This is one app all parents should be aware of. The Secrets app is the cyberspace where kids make their confessions and share their best kept secrets and the nightmare is, their supposedly anonymous postings were highly vulnerable after all.
It should come as no surprise that health insurance companies store lots, lots more sensitive and personal information about their clients than banks and credit card companies and it certainly doesn’t help when they were not taking cybersecurity seriously, as the recent hacks on Anthem and Premera (article below) have highlighted.
And what’s going to happen to these clients following the (Anthem and Premera) hacks? Watch the video clips below.
The disturbing truth behind the Premera, Anthem attacks
March 24, 2015 | By Dan Bowman
As details continue to emerge following the recent hack attacks on payers Anthem and Premera–in which information for close to 90 million consumers combined may have been put at risk–perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously.
Premera, for instance, knew three weeks prior to the initial penetration of its systems in May 2014 that network security issues loomed large. A report sent by the U.S. Office of Personnel Management’s Office of Inspector General detailed several vulnerabilities, including a lack of timely patch implementations and insecure server configurations.
The findings were so bad, they prompted OPM to warn Premera, “failiure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.” In addition, OPM told the Mountlake Terrace, Washington-based insurer that failure to remove outdated software would increase the risk of a successful malicious attack on its information systems.
“Promptly” to Premera apparently meant eight months down the road. And one month after its self-imposed Dec. 31, 2014, deadline to resolve its issues, guess what the payer found?
Just imagine how much damage could have been spared had Premera acted with more haste.
In Anthem’s case, negligence continues to persist. The nation’s second-largest payer has refused to allow a federal watchdog agency to perform vulnerability scans and compliance tests on its systems in the wake of its massive hack attack. It also prevented auditors from adequately testing whether it appropriately secured its computer information systems during a 2013 audit, citing corporate policy prohibiting external entities from connecting to the Anthem network.
Corporate policy is all well and good, but it’s not going to mean squat to a consumer two years from now when Anthem’s complimentary credit monitoring wears off and the hackers begin wading through the treasure trove of stolen information. As one of those consumers, it would be nice to hear Anthem take the advice Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan, who told my colleague Brian Eastwood last month that payers should hire third parties to conduct HIPAA risk assessments.
“That way, you avoid internal posturing and receive objective feedback,” Greene said.
Following last summer’s massive Community Health Systems breach–and on the heels of other high-profile cybersecurity attacks–it appeared earlier this year that the healthcare industry was finally starting to truly prioritize information protection.
That’s not to say that the majority of the industry doesn’t take such matters seriously. But it’s disappointing to see that some of its biggest players seem to feel differently. – Dan (@Dan_Bowman and @FierceHealthIT)
You may want to think twice about the new MacBook.
Apple may have ideas about its newly introduced USB-C but widely reported vulnerabilities of USB devices amplify big troubles ahead, as the following article explains.
The NSA Is Going to Love These USB-C Charging Cables
Thanks to Apple’s new MacBook and Google’s new Chromebook Pixel, USB-C has arrived. A single flavor of cable for all your charging and connectivity needs? Hell yes. But that convenience doesn’t come without a cost; our computers will be more vulnerable than ever to malware attacks, from hackers and surveillance agencies alike.
The trouble with USB-C stems from the fact that the USB standard isn’t very secure. Last year, researchers wrote a piece of malware called BadUSB which attaches to your computer using USB devices like phone chargers or thumb drives. Once connected, the malware basically takes over a computer imperceptibly. The scariest part is that the malware is written directly to the USB controller chip’s firmware, which means that it’s virtually undetectable and so far, unfixable.
Before USB-C, there was a way to keep yourself somewhat safe. As long as you kept tabs on your cables, and never stuck random USB sticks into your computer, you could theoretically keep it clean. But as The Verge points out, the BadUSB vulnerability still hasn’t been fixed in USB-C, and now the insecure port is the slot where you connect your power supply. Heck, it’s shaping up to be the slot where you connect everything. You have no choice but to use it every day. Think about how often you’ve borrowed a stranger’s power cable to get charged up. Asking for a charge from a stranger is like having unprotected sex with someone you picked up at the club.
What the Verge fails to mention however, is that it’s potentially much worse than that. If everyone is using the same power charger, it’s not just renegade hackers posing as creative professionals in coffee shops that you need to worry about. With USB-C, the surveillance establishment suddenly has a huge incentive to figure out how to sneak a compromised cable into your power hole.
It might seem alarmist and paranoid to suggest that the NSA would try to sneak a backdoor into charging cables through manufacturers, except that the agency has been busted trying exactly this kind of scheme. Last year, it was revealed that the NSA paid security firm RSA $10 million to leave a backdoor in their encryption unpatched. There’s no telling if or when or how the NSA might try to accomplish something similar with USB-C cables, but it stands to reason they would try.
We live in a world where we plug in with abandon, and USB-C’s flexibility is designed to make plugging in easier than ever. Imagine never needing to guess whether or not your aunt’s house will have a charger for your phone. USB-C could become so common that this isn’t even a question. Of course she has one! With that ubiquity and convenience comes a risk that the tech could become exploited—not just by criminals, but also by the government’s data siphoning machine.
Ever wonder what happens when one’s hacked?
Here’s an insightful chilling account of how one victim attempted to trace the hacker who invaded into his onlife life and Bitcoin wallet.
Anatomy of a Hack
In the early morning hours of October 21st, 2014, Partap Davis lost $3,000. He had gone to sleep just after 2AM in his Albuquerque, New Mexico, home after a late night playing World of Tanks. While he slept, an attacker undid every online security protection he set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.
Davis was careful when it came to digital security. He chose strong passwords and didn’t click on bogus links. He used two-factor authentication with Gmail, so when he logged in from a new computer, he had to type in six digits that were texted to his phone, just to make sure it was him. He had made some money with the rise of bitcoin and held onto the bitcoin in three protected wallets, managed by Coinbase, Bitstamp, and BTC-E. He also used two-factor with the Coinbase and BTC-E accounts. Any time he wanted to access them, he had to verify the login with Authy, a two-factor authenticator app on his phone.
Other than the bitcoin, Davis wasn’t that different from the average web user. He makes his living coding, splitting time between building video education software and a patchwork of other jobs. On the weekends, he snowboards, exploring the slopes around Los Alamos. This is his 10th year in Albuquerque; last year, he turned 40.
After the hack, Davis spent weeks tracking down exactly how it had happened, piecing together a picture from access logs and reluctant customer service reps. Along the way, he reached out to The Verge, and we added a few more pieces to the puzzle. We still don’t know everything — in particular, we don’t know who did it — but we know enough to say how they did it, and the points of failure sketch out a map of the most glaring vulnerabilities of our digital lives.
It started with Davis’ email. When he was first setting up an email account, Davis found that Partap@gmail.com was taken, so he chose a Mail.com address instead, setting up Partap@mail.com to forward to a less memorably named Gmail address.
Some time after 2AM on October 21st, that link was broken. Someone broke into Davis’ mail.com account and stopped the forwarding. Suddenly there was a new phone number attached to the account — a burner Android device registered in Florida. There was a new backup email too, email@example.com, which is still the closest thing we have to the attacker’s name.
For simplicity’s sake, we’ll call her Eve.
How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in Mail.com’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on Mail.com. It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.
Eve’s next step was to take over Partap’s phone number. She didn’t have his AT&T password, but she just pretended to have forgotten it, and ATT.com sent along a secure link to firstname.lastname@example.org to reset it. Once inside the account, she talked a customer service rep into forwarding his calls to her Long Beach number. Strictly speaking, there are supposed to be more safeguards required to set up call forwarding, and it’s supposed to take more than a working email address to push it through. But faced with an angry client, customer service reps will often give way, putting user satisfaction over the colder virtues of security.
Once forwarding was set up, all of Davis’ voice calls belonged to Eve. Davis still got texts and emails, but every call was routed straight to the attacker. Davis didn’t realize what had happened until two days later, when his boss complained that Davis wasn’t picking up the phone.
Google and Authy
Next, Eve set her sights on Davis’ Google account. Experts will tell you that two-factor authentication is the best protection against attacks. A hacker might get your password or a mugger might steal your phone, but it’s hard to manage both at once. As long as the phone is a physical object, that system works. But people replace their phones all the time, and they expect to be able to replace the services, too. Accounts have to be reset 24 hours a day, and two-factor services end up looking like just one more account to crack.
Davis hadn’t set up Google’s Authenticator app, the more secure option, but he had two-factor authentication enabled — Google texted him a confirmation code every time he logged in from a new computer. Call forwarding didn’t pass along Davis’ texts, but Eve had a back door: thanks to Google’s accessibility functions, she could ask for the confirmation code to be read out loud over the phone.
Authy should have been harder to break. It’s an app, like Authenticator, and it never left Davis’ phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve’s control.
It was the same trick that had fooled Google: as long as she had Davis’ email and phone, two-factor couldn’t tell the difference between them. At this point, Eve had more control over Davis’s online life than he did. Aside from texting, all digital roads now led to Eve.
