Skip to main content

Home/ Future of the Web/ Group items tagged update hacked

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Gonzalo San Gil, PhD.

U.S. Congress must act on government hacking, reject Rule 41 - Access Now - 0 views

www.accessnow.org/ernment-hacking-reject-rule-41

stop Rule 41 government hacking rule from US to world

shared by Gonzalo San Gil, PhD. on 03 May 16 - No Cached
  • Gonzalo San Gil, PhD. on 03 May 16
     
    "Washington D.C. - Access Now today calls upon the U.S. Congress to reject a new rule that will expand the Federal Bureau of Investigation's (FBI) hacking operations. The call comes as the Supreme Court of the United States reported a change in the Federal Rules of Criminal Procedure, specifically Rule 41, to Congress. The change enables the FBI to hack into computers regardless of where they are located, and to hack into the computers belonging to the victims of botnet operations. Access Now strongly opposes the update to Rule 41."
  • Gonzalo San Gil, PhD. on 03 May 16
     
    "Washington D.C. - Access Now today calls upon the U.S. Congress to reject a new rule that will expand the Federal Bureau of Investigation's (FBI) hacking operations. The call comes as the Supreme Court of the United States reported a change in the Federal Rules of Criminal Procedure, specifically Rule 41, to Congress. The change enables the FBI to hack into computers regardless of where they are located, and to hack into the computers belonging to the victims of botnet operations. Access Now strongly opposes the update to Rule 41."
Paul Merrell

NSA Based Malware Used In Massive Cyber-Attack Hitting 74 Countries - 0 views

www.mintpressnews.com/...227763

surveillance state cyberwar NSA exploits Shadow-Brokers leak

shared by Paul Merrell on 13 May 17 - No Cached
  • Apparent National Security Agency (NSA) malware has been used in a global cyber-attack, including on British hospitals, in what whistleblower Edward Snowden described as the repercussion of the NSA’s reckless decision to build the tools. “Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost,” Snowden tweeted Friday. At least two hospitals in London were forced to shut down and stop admitting patients after being attacked by the malware, which operates by locking out the user, encrypting data, and demanding a ransom to release it. The attacks hit dozens of other hospitals, ambulance operators, and doctors’ offices as well.
  • The Blackpool Gazette in the northwest reported that medical staff had resorted to using pen and paper when phone and computer systems shut down. Elsewhere, journalist Ollie Cowan tweeted a photo of ambulances “backed up” at Southport Hospital as the staff attempted to cope with the crisis.
  • Other disruptions were reported in at least 74 countries, including Russia, Spain, Turkey, and Japan, and the number is “growing fast,” according to Kaspersky Lab chief Costin Raiu. Security architect Kevin Beau said it was spreading into the U.S. as well. The malware, which Microsoft tested briefly earlier this year, was leaked by a group calling itself the Shadow Brokers, which has been releasing NSA hacking tools online since last year, the New York Times reports. Times journalists Dan Bilefsky and Nicole Perlroth wrote: Microsoft rolled out a patch for the vulnerability in March, but hackers apparently took advantage of the fact that vulnerable targets—particularly hospitals—had yet to update their systems. The malware was circulated by email. Targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets. Reuters reported that the National Health Service (NHS), England’s public health system, was warned about possible hacking earlier in the day, but that by then it was already too late.
  • ...2 more annotations...
  • A Twitter account with the handle @HackerFantastic, the co-founder of the cyber security company Hacker House, tweeted that the firm had “warned the NHS with Sky news about vulnerabilities they had last year, this was inevitable and bound to happen at some stage.” “In light of today’s attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals,” Snowden tweeted. “If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.” Disclosing the vulnerability when it was found would have given hospitals years, not months, to update their systems and prepare for an attack, he added.
  • witter user @MalwareTechBlog added, “Something like this is incredibly significant, we’ve not seen P2P spreading on PC via exploits at this scale in nearly a decade.” Patrick Toomey, a staff attorney with the American Civil Liberties Union’s (ACLU) National Security Project, said, “It would be shocking if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen.” “These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Toomey said. “It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
Paul Merrell

