ser­v­a­tive gov­ern­ing par­ty and its leader, Ms. Park, ahead of the pres­i­den­tial and par­lia­men­tary elec­tions in 2012.

    Many of the mes­sages mere­ly laud­ed gov­ern­ment poli­cies, but many oth­ers ridiculed lib­er­al crit­ics of the gov­ern­ment and of Ms. Park, includ­ing Ms. Park’s rivals in the pres­i­den­tial elec­tion. Some mes­sages called the lib­er­al politi­cians “ser­vants” of North Korea for hold­ing views on the North that con­ser­v­a­tives con­sid­ered too con­cil­ia­to­ry, pros­e­cu­tors said.

    For the spy agency to “direct­ly inter­fere with the free expres­sion of ideas by the peo­ple with the aim of cre­at­ing a cer­tain pub­lic opin­ion can­not be tol­er­at­ed under any pre­text,” the court said in its rul­ing on Thurs­day. “This is a seri­ous crime that shakes the foun­da­tion of democ­ra­cy.”

    But though Mr. Won was con­vict­ed of vio­lat­ing the law gov­ern­ing the spy agency, the court dis­missed a sep­a­rate charge: that he had vio­lat­ed the country’s elec­tion law, which pro­hibits pub­lic ser­vants gen­er­al­ly from inter­fer­ing in elec­tions. In explain­ing that deci­sion, the court said Mr. Won had not ordered his agents to sup­port or oppose any spe­cif­ic pres­i­den­tial can­di­date.

    That find­ing spared Ms. Park a poten­tial­ly seri­ous polit­i­cal lia­bil­i­ty. Had Mr. Won been con­vict­ed of vio­lat­ing the elec­tion law, it would have pro­vid­ed fod­der for crit­ics of Ms. Park who say that the agency’s online smear cam­paign under­mined the legit­i­ma­cy of her elec­tion. Ms. Park, who was elect­ed by a mar­gin of about a mil­lion votes, has said that she nei­ther ordered nor ben­e­fit­ed from such a cam­paign.

    ...

    The intel­li­gence ser­vice has denied try­ing to dis­cred­it oppo­si­tion politi­cians, say­ing that its online mes­sages were post­ed as part of a nor­mal cam­paign of psy­cho­log­i­cal war­fare against North Korea. It said the North was increas­ing­ly using the Inter­net to spread mis­in­for­ma­tion in sup­port of the Pyongyang gov­ern­ment and to crit­i­cize South Kore­an poli­cies, forc­ing its agents to defend those poli­cies online.

    The intel­li­gence agency was cre­at­ed to spy on North Korea, which is still tech­ni­cal­ly at war with the South. But over its his­to­ry, it has been repeat­ed­ly accused of med­dling in domes­tic pol­i­tics and of being used as a polit­i­cal tool by sit­ting pres­i­dents. In recent months, courts have acquit­ted two defec­tors from North Korea who had been indict­ed on charges of spy­ing for Pyongyang; the courts said the intel­li­gence ser­vice had kept them in soli­tary con­fine­ment for sev­er­al months, failed to pro­vide the sus­pects with appro­pri­ate access to lawyers and, in one case, even fab­ri­cat­ed evi­dence to build its cas­es.

    The South Kore­an military’s Cyber­war­fare Com­mand was also accused of smear­ing oppo­si­tion politi­cians online before the 2012 elec­tions. Last month, mil­i­tary inves­ti­ga­tors for­mal­ly asked pros­e­cu­tors to con­sid­er legal action against the for­mer heads of the com­mand, which was cre­at­ed in 2010 to guard against hack­ing threats from the North.

    “The intel­li­gence agency was cre­at­ed to spy on North Korea, which is still tech­ni­cal­ly at war with the South. But over its his­to­ry, it has been repeat­ed­ly accused of med­dling in domes­tic pol­i­tics and of being used as a polit­i­cal tool by sit­ting pres­i­dents.”

    It’s worth noting that the current president, Park Geun-hye, is the daughter of former president/military strongman Park Chung-hee, who set up the predecessor to the NIS in 1961.

    It’s also worth not­ing that if the South Kore­an gov­ern­ment was plan­ning on engag­ing in ille­gal domes­tic sur­veil­lance, Hack­ing Team’s soft­ware prob­a­bly was­n’t very nec­es­sary.

    Posted by Pterrafractyl | July 18, 2015, 2:50 pm
  10. A German police officer recently made the news after ‘arresting’ a squirrel following reports from a distressed woman that the critter was aggressively stalking her. Authorities determined that the squirrel was suffering from exhaustion and ordered the furry criminal to consume apples and honey tea as punishment.

    As far as stalk­er squir­rels go, it could have been worse. It could have been a robo-squir­rel. A robosquir­rel that’s inter­est­ed in a lot more than just your apples and hon­ey tea and specif­i­cal­ly inter­est­ed in your pass­words:

    Engad­get
    Boe­ing and Hack­ing Team want drones to deliv­er spy­ware

    by Jon Fin­gas
    July 18th 2015 at 9:27pm

    Forget safeguarding drones against hacks; if Boeing and Hacking Team have their way, robotic aircraft would dish out a few internet attacks of their own. Email conversations posted on WikiLeaks reveal that the two companies want drones to carry devices that inject spyware into target computers through WiFi networks. If a suspect makes the mistake of using a computer at a coffee shop, the drone could slip in surveillance code from a safe distance.

    The con­ver­sa­tion was still in the ear­ly stages as of the leak, so you don’t have to wor­ry about drones plant­i­ng bugs any time soon. It’s also unclear as to who the cus­tomers would be. While the NSA is fond of spy­ware, there’s no cer­tain­ty that it or oth­er US agen­cies would line up as cus­tomers. Still, don’t be sur­prised if mil­i­tary recon drones are even­tu­al­ly doing a lot more than snap­ping pic­tures.

    Yes, Hacking Team, the government spyware firm, just got hacked and now WikiLeaks is leaking its emails. And according to those emails, Hacking Team and Boeing apparently are thinking about putting a suite of hacking tools on a drone, and why not? That makes perfect sense and there are probably plenty of other companies and governments trying to do the same thing. It would be shocking if that wasn’t the case. Whether or not that involves robosquirrels remains to be seen, but the industry for cryptodrones that blend into the environment and can sneak up on people is one of those inevitable technological advances that threatens to turn reality into a paranoid schizophrenic’s worst nightmare someday.

    And no government will be required to create that nightmare, although they’ll surely contribute. The private sector demand for drones that can hunt someone down and do one of any number of possible tasks that go far beyond hacking will provide more than enough of the required demand for creating a de facto cryptodrone surveillance state. A public and private army of stalker robo-squirrels and robo-everything-else is just a matter of time. Why? Because it’s just a matter of time before that kind of drone technology is 3D printable or somehow available to the masses through some sort of do-it-yourself drone building technology. How many decades before 3D printable microdrones that are capable of highly sophisticated surveillance/hacking/whatever are just part of everyday reality because it’s all readily available through do-it-yourself manufacturing technology? That’s going to be really amazing and awesome when we can generate little robots on command, but it also pretty much guarantees an epidemic of public and private spy drones.

    So enjoy public wi-fi while you still can because hacker-stalker robo-squirrels are just a matter of time. And if that sounds alarming, just be glad the spy cyborg-squirrel or cyborg-any-critter technology isn’t going to be available any time soon. And hopefully never. Again.

    Posted by Pterrafractyl | July 19, 2015, 10:24 pm
  11. There was a rather startling report last year that was never proven but certainly possible: Did over 100,000 smart TVs, home networking routers, smart refrigerators and other “Internet of Things” devices get turned into a giant spam-spewing “botnet”? If so, since we’ve never seen proof that such a botnet exists, if it existed back in 2014 it presumably exists today too:

    Ars Tech­ni­ca
    Is your refrig­er­a­tor real­ly part of a mas­sive spam-send­ing bot­net?
    Ars unrav­els the report that hack­ers have com­man­deered 100,000 smart devices.

    by Dan Good­in — Jan 17, 2014 2:25pm CST

    Secu­ri­ty researchers have pub­lished a report that Ars is hav­ing a tough time swal­low­ing, despite con­sid­er­able effort chew­ing—a bot­net of more than 100,000 smart TVs, home net­work­ing routers, and oth­er Inter­net-con­nect­ed con­sumer devices that recent­ly took part in send­ing 750,000 mali­cious e‑mails over a two-week peri­od.

    The “thing­bots,” as Sun­ny­vale, Cal­i­for­nia-based Proof­point dubbed them in a press release issued Thurs­day, were com­pro­mised by exploit­ing default admin­is­tra­tion pass­words that had­n’t been changed and oth­er mis­con­fig­u­ra­tions. A Proof­point offi­cial told Ars the attack­ers were also able to com­man­deer devices run­ning old­er ver­sions of the Lin­ux oper­at­ing sys­tem by exploit­ing crit­i­cal soft­ware bugs. The 100,000 hacked con­sumer gad­gets were then cor­ralled into a bot­net that also includ­ed infect­ed PCs, and they were then used in a glob­al cam­paign involv­ing more than 750,000 spam and phish­ing mes­sages. The report con­tin­ued:

    The attack that Proof­point observed and pro­filed occurred between Decem­ber 23, 2013 and Jan­u­ary 6, 2014 and fea­tured waves of mali­cious email, typ­i­cal­ly sent in bursts of 100,000, three times per day, tar­get­ing Enter­pris­es and indi­vid­u­als world­wide. More than 25 per­cent of the vol­ume was sent by things that were not con­ven­tion­al lap­tops, desk­top com­put­ers or mobile devices; instead, the emails were sent by every­day con­sumer gad­gets such as com­pro­mised home-net­work­ing routers, con­nect­ed mul­ti-media cen­ters, tele­vi­sions and at least one refrig­er­a­tor. No more than 10 emails were ini­ti­at­ed from any sin­gle IP address, mak­ing the attack dif­fi­cult to block based on loca­tion – and in many cas­es, the devices had not been sub­ject to a sophis­ti­cat­ed com­pro­mise; instead, mis­con­fig­u­ra­tion and the use of default pass­words left the devices com­plete­ly exposed on pub­lic net­works, avail­able for takeover and use.

    The Proof­point report quick­ly went viral, with many main­stream news out­lets breath­less­ly report­ing the find­ings. The inter­est is under­stand­able. The find­ing of a sophis­ti­cat­ed spam net­work run­ning on 100,000 com­pro­mised smart devices is extra­or­di­nary, if not unprece­dent­ed. And while the engi­neer­ing effort required to pull off such a feat would be con­sid­er­able, the bot­net Proof­point describes is pos­si­ble. After all, many Inter­net-con­nect­ed devices run on Lin­ux ver­sions that accept out­side con­nec­tions over tel­net, SSH, and Web inter­faces.

    What’s more, in an age of James Bond-like infec­tions that bug thou­sands of air-gapped com­put­ers and cryp­to­graph­ic attacks that hijack Microsoft­’s Win­dows update mech­a­nism, a bot­net of refrig­er­a­tors, ther­mostats, and oth­er smart devices is by no means impos­si­ble. Last year, an anony­mous guer­ril­la researcher pre­sent­ed cred­i­ble evi­dence that he hijacked more than 420,000 Inter­net-con­nect­ed devices. The grow­ing num­ber of these devices and their advances in pro­cess­ing pow­er also make these sce­nar­ios increas­ing­ly fea­si­ble.

    Where’s the smok­ing gun?

    Still, there’s a sig­nif­i­cant lack of tech­ni­cal detail for a report with such an extra­or­di­nary find­ing. Among oth­er things, Proof­point pro­vid­ed no details about the soft­ware the researchers say com­pro­mised the devices; it said it did­n’t “sink­hole” or oth­er­wise mon­i­tor any of the com­mand-and-con­trol servers that would have been nec­es­sary to coor­di­nate bot­net activ­i­ties; and it did­n’t con­vinc­ing­ly explain how it arrived at the deter­mi­na­tion that 100,000 smart devices were com­man­deered. My doubts lin­gered even after a one-on-one inter­view with David Knight, gen­er­al man­ag­er of Proof­point’s infor­ma­tion secu­ri­ty divi­sion.

    Knight said Proof­point knows appli­ances sent the spam direct­ly because researchers scanned the IP address­es that sent the mali­cious e‑mails and received respons­es from the Inter­net inter­faces of name-brand devices. I point­ed out that many home net­works have dozens of devices con­nect­ed to them. How, I asked, did researchers deter­mine that spam was sent by, say, an infect­ed refrig­er­a­tor? Isn’t it pos­si­ble that a home net­work with a mis­con­fig­ured smart device might also have an infect­ed Win­dows XP lap­top that was churn­ing out the mali­cious e‑mails?

    Knight’s response: in some cas­es, the researchers direct­ly queried the smart devices on IP address­es that sent spam and observed that the appli­ances were equipped with the Sim­ple Mail Trans­fer Pro­to­col or sim­i­lar capa­bil­i­ties that caused them to send spam. In oth­er cas­es, the researchers deter­mined the devices were con­nect­ed direct­ly to the Inter­net rather than through a router, mak­ing them the only pos­si­ble source of the spam that came from that IP address.

    Again, what Proof­point is report­ing is plau­si­ble, but it does­n’t add up. Expe­ri­enced bot­net researchers know that esti­mat­ing the num­ber of infect­ed machines is a vex­ing­ly impre­cise endeav­or. No tech­nique is per­fect, but the scan­ning of pub­lic IP address­es is par­tic­u­lar­ly prob­lem­at­ic. Among oth­er things, the intri­ca­cies of net­work address trans­la­tion mean that the IP address foot­print of a home router will be the same as the PC, smart TV, and ther­mo­stat con­nect­ed to the same net­work.

    It’s also hard to under­stand why some­one would go to all the trou­ble of infect­ing a smart device and then use it to send just 10 spam mes­sages. Tra­di­tion­al spam bot­nets will push infect­ed PCs to send as many mes­sages as its resources allow. The bot­net report­ed by Proof­point requires too much effort and not enough reward.

    None of this is to say that the report­ed 100,000-strong smart-device bot­net does­n’t exist. And as most stu­dents of log­ic accept, it’s not fea­si­ble to prove a neg­a­tive. Still, the lack of evi­dence doc­u­ment­ing any mal­ware sam­ple or a com­mand and con­trol serv­er should give any reporter pause before repeat­ing such an extra­or­di­nary claim. The research method­ol­o­gy is also a red flag.

    I con­tact­ed Paul Roy­al, a research sci­en­tist at Geor­gia Tech who spe­cial­izes in net­work and sys­tem secu­ri­ty, and I asked for his take on the Proof­point report and the addi­tion­al infor­ma­tion pro­vid­ed by Knight. He was skep­ti­cal, too.

    “The aggre­gate of the infor­ma­tion does­n’t paint an ade­quate­ly com­pelling pic­ture that what they’re assert­ing occurred actu­al­ly occurred,” Roy­al said. “When you ask some­thing as sim­ple as how do you know the spam came from gad­gets they say: ‘Well, we looked at the IP address­es of the sys­tems send­ing the spam and when we pre­sum­ably probed them we observed that they were com­ing from set-top-box-like devices.’ The tech­ni­cal analy­sis of that shows that there could be plen­ty of oth­er expla­na­tions.”

    ...

    Was that Christmas spam you got in 2011 sent by the Great Proofpoint Botnet enabled via a large number of misconfigured Internet-ready devices that had vulnerabilities like default passwords still running?

    ...
    The attack that Proof­point observed and pro­filed occurred between Decem­ber 23, 2013 and Jan­u­ary 6, 2014 and fea­tured waves of mali­cious email, typ­i­cal­ly sent in bursts of 100,000, three times per day, tar­get­ing Enter­pris­es and indi­vid­u­als world­wide. More than 25 per­cent of the vol­ume was sent by things that were not con­ven­tion­al lap­tops, desk­top com­put­ers or mobile devices; instead, the emails were sent by every­day con­sumer gad­gets such as com­pro­mised home-net­work­ing routers, con­nect­ed mul­ti-media cen­ters, tele­vi­sions and at least one refrig­er­a­tor. No more than 10 emails were ini­ti­at­ed from any sin­gle IP address, mak­ing the attack dif­fi­cult to block based on loca­tion – and in many cas­es, the devices had not been sub­ject to a sophis­ti­cat­ed com­pro­mise; instead, mis­con­fig­u­ra­tion and the use of default pass­words left the devices com­plete­ly exposed on pub­lic net­works, avail­able for takeover and use.
    ...

    Sad­ly, we may nev­er know. We do know, how­ev­er, that chang­ing the default pass­word for any­thing con­nect­ed to the inter­net is a real­ly good idea. And if you have a large num­ber of inter­net-ready devices all con­nect­ed to the inter­net with their default pass­words still in place and oth­er mis­con­fig­u­ra­tions, the bot­net they described does seem very pos­si­ble:

    ...
    The find­ing of a sophis­ti­cat­ed spam net­work run­ning on 100,000 com­pro­mised smart devices is extra­or­di­nary, if not unprece­dent­ed. And while the engi­neer­ing effort required to pull off such a feat would be con­sid­er­able, the bot­net Proof­point describes is pos­si­ble. After all, many Inter­net-con­nect­ed devices run on Lin­ux ver­sions that accept out­side con­nec­tions over tel­net, SSH, and Web inter­faces.
    ...

    Did someone discover a massive number of internet-ready devices with their default passwords and other misconfigurations and create the greatest Christmas spam machine ever created? And does it still exist, dribbling out spam one device at a time? It’s possible.

    And since it’s also possible that you haven’t changed the default passwords on your devices, perhaps that’s something to look into. But while you can change your internet-ready devices’ passwords easily enough, for some internet-ready devices you might actually need to change more than just the password to secure them on the internet. You might need to change the whole device for a new one. Why? Because, as the article below points out, the emerging “Internet of Things”, especially the “Internet of Relatively Cheap Things”, might actually be the “Internet of Relatively Cheap Things Sharing the Same Set of Encryption Keys”:

    eWeek
    Cryptographic Key Reuse Exposed, Leaving Users at Risk

    A lack of unique keys in embedded devices is revealed, leaving such devices subject to impersonation, man-in-the-middle or passive decryption attacks.

    By Sean Michael Kerner | Posted 2015-11-30

    The promise of encryption is that it keeps information hidden from public view. But what happens when multiple devices share the same encryption key? According to a report from security firm SEC Consult, millions of devices are at risk because vendors have been reusing HTTPS and Secure Shell (SSH) encryption keys.

    “Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys,” CERT warns in vulnerability note #566724. “Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks.”

    Viehböck looked at more than 4,000 devices from 70 vendors and found only 580 unique private keys were in use. There is a significant amount of reuse across keys that SEC Consult has estimated to impact approximately 50 vendors and 900 products. CERT’s vulnerability note explains that for the majority of vulnerable devices, vendors reused certificates and keys across their own product lines.

    “There are some instances where identical certificates and keys are used by multiple vendors,” CERT’s vulnerability note states. “In these cases, the root cause may be due to firmware that is developed from common SDKs (Software Development Kits), or OEM (Original Equipment Manufacturer) devices using ISP-provided firmware.”

    Tod Beardsley, research manager at Rapid7, is not surprised at the SEC Consult findings. When auditing inexpensive embedded devices, his No. 1 complaint is when the administrative interface isn’t encrypted at all, he said.

    “However, even when I do see that there is an encrypted interface, they’re often vulnerable to the shared key problem detailed by VU#566724,” Beardsley told eWEEK. “The problem here is that it’s difficult for low-end, low-margin device managers to implement unique key generation on individual devices.”

    Plus, generating unique keys as part of the manufacturing process cuts into a vendor’s already thin margins, and designing something that generates a key on first use is going to require some development and quality assurance effort, Beardsley said.

    “The problem is that software developers and security architects haven’t yet come together to design an easy-to-use, push button library that embedded devices leverage routinely,” he said. “As technologists, we need to get ahead of this problem and design encryption solutions that are not only secure, but easy to implement.”

    Using hardcoded private keys is a security disaster, according to Dr. Yehuda Lindell, co-founder and chief scientist at Dyadic. Lindell sees a number of reasons why the private keys may have been left exposed and reused by multiple vendors.

    “Sometimes, keys are hardwired for the purpose of development and testing, and are just forgotten when moving the software into production,” Lindell told eWEEK. “Other times, developers don’t know where to put the keys and mistakenly think that hardwiring them is a good idea.”

    Angel Grant, senior manager at RSA, the security division of EMC, noted that security key management has always been a challenge and will continue to propagate as the Internet of things (IoT) expands.

    “There currently is no model of trust between machines, so organizations need to pause and think about the potential attack vectors that will leverage the potential computing power of IoT to create things like a Botnet of Things (BOTOT) or Thing in the Middle (TITM),” Grant told eWEEK.

    Best Practices

    There are a number of things that vendors can and should do to limit the risk of cryptographic key reuse. In many cases, however, the challenge lies with the actual end users of devices.

    “The problem with this sort of vulnerability is that the device owner [user] actually can’t do anything other than replace the device,” Lindell said. “It’s also not necessarily the case that a vendor can issue a simple firmware update. This is because not all of these devices may support such a remote update securely.”

    ...

    Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said his company along with the National Institute of Standards and Technology (NIST) recently issued a new publication titled Security of Interactive and Automated Access Management using Secure Shell (SSH). The NIST document provides guidance on several critical aspects of SSH, including its underlying technologies, inherent vulnerabilities and best practices for managing SSH keys throughout their life cycle.

    “All SSH access depends on the proper management and security of SSH keys,” Bocek said. “If your organization does not have an active SSH key management and security project, it is at risk.”

    There is also a short-term fix that can help to limit the risk of being exposed to reused cryptographic keys.

    “As far as protecting today’s vulnerable devices, moving them off the general Internet and into a VPN controlled network is probably the best short-term solution,” Beardsley suggested. “VPNs are an increasingly important component of modern enterprise networks. There are pretty easy-to-use interfaces on laptops, tablets and phones today, and their use is getting more normalized on otherwise public networks.”

    “The problem with this sort of vulnerability is that the device owner [user] actually can’t do anything other than replace the device”
    And note that if “replace device” becomes the default option following a future wave of IoT Botnet attacks, that’s going to be a lot of replaced devices:

    “Viehböck looked at more than 4,000 devices from 70 vendors and found only 580 unique private keys were in use. There is a significant amount of reuse across keys that SEC Consult has estimated to impact approximately 50 vendors and 900 products. CERT’s vulnerability note explains that for the majority of vulnerable devices, vendors reused certificates and keys across their own product lines.”

    A lot.

    But look on the bright side. At least botnets don’t fly through your neighborhood seeking vulnerable devices to infect with sophisticated malware. And when there eventually are botnets flying through the neighborhood, don’t forget that there’s always another bright side.

    Posted by Pterrafractyl | December 1, 2015, 9:26 pm
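The shared-host-key problem described in the eWeek excerpt above (VU#566724) is something you can check for on your own network before deciding which devices to wall off or replace. The block below is an added example, not code from the article, SEC Consult or CERT: it takes lines in the format `ssh-keyscan` prints, computes each key's OpenSSH-style SHA256 fingerprint, sanity-checks that the key type declared on the line matches the type encoded inside the blob, and reports any fingerprint seen on more than one host. The four sample lines, their addresses, the banner comment and the key blobs are constructed for the example and are not real device keys.

```python
"""Find SSH host keys shared by more than one device (the reuse class in
VU#566724). Added example, not from the eWeek article, SEC Consult or CERT.
Input is the format `ssh-keyscan` prints: "host keytype base64blob".
"""
import base64
import binascii
import hashlib
from collections import defaultdict

# Constructed sample scan of four hosts (hypothetical addresses, banner and
# key blobs, not real device keys). 10.0.0.1 and 10.0.0.2 deliberately
# carry the same blob, which is what the check is meant to catch.
SAMPLE_KEYSCAN = """\
# 10.0.0.1:22 SSH-2.0-dropbear_2012.55
10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qMDR1mA2Pn
10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qMDR1mA2Pn
10.0.0.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDZ9o8F1u1m0k1V1tT0k6bT8rSbH2hQ7Xo1k0s8Q0Yy
10.0.0.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc0XFbtZb1lW2w8z8Zl8w6uZt7t4fTQ1vFq6B9zvb6C
"""


def fingerprint(blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(raw key)."""
    raw = base64.b64decode(blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def embedded_type(blob: str) -> str:
    """Key type stored inside the blob as a uint32 length-prefixed string.
    It should agree with the type column; a mismatch means a corrupt or
    hand-edited line rather than a real host key."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 4:
        return ""
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) for each usable data line; skip comments,
    short lines, invalid base64 and lines whose declared type is wrong."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            if embedded_type(blob) != keytype:
                continue
        except (binascii.Error, ValueError):
            continue
        yield host, keytype, blob


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted host list, keeping only keys seen on >1 host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

To run it against real equipment, feed the output of `ssh-keyscan -t rsa,ed25519 -f hosts.txt` to `find_shared_keys`; any fingerprint that comes back with more than one host is a device whose private key is, by definition, not unique to it. The same grouping works for the HTTPS side of the report using certificate fingerprints from `openssl x509 -noout -fingerprint -sha256`.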
  12. Well, it’s been quite a year for the Internet of Hackable Things:

    Wired

    How the Internet of Things Got Hacked

    Andy Greenberg and Kim Zetter
    12.28.15, 7:00 am

    There was once a time when people distinguished between cyberspace, the digital world of computers and hackers, and the flesh-and-blood reality known as meatspace. Anyone overwhelmed by the hackable perils of cyberspace could unplug and retreat to the reliable, analog world of physical objects.

    But today, cheap, radio-connected computers have invaded meatspace. They’re now embedded in everything from our toys to our cars to our bodies. And this year has made clearer than ever before that this Internet of Things introduces all the vulnerabilities of the digital world into our real world.

    Security researchers exposed holes in everything from Wi-Fi-enabled Barbie dolls to two-ton Jeep Cherokees. For now, those demonstrations have yet to manifest in real-world malicious hacks, says security entrepreneur Chris Rouland. But Rouland, who once ran the controversial government hacking contractor firm Endgame, has bet his next company, an Internet-of-Things-focused security startup called Bastille, on the risks of hackable digital objects. And he argues that public understanding of those risks is on the rise. “2015 has been the pivotal year when we saw awareness and vulnerability discoveries published about ‘things’,” Rouland says. He’s added a new slogan to his PowerPoint presentations: “Cyber Barbie is now part of the kill chain.”

    Here are a few of the hacks that made 2015 the year of insecure internet things:

    Internet-Enabled Automobiles

    Security researchers Charlie Miller and Chris Valasek forever altered the automobile industry’s notion of “vehicle safety” in July when they demonstrated for WIRED that they could remotely hack a 2014 Jeep Cherokee to disable its transmission and brakes. Their work led Fiat Chrysler to issue an unprecedented recall for 1.4 million vehicles, mailing out USB drives with a patch for the vulnerable infotainment systems and blocking the attack on the Sprint network that connected its cars and trucks.

    That Jeep attack turned out to be only the first in a series of car hacks that rattled the auto industry through the summer. At the DefCon hacker conference in August, Marc Rogers, principal security researcher for CloudFlare, and Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, revealed a suite of vulnerabilities they found in the Tesla Model S that would have allowed someone to connect their laptop to the car’s network cable behind the driver’s-side dashboard, start the $100,000 vehicle with a software command, and drive off with it—or they could plant a remote-access Trojan on the car’s internal network to later remotely cut the engine while someone was driving. Other vulnerabilities they found could theoretically have been exploited remotely without needing physical access to the car first, though they didn’t test these. Tesla patched most of these in an over-the-air patch delivered directly to vehicles.

    Also at Defcon this year, security researcher Samy Kamkar showed off a book-sized device he’d created called OwnStar, which could be planted on a GM vehicle to intercept communications from a driver’s OnStar smartphone app and give the hacker the ability to geolocate the car, unlock it at will, and even turn on its engine. Kamkar soon found that similar tricks worked for BMW and Mercedes Benz apps, too. Just days later, researchers at the University of California at San Diego showed that they could remotely exploit a small dongle that insurance companies ask users to plug into their dashboards to monitor their car’s speed and acceleration. Through that tiny gadget’s radio, they were able to send commands to a Corvette that disabled its brakes.

    All of those high-profile hacks were meant to send a message not only to the automobile industry, but to the consumers and regulators who hold them accountable. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told WIRED after the Jeep hack. “This might be the kind of software bug most likely to kill someone.”

    Medical Devices

    Hacked cars aren’t the only devices in the Internet of Things that are capable of killing, of course. Critical medical equipment and devices also have software and architecture vulnerabilities that would let malicious actors hijack and control them, with potentially deadly consequences. Just ask the cardiologist for Dick Cheney who, fearing that an attacker could deliver a fatal shock to the former vice president through his pacemaker, disabled the device’s Wi-Fi capability during his time in office. Students at the University of Alabama showed why Cheney’s cardiologist had cause for concern this year when they hacked the pacemaker implanted in an iStan—a robotic dummy patient used to train medical students—and theoretically killed it. “[W]e could speed the heart rate up; we could slow it down,” Mike Jacobs, director of the university’s simulation program told Motherboard. “If it had a defibrillator, which most do, we could have shocked it repeatedly.”

    ...

    Drug infusion pumps—which dole out morphine, chemotherapy, antibiotics, and other drugs to patients—were also in the spotlight this year. Security researcher Billy Rios took a special interest in them after he had a stint in the hospital for emergency surgery. After taking a close look at the ones that were used in his hospital, Rios found serious vulnerabilities in them that would allow a hacker to surreptitiously and remotely change the dose of drugs administered to patients. The pump maker patched some of the vulnerabilities but insisted others weren’t a problem.

    The Federal Drug Administration, which oversees the safety approval process of medical equipment, has taken note of the problems found in all of these devices and others and is beginning to take steps to remedy them. The federal agency began working this year with a California doctor to find a way to fix security problems found in insulin pumps specifically. But the remedies they devise for these pumps could serve as a model for securing other medical devices as well.

    Unfortunately, many of the problems with medical devices can’t be fixed with a simple software patch—instead, they require the systems to be re-architected. All of this takes time, however, which means it could be years before hospitals and patients see more secure devices.

    Everything Else

    For any given consumer product, there seemed to be at least one company this year who eagerly added Wi-Fi to it. Securing that Wi-Fi, on the other hand, seemed to be a more distant priority.

    When Mattel added Wi-Fi connectivity to its Hello Barbie to enable what it described as real-time artificially intelligent conversations, it left its connection to the Hello Barbie smartphone app open to spoofing and interception of all the audio the doll records. A Samsung “smart fridge,” designed to sync over Wi-Fi with the user’s Google Calendar, failed to validate SSL certificates, leaving users’ Gmail credentials open to theft. Even baby monitors, despite the creepy risk of hackers spying on kids, remain worryingly insecure: A study from the security firm Rapid7 found that all nine of the monitors it tested were relatively easy to hack.

    Not even guns have been spared from the risks of hacking. Married hacker couple Runa Sandvik and Michael Auger in July showed WIRED that they could take control of a Wi-Fi-enabled TrackingPoint sniper rifle. Sandvik and Auger exploited the rifle’s insecure Wi-Fi to change variables in the gun’s self-aiming scope system, allowing them to disable the rifle, make it miss its target, or even make it hit a target of their choosing instead of the intended one. “There’s a message here for TrackingPoint and other companies,” Sandvik told WIRED at the time. “When you put technology on items that haven’t had it before, you run into security challenges you haven’t thought about before.” That rule certainly applies to any consumer-focused company thinking of connecting their product to the Internet of Things. But for those whose product can kill—whether a gun, a medical implant, or a car—let’s hope the lesson is taken more seriously in 2016.

    That was, uh, a bit terrifying. It’s almost hard to choose the creepiest hack from such a selection, although that hackable Barbie Doll just might have the greatest creep potential.

    Posted by Pterrafractyl | December 29, 2015, 11:29 am
  13. If you’ve ever wondered why it is that online web ads, which are often little programs you can interact with, aren’t avenues for infecting your computer with malware, here’s your answer: you were wondering incorrectly because online advertisements are already increasingly “malvertisements”:

    Ad Age
    What You Should Know About Yahoo’s Malvertising Attack
    Malwarebytes’ Jerome Segura Explains How the Attack Happened and How People Can Protect Themselves

    By Tim Peterson. Published on August 05, 2015.

    People often cite lethargic page-load speeds or general aesthetics as the reasons they install ad-blocking software on their web browsers. But hackers are making perhaps the best case for people to block banner ads — and for advertisers and publishers to take ad-blocking seriously.

    Hackers have been exploiting Adobe’s Flash software, which brands use to make and display visually appealing and interactive online ads, to take over personal computers entirely and hold them hostage, or to send fake traffic to sites built to siphon ad spending. According to cybersecurity company RiskIQ, the number of ads created for malicious reasons — called “malvertisements” — increased by 260% in the first quarter from the period a year earlier.

    On Monday cybersecurity company Malwarebytes said Yahoo’s ad network had fallen victim to a “malvertising” attack. Yahoo said in a statement that its team took action as soon as it learned of the issue but that “the scale of the attack was grossly misrepresented in initial media reports.”

    Ad Age spoke with Malwarebytes’ senior security researcher, Jerome Segura, to understand why these types of attacks appear to be happening more often, what Flash has to do with it and what can be done to prevent future attacks. Adobe declined to comment.

    The transcript has been condensed for clarity and length.

    Advertising Age: How did this happen? Yahoo’s one of the biggest online publishers out there and operates one of the higher-profile ad networks, so it seems like they should be among the least vulnerable to this kind of attack.

    Jerome Segura: Right, exactly. It is quite unusual to see, in this case, the publisher and the advertiser caught at the same time. We have observed malicious advertising before where you have companies like Google’s DoubleClick where the ads are displayed on various websites. But in this case it was on the main Yahoo site as well as some of the various portals. The malvertising attack itself, the chain went through a third-party ad server called AdJuggler that Yahoo had been dealing with already. What happened is a rogue advertiser basically abused AdJuggler, which in turn affected Yahoo because they were publishing their ads on their main site.

    One of the big issues of malvertising: There are many layers and this is due to things like real-time bidding where various advertisers can bid on an ad using ad platforms. It’s a very complex situation. There are billions of impressions each day. I think Yahoo itself admitted in its statement that this is a problem that comes with the business of online advertising. You won’t be able to catch all of the attacks before they actually happen. To some extent I think that’s true.

    Ad Age: The crazy thing to me is that, from what I’ve read, it sounds like the easiest part of all this is in getting these bad ads to run on publishers’ sites.

    Mr. Segura: There are many techniques that cybercriminals are using to fool ad networks and advertising agencies. For starters it’s quite easy on a lot of ad networks — maybe not Yahoo’s — to register an account as an advertiser and start uploading your ad and bidding for spots. It’s very anonymous. You can register without providing a lot of information necessarily. There is not really a very strong barrier to entry for advertisers to start going on to ad platforms and pushing their ads. One of the reasons is they’re willing to give money to the ad networks to run the ads, like any normal advertiser, so it is in the ad networks’ interest to have the advertisers come and upload their creative.

    It is definitely an issue that’s been shown and a lot of people have wondered how is this possible and isn’t there some kind of monitoring in place to detect these kinds of advertisers that are malicious in nature. There are different techniques that are used. Some advertisers will start legitimately to gain the trust of the ad network and later turn on ads that are malicious, but only activate them a few times a day to not create too much noise.

    Others that know they will be caught, once they get into an ad network they push it as much as possible in a short time frame before somebody actually notices the irregular activity and shuts them down. Because it’s a very layered, complex system and billions of impressions, there is always room for abuse.

    Ad Age: From an audience perspective, one of the scarier pieces of this is that if I visited one of Yahoo’s affected sites while these bad ads were running, my computer could have been infected even if I didn’t click on any ads, right?

    Mr. Segura: Exactly. Malvertising does not require any user interaction. Simply browsing in this case to Yahoo.com and the page loading with the ad would be enough for the code to silently try to infect your computer. In terms of how successful that is, it’s actually pretty, pretty high. There was a report from Cisco that showed that in 40% of cases users that were faced with a malvertising attack would be infected because in most cases their computers aren’t fully secured properly. The 40% ratio of infection is definitely something that the bad guys are enjoying at the moment because they know when they run one of these malvertising campaigns, the budget they dedicate to it will see a good return on investment.

    Ad Age: It feels like these malvertising attacks are happening more often. RiskIQ said that 260% more malvertisements ran in the first quarter of this year than in the first quarter of last year. Why are these becoming more common?

    Mr. Segura: That’s a good question. First of all those numbers are only attacks that have been detected. There are a lot of other attacks happening that nobody really sees or is able to immediately pinpoint. One example of this is earlier this year there was a malvertising attack that lasted almost two months and used a zero-day exploit — exploiting a vulnerability before the software maker is aware of the vulnerability — in the Flash player. But overall you’re right. The trend is that there are more attacks and the campaigns seem to last longer and affect sites that have higher profiles. I think one of the primary reasons is right now cybercriminals have a lot of vulnerabilities and exploits that work really well. In the last few months we have had several Flash player zero-days or vulnerabilities where there was no patch from the vendor for several days yet the exploits were already being used for malvertising attacks. The current situation, especially due to those Flash player exploits, is making it increasingly attractive for cybercriminals.

    Ad Age: Why does Flash always seem to be at the root of these malvertising attacks?

    Mr. Segura: Typically cybercriminals try to exploit a piece of software that is very common and also give them a good return in terms of the effort spent trying to find exploits. With Flash what’s interesting is we’ve seen in a few high-profile cases where you can combine the exploit — that is going to find the vulnerability in the Flash player and be able to open the machine for an infection — and combine that with the advert itself in one package. So not only can you have an ad that works perfectly fine in Flash, but that ad contains the exploit code. It’s pretty unique. It’s not something you can do with other plug-ins or pieces of software. In terms of what is required from the attacker point of view, it’s pretty much streamlined. It’s a very efficient way to compromise systems.

    ...

    Ad Age: Is this a desktop-only problem, or is it something that’s also going on with the mobile web or even ads in mobile apps?

    Mr. Segura: This particular Yahoo case was for desktop computers and Windows computers. But malvertising in general isn’t just about malware. We see actually a lot of malvertising that targets mobile devices and is not primarily malware-related, like downloading an app you weren’t prepared for. More recently we’ve seen malvertising attacks that have these pop-ups you couldn’t get rid of for tech-support scams. That was very popular on Apple’s iOS. You’d be browsing a site and this pop-up would not let you close it and ask you to call a number for support, which turned out to be a scam. As the number of users on mobile has surpassed desktop users, malvertisers are infecting or exploiting users in different ways.

    Ad Age: What can publishers do about this?

    Mr. Segura: They don’t have a lot of control in all of this unfortunately. Most of them offer content for free, so advertising is part of their revenue and an important part of their revenue. In terms of how to minimize this, one of the important things they can do is pick advertisers wisely and go for a well known, top-level ad network, for example Google’s DoubleClick or Yahoo Bing Contextual Ads. You know, the major ones. These traditionally have more resources and stricter controls in terms of quality assurance in terms of the type of ads that go through. So you are definitely minimizing your risk by going with a popular ad network.

    Ad Age: Wouldn’t Yahoo’s ad network have been considered in that tier, at least before this attack was revealed? And so how comfortable should people feel with DoubleClick or Bing’s network until something potentially happens and they’re affected just like Yahoo has been?

    Mr. Segura: It’s perfectly valid. Overall the number of incidents for the major ad networks is much, much lower than those that are less reputable. There’s no such thing as no incident when it comes to security. It’s about the frequency but also the duration of an incident. So by going with a major ad network, you know that they’re more likely to respond in a timely manner. That’s what really matters, I think.

    Ad Age: What about advertisers and ad networks? What can they do?

    Mr. Segura: They already have a lot of things in place to detect fraud. For example when a new advertiser comes on board, they don’t let them get the full privilege of running campaigns on major sites. They might start with a subset of sites that are lower profile, and they also may have certain features that are disabled by default. For example, they might only be able to carry text-based ads until they’ve been around for long enough that they’re trusted and can now introduce more dynamic ads, Flash-based ads for example. Overall what they really can do is — knowing that incidents do happen — they need to prepare themselves for what to do when they happen: what is the response, how fast can they react to an incident. Each second that goes by, somebody else is getting infected.

    Ad Age: What can people do to protect themselves from getting infected?

    Mr. Segura: Getting your computers patched is the primary piece of advice anybody can give. Obviously a lot of machines aren’t patched and are getting compromised because of that. But with what’s happened this year, we’ve seen that patching is not enough because there are more and more zero-day exploits out there. People need to start thinking of going beyond patching. Traditionally we’ve been talking about anti-virus and anti-malware software, which is critical.

    But the problem is with a lot of these attacks, because they’re happening in real time, the malware that is being distributed is so novel that most antivirus software products aren’t even detecting it at the specific time it’s been released. That’s because criminals are able to test the malware by running it against antivirus software. The next solution is being able to block attacks as early as possible. With Flash-based attacks, one of the simple things you can do is to either remove Flash, which in the long term I don’t think is the best solution because eventually attackers will move to something else. Or there’s a feature in Flash that allows the user to activate Flash when they need it. That’s a major component in your defence because all these drive-by-download attacks assume that Flash is enabled by default. Looking at the scope of the attacks, they target vulnerabilities wherever they are in the browser. So users need to be able to use the right tools that prevent the vulnerabilities from being exploited.

    “With Flash-based attacks, one of the simple things you can do is to either remove Flash, which in the long term I don’t think is the best solution because eventually attackers will move to something else. Or there’s a feature in Flash that allows the user to activate Flash when they need it. That’s a major component in your defence because all these drive-by-download attacks assume that Flash is enabled by default”
    Word to the wise.

    So if you’re a Windows user who goes to sites like the New York Times or the BBC and you also have Adobe Flash or Microsoft Silverlight installed, you probably want to change those Adobe Flash permissions. Soon. Or better yet, yesterday:

    Ars Technica

    Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated]
    New malvertising campaign may have exposed tens of thousands in the past 24 hours.

    by Dan Goodin — Mar 15, 2016 12:37pm CDT

    Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

    The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when “Angler,” a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

    According to a separate blog post from Trustwave’s SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

    ...

    Update: According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend, almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexus, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[c],biz and talk915[.]pw.

    The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.

    “The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when “Angler,” a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.”
    So, all in all, it sounds like we have a crypto-ransomware-mini-pocalypse due largely to malicious elements predictably infiltrating an online marketing industry that operates on trust. You have to wonder if this kind of misplaced trust is limited to online “malvertisement” peddlers. Hmmm...

    Posted by Pterrafractyl | March 16, 2016, 2:26 pm
  14. This probably should go without saying, but if you own a smartphone running Google’s Android operating system, it’s really not a good idea to download apps from anywhere other than the Google Play store. Even if you really, really, really want to play Pokemon Go:

    Proofpoint

    DroidJack Uses Side-Load…It’s Super Effective! Backdoored Pokemon GO Android App Found

    Proofpoint Staff
    Thursday, July 7, 2016 — 18:30

    Overview

    Pokemon GO is the first Pokemon game sanctioned by Nintendo for iOS and Android devices. The augmented reality game was first released in Australia and New Zealand on July 4th and users in other regions quickly clamored for versions for their devices. It was released on July 6th in the US, but the rest of the world will remain tempted to find a copy outside legitimate channels. To that end, a number of publications have provided tutorials for “side-loading” the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for.

    In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone. The DroidJack RAT has been described in the past, including by Symantec [2] and Kaspersky [3]. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.

    Likely due to the fact that the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties. Additionally, many large media outlets provided instructions on how to download the game from a third party [4,5,6]. Some even went further and described how to install the APK downloaded from a third party [7]:

    “To install an APK directly you’ll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the “unknown sources” checkbox.”

    Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices. Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.

    Individuals worried about whether or not they downloaded a malicious APK have a few options to help them determine if they are now infected. First, they may check the SHA256 hash of the downloaded APK. The legitimate application that has been often linked to by media outlets has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67, although it is possible that there are updated versions already released. The malicious APK that we analyzed has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.

    Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings -> Apps -> Pokemon GO and then scrolling down to the PERMISSIONS section. Figure 1 shows a list of permissions granted to the legitimate application. These permissions are subject to change depending on the device’s configuration; for example the permissions “Google Play billing service” and “receive data from Internet” are not shown in the image but were granted on another device when downloading Pokemon GO from the Google Play Store. In Figures 2 and 3, the outlined permissions have been added by DroidJack. Seeing those permissions granted to the Pokemon GO app could indicate that the device is infected, although these permissions are also subject to change in the future.

    ...

    Conclusion

    Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable. Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware. As in the case of the compromised Pokemon GO APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.

    Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices. Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

    “Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices. Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

    That is indeed good advice: Just say No to “side-downloading”. Be safe and download your malware apps from the Google Play store:

    Ars Technica

    Fake Pokémon Go app on Google Play infects phones with screenlocker
    “Pokemon Go Ultimate” requires battery removal or Device Manager to be uninstalled.

    by Dan Goodin — Jul 15, 2016 2:20pm CDT

    Badware purveyors trying to capitalize on the ongoing Pokémon Go frenzy have achieved an important milestone by sneaking their fake wares into the official Google Play marketplace, security researchers said Friday.

    Researchers from antivirus provider Eset report finding at least three such apps in the Google-hosted marketplace. Of the three, the one titled “Pokemon Go Ultimate” posed the biggest threat because it deliberately locks the screen of devices immediately after being installed. In many cases, restarting an infected phone isn’t enough to unlock the screen. Infected phones can ultimately be unlocked either by removing the battery or by using the Android Device Manager.

    Once the screen has been unlocked and the device has restarted, the app—which by now has the title PI Network—is removed from the device’s app menu. Still, it continues to run in the background and surreptitiously clicks on ads in an attempt to generate revenue for its creators.

    “This is the first observation of lockscreen functionality being successfully used in a fake app that has landed on Google Play,” Eset malware researcher Lukas Stefanko wrote in Friday’s post. “It is important to note that from there it takes just one small step to add a ransom message and create the first lockscreen ransomware on Google Play.”

    Eset discovered two other fake Pokémon Go apps inhabiting Google Play, one named “Guide & Cheats for Pokemon Go” and the other “Install Pokemongo.” Both deliver ads carrying fraudulent, scary-sounding messages that are designed to trick users into buying expensive, unnecessary services. One such message claims the device is infected with malware and prompts the user to spend money to get the malicious apps removed.

    ...

    The apps are by no means the first case of scammers attempting to exploit the ongoing Pokémon Go craze. Last week, researchers from security firm Proofpoint discovered a backdoored version of the Pokémon Go app. It contained all the functions of the legitimate app, but behind the scenes it also included a remote access tool called DroidJack (aka SandroRAT), which gives an attacker full control over an infected phone.

    The malicious app was available in third-party app stores. While many people rightly avoid such marketplaces because of the increased chances that they include harmful wares, some die-hard Pokémon fans have been tempted to suspend the taboo against sideloading because the official Pokémon Go hasn’t been available in many countries. The apps discovered by Eset, by contrast, were available in Google Play. Google removed them after Eset reported them. The continued presence of malicious apps inside the official Android marketplace underscores the significant limits of Google’s attempts to detect malicious or abusive behavior before admitting titles.

    People who want to run Pokémon Go on their Android phone should download the app only from Google Play, and even then, they should closely inspect the publisher, the number of downloads, and other data for signs of fraud before installing.

    “People who want to run Pokémon Go on their Android phone should download the app only from Google Play, and even then, they should closely inspect the publisher, the number of downloads, and other data for signs of fraud before installing.

    Isn’t getting software in the smartphone era fun. It’s free. And easy to access. And maybe or maybe not a malware trojan horse. The software industry has always had to worry about shady operators peddling malicious software. But in the pre-internet age you didn’t have to worry as much about anyone with any internet connection selling you software. It was more of a pain in the ass to get you to install malware. Especially since the software you were installing wasn’t connected to a global internet that could relay your information back to whoever sold you the malware.

    But nowadays, treasure troves of our personal digital information are bundled into one pocket-sized device we all carry around that’s designed to download apps from trusted places like the Google Play store that apparently allow in some rather nasty content. But these Pokemon Go malware apps weren’t just random nasty content. They were content extremely related to the rollout of Pokemon Go, an app co-developed by the Google spinoff Niantic. That’s disturbing. Especially because Google is supposed to be manually reviewing all its Google Play store apps now:

    TechCrunch

    App Submissions On Google Play Now Reviewed By Staff, Will Include Age-Based Ratings

    Posted Mar 17, 2015 by Sarah Perez (@sarahintampa)

    Google Play, Google’s marketplace for Android applications which now reaches a billion people in over 190 countries, has historically differentiated itself from rival Apple by allowing developers to immediately publish their mobile applications without a lengthy review process. However, Google has today disclosed that, beginning a couple of months ago, it began having an internal team of reviewers analyze apps for policy violations prior to publication. And going forward, human reviewers will continue to go hands-on with apps before they go live on Google Play.

    Additionally, Google announced the rollout of a new age-based ratings system for games and apps on Google Play, which will utilize the scales provided by a given region’s official ratings authority, like the Entertainment Software Rating Board (ESRB) here in the U.S.

    According to Purnima Kochikar, Director of Business Development for Google Play, Google has been working to implement the new app review system for over half a year. The idea, she says, was to figure out a way to catch policy offenders earlier in the process, without adding friction and delays to the app publishing process. To that end, Google has been successful, it seems – the new system actually went live a couple of months ago, and there have been no complaints. Today, Android apps are approved in hours, not days, despite the addition of human reviewers.

    “We started reviewing all apps and games before they’re published – it’s rolled out 100%,” says Kochikar. “And developers haven’t noticed the change.”

    The reason why Google’s app review team is able to process app submissions so quickly is because the system also includes an automated element. Before app reviewers are presented with the applications, Google uses software to pre-analyze the app for things like viruses and malware as well as other content violations. For example, its image analysis systems are capable of automatically detecting apps that include sexual content, as well as those that infringe on other applications’ copyright.

    Google didn’t want to get into the specifics of what it’s capable of in terms of automation, but notes that it can identify a number of violations beyond just the inclusion of malware.

    “We’re constantly trying to figure out how machines can learn more,” explains Kochikar. “So whatever the machines can catch today, the machines do. And whatever we need humans to weigh in on, humans do.”

    Though Google uses more machine-aided processes in reviewing applications than Apple does currently, Kochikar admits that with regard to its human element, Google’s system may not be “as robust” as those from “rivals.” That is, Google is trying to balance being able to catch the violations earlier without impacting the time it takes to get an app published to its Android app marketplace.

    The new system also means that developers will now be able to see their app’s publication status in more detail, and learn quickly if and why an app has been rejected or suspended, says Google. In the Developer Console, app creators will see their app’s latest publishing status, allowing them to easily fix problems and resubmit apps after correcting minor violations.

    ...

    Google Play, Google’s marketplace for Android applications which now reaches a billion people in over 190 countries, has historically differentiated itself from rival Apple by allowing developers to immediately publish their mobile applications without a lengthy review process. However, Google has today disclosed that, beginning a couple of months ago, it began having an internal team of reviewers analyze apps for policy violations prior to publication. And going forward, human reviewers will continue to go hands-on with apps before they go live on Google Play.

    The hands-on human testing of the Pokemon Go screenlock malware app must have used some pretty lenient criteria. But at least it was rolled out in time for the big Pokemon Go rollout.

    It’s one more reminder that the debates over the trade-offs between digital security and convenience aren’t just about the convenience and lower costs for end users with privacy-infringing, yet convenient and free features that tantalize us. It’s also about the convenience and profits of app developers and distributors like Google and the convenience and profits of operating system and hardware developers. Like Google.

    As Google’s rival distributor Apple found out in September, even trusted developers can accidentally but innocently end up being the malware vector through common mistakes or shortcuts that Apple’s human reviewers didn’t catch. Which is to be expected in some cases because human reviewing means human error.

    But the fact a Pokemon Go screenlock app made it onto the Google Play store during the week of the big Pokemon Go rollout indicates that there might be some serious systemic issues with the app review system, which raises serious questions about just how much malware is really floating around on the supposedly vetted mainstream app stores. Probably a lot.

    Posted by Pterrafractyl | July 16, 2016, 10:50 pm
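    The two checks the Proofpoint post describes for a sideloaded APK, the SHA-256 comparison and the permission review, as an added Python example (not Proofpoint’s code): the two hashes are the ones quoted in the post, while the baseline permission set, the sample `aapt dump badging` output and the extra permissions in it are constructed for illustration, since the post shows the DroidJack-added permissions only in its figures.

```python
"""Sideloaded-APK sanity check: hash the file and compare against known digests,
then diff the permissions it declares against a known-good build.
Added example; the two SHA-256 values come from the Proofpoint post, everything
else (permission lists, sample aapt output) is constructed."""
import hashlib
import re

# SHA-256 digests quoted in the Proofpoint post (lowercase hex).
KNOWN_GOOD = {
    "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67":
        "Pokemon GO APK commonly linked by media outlets",
}
KNOWN_BAD = {
    "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4":
        "Pokemon GO APK backdoored with DroidJack",
}

# Constructed baseline of permissions treated as expected for the clean build.
# NOT taken from the post's figures; substitute the real list from a Play Store install.
BASELINE_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.VIBRATE",
    "com.android.vending.BILLING",
})

# `aapt dump badging <apk>` prints one line per declared permission, either as
# "uses-permission: name='X'" (current aapt) or "uses-permission:'X'" (older aapt).
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'")


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed so a large APK is not loaded into RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest):
    """Map a SHA-256 hex digest to 'known-bad', 'known-good' or 'unknown'.
    Comparison is case-insensitive; known-bad takes precedence."""
    d = digest.strip().lower()
    if d in KNOWN_BAD:
        return "known-bad"
    if d in KNOWN_GOOD:
        return "known-good"
    return "unknown"


def permissions_from_badging(badging_text):
    """Collect the declared permission names from `aapt dump badging` output."""
    perms = set()
    for line in badging_text.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def extra_permissions(observed, baseline=BASELINE_PERMISSIONS):
    """Permissions the sideloaded build declares that the baseline build never did.
    A RAT grafted onto a game has to request what the game itself never needed."""
    return sorted(set(observed) - set(baseline))


def assess_apk(digest, badging_text, baseline=BASELINE_PERMISSIONS):
    """Combine both checks. An unknown hash alone proves nothing (the post notes that
    updated builds exist), so the permission delta decides in that case."""
    hash_verdict = classify_hash(digest)
    extra = extra_permissions(permissions_from_badging(badging_text), baseline)
    if hash_verdict == "known-bad":
        verdict = "malicious"
    elif extra:
        verdict = "suspicious"
    elif hash_verdict == "known-good":
        verdict = "matches known build"
    else:
        verdict = "unverified"
    return {"hash": hash_verdict, "extra_permissions": extra, "verdict": verdict}


# Constructed aapt output for a build that declares three permissions the baseline
# never had (illustrative names, not DroidJack's actual manifest).
SAMPLE_BADGING = """\
package: name='com.example.sideloaded' versionCode='1' versionName='0.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='com.android.vending.BILLING'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CALL_LOG'
"""

# Constructed aapt output for a build whose permissions match the baseline exactly.
CLEAN_BADGING = "\n".join(
    "uses-permission: name='%s'" % p for p in sorted(BASELINE_PERMISSIONS)) + "\n"

if __name__ == "__main__":
    import sys
    # Usage: python check_apk.py <file.apk> <badging.txt>  (badging from aapt dump badging)
    if len(sys.argv) != 3:
        sys.exit("usage: check_apk.py <file.apk> <badging.txt>")
    with open(sys.argv[2], encoding="utf-8") as f:
        print(assess_apk(sha256_of_file(sys.argv[1]), f.read()))
```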
  15. Just FYI, it turns out that Grand Theft Auto mod for Minecraft that your kid couldn’t resist downloading to your Android smartphone should probably be renamed Grand Theft Smartphone since it turns out to be a malicious data-stealing piece of malware. Available from the Google Play store. Along with 400 other Google Play store apps carrying the same malware:

    Tech Times

    Malicious ‘DressCode’ Malware Now Spreading Across App Stores

    1 October 2016, 7:17 am EDT By Horia Ungureanu

    Google Play offers a myriad of great apps, but some infected ones bypass the vetting process and end up infecting the mobile devices of Android users.

    A recent wave of panic went through the Android community as it was revealed that more than 400 apps transformed infected phones into listening posts. What is more, the tampered phones are capable of siphoning sensitive data from protected networks and sharing it with malicious users.

    In a blog post, security researchers from Trend Micro affirm that an app carrying the so-called DressCode malware was downloaded between 100,000 and 500,000 times prior to being removed from the Google-hosted marketplace.

    Specifically, the app is dubbed Mod GTA 5 for Minecraft PE and it appears to be just another mobile game. However, the developers of the “game” embedded mischievous components in its code that allow the phone to connect with a server that is being controlled by the attacker.

    Normally, when devices use a network, something called network address translation protections keep them away from harm, but the malign server was crafted to bypass the shielding system.

    Trend Micro explains that via the malware, threat actors get unauthorized access to a user’s network ecosystem. This means that should an infected device log in to an enterprise network, this enables the attacker to go around the NAT device and strike the internal server directly. Another way to make use of the infiltrated device is to use it “as a springboard” to siphon sensitive data.

    This is not the first time in recent history when Google Play was reportedly breeding security liabilities. About three weeks ago, experts with security firm Check Point discovered 40 DressCode-infected apps in Google Play. At the time, Check Point reported that infected apps scored between 500,000 and 2 million downloads on the Android app platform.

    According to Trend Micro, it is quite challenging to pinpoint which part of the app contains malicious functions.

    ...

    In 2012, Google rolled out Bouncer, a cloud-based security scanner that eliminates malicious apps from its Play Store. In the four years that passed, researchers who are keeping an eye on Google Play Store detected and reported on thousands of apps that come packed with malware and other security exploits.

    This makes one wonder if Bouncer is maybe in need of an update.

    “This is not the first time in recent history when Google Play was reportedly breeding security liabilities. About three weeks ago, experts with security firm Check Point discovered 40 DressCode-infected apps in Google Play. At the time, Check Point reported that infected apps scored between 500,000 and 2 million downloads on the Android app platform.

    Keep in mind that since the DressCode malware isn’t just a data thief but also a springboard for further attacks on the networks the infected phone is connecting to, those 2,000,000 DressCode downloads presumably translate into a much larger number of infected devices. It’s a reminder that the ‘how to not get digitally mugged in Minecraft’ talk that parents have to give their kids these days probably shouldn’t be limited to your kids or Minecraft.

    Posted by Pterrafractyl | October 2, 2016, 10:19 pm
  16. This should do wonders for Germany’s brand as an anti-state-hacking nation: Due to concerns that strong encryption is making investigations into digital evidence impossible, the two major parties just pushed through a law that would expand law enforcement’s authority to use state-owned trojan hacking tools to get around that encryption by inserting malware on targets’ devices. These powers already existed for extreme circumstances, like terrorism, but under the new law the investigators could use it for any crime that allows for a wiretap:

    ZDNet

    Police get broad phone and computer hacking powers in Germany

    The German parliament has waved through a massive expansion of police hacking powers.

    By David Meyer
    June 23, 2017 — 12:31 GMT (05:31 PDT)

    Germany’s coalition government has significantly increased police hacking powers by slipping a last-minute amendment into a law that’s nominally supposed to deal with driving bans.

    While the police have so far only been allowed to hack into people’s phones and computers in extreme cases, such as those involving terrorist plots, the change allows them to use such techniques when investigating dozens of less serious offences.

    In Germany, the authorities’ hacking tools are widely known as Staatstrojanern, or state trojans. This term essentially refers to malware that the police can use to infect targets’ devices, to give them the access they need to monitor communications and conduct searches.

    The types of crime where investigators can now use this malware are all of the variety where existing law would allow them to tap a suspect’s phone. These range from murder and handling stolen goods to computer fraud and tax evasion.

    According to the government, the spread of encrypted communications makes traditional wiretapping impossible, so the authorities need to be able to bypass encryption by directly hacking into the communications device.

    ...

    Germany’s governing coalition of Angela Merkel’s conservatives plus Martin Schulz’s socialists used its overwhelming majority to push the change through on Thursday, ahead of the summer recess that begins in a week’s time.

    The opposition, while too weak to do much about it, had its say. The veteran Green politician Hans-Christian Ströbele, who will retire at September’s election, decried the change as the coalition’s “final attack on civil rights”.

    He also said it would weaken the “IT infrastructure as a whole” by deliberately maintaining the security vulnerabilities needed for the malware to work, and pointed out the irony in hiding a state trojan measure in the Trojan horse of a law that lets judges issue driving bans for non-vehicle-related criminal offences.

    It remains to be seen whether the shift will stand up in the constitutional court. It’s a near-certainty that someone will raise a constitutional challenge, and the court in Karlsruhe has previously been clear in strictly limiting the use of electronic searches to very serious cases, where life and limb are at risk.

    Other European countries that give the authorities broad hacking powers include the UK thanks to last year’s Investigatory Powers Act, and Spain through a 2015 update to the country’s criminal procedure law.

    ———-

    “Police get broad phone and computer hacking powers in Germany” by David Meyer; ZDNet; 06/23/2017

    “According to the government, the spread of encrypted communications makes traditional wiretapping impossible, so the authorities need to be able to bypass encryption by directly hacking into the communications device.”

    Keep in mind that there are plenty of legitimate concerns over the ability of law enforcement to actually enforce law in the age of encryption. If society wants impregnable digital systems, that will no doubt avoid government abuses. But it will also allow for things like organized crime getting a lot more, well, organized. It’s a trade-off. So it’s no surprise to see the German government make the decision it made. Well, ok, for most other governments it wouldn’t be surprising. Considering Berlin led the global collective outrage over the revelations of the Snowden Affair, however, it is a little surprising. But only a little.

    Posted by Pterrafractyl | June 29, 2017, 9:38 pm
  17. Here’s some­thing folks might want to belat­ed­ly add to their New Year’s Res­o­lu­tion lists: turn off your browser’s pass­word man­ag­er so online adver­tis­ers can’t turn it into a per­sis­tent track­ing cook­ie and maybe use it to steal your pass­words:

    The Verge

    Ad tar­geters are pulling data from your browser’s pass­word man­ag­er
    New research shows an alarm­ing new way to track web users

    By Rus­sell Bran­dom
    Dec 30, 2017, 2:30pm EST

    Near­ly every web brows­er now comes with a pass­word man­ag­er tool, a light­weight ver­sion of the same ser­vice offered by plu­g­ins like Last­Pass and 1Password. But accord­ing to new research from Prince­ton’s Cen­ter for Infor­ma­tion Tech­nol­o­gy Pol­i­cy, those same man­agers are being exploit­ed as a way to track users from site to site.

    The researchers exam­ined two dif­fer­ent scripts — AdThink and OnAu­di­ence — both of are designed to get iden­ti­fi­able infor­ma­tion out of brows­er-based pass­word man­agers. The scripts work by inject­ing invis­i­ble login forms in the back­ground of the web­page and scoop­ing up what­ev­er the browsers aut­ofill into the avail­able slots. That infor­ma­tion can then be used as a per­sis­tent ID to track users from page to page, a poten­tial­ly valu­able tool in tar­get­ing adver­tis­ing.

    The plu­g­ins focus large­ly on the user­names, but accord­ing to the researchers, there’s no tech­ni­cal mea­sure to stop scripts from col­lect­ing pass­words the same way. The only robust fix would be to change how pass­word man­agers work, requir­ing more explic­it approval before sub­mit­ting infor­ma­tion. “It won’t be easy to fix, but it’s worth doing,” says Arvind Narayanan, a Prince­ton com­put­er sci­ence pro­fes­sor who worked on the project.

    In the case of AdThink, that infor­ma­tion was also being fun­neled back to Axciom, a mas­sive con­sumer data bro­ker, pre­sum­ably to be added to the grow­ing file on who­ev­er was vis­it­ing the site. Audi­en­ceIn­sights, which oper­ates AdThink, lets users see their unique user ID for the sys­tem and attempt to opt out, although it’s unclear how robust that opt-out tru­ly is. Audi­ence Insights did not respond to a request for com­ment.

    ...

    ———-

    “Ad tar­geters are pulling data from your browser’s pass­word man­ag­er” by Rus­sell Bran­dom; The Verge; 12/30/2017

    “The researchers exam­ined two dif­fer­ent scripts — AdThink and OnAu­di­ence — both of are designed to get iden­ti­fi­able infor­ma­tion out of brows­er-based pass­word man­agers. The scripts work by inject­ing invis­i­ble login forms in the back­ground of the web­page and scoop­ing up what­ev­er the browsers aut­ofill into the avail­able slots. That infor­ma­tion can then be used as a per­sis­tent ID to track users from page to page, a poten­tial­ly valu­able tool in tar­get­ing adver­tis­ing.”

    Online ad scripts that turns the auto-filled data in your browser’s pass­word man­ag­er into a per­sis­tent ID that lets adver­tis­ers track users from page to page. Just what the inter­net need­ed.

    And notice how it’s entire­ly pos­si­ble these rogue ads could col­lect the actu­al pass­word infor­ma­tion stored in pass­word man­ag­er:

    ...
    The plu­g­ins focus large­ly on the user­names, but accord­ing to the researchers, there’s no tech­ni­cal mea­sure to stop scripts from col­lect­ing pass­words the same way. The only robust fix would be to change how pass­word man­agers work, requir­ing more explic­it approval before sub­mit­ting infor­ma­tion. “It won’t be easy to fix, but it’s worth doing,” says Arvind Narayanan, a Prince­ton com­put­er sci­ence pro­fes­sor who worked on the project.
    ...

    So we have a report about online adver­tis­ers suc­cess­ful­ly turn­ing the pass­word man­agers built into browsers into per­sis­tent track­ing IDs, and poten­tial­ly pass­word info. Not that they could do this. That they are doing this, at least these two par­tic­u­lar adver­tis­ing plat­forms, AdThink and Audi­en­ceIn­sight. And AdThink’s ads were send­ing the per­sis­tent ID infor­ma­tion back to Axciom, one of the largest con­sumer data bro­kers in the world. So it’s not just that adver­tis­ing bro­kers are already using this pass­word man­ag­er vul­ner­a­bil­i­ty. It’s that they are doing this already and already send­ing that infor­ma­tion about what pages peo­ple are read­ing back to one of the larg­er con­sumer data bro­kers in the world:

    ...
    In the case of AdThink, that infor­ma­tion was also being fun­neled back to Axciom, a mas­sive con­sumer data bro­ker, pre­sum­ably to be added to the grow­ing file on who­ev­er was vis­it­ing the site. Audi­en­ceIn­sights, which oper­ates AdThink, lets users see their unique user ID for the sys­tem and attempt to opt out, although it’s unclear how robust that opt-out tru­ly is. Audi­ence Insights did not respond to a request for com­ment.
    ...

    Yep, when these researchers stum­ble upon this vul­ner­a­bil­i­ty in pass­word man­agers, they also dis­cov­er that it’s already being exploit­ed by one of the largest data bro­kers on the plan­et. And that means one of the largest data bro­kers on the plan­et has been get­ting even more infor­ma­tion about web pages every­one is read­ing thanks to this pass­word man­ag­er exploit:

    Newsweek

    The Secre­tive World of Sell­ing Data About You

    By Paul Boutin
    On 5/30/16 at 2:30 PM

    You’ve probably had the experience of receiving mail, paper or electronic, from companies that obviously obtained your name from another company’s list of customers. But what if you were to have a medical operation refused, without knowing it was because the hospital obtained a secret report that listed you as unlikely to pay? What if a college covertly turned you or your child down because they suspected you were unlikely to complete four years of payment? What if you didn’t get a job, without knowing it was because of a report that listed you as a possible drug addict?

    Those are the claims being made by critics of data brokers, companies which collect personal information on people through both public and private sources—from court records to websites to store sales—and provide it to a wide range of buyers. A large portion of data brokerage is used for identity verification or fraud prevention. Much of it is used for traditional marketing.

    But data brokers are serving a growing clientele eager to know a person’s ethnicity, spending habits, sexual orientation, and specific illnesses such as HIV, diabetes, depression or substance abuse. This information may be found directly in data broker records, or, increasingly, it may be predicted from other data. It’s practically impossible for anyone to find all the information being passed around about themselves, or to correct it. As shady as it might sound, the entire industry is completely legal.

    Data brokers are notoriously secretive. Only one, Acxiom, granted Newsweek an interview with a company officer, despite two months of requests to dozens of firms. “A lot of the information, the deals that take place, are proprietary in nature,” says Paul Stephens, a director at Privacy Rights Clearinghouse in San Diego, which advocates for consumer rights regarding personal information. “It’s hard to tell who’s selling what to whom.” In fact, it’s unknown exactly how many data brokers operate in the United States, because so many keep a low profile. Credible estimates range from 2,500 to 4,000. There are supergiants in the field—Acxiom, Experian. But there are myriad smaller companies that few have heard of: Exact Data, Paramount Lists, Datalogix, Statlistics.

    How do data brokers collect information? As you might guess, Web browsing is a bountiful source. What sites you visit, what topics or products you research there, what you buy, even what you post in forums can be turned into an entry in a broker’s database. But there are offline sources as well. Public court records are, of course, public. But retail store owners have found they can bring in additional revenue by selling their sales records to broker companies.

    The worst that may happen to you in these cases is you’ll get junk mail you don’t want. But more insidious things can happen when brokers go beyond names and addresses to selling other information, which brokers’ clients usually download from a web server. Several years ago a broker named InfoUSA sold a list of 19,000 verified elderly sweepstakes players to a group of experienced scam artists, who stole over $100 million by calling people on the list and pretending to be government or insurance workers who needed bank account information to ensure their pill prescriptions. The New York Times turned up one InfoUSA list whose description read, “These people are gullible. They believe that their luck can change.”

    That’s the looming threat of data brokerage: While many brokers claim, probably honestly, to only provide publicly available information that can be used to verify someone’s identity or prevent fraud, there’s a fast-growing market for what’s called “consumer scores.” Instead of a straight list of names, addresses, and other info, a consumer score is a computer-generated number that attempts to predict your likelihood to get sick, or to pay off a debt. Consumer scores are similar to FICO credit scores, but aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual.

    “Everything has moved to scores. Lists are a commodity,” says Pam Dixon, executive director of World Privacy Forum, an advocacy organization also in San Diego. “We’re moving into a very different world.” In the 1950s, credit agencies began creating scores on potential lenders that included factors, such as race, that were later banned by federal regulation.

    Today, consumer scores have no such regulation for accuracy, transparency or fairness. With modern computers, scores can include thousands of factors. You might be surprised what can go into a score for your health: How much merchandise you buy, how much online shopping you do, and your ethnicity, which can be guessed by a computer program based on the other information available about you.

    “We’re living in a world where businesses and important life opportunities are being decided based on this amalgamated data,” Dixon says. “Most colleges and universities use some sort of predictive analytics to figure out if a student will be able to pay for the full four years. There’s a score for that. Companies are applying aggregate credit scores (not FICO scores) to individuals. It affects what work you get, how much you pay for health insurance, and potentially what schools you get accepted to.”

    World Privacy Forum has prepared a lengthy report on consumer scoring. Dixon summarizes a key story in the report: “A major national health plan came to the quants wanting to know how they could figure out how much to charge people. If a woman did a lot of online shopping, she was predicted to be a much higher health risk. If a couple bought hiking boots, that was considered a good factor. I doubt that when someone goes online to buy a scarf they think, ‘This is going to affect my healthcare.’ People could be paying more for healthcare, but we’ll never know. Acxiom and Experian sell lists of people with diseases. They claim it’s a propensity [instead of a numeric score], but there’s your name.”

    It’s easy to see why an insurer, a college, or another high-price business would want scores on those they are considering doing business with. Just like a FICO score, a consumer score could save a business from losing money. It could save an insurer from undercharging someone who then needs expensive coverage. But consumer scores could also create a secret blacklist.

    In that shadow, there are three causes for concern. First, consumer scores are a secret. If those who sell them are evasive about explaining details, those who use them usually are almost totally unknown. Second, collected data is often incorrect. “We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.”

    Stephens agrees: “For the most part, the information is not vetted. The cost of vetting it would be prohibitive. There’s a recognition within the industry and among the people who buy the data that the information is not 100% correct.” Clients use it anyway, because inaccurate data is more helpful than no data. But you don’t have to be a computer scientist to realize that a score calculated from incorrect data can be misleading.

    Third, and most disturbing, there’s nothing consumers can do about any of this. They don’t know what data is being collected, or by whom. They don’t know what’s being done with it. They don’t know where it is going. They probably imagine specific lists being sent around, not calculated scores that may seem unrelated to the original data. And if they are concerned, there’s no way to see or correct the information about themselves being passed around.

    To that end, Senator Edward Markey (D‑Mass) introduced a bill last year called the Data Broker Accountability and Transparency Act of 2015. The Senator told Newsweek, “What was a business of data keeping has morphed into data reaping, resulting in the covert collection of dossiers on hundreds of millions of Americans. Consumers, not corporations, should be in control of their private data.” The bill would require data brokers to let consumers review their personal data for free, and to provide a means to seek correction. In the case of public records, consumers could also learn the source of misinformation, although this would leave many unknown sources a secret. The bill would also prohibit the use of fraud or misrepresentation to obtain collected records or individual information.

    The federal government’s focus on data brokers has been ongoing for several years. In 2013, the Senate Commerce Committee issued a report noting that of nine companies it looked into, three refused to divulge their data sources and one, Experian, also refused to name its customers. More recently, the Senate Subcommittee on Privacy, Technology, and the Law has held two hearings at which Dixon testified alongside representatives from Acxiom, Experian, the Direct Marketing Association and the Federal Trade Commission. The industry’s lack of transparency irks lawmakers. “Right now, many Americans don’t know that their personal information is being collected and sold on the Internet,” Senator Al Franken (D‑Minn), a member of the committee and co-sponsor of the bill, told Newsweek. “Data brokers trade on the privacy of consumers and operate in the shadows.”

    There’s one more worry about thousands of tidbits of information about hundreds of millions of people being passed around through the Internet: What if someone breaks into a major data broker’s computers? In October, Experian’s credit arm had 15 million customers’ information, including social security numbers, breached. If that can happen to Experian, what about the thousands of lesser-known, possibly less well-protected brokers? Has it happened already, and we just don’t know?

    Getting answers from the data brokers themselves, as Congress found, is next to impossible, except for those who’ll briefly claim that they only provide basic identification services and don’t sell marketing lists or consumer scores. The one company that provided Newsweek with a telephone interview was Acxiom, probably the largest, which claims to have an average 1,500 pieces of information on more than 200 million Americans. “In any industry you have big players with high reputational risks,” the company’s Chief Privacy Officer Emeritus, Jennifer Glasgow, tells Newsweek. “They tend to act more responsibly.”

    Acxiom has set up a website, AboutTheData.com, where those who sign up can see what information the company has on them and edit it. Glasgow pointed out the other side of the transparency issue: How many people will now edit their records to lower their age? What other data might they falsify given the chance?

    But Glasgow doesn’t dismiss the worries over what Senator Markey called data reaping. She says even more sensitive, more personal data may be scooped up in the future. “We have camera data, the Internet of Things [gadgets such as thermostats and health-monitor bracelets], a tremendous amount of data coming on the scene. Location data is far more revealing of who you are and what you do, even your health issues.” Another worry is what she calls “surrogates for protected information,” such as using someone’s address, purchases, and other info to let a computer calculate their race where the law prevents obtaining it directly.

    What can be done? The big data brokers are averse to government regulation, claiming that it’ll run up their expenses and slow down their work, even as smaller scofflaws ignore the rules and hide from prosecution. As for letting you take charge, Acxiom’s consumer site is a bold gesture, but even if thousands of other companies did the same, who would be able to find them all and do the work of going through one’s records everywhere?

    A one-stop site for every data broker in America sounds great, but it’s a project on a scale beyond HealthCare.gov, what with thousands of companies’ systems to keep in sync. For now a website, StopDataMining.me, offers links and instructions to opt out of what it claims are the 50 top data brokers.

    ...

    ———-


    “The Secretive World of Selling Data About You” by Paul Boutin; Newsweek; 05/30/2016

    “How do data brokers collect information? As you might guess, Web browsing is a bountiful source. What sites you visit, what topics or products you research there, what you buy, even what you post in forums can be turned into an entry in a broker’s database. But there are offline sources as well. Public court records are, of course, public. But retail store owners have found they can bring in additional revenue by selling their sales records to broker companies”

    What data do data brokers collect? Everything they possibly can collect. Online and offline. Including all the browsing information the industry can get its hands on. And all that industry is resulting in something much more than just lists of consumers for sale like the data broker industry of decades past. Today’s data broker industry sells “consumer scores”. Scores for all sorts of things — like the propensity to get a disease — that are generated using the increasingly data-intensive personalized profiles the industry is building for everyone:

    ...
    That’s the looming threat of data brokerage: While many brokers claim, probably honestly, to only provide publicly available information that can be used to verify someone’s identity or prevent fraud, there’s a fast-growing market for what’s called “consumer scores.” Instead of a straight list of names, addresses, and other info, a consumer score is a computer-generated number that attempts to predict your likelihood to get sick, or to pay off a debt. Consumer scores are similar to FICO credit scores, but aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual.

    “Everything has moved to scores. Lists are a commodity,” says Pam Dixon, executive director of World Privacy Forum, an advocacy organization also in San Diego. “We’re moving into a very different world.” In the 1950s, credit agencies began creating scores on potential lenders that included factors, such as race, that were later banned by federal regulation.

    Today, consumer scores have no such regulation for accuracy, transparency or fairness. With modern computers, scores can include thousands of factors. You might be surprised what can go into a score for your health: How much merchandise you buy, how much online shopping you do, and your ethnicity, which can be guessed by a computer program based on the other information available about you.

    “We’re living in a world where businesses and important life opportunities are being decided based on this amalgamated data,” Dixon says. “Most colleges and universities use some sort of predictive analytics to figure out if a student will be able to pay for the full four years. There’s a score for that. Companies are applying aggregate credit scores (not FICO scores) to individuals. It affects what work you get, how much you pay for health insurance, and potentially what schools you get accepted to.”
    ...

    And these “consumer scores” are being sold for all sorts of things, despite the fact that they’re wildly inaccurate, with a review of Acxiom’s data showing a 50 percent error rate:

    ...
    World Privacy Forum has prepared a lengthy report on consumer scoring. Dixon summarizes a key story in the report: “A major national health plan came to the quants wanting to know how they could figure out how much to charge people. If a woman did a lot of online shopping, she was predicted to be a much higher health risk. If a couple bought hiking boots, that was considered a good factor. I doubt that when someone goes online to buy a scarf they think, ‘This is going to affect my healthcare.’ People could be paying more for healthcare, but we’ll never know. Acxiom and Experian sell lists of people with diseases. They claim it’s a propensity [instead of a numeric score], but there’s your name.”

    It’s easy to see why an insurer, a college, or another high-price business would want scores on those they are considering doing business with. Just like a FICO score, a consumer score could save a business from losing money. It could save an insurer from undercharging someone who then needs expensive coverage. But consumer scores could also create a secret blacklist.

    In that shadow, there are three causes for concern. First, consumer scores are a secret. If those who sell them are evasive about explaining details, those who use them usually are almost totally unknown. Second, collected data is often incorrect. “We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.”

    Stephens agrees: “For the most part, the information is not vetted. The cost of vetting it would be prohibitive. There’s a recognition within the industry and among the people who buy the data that the information is not 100% correct.” Clients use it anyway, because inaccurate data is more helpful than no data. But you don’t have to be a computer scientist to realize that a score calculated from incorrect data can be misleading.
    ...

    ““We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.””

    And that’s the data that could be generating secret illegal blacklists. Data that’s maybe 50 percent accurate with Acxiom, the industry leader.

    And now, thanks to this password manager exploit, companies like Acxiom can add even more browsing history data to their personalized models of each of us. So, on the plus side, all that web browsing data Acxiom has been collecting on you with the password manager loophole will probably improve the accuracy of the “consumer scores” it’s selling about you. Unless you happen to be browsing very ironically. Yay?

    Also keep in mind that, while the web browsing history that the password manager vulnerability makes available to companies like Acxiom would be extremely useful for giving the data brokerage industry a better idea of our individual interests and things like health histories, there’s another critical benefit to companies like Acxiom to turning password managers into persistent IDs: those persistent IDs will likely be the same across different devices, enabling companies like Acxiom to determine, for instance, that the same individual owns a given smartphone, laptop, and desktop because they all have the same default info set up for the password manager.

    So with that handy device deanonymization technique in mind, check out the service Acxiom was hyping in this recent interview: thanks to Acxiom’s 2014 buyout of LiveRamp — a company specializing in “using both personally identifiable and anonymous information from device ID’s and cookies to provide a single identity graph—for people or households—across all platforms” — Acxiom is now positioned “to be the predominate provider of identity graphs across digital and television”:

    Beet.tv

    Acxiom’s Craig Berkley On The Value Of A Single Source of Identity Data

    By Steve Ellwanger on December 18, 2017

    MIAMI – When the current-day Acxiom was founded in 1969 as Demographics, “people-based marketing” was basically direct mail. Having acquired LiveRamp in 2014, Acxiom is looking to be the predominate provider of identity graphs across digital and television.

    LiveRamp has long been active in the digital space, using both personally identifiable and anonymous information from device ID’s and cookies to provide a single identity graph—for people or households—across all platforms. Acxiom, meanwhile, worked with pay-TV operators to create a safe haven for matching subscriber files.

    “Now we have a scenario where Acxiom and LiveRamp are, in fact one company and so we have these capabilities across all of these platforms,” Craig Berkley, VP, Television Partner Development at Acxiom, says in this interview at the recent Beet Retreat Miami 2017.

    ...

    Acxiom’s rationale for advertisers needing a single source of identity data, providing unduplicated reach among other goals, is ease and uniformity of matching.

    “Otherwise, if you’re using various and sundry companies for identity in this space and identity in this space, then oftentimes you’re not going to have an accuracy across all of those,” says Berkley.

    What’s the difference between omni-channel and cross-channel? Acxiom believes that “omni-channel is what cross-channel will be when it grows up.” For a full explanation, see this blog post.

    ———-

    “Acxiom’s Craig Berkley On The Value Of A Single Source of Identity Data” by Steve Ellwanger; Beet.tv; 12/18/2017

    “LiveRamp has long been active in the digital space, using both personally identifiable and anonymous information from device ID’s and cookies to provide a single identity graph—for people or households—across all platforms. Acxiom, meanwhile, worked with pay-TV operators to create a safe haven for matching subscriber files.”

    A single identity graph—for people or households—across all platforms using cookies and device ID’s. That sure sounds like the kind of product that could benefit from a browser vulnerability that turns password managers into persistent cookies.

    And that ‘identity graph’ technology is just one of the services offered by one of the largest data brokers in the world. A company that operates in near complete secrecy and yet is more open than almost all of the thousands of other companies operating in this same data-broker space. A company with almost no regulatory oversight and a demonstrated willingness to exploit the password manager vulnerability — a vulnerability that could, in theory, allow for the stealing of passwords. And it’s the company that just got caught exploiting that password manager loophole and is simultaneously super excited about being the predominate provider of identity graphs across digital and television platforms.

    So, yeah, you probably want to disable those password managers on your browser at some point in 2018. Good luck! And yes, given that the GOPers in Congress already voted to allow US internet service providers to sell their users’ browsing history to advertisers, it’s not like preventing the web browsing tracking that this password manager vulnerability enables will lead to a huge increase in online privacy for most Americans. But there’s also the possibility of passwords being stolen from the exploit, so it’s still an important fix for 2018. One of many important internet-privacy fixes for 2018.

    Posted by Pterrafractyl | January 1, 2018, 10:47 pm
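An added example, not part of the comment above nor of the research it cites: a heuristic check for the kind of invisible login form that a third-party tracking script plants so that the browser's password manager fills it in unseen. It runs in Node on constructed form descriptors; in a browser the same rule is applied to real forms through the describeDomForm and scanDocument helpers (all function names and visibility thresholds here are my own assumptions).

```javascript
// Added example: flag credential forms the user cannot see. A form whose
// username/password fields are all invisible is not there for the user; it is
// there for the password manager. Not from the original post or cited research.
//
// Descriptor shape (constructed here so the check runs in Node without a DOM):
//   { id, inputs: [{ type, name, autocomplete, display, visibility, opacity,
//                    width, height, left, top }] }

const CREDENTIAL_TYPES = new Set(['password', 'email']);
const CREDENTIAL_NAME_RE = /user|login|email|mail|pass|pwd/i;
const CREDENTIAL_AUTOCOMPLETE_RE = /^(username|email|current-password|new-password)$/;

// Fields a password manager treats as part of a login. type="hidden" inputs
// (CSRF tokens and the like) are deliberately excluded: they are always
// invisible and never autofilled, so they must not trip the check.
function isCredentialInput(input) {
  if (input.type === 'hidden') return false;
  if (CREDENTIAL_TYPES.has(input.type)) return true;
  if (CREDENTIAL_AUTOCOMPLETE_RE.test(input.autocomplete || '')) return true;
  return input.type === 'text' && CREDENTIAL_NAME_RE.test(input.name || '');
}

// A field the user cannot see or reach. Any one condition is enough: removed
// from layout, hidden, fully transparent, collapsed to a pixel, or off-screen.
function isInvisible(input) {
  if (input.display === 'none' || input.visibility === 'hidden') return true;
  if (Number(input.opacity) === 0) return true;
  if (input.width <= 1 || input.height <= 1) return true;
  if (input.left < -1000 || input.top < -1000) return true;
  return false;
}

// The rule: credential fields present, and every one of them invisible.
function analyzeForm(form) {
  const credentialFields = form.inputs.filter(isCredentialInput);
  const hiddenFields = credentialFields.filter(isInvisible);
  const suspicious = credentialFields.length > 0 && hiddenFields.length === credentialFields.length;
  return {
    id: form.id,
    suspicious,
    credentialFields: credentialFields.map((i) => i.name),
    hiddenFields: hiddenFields.map((i) => i.name),
  };
}

// Browser-only helper: build a descriptor from a real <form> with standard DOM APIs.
function describeDomForm(formEl) {
  const inputs = Array.from(formEl.querySelectorAll('input')).map((el) => {
    const style = window.getComputedStyle(el);
    const rect = el.getBoundingClientRect();
    return {
      type: el.type, name: el.name, autocomplete: el.getAttribute('autocomplete') || '',
      display: style.display, visibility: style.visibility, opacity: style.opacity,
      width: rect.width, height: rect.height, left: rect.left, top: rect.top,
    };
  });
  return { id: formEl.id || '(anonymous form)', inputs };
}

// Browser-only: report every suspicious form currently in the document.
function scanDocument() {
  return Array.from(document.forms).map(describeDomForm).map(analyzeForm).filter((r) => r.suspicious);
}

// Constructed sample forms (not captured from any real site).
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 30, left: 40, top: 120 };
const SAMPLE_FORMS = {
  // Ordinary login page: both credential fields are on screen; the CSRF token is hidden but not a credential.
  realLogin: { id: 'login', inputs: [
    { type: 'email', name: 'email', ...VISIBLE },
    { type: 'password', name: 'password', ...VISIBLE },
    { type: 'hidden', name: 'csrf_token', ...VISIBLE, display: 'none' },
  ] },
  // Injected tracker: login-shaped fields the user never sees (one display:none, one pushed off-screen).
  injectedTracker: { id: 'tracker', inputs: [
    { type: 'text', name: 'username', ...VISIBLE, display: 'none' },
    { type: 'password', name: 'password', ...VISIBLE, left: -9999, top: -9999 },
  ] },
  // Harmless form with no credential fields at all: nothing to flag.
  newsletter: { id: 'newsletter', inputs: [
    { type: 'text', name: 'topic', ...VISIBLE },
    { type: 'hidden', name: 'csrf_token', ...VISIBLE, display: 'none' },
  ] },
};

if (typeof document === 'undefined') {
  for (const form of Object.values(SAMPLE_FORMS)) console.log(analyzeForm(form));
}
```

In a browser, re-running scanDocument() from a MutationObserver catches forms that a third-party script inserts after the page has loaded, which is when this kind of form typically appears.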
  18. It’s that time again. Time to change your passwords: One of the largest databases ever seen of hacked emails and passwords was just released to the public by someone. A cache of files containing almost 773 million unique email addresses and 21 million unique passwords was briefly posted to the MEGA upload site and made available to the public for anyone to download. After the files were taken down they showed up again on a hacker forum.

    The emails and passwords don’t appear to have come from a single breach. Instead, they appear to be a compilation of a large number of different databases of previously hacked emails and passwords. So much of this data was already ‘in the wild’, which fortunately means the damage is likely to be limited.

    That said, the person who discovered this, Troy Hunt, the guy who maintains the “Have I Been Pwned” website, says that around 140 million of the email accounts and over 10 million unique passwords are ones he hasn’t seen before. So around half of the passwords released in this cache might be newly released, or at least previously only accessible to hackers on the dark web.

    Adding to the security peril is that these passwords are NOT hashed. It’s the raw text of the passwords. And that makes this information ideal for credential-stuffing attacks, where hackers repeatedly try email and password combinations. So this is clearly horrible security news. But for people who reuse the same passwords over and over on different websites this could be devastating (if they haven’t already been devastated):

    Wired

    Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach

    Brian Barrett
    01.16.19 08:12 pm

    There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.

    The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

    The Hack

    If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

    The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.

    “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”

    That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.

    Who’s Affected?

    The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.

    The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts. Hunt has already loaded them into Have I Been Pwned; just type in your email address and keep those fingers crossed. While you’re there you can also find out how many previous breaches you’ve been a victim of. Whatever password you’re using on those accounts, change it.

    Have I Been Pwned also introduced a password-search feature a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they’re out in the open. If they are, change them.

    And while you’re at it, get a password manager. It’s well past time.

    How Serious Is This?

    Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.

    Then there’s the way in which those passwords are saved in Collection #1. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed making them very difficult to use,” says Hunt. Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.

    And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take.

    ...

    ———-

    “Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach” by Brian Barrett; Wired; 01/16/2019

    “There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.”

    21 million unique passwords and almost 773 million email addresses. And since logging into websites typically involves inputting an email address and a password, that makes this release perfect for credential-stuffing attacks on a global scale:

    ...
    If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

    ...

    The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.
    ...

    And the key reason this release is so incredibly useful for not just hackers but anyone who wants to try to log into your website accounts is that the passwords aren’t hashed. They’re in plain text:

    ...
    The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

    ...

    The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.

    ...

    Then there’s the way in which those pass­words are saved in Col­lec­tion #1. “These are all plain text pass­words. If we take a breach like Drop­box, there may have been 68 mil­lion unique email address­es in there, but the pass­words were cryp­to­graph­i­cal­ly hash­es mak­ing them very dif­fi­cult to use,” says Hunt. Instead, the only tech­ni­cal prowess some­one with access to the fold­ers needs to break into your accounts is the abil­i­ty to scroll and click.
    ...

    And while it might seem like the poten­tial dam­age should be lim­it­ed because this appears to be a com­pi­la­tion of a large num­ber of dif­fer­ent data­bas­es of emails and pass­words from pre­vi­ous hacks — so many of these pass­words have like­ly already been updat­ed — the fact that 10 mil­lion of the 21 mil­lion unique pass­words haven’t been seen before sug­gests that there are 10 mil­lion peo­ple who prob­a­bly haven’t updat­ed their pass­words yet and real­ly, real­ly, real­ly need to do so soon. Espe­cial­ly if they use the same pass­word on dif­fer­ent sites:

    ...
    Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.
    ...

    So it doesn’t sound like this release is a super massive disaster. But if those 10 million passwords are passwords that were freshly stolen and haven’t been updated, that’s still potentially quite bad for those 10 million people.

    Fortunately, according to Brian Krebs, it sounds like those 10 million passwords might also be from old hacks and have likely been updated. Krebs interviewed Alex Holden, CTO of a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. According to Holden, the data appears to have first been posted to underground forums in October 2018 and it’s just a subset of a much larger tranche of passwords being peddled by a shadowy seller online. Holden also asserts that his company has already accounted for 99 percent of the released data from previous hacks. So that hopefully means those 10 million passwords that Troy Hunt hadn’t seen before have indeed been stolen a while ago and already updated.

    The bad news is that the hacker(s) appear to have a much larger cache of data for sale and that data is much newer. Krebs sort of confirmed this after contacting the hacker via Telegram. That hacker, who goes by the name Sanixer, told Krebs that this release is 2–3 years old and that he has other password packages totaling more than 4 terabytes in size that are less than a year old.

    Interestingly, while the above article notes that the released data was available for anyone to download for free, the hacker had a price of $45 for the cache when Krebs contacted him. Still, that’s pretty cheap all things considered.

    And that likely explains the purpose of this massive release of free/cheap data that’s already largely known by the hacker community: It’s a teaser designed to solicit customers for the newer, more useful, and presumably more expensive password packages for sale:

    Krebs on Security

    773M Password ‘Megabreach’ is Years Old

    Brian Krebs
    01/19/2019

    My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

    The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

    KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

    Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:
    [see image]
    As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

    Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2–3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

    By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.
    [see screenshot]
    Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

    “It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

    A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

    If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).

    For most of us, by far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

    And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

    If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

    ...

    ———–

    “773M Password ‘Megabreach’ is Years Old” by Brian Krebs; Krebs on Security; 01/19/2019

    “KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

    Yep, those 773 million emails and 21 million passwords are just a subset of a much larger tranche of credentials for sale. But at least there’s the good news: cybersecurity firms have already seen the vast majority of this released data from other sources, with Alex Holden claiming his company can account for 99 percent of it. And the fact that the hacker basically gave this data away, and is now selling it for $45, underscores the relatively low utility of it:

    ...
    As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

    ...

    Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

    ...

    If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).
    ...

    But the bad news is pretty bad if the claims of the hacker are true: the hacker(s) claim they have 4 terabytes of hacked credentials that are less than a year old:

    ...
    Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2–3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.
    ...

    Keep in mind that it’s possible that ‘Sanixer’ doesn’t have 4 terabytes of relatively ‘fresh’ and useful credentials and that this whole thing is designed to entice people into paying big money for another tranche of relatively useless data. That’s a real possibility. After all, it’s not like there’s a return policy when you buy stolen material over the dark web. So let’s hope that’s the case. But given the rate at which major hacks are announced these days, it wouldn’t be too surprising if Sanixer really does have a lot more ‘fresh’ emails and passwords for sale.

    It’s all a reminder to avoid reusing passwords whenever possible and consider using a password manager.

    In related news, a 2017 study found that 9 of the most popular password manager apps available on the Google Play store had software vulnerabilities that would potentially allow hackers to steal the stored passwords. And while those vulnerabilities have since been fixed, it’s important to keep in mind that password managers aren’t necessarily a defense against malware/spyware on your systems. And the spywarepocalypse rolls on...

    Posted by Pterrafractyl | January 17, 2019, 10:42 pm
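The comment above describes automated credential-stuffing runs that replay leaked email/password pairs against a site. What follows is a defender's-side example of spotting such a run in authentication logs; it is added here and is not code from the post or from the articles it quotes. The log format, the source addresses (taken from the RFC 5737 documentation ranges) and the detection thresholds are assumptions made for the example.

```python
"""Spotting a credential-stuffing run in authentication logs.

Added example, not code from the post or from the articles it quotes.
The log format, the IP addresses and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO-8601 timestamp> ip=<source address> user=<account> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "ok",
    }


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose login pattern looks like stuffing.

    Heuristic: inside one sliding `window`, a single source tries at least
    `min_users` distinct accounts and most of those attempts fail. A person who
    mistypes a password hammers one account; a stuffing run, which replays
    leaked email/password pairs, spreads across many accounts. Runs spread
    over many source addresses need a per-account view as well; that is out
    of scope for this example.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_users:
                continue
            successes = sum(1 for e in span if e["ok"])
            if successes / len(span) > max_success_ratio:
                continue
            # Keep the widest-spread window seen for this source.
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": successes,
                    # Accounts that accepted a replayed credential: reset these first.
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


# Constructed sample log: one source replaying a leaked list against six
# accounts (one of them still using the leaked password), one legitimate user
# who fumbles their own password twice, and one malformed line.
SAMPLE_LOG = [
    "2019-01-17T10:00:00 ip=203.0.113.7 user=alice@example.org result=fail",
    "2019-01-17T10:00:01 ip=203.0.113.7 user=bob@example.org result=fail",
    "2019-01-17T10:00:02 ip=203.0.113.7 user=carol@example.org result=fail",
    "2019-01-17T10:00:03 ip=203.0.113.7 user=dana@example.org result=ok",
    "2019-01-17T10:00:04 ip=203.0.113.7 user=erin@example.org result=fail",
    "2019-01-17T10:00:05 ip=203.0.113.7 user=frank@example.org result=fail",
    "2019-01-17T10:01:00 ip=198.51.100.4 user=alice@example.org result=fail",
    "2019-01-17T10:01:20 ip=198.51.100.4 user=alice@example.org result=fail",
    "2019-01-17T10:01:45 ip=198.51.100.4 user=alice@example.org result=ok",
    "not a log line",
]

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

Only the replaying source is flagged; the legitimate user who retries their own account is not, and the one account that accepted a replayed password is listed for a forced reset.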
  19. The issue of privacy and security vulnerabilities in WhatsApp, the wildly popular encrypted texting app owned by Facebook, was once again in the news this week. The parent company of NSO Group — the Israel-based hacking tool company that provided the spyware used to spy on the encrypted communications of Saudi dissident (and Muslim Brotherhood associate) Jamal Khashoggi — responded to petitions by Amnesty International to have NSO Group’s export license revoked by pledging to do whatever is necessary to ensure that the company’s software isn’t used to violate human rights and “ensure that NSO technology is used for the purpose for which it is intended – the prevention of harm to fundamental human rights arising from terrorism and serious crime – and not abused in a manner that undermines other equally fundamental human rights.”

    Given NSO Group is the kind of company that knowingly sold its software to the Saudi government (and may have hired private investigators itself to harass the activists at CityLab after those activists started investigating NSO Group’s ties to the Saudis), it’s hard to take the company’s pledges seriously. But as the following article reminds us, while NSO Group may not be the kind of entity one should trust to address serious crime on WhatsApp, there needs to at least be someone with the ability to address serious crime on the platform and other fully-encrypted platforms. Which, of course, is the fundamental paradox of these platforms: they secure the human right of privacy and simultaneously facilitate all sorts of other human rights violations. Like the trafficking of child porn. If NSO Group’s WhatsApp hacking software was used to crack down on child porn, that would be a lot less controversial than when the same hacking software is used for hacking Saudi dissidents.

    And yet, within the context of the contemporary encryption and digital privacy debates, it would still be somewhat controversial for NSO Group’s hacking software to get used for cracking down on child porn over WhatsApp simply because the encryption of platforms like WhatsApp is supposed to be uncrackable for everyone, including WhatsApp itself and the NSA. Accepting that platforms like WhatsApp will be used for the untrackable exchange of things like child porn is part of the package and, according to the Cypherpunk worldview, it’s a small price to pay. Recall Jacob Applebaum making this exact point during a 2012 panel discussion with Julian Assange (at 1 hour 7 minutes). The book Cypherpunks: Freedom and the Future of the Internet was based on that panel discussion. And that’s a key aspect of this topic to keep in mind in the context of the controversy over NSO Group’s spyware successfully hacking WhatsApp (by planting spyware on the victim’s phone, not by hacking the encryption). Clients like the Saudi government are the kinds of clients who are guaranteed to abuse powerful hacking tools. But as the following article reminds us, it’s not like serious abuses that are taking place on these platforms specifically because they are (mostly) unhackable aren’t serious.

    At the same time, one argument often used by the Cypherpunk community in defense of unbreakable communication platforms that no one can police is that there are other ways of policing them without breaking the encryption. That’s not true in all cases, but in this case of WhatsApp it’s tragically true. At least at this point it’s true. Because it turns out that WhatsApp’s child porn problem has been right out in the open: In late 2016, WhatsApp started offering the ability for strangers to join WhatsApp groups without having to know a member first. This led to the explosion of a new marketplace of WhatsApp private groups for all sorts of topics and something entirely predictable happened. People started setting up WhatsApp child porn exchange groups. That’s the finding of two Israeli NGOs that discovered this problem last year.

    And it was obvious these were child porn groups based on names with “cp” in them or other barely veiled known codes. The only barrier for turning this into a nightmare for child porn distribution was a searchable database of groups. So of course various smartphone apps offering searchable databases of WhatsApp groups were made available on the Google Play store and these apps included these child porn groups with obvious names. Apparently no one at these apps or Google or WhatsApp was moderating to see if these searchable databases started advertising child porn groups, because it turns out there were numerous groups with obvious child porn names found by the two NGOs. There were groups with names like “child porn only no adv” and “child porn xvideos” found in these discovery apps.

    Here’s perhaps the most chilling part of this story: When it broke last December, a WhatsApp spokesperson responded by declaring that WhatsApp banned 130,000 accounts in a recent 10-day period for violating its policies against child exploitation. So there were 130,000 accounts WhatsApp was suddenly able to find after these two NGOs pointed out that the platform had a child porn problem. That’s not an encryption problem. That’s some sort of basic moderation problem.

    So we’ll see if addressing future child porn distribution problems on WhatsApp requires weakening its encryption. That seems likely if they get these moderation problems fixed so that people can’t just openly advertise child porn WhatsApp groups. But in terms of today’s WhatsApp child porn problem there’s no weakening of encryption required. The only thing required is public group name moderators from one of the major stakeholders (WhatsApp/Facebook or Google), which was apparently too much to ask for:

    TechCrunch

    WhatsApp has an encrypted child porn problem
    Facebook fails to provide enough moderators

    Josh Constine
    12/20/2018

    WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems. A report from two Israeli NGOs reviewed by TechCrunch details how third-party apps for discovering WhatsApp groups include “Adult” sections that offer invite links to join rings of users trading images of child exploitation. TechCrunch has reviewed materials showing many of these groups are currently active.

    TechCrunch’s investigation shows that Facebook could do more to police WhatsApp and remove this kind of content. Even without technical solutions that would require a weakening of encryption, WhatsApp’s moderators should have been able to find these groups and put a stop to them. Groups with names like “child porn only no adv” and “child porn xvideos” found on the group discovery app “Group Links For Whats” by Lisa Studio don’t even attempt to hide their nature. And a screenshot provided by anti-exploitation startup AntiToxin reveals active WhatsApp groups with names like “Children ??????” or “videos cp” — a known abbreviation for ‘child pornography’.

    [Update 12/27/18: Google Play removed at least six of these third-party apps from Google Play in the wake of our report and request for comment.]

    Better manual investigation of these group discovery apps and WhatsApp itself should have immediately led these groups to be deleted and their members banned. While Facebook doubled its moderation staff from 10,000 to 20,000 in 2018 to crack down on election interference, bullying and other policy violations, that staff does not moderate WhatsApp content. With just 300 employees, WhatsApp runs semi-independently, and the company confirms it handles its own moderation efforts. That’s proving inadequate for policing a 1.5 billion-user community.

    ...

    The findings from the NGOs Screen Savers and Netivei Reshet were written about today by Financial Times, but TechCrunch is publishing the full report, their translated letter to Facebook, translated emails with Facebook, their police report, plus the names of child pornography groups on WhatsApp and group discovery apps listed above. A startup called AntiToxin Technologies that researches the topic has backed up the report, providing the screenshot above and saying it’s identified more than 1,300 videos and photographs of minors involved in sexual acts on WhatsApp groups. Given that Tumblr’s app was recently temporarily removed from the Apple App Store for allegedly harboring child pornography, we’ve asked Apple if it will temporarily suspend WhatsApp, but have not heard back.

    Uncovering a nightmare

    In July 2018, the NGOs became aware of the issue after a man reported to one of their hotlines that he’d seen hardcore pornography on WhatsApp. In October, they spent 20 days cataloging more than 10 of the child pornography groups, their content and the apps that allow people to find them.

    The NGOs began contacting Facebook’s head of Policy, Jordana Cutler, starting September 4th. They requested a meeting four times to discuss their findings. Cutler asked for email evidence but did not agree to a meeting, instead following Israeli law enforcement’s guidance to instruct researchers to contact the authorities. The NGO reported their findings to Israeli police but declined to provide Facebook with their research. WhatsApp only received their report and the screenshot of active child pornography groups today from TechCrunch.

    WhatsApp tells me it’s now investigating the groups visible from the research we provided. A Facebook spokesperson tells TechCrunch, “Keeping people safe on Facebook is fundamental to the work of our teams around the world. We offered to work together with police in Israel to launch an investigation to stop this abuse.” A statement from the Israeli Police’s head of the Child Online Protection Bureau, Meir Hayoun, notes that: “In past meetings with Jordana, I instructed her to always tell anyone who wanted to report any pedophile content to contact the Israeli police to report a complaint.”

    A WhatsApp spokesperson tells me that while legal adult pornography is allowed on WhatsApp, it banned 130,000 accounts in a recent 10-day period for violating its policies against child exploitation. In a statement, WhatsApp wrote that:

    WhatsApp has a zero-tolerance policy around child sexual abuse. We deploy our most advanced technology, including artificial intelligence, to scan profile photos and images in reported content, and actively ban accounts suspected of sharing this vile content. We also respond to law enforcement requests around the world and immediately report abuse to the National Center for Missing and Exploited Children. Sadly, because both app stores and communications services are being misused to spread abusive content, technology companies must work together to stop it.

    But it’s that over-reliance on technology and subsequent under-staffing that seems to have allowed the problem to fester. AntiToxin’s CEO Zohar Levkovitz tells me, “Can it be argued that Facebook has unwittingly growth-hacked pedophilia? Yes. As parents and tech executives we cannot remain complacent to that.”

    Automated moderation doesn’t cut it

    WhatsApp introduced an invite link feature for groups in late 2016, making it much easier to discover and join groups without knowing any members. Competitors like Telegram had benefited as engagement in their public group chats rose. WhatsApp likely saw group invite links as an opportunity for growth, but didn’t allocate enough resources to monitor groups of strangers assembling around different topics. Apps sprung up to allow people to browse different groups by category. Some usage of these apps is legitimate, as people seek communities to discuss sports or entertainment. But many of these apps now feature “Adult” sections that can include invite links to both legal pornography-sharing groups as well as illegal child exploitation content.

    A WhatsApp spokesperson tells me that it scans all unencrypted information on its network — basically anything outside of chat threads themselves — including user profile photos, group profile photos and group information. It seeks to match content against the PhotoDNA banks of indexed child pornography that many tech companies use to identify previously reported inappropriate imagery. If it finds a match, that account, or that group and all of its members, receive a lifetime ban from WhatsApp.

    If imagery doesn’t match the database but is suspected of showing child exploitation, it’s manually reviewed. If found to be illegal, WhatsApp bans the accounts and/or groups, prevents it from being uploaded in the future and reports the content and accounts to the National Center for Missing and Exploited Children. The one example group reported to WhatsApp by Financial Times was already flagged for human review by its automated system, and was then banned along with all 256 members.

    To discourage abuse, WhatsApp says it limits groups to 256 members and purposefully does not provide a search function for people or groups within its app. It does not encourage the publication of group invite links and the vast majority of groups have six or fewer members. It’s already working with Google and Apple to enforce its terms of service against apps like the child exploitation group discovery apps that abuse WhatsApp. Those kinds of groups already can’t be found in Apple’s App Store, but remain available on Google Play. We’ve contacted Google Play to ask how it addresses illegal content discovery apps and whether Group Links For Whats by Lisa Studio will remain available, and will update if we hear back. [Update 3pm PT: Google has not provided a comment but the Group Links For Whats app by Lisa Studio has been removed from Google Play. That’s a step in the right direction.]

    But the larger question is that if WhatsApp was already aware of these group discovery apps, why wasn’t it using them to track down and ban groups that violate its policies? A spokesperson claimed that group names with “CP” or other indicators of child exploitation are some of the signals it uses to hunt these groups, and that names in group discovery apps don’t necessarily correlate to the group names on WhatsApp. But TechCrunch then provided a screenshot showing active groups within WhatsApp as of this morning, with names like “Children ??????” or “videos cp”. That shows that WhatsApp’s automated systems and lean staff are not enough to prevent the spread of illegal imagery.

    The situation also raises questions about the trade-offs of encryption as some governments like Australia seek to prevent its usage by messaging apps. The technology can protect free speech, improve the safety of political dissidents and prevent censorship by both governments and tech platforms. However, it also can make detecting crime more difficult, exacerbating the harm caused to victims.

    WhatsApp’s spokesperson tells me that it stands behind strong end-to-end encryption that protects conversations with loved ones, doctors and more. They said there are plenty of good reasons for end-to-end encryption and it will continue to support it. Changing that in any way, even to aid catching those that exploit children, would require a significant change to the privacy guarantees it’s given users. They suggested that on-device scanning for illegal content would have to be implemented by phone makers to prevent its spread without hampering encryption.

    But for now, WhatsApp needs more human moderators willing to use proactive and unscalable manual investigation to address its child pornography problem. With Facebook earning billions in profit per quarter and staffing up its own moderation ranks, there’s no reason WhatsApp’s supposed autonomy should prevent it from applying adequate resources to the issue. WhatsApp sought to grow through big public groups, but failed to implement the necessary precautions to ensure they didn’t become havens for child exploitation. Tech companies like WhatsApp need to stop assuming cheap and efficient technological solutions are sufficient. If they want to make money off huge user bases, they must be willing to pay to protect and police them.

    ———–

    “What­sApp has an encrypt­ed child porn prob­lem” by Josh Con­s­tine; TechCrunch; 12/20/2018

    “But it’s that over-reliance on tech­nol­o­gy and sub­se­quent under-staffing that seems to have allowed the prob­lem to fes­ter. AntiToxin’s CEO Zohar Lev­kovitz tells me, “Can it be argued that Face­book has unwit­ting­ly growth-hacked pedophil­ia? Yes. As par­ents and tech exec­u­tives we can­not remain com­pla­cent to that.””

    Whoops. Growth-hack­ing pedophil­ia is def­i­nite­ly up there on Face­book’s list of crimes and that’s one hel­lu­va list. But there’s no deny­ing that the high­ly pre­dictable and avoid­able explo­sion of child porn What­sApp pub­lic groups was a dis­as­ter even by Face­book’s nor­mal­ly dis­as­trous stan­dards.

    And the fact that Face­book owns What­sApp appar­ent­ly did­n’t prompt What­sApp to hire an ade­quate num­ber of employ­ees. It has just 300 employ­ees despite the fact that over a bil­lion peo­ple use the app and Face­book owns it:

    ...
    Bet­ter man­u­al inves­ti­ga­tion of these group dis­cov­ery apps and What­sApp itself should have imme­di­ate­ly led these groups to be delet­ed and their mem­bers banned. While Face­book dou­bled its mod­er­a­tion staff from 10,000 to 20,000 in 2018 to crack down on elec­tion inter­fer­ence, bul­ly­ing and oth­er pol­i­cy vio­la­tions, that staff does not mod­er­ate What­sApp con­tent. With just 300 employ­ees, What­sApp runs semi-inde­pen­dent­ly, and the com­pa­ny con­firms it han­dles its own mod­er­a­tion efforts. That’s prov­ing inad­e­quate for polic­ing a 1.5 bil­lion-user com­mu­ni­ty.
    ...

    And note how the names of WhatsApp groups made available on these WhatsApp group discovery apps were completely explicit in some cases, with names like “child porn only no adv” and “child porn xvideos”. So WhatsApp was apparently making basically no attempt to monitor for this after making this public group feature in late 2016. Nor were the app makers. And it was multiple apps. Google Play removed at least six apps for carrying links to child porn WhatsApp groups. So Google also wasn’t paying attention. There was a whole bunch of no one watching for this obvious abuse of this technology. Given what a predictable PR disaster this is, it’s kind of amazing they weren’t watching for this more:

    ...
    TechCrunch’s investigation shows that Facebook could do more to police WhatsApp and remove this kind of content. Even without technical solutions that would require a weakening of encryption, WhatsApp’s moderators should have been able to find these groups and put a stop to them. Groups with names like “child porn only no adv” and “child porn xvideos” found on the group discovery app “Group Links For Whats” by Lisa Studio don’t even attempt to hide their nature. And a screenshot provided by anti-exploitation startup AntiToxin reveals active WhatsApp groups with names like “Children ??????” or “videos cp” — a known abbreviation for ‘child pornography’.

    [Update 12/27/18: Google Play removed at least six of these third-party apps from Google Play in the wake of our report and request for comment.]
    ...

    And note how uninterested Facebook apparently was when these NGOs approached the company with their findings. The NGOs began contacting Facebook’s head of Policy, Jordana Cutler, starting September 4th. They requested a meeting four times to discuss their findings. Cutler asked for email evidence but did not agree to a meeting, instead following Israeli law enforcement’s guidance to instruct researchers to contact the authorities. And while recommending the researchers contact authorities is good advice, it seems like Facebook should have wanted to meet with them too. But nope. Maybe it’s the proper legal move but that still seems disturbing:

    ...
    Uncovering a nightmare

    In July 2018, the NGOs became aware of the issue after a man reported to one of their hotlines that he’d seen hardcore pornography on WhatsApp. In October, they spent 20 days cataloging more than 10 of the child pornography groups, their content and the apps that allow people to find them.

    The NGOs began contacting Facebook’s head of Policy, Jordana Cutler, starting September 4th. They requested a meeting four times to discuss their findings. Cutler asked for email evidence but did not agree to a meeting, instead following Israeli law enforcement’s guidance to instruct researchers to contact the authorities. The NGO reported their findings to Israeli police but declined to provide Facebook with their research. WhatsApp only received their report and the screenshot of active child pornography groups today from TechCrunch.
    ...

    And WhatsApp told reporters they were now investigating the groups visible from the research provided by the researchers. It’s important to keep in mind that these groups were already visible to WhatsApp had it actually been watching for this stuff, which it clearly wasn’t. Which, again, is amazing. It’s not like it would have been that hard for WhatsApp to watch for this. But WhatsApp was only starting to look into this when the NGOs told them about it in December and ended up banning 130,000 accounts in a 10-day period that month:

    ...
    WhatsApp tells me it’s now investigating the groups visible from the research we provided. A Facebook spokesperson tells TechCrunch, “Keeping people safe on Facebook is fundamental to the work of our teams around the world. We offered to work together with police in Israel to launch an investigation to stop this abuse.” A statement from the Israeli Police’s head of the Child Online Protection Bureau, Meir Hayoun, notes that: “In past meetings with Jordana, I instructed her to always tell anyone who wanted to report any pedophile content to contact the Israeli police to report a complaint.”

    A WhatsApp spokesperson tells me that while legal adult pornography is allowed on WhatsApp, it banned 130,000 accounts in a recent 10-day period for violating its policies against child exploitation. In a statement, WhatsApp wrote that:

    WhatsApp has a zero-tolerance policy around child sexual abuse. We deploy our most advanced technology, including artificial intelligence, to scan profile photos and images in reported content, and actively ban accounts suspected of sharing this vile content. We also respond to law enforcement requests around the world and immediately report abuse to the National Center for Missing and Exploited Children. Sadly, because both app stores and communications services are being misused to spread abusive content, technology companies must work together to stop it.

    ...

    But the larger question is that if WhatsApp was already aware of these group discovery apps, why wasn’t it using them to track down and ban groups that violate its policies? A spokesperson claimed that group names with “CP” or other indicators of child exploitation are some of the signals it uses to hunt these groups, and that names in group discovery apps don’t necessarily correlate to the group names on WhatsApp. But TechCrunch then provided a screenshot showing active groups within WhatsApp as of this morning, with names like “Children ??????” or “videos cp”. That shows that WhatsApp’s automated systems and lean staff are not enough to prevent the spread of illegal imagery.
    ...

    It’s also notable that the WhatsApp group discovery apps available through Apple’s App Store did block child exploitation groups. Only the Google Play store apps showed them. It underscores the role Google could be playing but chooses not to:

    ...
    To discourage abuse, WhatsApp says it limits groups to 256 members and purposefully does not provide a search function for people or groups within its app. It does not encourage the publication of group invite links and the vast majority of groups have six or fewer members. It’s already working with Google and Apple to enforce its terms of service against apps like the child exploitation group discovery apps that abuse WhatsApp. Those kind of groups already can’t be found in Apple’s App Store, but remain available on Google Play. We’ve contacted Google Play to ask how it addresses illegal content discovery apps and whether Group Links For Whats by Lisa Studio will remain available, and will update if we hear back. [Update 3pm PT: Google has not provided a comment but the Group Links For Whats app by Lisa Studio has been removed from Google Play. That’s a step in the right direction.]
    ...

    Beyond that, as the following article notes, both Google and Facebook were allowing their respective ad networks to serve up ads on these WhatsApp group discovery apps found to be serving up child porn groups. Facebook blamed Google by pointing out that its ad network agreed to advertise on any apps on Google Play and therefore it was Google’s responsibility, which would be an ok-ish excuse if Facebook didn’t own WhatsApp.

    Note that Mark Zuckerberg announced in January that Facebook would be merging the communications infrastructures of Facebook Messenger, WhatsApp, and Instagram, so it’s possible that Facebook’s much larger army of content moderators will be able to address WhatsApp’s seemingly complete lack of moderation of its public groups. But since we’re talking about Facebook it’s still going to be horribly botched somehow.

    And when WhatsApp hopefully cracks down on the open trafficking of public child porn groups on its platform someday, let’s not forget that this is just going to drive the trafficking of those links more underground. It’s just not going to be openly marketed with obvious group names. But it’s still going to exist. And that’s why there’s still ultimately going to be a need for someone to have a way to get around WhatsApp’s encryption in order to really prevent the platform from remaining a child porn haven. But, of course, that can’t happen without fundamentally undermining the WhatsApp model.

    And that’s all why the story of the NSO Group laughably pledging to ensure its super hacking products won’t be abused by its clients like Saudi Arabia is part of the same larger story about the costs and benefits of strong encryption that includes stories like WhatsApp’s casually turning its platform into an open child porn distribution network.

    Posted by Pterrafractyl | May 19, 2019, 10:27 pm