At 3:19AM, Eve reset Davis’s Coinbase account, using Authy and his Mail.com address. At 3:55AM, she transferred the full balance (worth roughly $3,600 at the time) to a burner account she controlled. From there, she made three withdrawals — one 30 minutes after the account was opened, then another 20 minutes later, and another five minutes after that. After that, the money disappeared into a nest of dummy accounts, designed to cover her tracks. Less than 90 minutes after his Mail.com account was first compromised, Davis’ money was gone for good.
Authy might have known something was up. The service keeps an eye out for fishy behavior, and while they’re cagey about what they monitor, it seems likely that an account reset to an out-of-state number in the middle of the night would have raised at least a few red flags. But the number wasn’t from a known fraud center like Russia or Ukraine, even if Eve might have been. It would have seemed even more suspicious when Eve logged into Coinbase from the Canadian IP. Could they have stopped her then? Modern security systems like Google’s ReCAPTCHA often work this way, adding together small indicators until there’s enough evidence to freeze an account — but Coinbase and Authy each only saw half the picture, and neither had enough to justify freezing Partap’s account.
BTC-E and Bitstamp
When Davis woke up, the first thing he noticed was that his Gmail had mysteriously logged out. The password had changed, and he couldn’t log back in. Once he was back in the account, he saw how deep the damage went. There were reset emails from each account, sketching out a map of the damage. When he finally got into his Coinbase account, he found it empty. Eve had made off with 10 bitcoin, worth more than $3,000 at the time. It took hours on the phone with customer service reps and a faxed copy of his driver’s license before he could convince them he was the real Partap Davis.
What about the two other wallets? There was $2,500 worth of bitcoin in them, with no advertised protections that the Coinbase wallet didn’t have. But when Davis checked, both accounts were still intact. BTC-e had put a 48-hour hold on the account after a password change, giving him time to prove his identity and recover the account. Bitstamp had an even simpler protection: when Eve emailed to reset Davis’s authentication token, they had asked for an image of his driver’s license. Despite all Eve’s access, it was one thing she didn’t have. Davis’ last $2,500 worth of bitcoin was safe.
It’s been two months now since the attack, and Davis has settled back into his life. The last trace of the intrusion is Davis’ Twitter account, which stayed hacked for weeks after the other accounts. @Partap is a short handle, which makes it valuable, so Eve held onto it, putting in a new picture and erasing any trace of Davis. A few days after the attack, she posted a screenshot of a hacked Xfinity account, tagging another handle. The account didn’t belong to Davis, but it belonged to someone. She had moved onto the next target, and was using @partap as a disposable accessory to her next theft, like a stolen getaway car.
Who was behind the attack? Davis has spent weeks looking for her now — whole afternoons wasted on the phone with customer service reps — but he hasn’t gotten any closer. According to account login records, Eve’s computer was piping in from a block of IP addresses in Canada, but she may have used Tor or a VPN service to cover her tracks. Her phone number belonged to an Android device in Long Beach, California, but that phone was most likely a burner. There are only a few tracks to follow, and each one peters out fast. Wherever she is, Eve got away with it.
Why did she choose Partap Davis? She knew about the wallets upfront, we can assume. Why else would she have spent so much time digging through the accounts? She started at the mail.com account too, so we can guess that somehow, Eve came across a list of bitcoin users with Davis’ email address on it. A number of leaked Coinbase customer lists are floating around the internet, although I couldn’t find Davis’ name on any of them. Or maybe his identity came from an equipment manufacturer or a bitcoin retailer. Leaks are commonplace these days, and most go unreported.
Davis is more careful with bitcoin these days, and he’s given up on the mail.com address — but otherwise, not much about his life has changed. Coinbase has given refunds before, but this time they declined, saying the company’s security wasn’t at fault. He filed a report with the FBI, but the bureau doesn’t seem interested in a single bitcoin theft. What else is there to do? He can’t stop using a phone or give up the power to reset an account. There were just so many accounts, so many ways to get in. In the security world, they call this the attack surface. The bigger the surface, the harder it is to defend.
Most importantly, resetting a password is still easy, as Eve discovered over and over again. When a service finally stopped her, it wasn’t an elaborate algorithm or a fancy biometric. Instead, one service was willing to make customers wait 48 hours before authorizing a new password. On a technical level, it’s a simple fix, but a costly one. Companies are continuously balancing the small risk of compromise against the broad benefits of convenience. A few people may lose control of their account, but millions of others are able to keep using the service without a hitch. In the fight between security and convenience, security is simply outgunned.
3/5 11:10am ET: Updated to clarify Bitstamp security protocols.
If there’s any one lesson on computer/phone scams you need to remember: Microsoft, or Apple for that matter, will not initiate a call to offer a remote computer scan to fix a “problem”.
So here’s an actual incident when the scammers called and met their match – it was a computer security researcher on the line, who recorded the entire conversation (his two audio files below).
At one point, after allowing the scammer to gain some limited control of his computer screen, he informed the caller that she was busted, who in turn threatened to hack him (second audio file).
Enjoy witnessing scammers at work and here’s the article for a brief background.
Oh by the way, the caller’s number was 949-000-7676.
Above photo credit: http://background-kid.com/blurred-people-background.html
Great, now there’s a new technology to get true clear pictures out of blurred CCTV images just when we learned last week that there are gadgets to hide one’s identity from the prying eyes of facial recognition programs like the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System.
Fujitsu, the Japanese multinational information technology equipment and services company, recently said it has invented a new, first of its kind image-processing technology that can detect people from low-resolution imagery and track people in security camera footage, even when the images are heavily blurred to protect privacy. See full story below.
Sad to say, this is probably the easiest, effective and most feasible solution:
Fujitsu tech can track heavily blurred people in security videos
By Tim Hornyak
IDG News Service | March 6, 2015
Fujitsu has developed image-processing technology that can be used to track people in security camera footage, even when the images are heavily blurred to protect their privacy.
Fujitsu Laboratories said its technology is the first of its kind that can detect people from low-resolution imagery in which faces are indistinguishable.
Detecting the movements of people could be useful for retail design, reducing pedestrian congestion in crowded urban areas or improving evacuation routes for emergencies, it said.
Fujitsu used computer-vision algorithms to analyze the imagery and identify the rough shapes, such as heads and torsos, that remain even if the image is heavily pixelated. The system can pick out multiple people in a frame, even if they overlap.
Using multiple camera sources, it can then determine if two given targets are the same person by focusing on the distinctive colors of a person’s clothing.
An indoor test of the system was able to track the paths of 80 percent of test subjects, according to the company. Further details of the trial were not immediately available.
“The technology could be used by a business owner when planning the layout of their next restaurant/shop,” a Fujitsu spokesman said via email. “It would also be used by the operators of a large sporting event during times of heavy foot traffic.”
People-tracking know-how has raised privacy concerns in Japan. Last year, the National Institute of Information and Communications Technology (NICT) was forced to delay and scale down a large, long-term face-recognition study it was planning to carry out at Osaka Station, one of the country’s busiest rail hubs.
The Fujitsu research is being presented to a conference of the Information Processing Society of Japan being held at Tohoku University in northern Japan. The company hopes to improve the accuracy of the system with an aim to commercializing it in the year ending March 31, 2016.
Fujitsu has also been developing retail-oriented technology such as sensors that follow a person’s gaze as he or she looks over merchandise as well as LED lights that can beam product information for smartphones.
Forget Google Glass, there’s something more fun and useful (picture above) but first, consider this picture below.
It may sounds like the Hollywood movie Matrix but let’s face it, everyone would sooner or later have their photos captured in the public space.
Consider for example, the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System – was already up and running with the aim to capture photographs of every Americans and everyone on US soils.
The pictures above is an example of what the US government had collected of one individual – she filed a Freedom of Information Act request to see what was collected and the Department of Homeland Security subsequently released the data collected under the Global Entry Program.
But apart from immigration checkpoints, and potentially other files from other government departments (local and global), we are also subjected to the millions of CCTV cameras in public areas and the facial recognition programs scanning through the captured images (and also those on the internet and social networks).
So it’s good to know there may be a potential solution – though it’s still early days and it may not apply to cameras at immigration checkpoints.
The (computer) antivirus software company AVG is working on a “privacy glasses” project. These glasses (above) are designed to obfuscate your identity and prevent any facial recognition software from figuring out who you are, either by matching you with the pictures in their database or creating a new file of you for future use.
Find out more from this article below.
It could be game over for Russian hacker Evgeniy Bogachev as the US State Department and FBI have issued a “Wanted” poster with a US$3 million reward for information leading to his arrest, the highest price the US authorities had ever placed on a head in a cyber case.
Bogachev, apparently still in Russia, was charged by the US for running a computer attack called GameOver Zeus that has allegedly amassed in excess of US$100 million from online bank accounts of businesses and consumers in the US and around the world.
However, despite the taking down of the GameOver botnet and the demise of CryptoLocker, it’s not all over as new variants of file-encrypting ransomware still exist. The following screen is what you don’t want to see on your computer monitor.
Check out this nice article about how to protect yourself from ransomware with the Sophos Virus Removal Tool.
I have an easier, effective and unorthodox solution, which I have mentioned in public lectures and previous columns.: changing your cyber lifestyle by having “naked” computers, i.e. not storing a single file in the computer hard disks, apart from the operating system and software program files.