European Lawmakers Demand Answers on Phone Key Theft - The Intercept - 0 views

firstlook.org/...gemalto-heist-shocks-europe

surveillance state Gemalto SIM-card-keys

shared by Paul Merrell on 24 Feb 15 - No Cached
  • European officials are demanding answers and investigations into a joint U.S. and U.K. hack of the world’s largest manufacturer of mobile SIM cards, following a report published by The Intercept Thursday. The report, based on leaked documents provided by NSA whistleblower Edward Snowden, revealed the U.S. spy agency and its British counterpart Government Communications Headquarters, GCHQ, hacked the Franco-Dutch digital security giant Gemalto in a sophisticated heist of encrypted cell-phone keys. The European Parliament’s chief negotiator on the European Union’s data protection law, Jan Philipp Albrecht, said the hack was “obviously based on some illegal activities.” “Member states like the U.K. are frankly not respecting the [law of the] Netherlands and partner states,” Albrecht told the Wall Street Journal. Sophie in ’t Veld, an EU parliamentarian with D66, the Netherlands’ largest opposition party, added, “Year after year we have heard about cowboy practices of secret services, but governments did nothing and kept quiet […] In fact, those very same governments push for ever-more surveillance capabilities, while it remains unclear how effective these practices are.”
  • “If the average IT whizzkid breaks into a company system, he’ll end up behind bars,” In ’t Veld added in a tweet Friday. The EU itself is barred from undertaking such investigations, leaving individual countries responsible for looking into cases that impact their national security matters. “We even get letters from the U.K. government saying we shouldn’t deal with these issues because it’s their own issue of national security,” Albrecht said. Still, lawmakers in the Netherlands are seeking investigations. Gerard Schouw, a Dutch member of parliament, also with the D66 party, has called on Ronald Plasterk, the Dutch minister of the interior, to answer questions before parliament. On Tuesday, the Dutch parliament will debate Schouw’s request. Additionally, European legal experts tell The Intercept, public prosecutors in EU member states that are both party to the Cybercrime Convention, which prohibits computer hacking, and home to Gemalto subsidiaries could pursue investigations into the breach of the company’s systems.
  • According to secret documents from 2010 and 2011, a joint NSA-GCHQ unit penetrated Gemalto’s internal networks and infiltrated the private communications of its employees in order to steal encryption keys, embedded on tiny SIM cards, which are used to protect the privacy of cellphone communications across the world. Gemalto produces some 2 billion SIM cards a year. The company’s clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers. “[We] believe we have their entire network,” GCHQ boasted in a leaked slide, referring to the Gemalto heist.
  • ...4 more annotations...
  • While Gemalto was indeed another casualty in Western governments’ sweeping effort to gather as much global intelligence advantage as possible, the leaked documents make clear that the company was specifically targeted. According to the materials published Thursday, GCHQ used a specific codename — DAPINO GAMMA — to refer to the operations against Gemalto. The spies also actively penetrated the email and social media accounts of Gemalto employees across the world in an effort to steal the company’s encryption keys. Evidence of the Gemalto breach rattled the digital security community. “Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology, a non-profit that advocates for digital privacy and free online expression. “While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications.”
  • For Gemalto, evidence that their vaunted security systems and the privacy of customers had been compromised by the world’s top spy agencies made an immediate financial impact. The company’s shares took a dive on the Paris bourse Friday, falling $500 million. In the U.S., Gemalto’s shares fell as much 10 percent Friday morning. They had recovered somewhat — down 4 percent — by the close of trading on the Euronext stock exchange. Analysts at Dutch financial services company Rabobank speculated in a research note that Gemalto could be forced to recall “a large number” of SIM cards. The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.
  • AT&T, T-Mobile and Verizon could not be reached for comment Friday. Sprint declined to comment. Vodafone, the world’s second largest telecom provider by subscribers and a customer of Gemalto, said in a statement, “[W]e have no further details of these allegations which are industrywide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.” Deutsche Telekom AG, a German company, said it has changed encryption algorithms in its Gemalto SIM cards. “We currently have no knowledge that this additional protection mechanism has been compromised,” the company said in a statement. “However, we cannot rule out this completely.”
  • Update: Asked about the SIM card heist, White House press secretary Josh Earnest said he did not expect the news would hurt relations with the tech industry: “It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so. So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”
  • Paul Merrell on 24 Feb 15
     
