Group items tagged

Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes. Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants. Critics also worry about mission creep, the weakening of a technology relied on by human rights workers and activists, and the potential for innocent parties to wind up infected with government malware because they visited the wrong website. “This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates. What’s changed is the way the FBI uses its malware capability, deploying it as a driftnet instead of a fishing line. And the shift is a direct response to Tor, the powerful anonymity system endorsed by Edward Snowden and the State Department alike.

Edward Snowden has revealed that he witnessed “numerous instances” of National Security Agency (NSA) employees passing around nude photos that were intercepted “in the course of their daily work.” In a 17-minute interview with The Guardian filmed at a Moscow hotel and published on Thursday, the NSA whistleblower addressed numerous points, noting that he could “live with” being sent to the US prison facility at Guantanamo Bay, Cuba. He also again dismissed any notion that he was a Russian spy or agent—calling those allegations “bullshit.” If Snowden’s allegations of sexual photo distribution are true, they would be consistent with what the NSA has already reported. In September 2013, in a letter from the NSA’s Inspector General Dr. George Ellard to Sen. Chuck Grassley (R-IA), the agency outlined a handful of instances during which NSA agents admitted that they had spied on their former love interests. This even spawned a nickname within the agency, LOVEINT—a riff on HUMINT (human intelligence) or SIGINT (signals intelligence).

“You've got young enlisted guys, 18 to 22 years old,” Snowden said. “They've suddenly been thrust into a position of extraordinary responsibility where they now have access to all of your private records. In the course of their daily work they stumble across something that is completely unrelated to their work in any sort of necessary sense. For example, an intimate nude photo of someone in a sexually compromising position. But they're extremely attractive. “So what do they do? They turn around in their chair and show their co-worker. The co-worker says: ‘Hey that's great. Send that to Bill down the way.’ And then Bill sends it to George and George sends it to Tom. And sooner or later this person's whole life has been seen by all of these other people. It's never reported. Nobody ever knows about it because the auditing of these systems is incredibly weak. The fact that your private images, records of your private lives, records of your intimate moments have been taken from your private communications stream from the intended recipient and given to the government without any specific authorization without any specific need is itself a violation of your rights. Why is that in a government database?” Then Alan Rusbridger, The Guardian’s editor-in-chief, asked: “You saw instances of that happening?” “Yeah,” Snowden responded. “Numerous?” “It's routine enough, depending on the company that you keep, it could be more or less frequent. These are seen as the fringe benefits of surveillance positions."

In the UK earlier this month, human rights groups Liberty and Privacy International were cheered by a tribunal decision that declared GCHQ’s access to NSA spies’ data illegal. Though it was a hollow victory, as the tribunal also declared all current activities, including all those blanket surveillance projects much derided by free speech activists, entirely legal. The practices previously broke the law because the public was unaware of what safeguards were in place for the UK’s access to data from NSA programs like Prism; as soon as Snowden blew everything wide open the snoops had to explain themselves, and that was enough for the tribunal to confirm the legality of GCHQ’s operations. But the case has had one significant effect: anyone can now figure out if their data was illegally shared by the agencies. Privacy International has set up a simple webpage that anyone in the world can sign up to. You can visit the page here.

Once the UK Investigatory Powers Tribunal has determined whom was affected, it has to inform them. Though participants should find out whether their data were unlawfully obtained by GCHQ from the millions of private communications hoovered up by the NSA up until December 2014, it won’t be anytime soon. Privacy International warned in its FAQs: “Count on it being many months, and likely years before this action is completed.” And somewhat ironically Privacy International has to collect participant’s information, including their name and email address, to supply the service. They may ask for more information from willing participants once the group has determined if more is required from the IPT. Anyone who wants to submit directly to the tribunal can do so here.

NSO Group, an Israeli vendor of “lawful” hacking tools designed to infect a target’s phone with spyware, is regarded by many as a bad actor. The group claims to be shocked when its products are misused, as they have been in Mexico, Saudi Arabia and the United Arab Emirates. One incident might be excusable, but the group’s continued enabling of misbehavior has resulted in well-earned enmity. Recently, Facebook struck back. NSO Group deployed a weaponized exploit for Facebook’s WhatsApp messenger, integrated it into its Pegasus malcode system, and offered it to its customers (a mix of legitimate government agencies and nefarious government actors) interested in hacking WhatsApp users beginning in April. This was a particularly powerful exploit because it required no user interaction and the only sign of the exploit a user might discover would be a series of “missed calls” received on the user’s phone. Facebook patched the vulnerability on May 13, blocking the NSO campaign. Facebook wasn’t satisfied with simply closing the vulnerability. In cooperation with CitizenLab, Facebook identified more than 100 incidents in which NSO Group’s WhatsApp exploit appeared to target human rights activists and journalists. In total, Facebook and CitizenLab identified 1,400 targets (which apparently also included government officials in U.S. allied governments). They then filed a federal lawsuit against NSO Group, closed NSO Group member accounts, and, most damaging of all to NSO’s customers, sent a notice to all identified victims alerting them of the attack. This meant that all targets, both dissidents and drug lords alike, were notified of this surveillance. The lawsuit will be a case to watch. Facebook has already revealed a large amount of detail concerning NSO Group’s internal workings, including the hands-on nature of its business model: NSO Group actively assists countries in hacking targets. For example, we now know that while an NSO Group employee may not press the “Enter” key for a target, NSO employees do act to advise and consult on targeting; and NSO Group is largely responsible for running the infrastructure used to exploit targets and manage implants. Expect more revelations like this as the case proceeds.