In essence, I store all my files on an external encrypted hard disk and use either the 1 laptop or 2 laptops approach – with the former you alternate between online and offline depending on when you connect the external disk to the laptop and with the latter, you attach the external disk to a laptop that is offline (you can go one step further with the Snowden approach by using an “air gapped” computer, as he has recommended to Glenn Greenwald) and work online only with the other computer. The latter would come handy when on the road (even with the extra weight) as there are always risks with public (which one should always avoid) and hotel internet connections, spying walls, etc.
Gemalto, the world’s largest SIM cards manufacturer that The Intercept reported last week to be hacked by the NSA and GCHQ, putting at risk some two billion SIM cards used in cellphones across the world, has somehow and somewhat concluded its findings after a “thorough” internal investigations in just six days, with assurance that its encryption keys are safe and admitted that the French-Dutch company believes the US and British spy agencies were behind a “particularly sophisticated intrusion” of its internal computer networks, back four-five years ago.
In The Intercept follow-up report (please see further below):
“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union.
Or consider this (below – Source: https://www.youtube.com/watch?v=z0amvXr8BUk )
Gemalto Doesn’t Know What It Doesn’t Know
By Jeremy Scahill
Gemalto, the French-Dutch digital security giant, confirmed that it believes American and British spies were behind a “particularly sophisticated intrusion” of its internal computer networks, as reported by The Intercept last week.
This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.
Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.
The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.
After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a “secure transfer system.” The company also said the spy agency hacks only affected “the outer parts of our networks — our office networks — which are in contact with the outside world.”
Security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.
“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains “a high-profile target for intelligence agencies.”
Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”
In its statement, Gemalto asserted:
“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.
It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”
But security and encryption experts told The Intercept that Gemalto’s statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly-optimistic statements about the security and stability of Gemalto’s networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. “Their ‘investigation’ seem to have consisted of asking their security team which attacks they detected over the past few years. That isn’t much of an investigation, and it certainly won’t reveal successful nation-state attacks,” says the ACLU’s Soghoian.
Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told The Intercept, “A true forensic investigation in such a complex environment is not possible in this time frame.”
“A damage assessment is more what this looks like,” he added.
In a written presentation of its findings, Gemalto claims that “in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable.” Gemalto also referred to its own “custom algorithms” and other, unspecified additional security mechanisms on top of the 3G and 4G standards.
Green, the Johns Hopkins cryptography specialist, said Gemalto’s claims are flatly incorrect.
“No encryption mechanism stands up to key theft,” Green says, “which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement.”
“I think you could make that statement against some gang of Internet hackers,” Green adds. “But you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”
In a press conference today in Paris, Gemalto’s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” he said. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”
There has been significant commercial pressure and political attention placed on Gemalto since The Intercept’s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.
On Wednesday, Gerard Schouw, a member of the Dutch parliament, submitted formal questions about the Gemalto hack and the findings of the company’s internal investigation to the interior minister. “Will the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?” Schouw asked. “How does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?”
China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was “concerned” about the Gemalto hack. “We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” Foreign Ministry spokesman Hong Lei said. “This not only harms the interests of consumers but also undermines users’ confidence.” He did not mention that China itself engages in widespread, state-sponsored hacking.
While Gemalto is clearly trying to calm its investors and customers, security experts say the company’s statements appear intended to reassure the public about the company’s security rather than to demonstrate that it is taking the breach seriously.
The documents published by The Intercept relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company — and its competitors — with more sophisticated intrusions, according to Soghoian, is ridiculous. “Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto’s security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too,” he said.
Green, the Johns Hopkins cryptographer, says this hack should be “a wake-up call that manufacturers are considered valuable targets by intelligence agencies. There’s a lot of effort in here to minimize and deny the impact of some old attacks, but who cares about old attacks? What I would like to see is some indication that they’re taking this seriously going forward, that they’re hardening their systems and closing any loopholes — because loopholes clearly existed. That would make me enormously more confident than this response.”
Green says that the Gemalto hack evidences a disturbing trend that is on the rise: the targeting of innocent employees of tech firms and the companies themselves. (The same tactic was used by GCHQ in its attack on Belgian telecommunications company Belgacom.)
“Once upon a time we might have believed that corporations like this were not considered valid targets for intelligence agencies, that GCHQ would not go after system administrators and corporations in allied nations. All of those assumptions are out the window, so now we’re in this new environment, where everyone is a valid target,” he says. “In computer security, we talk about ‘threat models,’ which is a way to determine who your adversary is, and what their capabilities are. This news means everyone has to change their threat model.”
Additional reporting by Ryan Gallagher. Josh Begley contributed to this report.
Congratulations to Laura Poitras and her team behind “CitizenFour” in winning the Oscars for Best Documentary Feature. And did you notice Snowden‘s girlfriend Lindsay Mills was on the stage (see picture above (Credit: YouTube) and video clips below)?
The newly announced internet-connected “Hello Barbie” (see video clip below) may be every girls’ dream but every parents’ nightmare.
The first-ever conversational doll (developed by ToyTalk in partnership with Mattel) will chat with the kids, record their conversations and transmit the recorded data to servers to be analyzed… and yes, risk being hacked and abused by pedophiles.
Think about it, it has all the hacking ingredients for any tech savvy blokes: wi-fi connection, speech-recognition software, phone apps (for kids?!), two-way conversations with kids and cloud storage.
Not convinced? Consider this: these capabilities mean these Barbies can also eavesdrop and record any conversation within the four-walls. Not much difference from the internet-connected spying Samsung smart TV.
“It wouldn’t take much for a malicious individual to intercept either the wi-fi communications from the phone or tablet, or connect to the doll over Bluetooth directly. These problems aren’t difficult to solve; the manufacturer needs to check the phone application carefully to make sure it’s secure. They also need to check that any information sent by the doll to their online systems is protected,” reportedly according to Ken Munro, a security researcher at Pen Test Partners, who has previously warned about the vulnerabilities in another doll called Cayla which uses speech-recognition and Google’s translation tools.
This news originally from The Intercept, based on leaked files from Edward Snowden, shouldn’t come as a surprise as the NSA had been on a mission to Collect It All (Chapter 3) according to Glenn Greenwald’s book “No Place to Hide” (see above).
I’m a self-confessed hardcore fan of the good old IBM Thinkpad laptops but I’ve shied away from the black box ever since the Lenovo acquisition in 2005. And this (see video clips below) is one of those reasons. My tilt these days is towards those laptops with no parts made in China…
Amid continuing Sino-US spats on cyber-espionage and related matters, China is beefing up its cyber and national security in a big way as it is reportedly just months away from launching the longest quantum communications network on earth stretching some 2,000 kilometer between its capital Beijing and financial center Shanghai to transfer data close to the speed of light with no hacking risks – initially to transmit sensitive diplomatic and classified information for the government and military with personal and financial data also on the cards for the near future.
And that’s ahead of the previously announced plan for 2016 to become the first country to launch a quantum communications satellite into the orbit.
Looks like Snowden was spot on again. In a post just a month ago, I wrote what he said about how the US (would and) is paying the price for focusing too much on the cyber offensive at the expense of cyber defense.
Meanwhile, following the recent cyber-attack on Sony Pictures, President Barack Obama’s homeland security and counter-terrorism adviser Lisa Monaco announced earlier this week a new intelligence unit – the Cyber Threat Intelligence Integration Center – to take the lead in tracking cyber-threats by pooling and disseminating data on cyber-breaches to other US agencies.
“Currently, no single government entity is responsible for producing coordinated cyber threat assessments,” according to Monaco.
China nears launch of hack-proof ‘quantum communications’ link
Published: Feb 9, 2015 11:13 p.m. ET
Technology to be employed for military and other official uses
BEIJING (Caixin Online) — This may be a quantum-leap year for an initiative that accelerates data transfers close to the speed of light with no hacking threats through so-called “quantum communications” technology.
Within months, China plans to open the world’s longest quantum-communications network, a 2,000-kilometer (1,240-mile) electronic highway linking government offices in the cities of Beijing and Shanghai.
Meanwhile, the country’s aerospace scientists are preparing a communications satellite for a 2016 launch that would be a first step toward building a quantum communications network in the sky. It’s hoped this and other satellites can be used to overcome technical hurdles, such as distance restrictions, facing land-based systems.
Physicists around the world have spent years working on quantum-communications technology. But if all goes as planned, China would be the first country to put a quantum-communications satellite in orbit, said Wang Jianyu, deputy director of the China Academy of Science’s (CAS) Shanghai branch.
At a recent conference on quantum science in Shanghai, Wang said scientists from CAS and other institutions have completed major research and development tasks for launching the satellite equipped with quantum-communications gear.
The satellite program’s likelihood for success was confirmed by China’s leading quantum-communications scientist, Pan Jianwei, a CAS academic who is also a professor of quantum physics at the University of Science and Technology of China (USTC) in Hefei, in the eastern province of Anhui. Pan said researchers reported significant progress on systems development after conducting experiments at a test center in Qinghai province, in the northwest
The satellite would be used to transmit encoded data through a method called quantum key distribution (QKD), which relies on cryptographic keys transmitted via light-pulse signals. QKD is said to be nearly impossible to hack, since any attempted eavesdropping would change the quantum states and thus could be quickly detected by data-flow monitors.