    Watch for massive class action product defect litigation to be filed against the phone companies.and mobile device manufacturers.  In most U.S. jurisdictions, proof that the vendors/manufacturers  knew of the product defect is not required, only proof of the defect. Also, this is a golden opportunity for anyone who wants to get out of a pricey cellphone contract, since providing a compromised cellphone is a material breach of warranty, whether explicit or implied..   
Paul Merrell

NSA contractors use LinkedIn profiles to cash in on national security | Al Jazeera America - 0 views

america.aljazeera.com/...tractors-linkedinprofiles.html

surveillance state NSA NSA-methods spying-on-spies

shared by Paul Merrell on 30 May 14 - No Cached
  • NSA spies need jobs, too. And that is why many covert programs could be hiding in plain sight. Job websites such as LinkedIn and Indeed.com contain hundreds of profiles that reference classified NSA efforts, posted by everyone from career government employees to low-level IT workers who served in Iraq or Afghanistan. They offer a rare glimpse into the intelligence community's projects and how they operate. Now some researchers are using the same kinds of big-data tools employed by the NSA to scrape public LinkedIn profiles for classified programs. But the presence of so much classified information in public view raises serious concerns about security — and about the intelligence industry as a whole. “I’ve spent the past couple of years searching LinkedIn profiles for NSA programs,” said Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy and Technology Project.
  • On Aug. 3, The Wall Street Journal published a story about the FBI’s growing use of hacking to monitor suspects, based on information Soghoian provided. The next day, Soghoian spoke at the Defcon hacking conference about how he uncovered the existence of the FBI’s hacking team, known as the Remote Operations Unit (ROU), using the LinkedIn profiles of two employees at James Bimen Associates, with which the FBI contracts for hacking operations. “Had it not been for the sloppy actions of a few contractors updating their LinkedIn profiles, we would have never known about this,” Soghoian said in his Defcon talk. Those two contractors were not the only ones being sloppy.
  • And there are many more. A quick search of Indeed.com using three code names unlikely to return false positives — Dishfire, XKeyscore and Pinwale — turned up 323 résumés. The same search on LinkedIn turned up 48 profiles mentioning Dishfire, 18 mentioning XKeyscore and 74 mentioning Pinwale. Almost all these people appear to work in the intelligence industry. Network-mapping the data Fabio Pietrosanti of the Hermes Center for Transparency and Digital Human Rights noticed all the code names on LinkedIn last December. While sitting with M.C. McGrath at the Chaos Communication Congress in Hamburg, Germany, Pietrosanti began searching the website for classified program names — and getting serious results. McGrath was already developing Transparency Toolkit, a Web application for investigative research, and knew he could improve on Pietrosanti’s off-the-cuff methods.
  • ...2 more annotations...
  • “I was, like, huh, maybe there’s more we can do with this — actually get a list of all these profiles that have these results and use that to analyze the structure of which companies are helping with which programs, which people are helping with which programs, try to figure out in what capacity, and learn more about things that we might not know about,” McGrath said. He set up a computer program called a scraper to search LinkedIn for public profiles that mention known NSA programs, contractors or jargon — such as SIGINT, the agency’s term for “signals intelligence” gleaned from intercepted communications. Once the scraper found the name of an NSA program, it searched nearby for other words in all caps. That allowed McGrath to find the names of unknown programs, too. Once McGrath had the raw data — thousands of profiles in all, with 70 to 80 different program names — he created a network graph that showed the relationships between specific government agencies, contractors and intelligence programs. Of course, the data are limited to what people are posting on their LinkedIn profiles. Still, the network graph gives a sense of which contractors work on several NSA programs, which ones work on just one or two, and even which programs military units in Iraq and Afghanistan are using. And that is just the beginning.
  • Click on the image to view an interactive network illustration of the relationships between specific national security surveillance programs in red, and government organizations or private contractors in blue.
  • Paul Merrell on 30 May 14
     
