Following up on rules one and two, it seems appropriate to add a third: “You should probably worry more about being attacked online by your own government than by any other organization”.
This is really an extension of the point about how governments are more dangerous than terrorists and how institutions of armed power need oversight.
Based on the open source intelligence available, we have to assume that governments all over the world are constantly monitoring the activity of their citizens online, for reasons both reasonably benign and exceedingly nefarious. It is worth remembering that even if the official purpose of a surveillance program is acceptable, it can be abused by anyone who gains access to it for purposes that may be very dubious. Hackers and rogue government agents are well positioned to use internet surveillance to rob or blackmail people, for instance. It is also worth remembering that data is not only being monitored in real time; it is also being archived for unknown future purposes.
Tools for privacy
Thankfully, we do have some tools to make this ubiquitous surveillance more difficult to carry out. You probably cannot encrypt your hard drive well enough to protect the contents if government agents grab it, but you can encrypt your online communications sufficiently well to make it at least challenging to decrypt them. The more people stream gigabytes of data over encrypted HTTPS connections, the less feasible it becomes to archive and crack internet traffic as a whole.
You can also use tools like Tor. People should be willing to assert their right to anonymous communication.







Backdoor Found In Hacked Version of Anti-Censorship Tool Simurgh
“Simurgh, a privacy tool used in Iran and Syria to bypass Internet censorship and governmental monitoring, is being circulated with a backdoor. The compromised version has been offered on P2P networks and via web searches. Research conducted by CitizenLab.org has shown that the malicious version isn’t available from the original software source, only through third-party access, so it appears that Simurgh has been repackaged. The troubling aspect of the malicious version is that while it does install the proxy as expected, it then adds a keylogging component, and ships the recorded information off to a server hosted in the U.S. and registered to a person in Saudi Arabia. In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software. At present, it is unknown who developed the hijacked version of Simurgh, or why they did so.”
http://www.slashgear.com/flame-cyber-espionage-discovered-in-vast-infection-net-28230470/
A new and fast spreading malware tipped to already dwarf the notorious Stuxnet has been identified, codenamed Flame and believed to be state-run cyberespionage affecting PCs in Iran and nearby countries. Spotted by Kaspersky Lab, “Worm.Win32.Flame” blends features from backdoor, trojan and worm malware, and once surreptitiously loaded onto a target machine can monitor network traffic, local use, grab screenshots and record audio, sending all that data back to its home servers. Believed to be active from at least March 2010, Flame is tipped to be 20x more prevalent than Stuxnet.
Iran is the most common place Kaspersky have discovered Flame, but it’s also been discovered in Israel, Palestine, the Sudan, Syria, Lebanon, Saudi Arabia and Egypt; there are “probably thousands of victims worldwide” the researchers estimate. Interestingly, there’s a broad spread of targeted computers, across academia, private companies, specific individuals and others; the operators appear to be cleaning up after themselves, too, only leaving Flame active on the most interesting machines, and deleting it from those with little worth.
…
What has researchers particularly concerned is the scale of Flame’s monitoring abilities. Rather than merely recording VoIP calls, the malware can turn on the PC’s microphone and surreptitiously begin its own recordings, for instance, while screenshots are taken when “interesting” apps, such as instant messaging clients, are on-screen. Meanwhile, if the computer has Bluetooth, it can scan for nearby devices and then use the short-range wireless technology to create secret peer-to-peer connections while embedding details on Flame’s status in the “discoverable device” information.
Google adds feature to help users in China avoid Internet censorship
Google: government requests to censor content “alarming”
http://mobile.reuters.com/article/idUSBRE85H0S220120618?irpc=932
BRUSSELS (Reuters) – Google has received more than 1,000 requests from authorities to take down content from its search results or YouTube video in the last six months of 2011, the company said on Monday, denouncing what it said was an alarming trend.
In its twice-yearly Transparency Report, the world’s largest web search engine said the requests were aimed at having some 12,000 items overall removed, about a quarter more than during the first half of last year.
“Unfortunately, what we’ve seen over the past couple years has been troubling, and today is no different,” Dorothy Chou, the search engine’s senior policy analyst, said in a blogpost. “We hoped this was an aberration. But now we know it’s not.”
Many of those requests targeted political speech, keeping up a trend Google said it has noticed since it started releasing its Transparency Report in 2010.
The Failure of Anti-Virus Companies to Catch Military Malware
…
It isn’t just the military that tests their malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it’s been going on for decades. Probably the people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren’t magically better. Note that F-Secure and others had samples of Flame; they just didn’t do anything about them.