A satellite-based quantum-communications system could be used to build a secure information bridge between the nation’s capital and Urumqi, a city that’s the capital of the restive Xinjiang Uyghur Autonomous Region in the west, Pan said.
It’s likely the technology initially will be used to transmit sensitive diplomatic, government-policy and military information. Future applications could include secure transmissions of personal and financial data.
Plans call for China to put additional satellites into orbit after next year’s ground-breaking launch, Pan said, without divulging how many satellites might be deployed or when. He did say that China hopes to complete a QKD system linking Asia and Europe by 2020, and have a worldwide quantum-communications network in place by 2030.
In 2009, China became the first country in the world to put quantum-communications technology to work outside of a laboratory.
In October of that year, a team of scientists led by Pan built a secure network for exchanging information among government officials during a military parade in Beijing celebrating the 60th anniversary of the People’s Republic. The demonstration underscored the research project’s key military application.
“China is completely capable of making full use of quantum communications in a regional war,” Pan said. “The direction of development in the future calls for using relay satellites to realize quantum communications and control that covers the entire army.”
The country is also working to configure the new technology for civilian use.
A pilot quantum-communications network that took 18 months to build was completed in February 2012 in Hefei. The network, which cost the city’s government 60 million yuan ($9.6 million), was designed by Pan’s team to link 40 telephones and 16 video cameras installed at city government agencies, military units, financial institutions and health-care offices.
A similar, civilian-focused network built by Pan’s team in Jinan, the provincial capital of the eastern province of Shandong, started operating in March 2014. It connects some 90 users, most of whom tap the network for general business and information.
In late 2012, Pan’s team installed a quantum-communications network that was used to securely connect the Beijing venue hosting a week-long meeting of the 18th National Congress of the Communist Party, with hotel rooms where delegates stayed, as well as the Zhongnanhai compound in Beijing where the nation’s top leaders live and work.
Next on the development agenda is opening the network linking Beijing and Shanghai. Pan is leading that project as well.
If all goes as planned, Pan said, existing networks in Hefei and Jinan would eventually be tied to the Beijing-Shanghai channel to provide secure communications connecting government and financial agencies in each of the four regions. The new network could be operating as early as 2016.
No room for hype
A quantum code expert said that so far, quantum-communications technology development efforts in China have basically focused on protecting national security. “How important it will be for the public and in everyday life are questions that remain unanswered,” said the expert.
To date, Pan said, technical barriers and the high cost of systems development have kept private capital out of what’s now almost exclusively a government initiative. Moreover, it’s still too early to tell whether the technology has any potential commercial value.
Pan has warned the public not to listen to investment come-ons that hype the money-making potential of quantum-communications businesses. At this stage of the game, he said, the focus is still on technological development, not commercial applications.
Nevertheless, since 2009, USTC has been building a commercial enterprise called Anhui Quantum Communication Technology Co. to produce equipment based on technology developed by Pan and his team. The company is China’s largest quantum-communications equipment supplier. Last September, it said it had started mass-producing quantum-cryptography equipment.
Anhui Quantum general manager Zhao Yong said the company’s clients include financial institutions and government agencies seeking to supplement, not replace, conventional communications systems. Their shared goal, he said, is to improve data security.
Once the technology has matured, said Wang Xiangbin, a physicist at Beijing’s Tsinghua University, its range of applications should be targeted to specific industries and regions because of its high barrier in technology and cost. Quantum communications is not a technology suitable for mass use via the Internet, for example, Wang told a group of scientists at a 2012 seminar.
Some experts say it’s wrong to assume that quantum communications is a flawlessly secure means of transmitting information. Another Tsinghua physics professor, Long Guilu, said quantum communication is only theoretically safe, since malfunctioning equipment or operational errors can open doors to risk.
Experimental systems built in 2007 by Chinese and U.S. physicists reportedly achieved secure QKD transmissions between two points more than 100 kilometers apart. But the experiment also taught scientists that data can be intercepted by a third party during a transmission.
In addressing the naysayers, Pan admitted that quantum communications is not perfect. But he defended it as safer than conventional means of communication. In fact, he said, no means of protecting data is more secure than quantum communications.
To test the capacity and safety of the network linking Beijing and Shanghai, Pan said his team plans to ask other communications experts to carefully study the system and look for potential security holes. The network could then be modified in ways that close any detected gaps and reduce hacking risks.
“Assessments and testing will be conducted after the network is completed,” said Pan, who remains convinced that any network using quantum cryptographic technology is more secure than any other communications channel.
Pan has been working on quantum-communications technology since the late 1990s, when he was a researcher at the University of Vienna and working in a partnership with Austrian physicist Anton Zeilinger. That team is credited with developing the first protocol for quantum communications.
Pan worked with Zeilinger about a decade after U.S. physicist Charles Bennett and colleagues at IBM Research built the world’s first functioning quantum cryptographic system. Based on their research, the first network was installed in the U.S. city of Boston.
Like their counterparts in China, researchers in the United States, Japan and European countries continue work to advance the technology. A key effort is aimed at extending that potential reach of quantum-communications systems, which for years were used only to span short distances.
Some experts have even wondered whether the new technology has been misidentified, since its key feature is high-level cryptography, not electronic communications.
“What we can do now is merely encrypt data, which is far from real quantum communications,” said one expert who declined to be named. “Theoretically it can’t be hacked, but in practice it has many limitations.”
Guo Guangcan, director of USTC’s quantum-communications lab, said networks now operating and those being built in China “achieve encryption only,” whereas true communications networks “involve content.”
“It’s not accurate to call it quantum communications,” said Guo.
Whatever it’s called, China appears determined to push ahead with the research and development that paves the way for a new era of secure communications. And according to Pan, that era is still at least a decade away.
“It will take 10 to 20 years to really put (the technology) into practice,” said Pan.
Rewritten by Han Wei
This is really nothing new but I’m posting it because similar “news” resurfaced again the past week.
If you’ve already bought one, the easy solution is to cover the webcam with a duct tape unless you need to use it.
Photo (above) credit: US Central Command
Snowden was spot on, the US (would and) is paying the price for focusing too much on the cyber offensive at the expense of cyber defense.
“The National Security Agency has two halves, one that handles defense and one that handles offense. Michael Hayden and Keith Alexander, the former directors of NSA, they shifted those priorities… But the problem is when you deprioritize defense, you put all of us at risk,” according to Snowden.
“If we attack a Chinese university and steal the secrets of their research program, how likely is it that that is going to be more valuable to the United States than when the Chinese retaliate and steal secrets from a U.S. university, from a U.S. defense contractor, from a U.S. military agency?
“The most important thing to us is not being able to attack our adversaries, the most important thing is to be able to defend ourselves. And we can’t do that as long as we’re subverting our own security standards for the sake of surveillance.”
The website PBS.org published an exclusive interview with Snowden and his views on cyber warfare, just days before the CENTCOM hacks early this week. Interestingly, the video link is no longer working but the full unedited transcript is splashed below.
Exclusive: Edward Snowden on Cyber Warfare
By James Bamford and Tim De Chant on Thu, 08 Jan 2015
Last June, journalist James Bamford, who is working with NOVA on a new film about cyber warfare that will air in 2015, sat down with Snowden in a Moscow hotel room for a lengthy interview. In it, Snowden sheds light on the surprising frequency with which cyber attacks occur, their potential for destruction, and what, exactly, he believes is at stake as governments and rogue elements rush to exploit weaknesses found on the internet, one of the most complex systems ever built by humans. The following is an unedited transcript of their conversation.
James Bamford: Thanks very much for coming. I really appreciate this. And it’s really interesting—the very day we’re meeting with you, this article came out in The New York Times, seemed to be downplaying the potential damage, which they really seem to have hyped up in the original estimate. What did you think of this article today?
Edward Snowden: So this is really interesting. It’s the new NSA director saying that the alleged damage from the leaks was way overblown. Actually, let me do that again.
So this is really interesting. The NSA chief in this who replaced Keith Alexander, the former NSA director, is calling the alleged damage from the last year’s revelations to be much more insignificant than it was represented publicly over the last year. We were led to believe that the sky was going to fall, that the oceans were going to boil off, the atmosphere was going to ignite, the world would end as we know it. But what he’s saying is that it does not lead him to the conclusion that the sky is falling.
And that’s a significant departure from the claims of the former NSA director, Keith Alexander. And it’s sort of a pattern that we’ve seen where the only U.S. officials who claim that these revelations cause damage rather than serve the public good were the officials that were personally embarrassed by it. For example, the chairs of the oversight committees in Congress, the former NSA director himself.
But we also have, on the other hand, the officials on the White House’s independent review panels who said that these programs had never been shown to stop even a single imminent terrorist attack in the United States, and they had no value. So how could it be that these programs were so valuable that talking about them, revealing them to the public would end the world if they hadn’t stopped any attacks?
But what we’re seeing and what this article represents is that the claims of harm that we got last year were not accurate and could in fact be claimed to be misleading, and I think that’s a concern. But it is good to see that the director of NSA himself now today, with full access to classified information, is beginning to come a little bit closer to the truth, getting a little bit closer to the President’s viewpoint on that, which is this discussion that we’ve had over the last year doesn’t hurt us. It makes us stronger. So thanks for showing that.