    What a giggle, public spying on NSA and its contractors using Big Data. The interactive network graph with its sidebar display of relevant data derived from LinkedIn profiles is just too delightful. 
Paul Merrell

Hackers Prove Fingerprints Are Not Secure, Now What? | nsnbc international - 0 views

nsnbc.me/...prints-are-not-secure-now-what

surveillance state OPM-computer-breach fingerprints iPhone Galaxy Android

shared by Paul Merrell on 24 Sep 15 - No Cached
  • The Office of Personnel Management (OPM) recently revealed that an estimated 5.6 million government employees were affected by the hack; and not 1.1 million as previously assumed.
  • Samuel Schumach, spokesman for the OPM, said: “As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.” This endeavor expended the use of the Department of Defense (DoD), the Department of Homeland Security (DHS), the National Security Agency (NSA), and the Pentagon. Schumer added that “if, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.” However, we do not need to wait for the future for fingerprint data to be misused and coveted by hackers.
  • Look no further than the security flaws in Samsung’s new Galaxy 5 smartphone as was demonstrated by researchers at Security Research Labs (SRL) showing how fingerprints, iris scans and other biometric identifiers could be fabricated and yet authenticated by the Apple Touch ID fingerprints scanner. The shocking part of this demonstration is that this hack was achieved less than 2 days after the technology was released to the public by Apple. Ben Schlabs, researcher for SRL explained: “We expected we’d be able to spoof the S5’s Finger Scanner, but I hoped it would at least be a challenge. The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices.” Schlabs and other researchers discovered that “the S5 has no mechanism requiring a password when encountering a large number of incorrect finger swipes.” By rebotting the smartphone, Schlabs could force “the handset to accept an unlimited number of incorrect swipes without requiring users to enter a password [and] the S5 fingerprint authenticator [could] be associated with sensitive banking or payment apps such as PayPal.”
  • ...1 more annotation...
  • Schlab said: “Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password. Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing.” Last year Hackers from the Chaos Computer Club (CCC) proved Apple wrong when the corporation insisted that their new iPhone 5S fingerprint sensor is “a convenient and highly secure way to access your phone.” CCC stated that it is as easy as stealing a fingerprint from a drinking glass – and anyone can do it.
Gonzalo San Gil, PhD.

Linux Security - How Can Your Linux Be Hacked Using Malware, Trojans, Worms, Web Script... - 0 views

www.linuxandubuntu.com/...-trojans-worms-web-scripts-etc

linux security hacked using malware worms web care open source free software GNU_Linux update prevention measure

shared by Gonzalo San Gil, PhD. on 08 Nov 15 - No Cached
  • Gonzalo San Gil, PhD. on 08 Nov 15
     
    " Is it possible that Linux can be infected with viruses? Probably, you heard of this in some debates. But here are some facts that you need to know to better understand how Linux is secured and what things can damage a Linux system. See how "
Gonzalo San Gil, PhD.

Reconciling Mozilla's Mission and W3C EME ✩ Mozilla Hacks - the Web developer... - 1 views

hacks.mozilla.org/...g-mozillas-mission-and-w3c-eme

Mozilla Firefo DRM

shared by Gonzalo San Gil, PhD. on 11 Jun 14 - No Cached
daniel mark liked it
  • Gonzalo San Gil, PhD. on 11 Jun 14
     
    "May 19 Update: We've added an FAQ below the text of the original post to address some of the questions and comments Mozilla has received regarding EME. With most competing browsers and the content industry embracing the W3C EME specification, Mozilla has little choice but to implement EME as well so our users can continue to access all content they want to enjoy. Read on for some background on how we got here, and details of our implementation."
Paul Merrell