I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily. It was never a priority to understand — and then write signatures to detect — the Flame samples because they were never considered a problem. Maybe they were classified as a one-off. Or as an anomaly. I don’t know, but it seems clear that conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.
Canadian encryption software beats Syrian regime’s censors
I spy
SIR – One thing to bear in mind about cybersecurity concerns posed by telecoms-equipment firms (“The company that spooked the world”, August 4th) is that most communications surveillance is carried out by governments eavesdropping on their own citizens. Authorities are increasingly insisting that telecoms gear (and services like Skype) should allow for the lawful interception of communications. Once these rules are in place they can be subverted for unauthorised spying.
Ericsson’s phone exchanges, used by Vodafone’s network in Greece, were accessed in 2004 to spy on the Greek prime minister and other top officials. The noise Western governments make about Chinese companies like Huawei and ZTE is more about control rather than a genuine concern about privacy.
Professor Diomidis Spinellis
Athens University of Economics and Business
A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.
Government surveillance
Little peepers everywhere
America’s laws governing digital and mobile surveillance are an unholy mess
Jul 21st 2012 | SAN FRANCISCO AND WASHINGTON, DC | from the print edition
Big Brother on a budget: How Internet surveillance got so cheap
Deep packet inspection, petabyte-scale analytics create a “CCTV for networks.”
When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.
The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.
Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are “more interested in what’s going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”
FinSpy Commercial Spyware Abused By Governments
“The NY Times has a story about FinSpy, a commercial spyware package sold ‘only for law enforcement purposes,’ being used by governments to spy on dissidents, journalists, and others. Two U.S. computer experts, Morgan Marquis-Boire from Google, and Bill Marczak, a PhD student in Computer Science, have been tracking it down around the world. ‘The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customized for all major mobile phones. But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others.’”
Sir Tim Berners-Lee Accuses UK Government of “Draconian Internet Snooping”
“According to British daily The Telegraph, Sir Tim Berners-Lee has warned that plans to monitor individuals’ use of the internet would result in Britain losing its reputation as an upholder of web freedom. The plans, by Home Secretary Theresa May, would force British ISPs and other service providers to keep records of every phone call, email and website visit in Britain. Sir Tim has told the Times: ‘In Britain, like in the US, there has been a series of Bills that would give government very strong powers to, for example, collect data. I am worried about that.’ Sir Tim has also warned that the UK may wind up slipping down the list of countries with the most Internet freedom, if the proposed data-snooping laws pass parliament. The draft bill extends the type of data that internet service providers must store for at least 12 months. Providers would also be required to keep details of a much wider set of data, including use of social network sites, webmail and voice calls over the internet.”
Cops might finally need a warrant to read your Gmail
Major surveillance law change arrives in the Senate—and it might well pass.
Right now, if the cops want to read my e-mail, it’s pretty trivial for them to do so. All they have to do is ask my online e-mail provider. But a new bill set to be introduced Thursday in the Senate Judiciary Committee by its chair, Sen. Patrick Leahy (D-VT), seems to stand the best chance of finally changing that situation and giving e-mail stored on remote servers the same privacy protections as e-mail stored on one’s home computer.
When Congress passed the 1986 Electronic Communications Privacy Act (ECPA), a time when massive online storage of e-mail was essentially unimaginable, it was presumed that if you hadn’t actually bothered to download your e-mail, it could be considered “abandoned” after 180 days. By that logic, law enforcement would not need a warrant to go to the e-mail provider or ISP to get the messages that are older than 180 days; police only need to show that they have “reasonable grounds to believe” the information gathered would be useful in an investigation. Many Americans and legal scholars have found this standard, in today’s world, problematic.
Leahy, who was one of ECPA’s original authors, proposed similar changes in May 2011, but that was never even brought to a vote in the committee. The new version, which keeps the most important element of the 2011 proposal, will be incorporated into a larger bill aimed at revising the 1988 Video Privacy Protection Act (VPPA).
Stellar Wind (code name)
From Wikipedia, the free encyclopedia
Stellar Wind is the open secret code name for certain information collection activities performed by the United States’ National Security Agency and revealed by Thomas M. Tamm to New York Times reporters James Risen and Eric Lichtblau. The operation was approved by President George W. Bush shortly after the September 11 attacks in 2001.
The program’s activities involve data mining of a large database of the communications of American citizens, including e-mail communications, phone conversations, financial transactions, and Internet activity.
Stratfor emails reveal secret, widespread TrapWire surveillance system
Published: 10 August, 2012, 11:23
Edited: 11 August, 2012, 01:35
Former senior intelligence officials have created a detailed surveillance system more accurate than modern facial recognition technology — and have installed it across the US under the radar of most Americans, according to emails hacked by Anonymous.
Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It’s part of a program called TrapWire and it’s the brainchild of the Abraxas, a Northern Virginia company staffed with elite from America’s intelligence community. The employee roster at Abraxas reads like a who’s who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation’s ties are assumed to go deeper than even documented.
The details on Abraxas and, to an even greater extent TrapWire, are scarce, however, and not without reason. For a program touted as a tool to thwart terrorism and monitor activity meant to be under wraps, it’s understandable that Abraxas would want the program’s public presence to be relatively limited. But thanks to last year’s hack of the Strategic Forecasting intelligence agency, or Stratfor, all of that is quickly changing.
Trailblazer Project
From Wikipedia, the free encyclopedia
Trailblazer was a United States National Security Agency (NSA) program intended to develop a capability to analyze data carried on communications networks like the Internet. It was intended to track entities using communication methods such as cell phones and e-mail. It ran over budget, failed to accomplish critical goals, and was cancelled.
NSA whistleblowers J. Kirk Wiebe, William Binney, Ed Loomis, and House Permanent Select Committee on Intelligence staffer Diane Roark complained to the Department of Defense’s Inspector General (IG) about waste, fraud, and abuse in the program, and the fact that a successful operating prototype existed, but was ignored when the Trailblazer program was launched. The complaint was accepted by the IG and an investigation began that lasted until mid-2005 when the final results were issued. The results were largely hidden, as the report given to the public was heavily (90%) redacted, while the original report was heavily classified, thus restricting the ability of most people to see it.
The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance
Christopher Soghoian
Ph.D. Dissertation, August 2012.
Can You See Me Now: Toward Reasonable Standards for Law Enforcement Access to Location Data that Congress Could Enact
Stephanie K. Pell and Christopher Soghoian
Berkeley Technology Law Journal, Vol. 27, 2012.
The Law Enforcement Surveillance Reporting Gap
Christopher Soghoian
Unpublished Draft
An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government
Christopher Soghoian
Minnesota Journal of Law, Science & Technology Vol. 12, No. 1, 2011.
Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL
Christopher Soghoian and Sid Stamm
Financial Cryptography and Data Security ’11 March 2011.
Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era
Christopher Soghoian
Journal on Telecommunications and High Technology Law, Vol. 8, No. 2, 2010.
Pine Gap
From Wikipedia, the free encyclopedia
Pine Gap is the commonly used name for a satellite tracking station at 23.799°S 133.737°E, some 18 kilometres (11 mi) south-west of the town of Alice Springs in the centre of Australia which is operated by both Australia and the United States. The facility has become a key part of the local economy.
It consists of a large computer complex with eight radomes protecting antennas and has over 800 employees. It is officially called the Joint Defence Facility Pine Gap since 1988; previously, it was known as Joint Defence Space Research Facility.[2] It is believed to be one of the largest ECHELON ground stations and appears to be physically and operationally similar to the American signals intelligence facilities at Buckley Air Force Base, Colorado and RAF Menwith Hill, United Kingdom. United States government personnel at Pine Gap are believed to be mostly from the National Security Agency and subordinate service-associated agencies as well as the Central Intelligence Agency.
In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher’s Spykit Exposed? (https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/), presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad. A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as “lawful intercept tools.”
Recently, CSO magazine published an article reporting on claims by anti-virus company Dr Web that a backdoor known as “Crisis” or “DaVinci” was, in fact, the commercial surveillance tool “Remote Control System” sold by a Milan, Italy-based lawful intercept vendor known as Hacking Team. According to an article published by Slate magazine, the same backdoor was used to target the Moroccan citizen journalist group, Mamfakinch.
This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting Ahmed Mansoor, a human rights activist based in the UAE. Additionally, it examines the possibility that a vulnerability linked to the French company, VUPEN, was used as the vector for intrusion into Ahmed Mansoor’s online presence.
————————————————————
Read the full research brief (https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/).
Read the Bloomberg news article (http://www.bloomberg.com/news/2012-10-10/spyware-leaves-trail-to-beaten-activist-through-microsoft-flaw.html).
Canada’s Spy Groups Divulge Secret Intelligence to Energy Companies
Documents raise fears that info on environmentalists, Indigenous groups and more shared with industry at biannual, secret-level, briefings.
by Tim Groves
TORONTO—The Canadian government has been orchestrating briefings that provide energy companies with classified intelligence from the Canadian Security Intelligence Service, the RCMP and other agencies, raising concerns that federal officials are spying on environmentalists and First Nations in order to provide information to the businesses they criticize.