Bamford: Thanks. One other thing that the article gets into, which is what we’re talking about here today, is the article quotes the new NSA director, who is also the commander of Cyber Command, as basically saying that it’s possible in the future that these cyber weapons will become sort of normal military weapons, and they’ll be treated sort of like guided missiles or cruise missiles and so forth.
Snowden: Cruise missiles or drones.
Bamford: What are your thoughts about that, having spent time in this whole line of work yourself?
Snowden: I think the public still isn’t aware of the frequency with which these cyber-attacks, as they’re being called in the press, are being used by governments around the world, not just the US. But it is important to highlight that we really started this trend in many ways when we launched the Stuxnet campaign against the Iranian nuclear program. It actually kicked off a response, sort of retaliatory action from Iran, where they realized they had been caught unprepared. They were far behind the technological curve as compared to the United States and most other countries. And this is happening across the world nowadays, where they realize that they’re caught out. They’re vulnerable. They have no capacity to retaliate to any sort of cyber campaign brought against them.
The Iranians targeted open commercial companies of U.S. allies. Saudi Aramco, the oil company there—they sent what’s called a wiper virus, which is actually sort of a Fisher Price, baby’s first hack kind of a cyber-campaign. It’s not sophisticated. It’s not elegant. You just send a worm, basically a self-replicating piece of malicious software, into the targeted network. It then replicates itself automatically across the internal network, and then it simply erases all of the machines. So people go into work the next day and nothing turns on. And it puts them out of business for a period of time.
But with enterprise IT capabilities, it’s not trivial, but it’s not impossible to restore a company to working order in fairly short time. You can image all of the work stations. You can restore your backups from tape. You can perform what’s called bare metal restores, where you get entirely new hardware that matches your old hardware, if the hardware itself was broken, and just basically paint it up, restore the data just like the original target was, and you’re back in the clear. You’re moving along.
Now, this is something that people don’t understand fully about cyber-attacks, which is that the majority of them are disruptive, but not necessarily destructive. One of the key differentiators with our level of sophistication and nation-level actors is they’re increasingly pursuing the capability to launch destructive cyber-attacks, as opposed to the disruptive kinds that you normally see online, through protestors, through activists, denial of service attacks, and so on. And this is a pivot that is going to be very difficult for us to navigate.
Bamford: Let me ask you about that, because that is the focus of the program here. It’s a focus because very few people have ever discussed this before, and it’s the focus because the U.S. launched their very first destructive cyber-attack, the Stuxnet attack, as you mentioned, in Iran. Can you just tell me what kind of a milestone that was for the United States to launch their very first destructive cyber-attack?
Snowden: Well, it’s hard to say it’s the first ever, because attribution is always hard with these kind of campaigns. But it is fair to say that it was the most sophisticated cyber-attack that anyone had ever seen at the time. And the fact that it was launched as part of a U.S. authorized campaign did mark a radical departure from our traditional analysis of the levels of risks we want to assume for retaliation.
When you use any kind of internet based capability, any kind of electronic capability, to cause damage to a private entity or a foreign nation or a foreign actor, these are potential acts of war. And it’s critical we bear in mind as we discuss how we want to use these programs, these capabilities, where we want to draw the line, and who should approve these programs, these decisions, and at what level, for engaging in operations that could lead us as a nation into a war.
The reality is if we sit back and allow a few officials behind closed doors to launch offensive attacks without any oversight against foreign nations, against people we don’t like, against political groups, radicals, and extremists whose ideas we may not agree with, and could be repulsive or even violent—if we let that happen without public buy-in, we won’t have any seat at the table of government to decide whether or not it’s appropriate for these officials to drag us into some kind of war activity that we don’t want, but we weren’t aware of at the time.
Bamford: And what you seem to be talking about also is the blowback effect. In other words, if we launch an attack using cyber warfare, a destructive attack, we run the risk of having been the most industrialized and electronically connected country in the world, that that’s a major problem for the US. Is that your thinking?
Snowden: I do agree that when it comes to cyber warfare, we have more to lose than any other nation on earth. The technical sector is the backbone of the American economy, and if we start engaging in these kind of behaviors, in these kind of attacks, we’re setting a standard, we’re creating a new international norm of behavior that says this is what nations do. This is what developed nations do. This is what democratic nations do. So other countries that don’t have as much respect for the rules as we do will go even further.
And the reality is when it comes to cyber conflicts between, say, America and China or even a Middle Eastern nation, an African nation, a Latin American nation, a European nation, we have more to lose. If we attack a Chinese university and steal the secrets of their research program, how likely is it that that is going to be more valuable to the United States than when the Chinese retaliate and steal secrets from a U.S. university, from a U.S. defense contractor, from a U.S. military agency?
We spend more on research and development than these other countries, so we shouldn’t be making the internet a more hostile, a more aggressive territory. We should be cooling down the tensions, making it a more trusted environment, making it a more secure environment, making it a more reliable environment, because that’s the foundation of our economy and our future. We have to be able to rely on a safe and interconnected internet in order to compete.
Bamford: Where do you see this going in terms of destruction? In Iran, for example, they destroyed the centrifuges. But what other types of things might be targeted? Power plants or dams? What do you see as the ultimate potential damage that could come from the cyber warfare attack?
Snowden: When people conceptualize a cyber-attack, they do tend to think about parts of the critical infrastructure like power plants, water supplies, and similar sort of heavy infrastructure, critical infrastructure areas. And they could be hit, as long as they’re network connected, as long as they have some kind of systems that interact with them that could be manipulated from internet connection.
However, what we overlook and has a much greater value to us as a nation is the internet itself. The internet is critical infrastructure to the United States. We use the internet for every communication that businesses rely on every day. If an adversary didn’t target our power plants but they did target the core routers, the backbones that tie our internet connections together, entire parts of the United States could be cut off. They could be shunted offline, and we would go dark in terms of our economy and our business for minutes, hours, days. That would have a tremendous impact on us as a society and it would have a policy backlash.
The solution, however, is not to give the government more secret authorities to put kill switches and monitors and snooping devices on the internet. It’s to reorder our priorities for how we deal with threats to the security of our critical infrastructure, for our electronic infrastructure. And what that means is taking bodies like the National Security Agency that have traditionally been about securing the nation and making sure that that’s their first focus.
In the last 10 years, we’ve seen—in the last 10 years, we’ve seen a departure from that traditional role of signals intelligence gathering overseas that’s related to responding to threats that are—
Bamford: Take your time.
Snowden: Right. What we’ve seen over the last decade is we’ve seen a departure from the traditional work of the National Security Agency. They’ve become sort of the national hacking agency, the national surveillance agency. And they’ve lost sight of the fact that everything they do is supposed to make us more secure as a nation and a society.
The National Security Agency has two halves, one that handles defense and one that handles offense. Michael Hayden and Keith Alexander, the former directors of NSA, they shifted those priorities, because when they went to Congress, they saw they could get more budget money if they advertised their success in attacking, because nobody is ever really interested in doing the hard work of defense.
But the problem is when you deprioritize defense, you put all of us at risk. Suddenly, policies that would have been unbelievable, incomprehensible even 20 years ago are commonplace today. You see decisions being made by these agencies that authorize them to install backdoors into our critical infrastructure, that allow them to subvert the technical security standards that keep your communication safe when you’re visiting a banking website online or emailing a friend or logging into Facebook.
And the reality is, when you make those systems vulnerable so that you can spy on other countries and you share the same standards that those countries have for their systems, you’re also making your own country more vulnerable to the same attacks. We’re opening ourselves up to attack. We’re lowering our shields to allow us to have an advantage when we attack other countries overseas, but the reality is when you compare one of our victories to one of their victories, the value of the data, the knowledge, the information gained from those attacks is far greater to them than it is to us, because we are already on top. It’s much easier to drag us down than it is to grab some incremental knowledge from them and build ourselves up.
Bamford: Are you talking about China particularly?
Snowden: I am talking about China and every country that has a robust intelligence collection program that is well-funded in the signals intelligence realm. But the bottom line is we need to put the security back in the National Security Agency. We can’t have the national surveillance agency. We’ve got to go—look, the most important thing to us is not being able to attack our adversaries, the most important thing is to be able to defend ourselves. And we can’t do that as long as we’re subverting our own security standards for the sake of surveillance.
Bamford: That is a very strange combination, where you have one half of the NSA, the Information Assurances Directorate, which is charged with protecting the country from cyber-attacks, coexisting with the Signals Intelligence Directorate and the Cyber Command, which is pretty much focused on creating weaknesses. Can you just tell me a little bit about how that works, the use of vulnerabilities and implants and exploits?
Snowden: So broadly speaking, there are a number of different terms that are used in the CNO, computer networks operations world.
Broadly speaking, there are a number of different terms that are used to define the vernacular in the computer network operations world. There’s CNA, computer network attack, which is to deny, degrade, or destroy the functioning of a system. There’s CND, computer network defense, which is protecting systems, which is noticing vulnerabilities, noticing intrusions, cutting them off, and repairing them, patching the holes. And there’s CNE, computer network exploitation, which is breaking into a system and leaving something behind, this sort of electronic ear that will allow you to monitor everything that’s happening from that point forward. CNE is typically used for espionage, for spying.