CISA Security Bill: An F for Security But an A+ for Spying | WIRED - 0 views

www.wired.com/...ty-bill-gets-f-security-spying

surveillance state legislation CISA

shared by Paul Merrell on 23 Mar 15 - No Cached
  • When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users’ personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks. But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won’t actually boost security. And second, the “information sharing” it describes sounds more than ever like a backchannel for surveillance.
  • On Tuesday the bill’s authors released the full, updated text of the CISA legislation passed last week, and critics say the changes have done little to assuage their fears about wanton sharing of Americans’ private data. In fact, legal analysts say the changes actually widen the backdoor leading from private firms to intelligence agencies. “It’s a complete failure to strengthen the privacy protections of the bill,” says Robyn Greene, a policy lawyer for the Open Technology Institute, which joined a coalition of dozens of non-profits and cybersecurity experts criticizing the bill in an open letter earlier this month. “None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed.” The central concern of that letter was how the same data sharing meant to bolster cybersecurity for companies and the government opens massive surveillance loopholes. The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat “notwithstanding any other provision of law.” That means CISA trumps privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, which restrict eavesdropping and sharing of users’ communications. And once the DHS obtains the information, it would automatically be shared with the NSA, the Department of Defense (including Cyber Command), and the Office of the Director of National Intelligence.
  • In a statement posted to his website yesterday, Senator Burr wrote that “Information sharing is purely voluntary and companies can only share cyber-threat information and the government may only use shared data for cybersecurity purposes.” But in fact, the bill’s data sharing isn’t limited to cybersecurity “threat indicators”—warnings of incoming hacker attacks, which is the central data CISA is meant to disseminate among companies and three-letter agencies. OTI’s Greene says it also gives companies a mandate to share with the government any data related to imminent terrorist attacks, weapons of mass destruction, or even other information related to violent crimes like robbery and carjacking. 
  • ...2 more annotations...
  • The latest update to the bill tacks on yet another kind of information, anything related to impending “serious economic harm.” All of those vague terms, Greene argues, widen the pipe of data that companies can send the government, expanding CISA into a surveillance system for the intelligence community and domestic law enforcement. If information-sharing legislation does not include adequate privacy protections, then...It’s a surveillance bill by another name. Senator Ron Wyden
  • “CISA goes far beyond [cybersecurity], and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force,” reads the letter from the coalition opposing CISA. “The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans—including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles.”
  • Paul Merrell on 23 Mar 15
     
    I read the legislation. It's as bad for privacy as described in the aritcle. And its drafting is incredibly sloppy.
Gary Edwards

Brendan's Roadmap Updates: Open letter to Microsoft's Chris Wilson and their fight to s... - 0 views

weblogs.mozillazine.org/...en_letter_to_chris_wilson.html

es4 es3 javascript brendan-eich microsoft

shared by Gary Edwards on 28 Jan 09 - Cached
  • The history of ECMAScript since its beginnings in November 1996 shows that when Microsoft was behind in the market (against Netscape in 1996-1997), it moved aggressively in the standards body to evolve standards starting with ES1 through ES3. Once Microsoft dominated the market, the last edition of the standard was left to rot -- ES3 was finished in 1999 -- and even easy-to-fix standards conformance bugs in IE JScript went unfixed for eight years (so three years to go from Edition 1 to 3, then over eight to approach Edition 4). Now that the proposed 4th edition looks like a competitive threat, the world suddenly hears in detail about all those bugs, spun as differences afflicting "JavaScript" that should inform a new standard.
  • In my opinion the notion that we need to add features so that ajax programming would be easier is plain wrong. ajax is a hack and also the notion of a webapp is a hack. the web was created in a document centric view. All w3c standards are also based on the same document notion. The heart of the web, the HTTP protocol is designed to support a web of documents and as such is stateless. the proper solution, IMO, is not to evolve ES for the benefit of ajax and webapps, but rather generalize the notion of a document browser that connects to a web of documents to a general purpose client engine that connects to a network of internet applications. thus the current web (document) browser just becomes one such internet application.
  • Gary Edwards on 28 Jan 09
     