The secret-level briefings have taken place twice a year since 2005, and are detailed in documents obtained under the Access to Information Act, and in publicly-available government files.
The draft agenda for one of the briefings, acquired by The Dominion, shows that the RCMP and CSIS assisted the department of Natural Resources in organizing a daylong event on November 25, 2010, at CSIS headquarters in Ottawa, and a networking reception the previous night at the Chateau Laurier.
UK surveillance bill: 19,000 letters opposing, 0 in favour
The Snooper’s Charter is Britain’s pending Internet surveillance law, which requires ISPs, online services and telecoms companies to retain enormous amounts of private online transactions, and to hand them over to government and law enforcement employees without a warrant. A public campaign on the bill had 19,000 responses, every one of which opposed the legislation. 19,000 against, 0 for. The question is, will the government (which ran in part by opposing similar legislation proposed by the previous Labour government) actually pay attention?
Privacy app puts the spooks on edge
Ryan Gallagher
Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project – a surveillance-resistant communications platform that makes complex encryption so simple your grandmother can use it.
This week, after more than two years of preparation, the finished product has hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications – text messages plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus and Android in the works. An email service is also soon scheduled to launch.
The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user – a bit like how “this tape will self-destruct” goes down in Mission: Impossible but without the smoke or fire.
I’ve been thinking a lot about how information technology, and the Internet in particular, is becoming a tool for oppressive governments. As Evgeny Morozov describes in his great book The Net Delusion: The Dark Side of Internet Freedom, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, and propaganda. And they’re getting really good at it.
For a lot of us who imagined that the Internet would spark an inevitable wave of Internet freedom, this has come as a bit of a surprise. But it turns out that information technology is not just a tool for freedom-fighting rebels under oppressive governments, it’s also a tool for those oppressive governments. Basically, IT magnifies power; the more power you have, the more it can be magnified in IT.
There is, finally, a powerful political reason to introduce strong end-to-end encryption now, beyond the obvious benefits for individual users. The FBI, which fears that its digital wiretaps will “go dark” as encrypted communications become more popular, has been quietly but vigorously promoting an update to the Communications Assistance for Law Enforcement Act to cover providers of online communication services like Google and Skype. Just as phone companies have to build wiretap capability into their networks, they want Skype and Google to build in centralized backdoors for law enforcement: Strong end-to-end encryption would be out, as companies would be required to hold copies of the keys to all “secure” communications for police convenience. This myopic move would drastically reduce the security of everyone’s communications in the name of making it a bit easier to spy on a tiny handful of criminals. It’s also unlikely to do much good: If criminals know that Google can’t offer truly secure communications, there’s no way to stop them from simply employing their own unbreakable encryption.
On Friday morning, the Senate renewed the FISA Amendments Act (PDF), which allows for warrantless electronic eavesdropping, for an additional five years. The act, which was originally passed by Congress in 2008, allows law enforcement agencies to access private communications as long as one participant in the communications could reasonably be believed to be outside the United States. This law has been the subject of a federal lawsuit, and was argued before the Supreme Court recently. ‘The legislation does not require the government to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application. The court’s rulings are not public.’
Cyber-warfare
Hype and fear
America is leading the way in developing doctrines for cyber-warfare. Other countries may follow, but the value of offensive capabilities is overrated
While the original analog phreaker playground may be long gone, its digital descendants have evolved into playgrounds for insiders, whose activities we only hear about in whispers and leaks. In 2006, former AT&T technician Mark Klein exposed the National Security Agency’s illegal wiretapping program, which housed equipment in AT&T’s own buildings. In 2008, 50 years after retroactively legalizing the Greenstar wiretapping, Congress retroactively immunized telecom carriers for their national security wiretapping. In 2011, former NSA code breaker William Binney revealed that the NSA was working with AT&T and other telecom companies to store phone records for “everyone in the country.” (In the vaguely New Age-y sci-fi spirit of Greenstar, they even code named the program “Stellar Wind.”) The NSA is building a $4 billion data center to store this unprecedented trove of data, sifting it for interesting patterns, finding novel, unexpected things to do with it.
http://lareviewofbooks.org/article.php?type&id=1570&fulltext=1&media
Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/all/
Government data breached thousands of times in last decade, documents say
OTTAWA — The federal government has seen more than 3,000 data and privacy breaches over the past 10 years, breaches that have affected more than 725,350 Canadians, according to documents tabled in Parliament on Tuesday.
The responses from departments, given to the New Democrats in response to an order paper question, also show that less than 13 per cent of all breaches have been reported, including a handful from the Department of Fisheries and Oceans that affected more than 4,400 individuals.
Apple can decrypt iPhones for cops; Google can remotely “reset password” for Android devices