To achieve these goals, we use things like exploits, implants, vulnerabilities, and so on. A vulnerability is a weakness in a system, where a computer program has a flaw in its code that, when it thinks it’s going to execute a normal routine task, it’s actually been tricked into doing something the attacker asks it to do. For example, instead of uploading a file to display a picture online, you could be uploading a bit of code that the website will then execute.
Or instead of logging into a website, you could enter code into the username field or into the password field, and that would crash through the boundaries of memory—that were supposed to protect the program—into the executable space of computer instructions. Which means when the computer goes through its steps of what is supposed to occur, it goes, I’m looking for user login. This is the username. This is the password. And then when it should go, check to see that these are correct, if you put something that was too long in the password field, it actually overwrites those next instructions for the computer. So it doesn’t know it’s supposed to check for a password. Instead, it says, I’m supposed to create a new user account with the maximum privileges and open up a port for the adversary to access my network, and then so on and so forth.
Vulnerabilities are generally weaknesses that can be exploited. The exploit itself are little shims of computer code that allow you to run any sort of program you want.
Exploits are the shims of computer code that you wedge into vulnerabilities to allow you to take over a system, to gain access to them, to tell that system what you wanted to do. The payload or implant follows behind the exploit. The exploit is what wedges you into the system. The payload is the instructions that are left behind. Now, those instructions often say install an implant.
The implant is an actual program that runs—it stays behind after the exploit has occurred—and says, tell me all of the files on this machine. Make a list of all of the users. Send every new email or every new keystroke that’s been recorded on this program each day to my machine as the attacker, or really anything you can imagine. It can also tell nuclear centrifuges to spin up to the maximum RPM and then spin down quickly enough that no one notices. It can tell a power plant to go offline.
Or it could say, let me know what this dissident is doing day to day, because it lives on their cell phone and it keeps track of all their movements, who they call, who they’re associating with, what wireless device it’s nearby. Really an exploit is only limited—or not an exploit. An implant is only limited by the imagination. Anything you can program a computer to do, you can program an implant to do.
Bamford: So you have the implant, and then you have the payload, right?
Snowden: The payload includes the implant. The exploit is what basically breaks into the vulnerability. The payload is what the exploit runs, and that is basically some kind of executable code. And the implant is a payload that’s left behind long term, some kind of basically listening program, some spying program, or some kind of a destructive program.
Bamford: Interviewing you is like doing power steering. I don’t have to pull this out.
Snowden: Yeah, sorry, I get a little ramble-y on my answers, and the political answers aren’t really strong, but I’m not a politician, so I’m just trying my best on these.
Bamford: This isn’t nightly news, so we’ve got an hour.
Snowden: Yeah, I hope you guys cut this so it’s not so terrible.
Producer: We’ve got two cameras, and we can carve your words up.
Snowden: (laughter) Great.
Producer: But we won’t.
Bamford: Should mention this implant now—the implant sounds a bit like what used to be sleeper agents back in the old days of the Cold War, where you have an agent that’s sitting there that can do anything. It can do sabotage. It can do espionage. It can do whatever. And looking at one of those slides that came out, what was really fascinating was the fact that the slide was a map of the world, and they had little yellow dots on it. The little yellow dots were indicated as CNEs, computer network exploitation. And you expect to see them in North Korea, China, different places like that. But what was interesting when we looked at it was there were quite a few actually in Brazil, for example, and other places that were friendly countries. Any idea why the U.S. would want to do something like that?
Snowden: So the way the United States intelligence community operates is it doesn’t limit itself to the protection of the homeland. It doesn’t limit itself to countering terrorist threats, countering nuclear proliferation. It’s also used for economic espionage, for political spying to gain some knowledge of what other countries are doing. And over the last decade, that sort of went too far.
No one would argue that it’s in the United States’ interest to have independent knowledge of the plans and intentions of foreign countries. But we need to think about where to draw the line on these kind of operations so we’re not always attacking our allies, the people we trust, the people we need to rely on, and to have them in turn rely on us. There’s no benefit to the United States hacking Angela Merkel’s cell phone. President Obama said if he needed to know what she was thinking, he would just pick up the phone and call her. But he was apparently allegedly unaware that the NSA was doing precisely that. These are similar things we see happening in Brazil and France and Germany and all these other countries, these allied nations around the world.
And we also need to remember that when we talk about computer network exploitation, computer network attack, we’re not just talking about your home PC. We’re not just talking about a control system in a factory somewhere. We’re talking about your cell phone, and we’re also talking about internet routers themselves. The NSA and its sister agencies are attacking the critical infrastructure of the internet to try to take ownership of it. They hack the routers that connect nations to the internet itself.
And this is dangerous for a number of reasons. It does provide us a real intelligence advantage, but at the same time, it’s a serious risk. If one of these hacking operations goes wrong, and this has happened in the past, and it’s a core router that connects all of the internet service providers for an entire country to the internet, we’ve blacked out that entire nation from online access until that problem can be corrected. And these routers are not your little Linksys, D-Link routers sitting at home. We’re talking $60,000, $600,000, $6 million devices, complexes, that are not easy to fix, and they don’t have an off the shelf replacement that’s ready to swap in.
So we need to be very careful, and we need to make sure that whenever we’re engaging in a cyber-warfare campaign, a cyber-espionage campaign in the United States, that we understand the word cyber is used as a euphemism for the internet, because the American public would not be excited to hear that we’re doing internet warfare campaigns, internet espionage campaigns, because we realize that we ourselves are impacted by it. The internet is shared critical infrastructure for everyone on earth. It’s not supposed to be a domain of warfare. We’re not supposed to be putting our economy on the frontlines in the battleground. But that’s increasingly what’s happening today.
So we need to put processes, policies, and procedures in place with real laws that forbid going beyond the borders of what’s reasonable to ensure that the only time that we and other countries around the world exercise these authorities are when it is absolutely necessary, there’s not alternative means of achieving the appropriate outcome, and it’s proportionate to the threat. We shouldn’t be putting an entire nation’s infrastructure at risk to spy on one company, to spy on one person. But increasingly, we see that happening more and more today.
Bamford: You mentioned the problems, the dangers involved if you’re trying to put an exploit into some country’s central nervous system when it comes to the internet. For example in Syria, there was a time when everything went down, and that was blamed on the president of Syria, Bashar al-Assad. Did you have any particular knowledge of that?
Snowden: I don’t actually want to get into that one on camera, so I’ll have to demur on that.
Bamford: Can you talk around it somehow?
Snowden: What I would say is when you’re attacking a router on the internet, and you’re doing it remotely, it’s like trying to shoot the moon with a rifle. Everything has to happen exactly right. Every single variable has to be controlled and precisely accounted for. And that’s not possible to do when you have limited knowledge of the target you’re attacking.
So if you’ve got this gigantic router that you’re trying to hack, and you want to hack it in a way that’s undetectable by the systems administrators for that device, you have to get below the operating system level of that device, of that router. Not where it says here are the rules, here are the user accounts, here are the routes and the proper technical information that everybody who’s administering this device should have access to. Down onto the firmware level, onto the hardware control level of the device that nobody ever sees, because it’s sort of a dark place.
The problem is if you make a mistake when you’re manipulating the hardware control of a device, you can do what’s called bricking the hardware, and it turns it from a $6 million internet communications device to a $6 million paperweight that’s in the way of your entire nation’s communications. And that’s something that all I can say is has happened in the past.
Bamford: When we were in Brazil, we were shown this major internet connection facility. It was the largest internet hub in the southern hemisphere, and it’s sitting in Brazil. And the Brazilians had a lot of concern, because again, they saw the slide that showed all this malware being planted in Brazil. Is that a real concern that they should have, the fact that they’ve, number one, got this enormous internet hub sitting right in Sao Paulo, and then on the second hand, they’ve got NSA flooding the country with malware?
Snowden: The internet exchange is sort of the core points where all of the international cables come together, where all of the internet service providers come together, and they trade lines with each other, where we move from separate routes, separate highways on the internet into one coherent traffic circle where everybody can get on and off on the exit they want. These are priority one targets for any sort of espionage agency, because they provide access to so many people’s communications.
Internet exchanges and internet service providers—international fiber optic landing points—these are the key tools that governments go after in order to enable their programs of mass surveillance. If they want to be able to watch the entire population of a country instead of a single individual, you have to go after those bulk interchanges. And that’s what’s happening.
So it is a real threat, and the only way that can be accounted for is to make sure that there’s some kind of independent control and auditing, some sort of routine forensic investigations into these devices, to ensure that not only were they secure when they were installed, but they hadn’t been monitored or tampered with or changed in any way since that last audit occurred. And that requires doing things like creating mathematical proofs called hashes of the validity of the actual hardware signature and software signatures on these devices and their hardware.
Bamford: Another area—you mentioned the presidential panel that looked into all these areas that are of concern now, which you’ve basically brought out these areas. And the presidential panel came out with I think 46 different recommendations. One of those recommendations dealt with restricting the use or cutting back or maybe even doing away with the idea of going after zero-day exploits. Can you tell me a little bit about your fears that you may have of the U.S. creating this market of zero-day exploits?