    the obvious conflict of interest between the standards-based web and proprietary platforms advanced by Microsoft, and the rationales for keeping the web's client-side programming language small while the proprietary platforms rapidly evolve support for large languages, does not help maintain the fiction that only clashing high-level philosophies are involved here. Readers may not know that Ecma has no provision for "minor releases" of its standards, so any ES3.1 that was approved by TG1 would inevitably be given a whole edition number, presumably becoming the 4th Edition of ECMAScript. This is obviously contentious given all the years that the majority of TG1, sometimes even apparently including Microsoft representatives, has worked on ES4, and the developer expectations set by this long-standing effort. A history of Microsoft's post-ES3 involvement in the ECMAScript standard group, leading up to the overt split in TG1 in March, is summarized here. The history of ECMAScript since its beginnings in November 1996 shows that when Microsoft was behind in the market (against Netscape in 1996-1997), it moved aggressively in the standards body to evolve standards starting with ES1 through ES3. Once Microsoft dominated the market, the last edition of the standard was left to rot -- ES3 was finished in 1999 -- and even easy-to-fix standards conformance bugs in IE JScript went unfixed for eight years (so three years to go from Edition 1 to 3, then over eight to approach Edition 4). Now that the proposed 4th edition looks like a competitive threat, the world suddenly hears in detail about all those bugs, spun as differences afflicting "JavaScript" that should inform a new standard.
Paul Merrell

Popular Security Software Came Under Relentless NSA and GCHQ Attacks - The Intercept - 0 views

firstlook.org/...nsa-gchq-targeted-kaspersky

surveillance state NSA GCHQ anti-virus-software

shared by Paul Merrell on 23 Jun 15 - No Cached
  • The National Security Agency and its British counterpart, Government Communications Headquarters, have worked to subvert anti-virus and other security software in order to track users and infiltrate networks, according to documents from NSA whistleblower Edward Snowden. The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products. British spies aimed to thwart Kaspersky software in part through a technique known as software reverse engineering, or SRE, according to a top-secret warrant renewal request. The NSA has also studied Kaspersky Lab’s software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.
  • The efforts to compromise security software were of particular importance because such software is relied upon to defend against an array of digital threats and is typically more trusted by the operating system than other applications, running with elevated privileges that allow more vectors for surveillance and attack. Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus software companies; the U.S. and U.K. have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.
  • The requested warrant, provided under Section 5 of the U.K.’s 1994 Intelligence Services Act, must be renewed by a government minister every six months. The document published today is a renewal request for a warrant valid from July 7, 2008 until January 7, 2009. The request seeks authorization for GCHQ activities that “involve modifying commercially available software to enable interception, decryption and other related tasks, or ‘reverse engineering’ software.”
  • ...9 more annotations...
  • The NSA, like GCHQ, has studied Kaspersky Lab’s software for weaknesses. In 2008, an NSA research team discovered that Kaspersky software was transmitting sensitive user information back to the company’s servers, which could easily be intercepted and employed to track users, according to a draft of a top-secret report. The information was embedded in “User-Agent” strings included in the headers of Hypertext Transfer Protocol, or HTTP, requests. Such headers are typically sent at the beginning of a web request to identify the type of software and computer issuing the request.
  • According to the draft report, NSA researchers found that the strings could be used to uniquely identify the computing devices belonging to Kaspersky customers. They determined that “Kaspersky User-Agent strings contain encoded versions of the Kaspersky serial numbers and that part of the User-Agent string can be used as a machine identifier.” They also noted that the “User-Agent” strings may contain “information about services contracted for or configurations.” Such data could be used to passively track a computer to determine if a target is running Kaspersky software and thus potentially susceptible to a particular attack without risking detection.
  • Another way the NSA targets foreign anti-virus companies appears to be to monitor their email traffic for reports of new vulnerabilities and malware. A 2010 presentation on “Project CAMBERDADA” shows the content of an email flagging a malware file, which was sent to various anti-virus companies by François Picard of the Montréal-based consulting and web hosting company NewRoma. The presentation of the email suggests that the NSA is reading such messages to discover new flaws in anti-virus software. Picard, contacted by The Intercept, was unaware his email had fallen into the hands of the NSA. He said that he regularly sends out notification of new viruses and malware to anti-virus companies, and that he likely sent the email in question to at least two dozen such outfits. He also said he never sends such notifications to government agencies. “It is strange the NSA would show an email like mine in a presentation,” he added.
  • The NSA presentation goes on to state that its signals intelligence yields about 10 new “potentially malicious files per day for malware triage.” This is a tiny fraction of the hostile software that is processed. Kaspersky says it detects 325,000 new malicious files every day, and an internal GCHQ document indicates that its own system “collect[s] around 100,000,000 malware events per day.” After obtaining the files, the NSA analysts “[c]heck Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product.” The NSA’s Tailored Access Operations unit “can repurpose the malware,” presumably before the anti-virus software has been updated to defend against the threat.
  • The Project CAMBERDADA presentation lists 23 additional AV companies from all over the world under “More Targets!” Those companies include Check Point software, a pioneering maker of corporate firewalls based Israel, whose government is a U.S. ally. Notably omitted are the American anti-virus brands McAfee and Symantec and the British company Sophos.
  • As government spies have sought to evade anti-virus software, the anti-virus firms themselves have exposed malware created by government spies. Among them, Kaspersky appears to be the sharpest thorn in the side of government hackers. In the past few years, the company has proven to be a prolific hunter of state-sponsored malware, playing a role in the discovery and/or analysis of various pieces of malware reportedly linked to government hackers, including the superviruses Flame, which Kaspersky flagged in 2012; Gauss, also detected in 2012; Stuxnet, discovered by another company in 2010; and Regin, revealed by Symantec. In February, the Russian firm announced its biggest find yet: the “Equation Group,” an organization that has deployed espionage tools widely believed to have been created by the NSA and hidden on hard drives from leading brands, according to Kaspersky. In a report, the company called it “the most advanced threat actor we have seen” and “probably one of the most sophisticated cyber attack groups in the world.”
  • Hacks deployed by the Equation Group operated undetected for as long as 14 to 19 years, burrowing into the hard drive firmware of sensitive computer systems around the world, according to Kaspersky. Governments, militaries, technology companies, nuclear research centers, media outlets and financial institutions in 30 countries were among those reportedly infected. Kaspersky estimates that the Equation Group could have implants in tens of thousands of computers, but documents published last year by The Intercept suggest the NSA was scaling up their implant capabilities to potentially infect millions of computers with malware. Kaspersky’s adversarial relationship with Western intelligence services is sometimes framed in more sinister terms; the firm has been accused of working too closely with the Russian intelligence service FSB. That accusation is partly due to the company’s apparent success in uncovering NSA malware, and partly due to the fact that its founder, Eugene Kaspersky, was educated by a KGB-backed school in the 1980s before working for the Russian military.
  • Kaspersky has repeatedly denied the insinuations and accusations. In a recent blog post, responding to a Bloomberg article, he complained that his company was being subjected to “sensationalist … conspiracy theories,” sarcastically noting that “for some reason they forgot our reports” on an array of malware that trace back to Russian developers. He continued, “It’s very hard for a company with Russian roots to become successful in the U.S., European and other markets. Nobody trusts us — by default.”
  • Documents published with this article: Kaspersky User-Agent Strings — NSA Project CAMBERDADA — NSA NDIST — GCHQ’s Developing Cyber Defence Mission GCHQ Application for Renewal of Warrant GPW/1160 Software Reverse Engineering — GCHQ Reverse Engineering — GCHQ Wiki Malware Analysis & Reverse Engineering — ACNO Skill Levels — GCHQ
1 - 10 of 10
Showing 20 items per page