Snowden: So a zero-day exploit is a method of hacking a system. It’s sort of a vulnerability that has an exploit written for it, sort of a key and a lock that go together to a given software package. It could be an internet web server. It could be Microsoft Office. It could be Adobe Reader or it could be Facebook. But these zero-day exploits—they’re called zero-days because the developer of the software is completely unaware of them. They haven’t had any chance to react, respond, and try to patch that vulnerability away and close it.
The danger that we face in terms of policy of stockpiling zero-days is that we’re creating a system of incentives in our country and for other countries around the world that mimic our behavior or that see it as a tacit authorization for them to perform the same sort of operations is we’re creating a class of internet security researchers who research vulnerabilities, but then instead of disclosing them to the device manufacturers to get them fixed and to make us more secure, they sell them to secret agencies.
They sell them on the black market to criminal groups to be able to exploit these to attack targets. And that leaves us much less secure, not just on an individual level, but on a broad social level, on a broad economic level. And beyond that, it creates a new black market for computer weapons, basically digital weapons.
And there’s a little bit of a free speech issue involved in regulating this, because people have to be free to investigate computer security. People have to be free to look for these vulnerabilities and create proof of concept code to show that they are true vulnerabilities in order for us to secure our systems. But it is appropriate to regulate the use and sale of zero-day exploits for nefarious purposes, in the same way you would regulate any other military weapon.
And today, we don’t do that. And that’s why we see a growing black market with companies like Endgame, with companies like Vupen, where all they do—their entire business model is finding vulnerabilities in the most critical infrastructure software packages we have around the internet worldwide, and instead of fixing those vulnerabilities, they tear them open and let their customers walk in through them, and they try to conceal the knowledge of these zero-day exploits for as long as possible to increase their commercial value and their revenues.
Bamford: Now, of those 46 recommendations, including the one on the zero-day exploits that the panel came up with, President Obama only approved maybe five or six at the most of those 46 recommendations, and he didn’t seem to talk at all about the zero-day exploit recommendation. What do you think of that, the fact that that was sort of ignored by the President?
Snowden: I can’t comment on presidential policies. That’s a landmine for me. I would recommend you ask Chris Soghoian at the ACLU, American Civil Liberties Union, and he can get you any quote you want on that. You don’t need me to speak to that point, but you’re absolutely right that where there’s smoke, there’s fire, as far as that’s concerned.
Bamford: Well, as someone who has worked at the NSA, been there for a long time, during that time you were there, they created this entire new organization called Cyber Command. What are your thoughts on the creation of this new organization that comes just like the NSA, under the director of NSA? Again, backing up, the director of NSA for ever since the beginning was only three stars, and now he’s a four star general, or four star admiral, and he’s got this enormous largest intelligence agency in the world, the NSA, under him, and now he’s got Cyber Command. What are your thoughts on that, having seen this from the inside?
Snowden: There was a strong debate last year about whether or not the National Security Agency and Cyber Command should be split into two independent agencies, and that was what the President’s independent review board suggested was the appropriate method, because when you have an agency that’s supposed to be defensive married to an agency that’s entire purpose in life is to break things and set them on fire, you’ve got a conflict of interest that is really going to reduce the clout of the defensive agency, while the offensive branch gains more clout, they gain more budget dollars, they gain more billets and personnel assignments.
So there’s a real danger with that happening. And Cyber Command itself has always existed in a—Cyber Command itself has always been branded in a sort of misleading way from its very inception. The director of NSA, when he introduced it, when he was trying to get it approved, he said he wanted to be clear that this was not a defensive team. It was a defend the nation team. He’s saying it’s defensive and not defensive at the same time.
Now, the reason he says that is because it’s an attack agency, but going out in front of the public and asking them to approve an aggressive warfare focused agency that we don’t need is a tough sell. It’s much better if we say, hey, this is for protecting us, this is for keeping us safe, even if all it does every day is burn things down and break things in foreign countries that we aren’t at war with.
So there’s a real careful balance that needs to be struck there that hasn’t been addressed yet, but so long as the National Security Agency and Cyber Command exist under one roof, we’ll see the offensive side of their business taking priority over the defensive side of the business, which is much more important for us as a country and as a society.
Bamford: And you mentioned earlier, if we could just go back a little bit over this again, how much more money is going to the cyber offensive time than going to the cyber defensive side. Not only more money, but more personnel, more attention, more focus.
Snowden: I didn’t actually get the question on that one.
Bamford: I just wondered if you could just elaborate a little bit more on that. Again, we have Cyber Command and we have the Information Assurance Division and so forth, and there’s far more money and personnel and emphasis going on the cyber warfare side than the defensive side.
Snowden: I think the key point in analyzing the balance and where we come out in terms of offense versus defense at the National Security Agency and Cyber Command is that, more and more, what we’ve read in the newspapers and what we see debating in Congress, the fact the Senate is now trying to put forward a bill called CISPA, the Cyber Intelligence Sharing—I don’t even know what it’s called—let me take that back.
We see more and more things occurring like the Senate putting forward a bill called CISPA, which is for cyber intelligence sharing between private companies and government agencies, where they’re trying to authorize not just the total immunity, a grant of total immunity, to private companies if they share the information on all of their customers, on all the American citizens and whatnot that are using their services, with intelligence agencies, under the intent that that information be used to protect them.
Congress is also trying to immunize companies in a way that will allow them to invite groups like the National Security Agency or the FBI to voluntarily put surveillance devices on their internal networks, with the stated intent being to detect cyber-attacks as they occur and be able to respond to them. But we’re ceding a lot of authority there. We’re immunizing companies from due diligence and protecting their customers’ privacy rights.
Actually, this is a point that’s way too difficult to make in the interview. Let me dial back out of that.
What we see more and more is sort of a breakdown in the National Security Agency. It’s becoming less and less the National Security Agency and more and more the national surveillance agency. It’s gaining more offensive powers with each passing year. It’s gained this new Cyber Command that’s under the director of NSA that by any measure should be an entirely separate organization because it has an entirely separate mission. All it does is attack.
And that’s putting us, both as a nation and an economy, in a state of permanent vulnerability and permanent risk, because when we lose a National Security Agency and instead get an offensive agency, we get an attack agency in its place, all of our eyes are looking outward, but they’re not looking inward, where we have the most to lose. And this is how we miss attacks time and time again. This results in intelligence failures such as the Boston Marathon bombings or the underwear bomber, Abdul Farouk Mutallab (sic).
In recent years, the majority of terrorist attacks that have been disrupted in the United States have been disrupted due to things like the Time Square bomber, who was caught by a hotdog vendor, not a mass surveillance program, not a cyber-espionage campaign.
So when we cannibalize dollars from the defensive business of the NSA, securing our communications, protecting our systems, patching zero-day vulnerabilities, and instead we’re giving those dollars to them to be used for creating new vulnerabilities in our systems so that they can surveil us and other people abroad who use the same systems. When we give those dollars to subvert our encryption methods so we don’t have any more privacy online and we apply all of that money to attacking foreign countries, we’re increasing the state of conflict, not just in diplomatic terms, but in terms of the threat to our critical infrastructure.
When the lights go out at a power plant sometime in the future, we’re going to know that that’s a consequence of deprioritizing defense for the sake of an advantage in terms of offense.
Bamford: One other problem I think is that people think that, as you mentioned—just to sort of clarify this—people out there that don’t really follow this that closely think that the whole idea of Cyber Command was to protect the country from cyber-attacks. Is that a misconception, the fact that these people think that the whole idea of Cyber Command is to protect them from cyber-attack?
Snowden: Well, if you ask anybody at Cyber Command or look at any of the job listings for openings for their positions, you’ll see that the one thing they don’t prioritize is computer network defense. It’s all about computer network attack and computer network exploitation at Cyber Command. And you have to wonder, if these are people who are supposed to be defending our critical infrastructure at home, why are they spending so much time looking at how to attack networks, how to break systems, and how to turn things off? I don’t think it adds up as representing a defensive team.
Bamford: Now, also looking a little bit into the future, it seems like there’s a possibility that a lot of this could be automated, so that when the Cyber Command or NSA sees a potential cyber-attack coming, there could be some automatic devices that would in essence return fire. And given the fact that it’s so very difficult to—or let me back up. Given the fact that it’s so easy for a country to masquerade where an attack is coming from, do you see a problem where you’re automating systems that automatically shoot back, and they may shoot back at the wrong country, and could end up starting a war?
Snowden: Right. So I don’t want to respond to the first part of your question, but the second part there I can use, which is relating to attribution and automated response. Which is that the—it’s inherently dangerous to automate any kind of aggressive response to a detected event because of false positives.
Let’s say we have a defensive system that’s tied to a cyber-attack capability that’s used in response. For example, a system is created that’s supposed to detect cyber-attacks coming from Iran, denial of service attacks brought against a bank. They detect what appears to be an attack coming in, and instead of simply taking a defensive action, instead of simply blocking it at the firewall and dumping that traffic so it goes into the trash can and nobody ever sees it—no harm—it goes a step further and says we want to stop the source of that attack.
So we will launch an automatic cyber-attack at the source IP address of that traffic stream and try to take that system online. We will fire a denial of service attack in response to it, to destroy, degrade, or otherwise diminish their capability to act from that.
But if that’s happening on an automated basis, what happens when the algorithms get it wrong? What happens when instead of an Iranian attack, it was simply a diagnostic message from a hospital? What happens when it was actually an attack created by an independent hacker, but you’ve taken down a government office that the hacker was operating from? That wasn’t clear.
What happens when the attack hits an office that a hacker from a third country had hacked into to launch that attack? What if it was a Chinese hacker launching an attack from an Iranian computer targeting the United States? When we retaliate against a foreign country in an aggressive manner, we the United States have stated in our own policies that’s an act of war that justifies a traditional kinetic military response.
We’re opening the doors to people launching missiles and dropping bombs by taking the human out of the decision chain for deciding how we should respond to these threats. And this is something we’re seeing more and more happening in the traditional means as our methods of warfare become increasingly automated and roboticized such as through drone warfare. And this is a line that we as a society, not just in the United States but around the world, must never cross. We should never allow computers to make inherently governmental decisions in terms of the application of military force, even if that’s happening on the internet.
Bamford: And Richard Clarke has said that it’s more important for us to defend ourselves against attacks from China than to attack China using cyber tools. Do you agree with that?
Snowden: I strongly agree with that. The concept there is that there’s not much value to us attacking Chinese systems. We might take a few computers offline. We might take a factory offline. We might steal secrets from a university research programs, and even something high-tech. But how much more does the United States spend on research and development than China does? Defending ourselves from internet-based attacks, internet-originated attacks, is much, much more important than our ability to launch attacks against similar targets in foreign countries, because when it comes to the internet, when it comes to our technical economy, we have more to lose than any other nation on earth.
Bamford: I think you said this before, but in the past, the U.S. has actually used cyber warfare to attack things like hospitals and things like that in China?
Snowden: So they’re not cyber warfare capabilities. They’re CNE, computer network exploitation.
Bamford: Yeah, if you could just explain that a little.
Snowden: I’m not going to get into that on camera. But what the stories showed and what you can sort of voice over is that Chinese universities—not just Chinese, actually—scratch that—is that the National Security Agency has exploited internet exchanges, internet service providers, including in Belgium—the Belgacom case— through their allies at GCHQ and the United Kingdom.
They’ve attacked universities, hospitals, internet exchange points, internet service providers—the critical infrastructure that all of us around the world rely on.
And it’s important to remember when you start doing things like attacking hospitals, when you start doing things like attacking universities, when you start attacking things like internet exchange points, when something goes wrong, people can die. If a hospital’s infrastructure is affected, lifesaving equipment turns off. When an internet exchange point goes offline and voice over IP calls with the common method of communication—cell phone networks rout through internet communications points nowadays—people can’t call 911. Buildings burn down. All because we wanted to spy on somebody.
So we need to be very careful about where we draw the line and what is absolutely necessary and proportionate to the threat that we face at any given time. I don’t think there’s anything, any threat out there today that anyone can point to, that justifies placing an entire population under mass surveillance. I don’t think there’s any threat that we face from some terrorist in Yemen that says we need to hack a hospital in Hong Kong or Berlin or Rio de Janeiro.
Bamford: I know we’re on a time limit here, but are there questions that I haven’t—
Producer: Let’s take a two minute break here.
Bamford: One of the most interesting things about the Stuxnet attack was that the President—both President Bush and President Obama—were told don’t worry, this won’t be detected by anybody. There’ll be no return address on this. And number two, it won’t escape from the area that they’re focusing it anyway, the centrifuges. Both of those proved wrong, and the virus did escape, and it was detected, and then it was traced back to the United States. So is this one of the big dangers, the fact that the President is told is these things, the President doesn’t have the capability to look into every technical issue, and then these things can wind up hitting us back in the face?
Snowden: The problem is the internet is the most complex system that humans have ever invented. And with every internet enabled operation that we’ve seen so far, all of these offensive operations, we see knock on effects. We see unintended consequences. We see emergent behavior, where when we put the little evil virus in the big pool of all our private lives, all of our private systems around the internet, it tends to escape and go Jurassic Park on us. And as of yet, we’ve found no way to prevent that. And given the complexity of these systems, it’s very likely that we never will.
What we need to do is we need to create new international standards of behavior—not just national laws, because this is a global problem. We can’t just fix it in the United States, because there are other countries that don’t follow U.S. laws. We have to create international standards that say these kind of things should only ever occur when it is absolutely necessary, and that the response that the operation is tailored to be precisely restrained and proportionate to the threat faced. And that’s something that today we don’t have, and that’s why we see these problems.
Bamford: Another problem is, back in the Cold War days—and most people are familiar with that—when there was a fairly limited number of countries that could actually develop nuclear weapons. There were a handful of countries basically that could have the expertise, take the time, find the plutonium, put a nuclear weapon together. Today, the world is completely different, and you could have a small country like Fiji with the capability of doing cyber warfare. So it isn’t limited like it was in those days to just a handful of countries. Do you see that being a major problem with this whole idea of getting into cyber warfare, where so many countries have the capability of doing cyber warfare, and the U.S. being the most technologically vulnerable country?
Snowden: Yeah, you’re right. The problem is that we’re more reliant on these technical systems. We’re more reliant on the critical infrastructure of the internet than any other nation out there. And when there’s such a low barrier to entering the domain of cyber-attacks—cyber warfare as they like to talk up the threat—we’re starting a fight that we can’t win.
Every time we walk on to the field of battle and the field of battle is the internet, it doesn’t matter if we shoot our opponents a hundred times and hit every time. As long as they’ve hit us once, we’ve lost, because we’re so much more reliant on those systems. And because of that, we need to be focusing more on creating a more secure, more reliable, more robust, and more trusted internet, not one that’s weaker, not one that relies on this systemic model of exploiting every vulnerability, every threat out there. Every time somebody on the internet sort of glances at us sideways, we launch an attack at them. That’s not going to work out for us long term, and we have to get ahead of the problem if we’re going to succeed.
Bamford: Another thing that the public doesn’t really have any concept of, I think at this point, is how organized this whole Cyber Command is, and how aggressive it is. People don’t realize there’s a Cyber Army now, a Cyber Air Force, a Cyber Navy. And the fact that the models for some of these organizations like the Cyber Navy are things like we will dominate the cyberspace the same way we dominate the sea or the same way that we dominate land and the same way we dominate space. So it’s this whole idea of creating an enormous military just for cyber warfare, and then using this whole idea of we’re going to dominate cyberspace, just like it’s the navies of centuries ago dominating the seas.
Snowden: Right. The reason they say that they want to dominate cyberspace is because it’s politically incorrect to say you want to dominate the internet. Again, it’s sort of a branding effort to get them the support they need, because we the public don’t want to authorize the internet to become a battleground. We need to do everything we can as a society to keep that a neutral zone, to keep that an economic zone that can reflect our values, both politically, socially, and economically. The internet should be a force for freedom. The internet should not be a tool for war. And for us, the United States, a champion of freedom, to be funding and encouraging the subversion of a tool for good to be a tool used for destructive ends is, I think, contrary to the principles of us as a society.
Bamford: You had a question, Scott?
Producer: It was really just a question about (inaudible) vulnerabilities going beyond operating systems that we know of, (inaudible) and preserving those vulnerabilities, that that paradox extends over into critical infrastructure as well as—
Snowden: Let me just freestyle on that for a minute, then you can record the question part whenever you want. Something we have to remember is that everything about the internet is interconnected. All of our systems are not just common to us because of the network links between them, but because of the software packages, because of the hardware devices that comprise it. The same router that’s deployed in the United States is deployed in China. The same software package that controls the dam floodgates in the United States is the same as in Russia. The same hospital software is there in Syria and the United States.
So if we are promoting the development of exploits, of vulnerabilities, of insecurity in this critical infrastructure, and we’re not fixing it when we find it—when we find critical flaws, instead we put it on the shelf so we can use it the next time we want to launch an attack against some foreign country. We’re leaving ourselves at risk, and it’s going to lead to a point where the next time a power plant goes down, the next time a dam bursts, the next time the lights go off in a hospital, it’s going to be in America, not overseas.
Bamford: Along those lines, one of the things we’re focusing on in the program is the potential extent of cyber warfare. And we show a dam, for example, in Russia, where there was a major power plant under that. This was a facility that was three times larger than the Hoover Dam, and it exploded. One of the turbines, which weighed as much as two Boeing 747s, exploded 50 feet into the air and then crashed down and killed 75 people. And that was all because of what was originally thought was a cyber-attack, but turned out to be a mistaken piece of cyber that was sent to make this happen. It was accidental.
But the point is this is what can happen if somebody wants to deliberately do this, and I don’t think that’s what many people in the U.S. have a concept of, that this type of warfare can be that extensive. And if you could just give me some ideas along those lines of how devastating this can be, not just in knocking off a power grid, but knocking down an entire dam or an entire power plant.
Snowden: So I don’t actually want to get in the business of enumerating the list of the horrible of horribles, because I don’t want to hype the threat. I’ve said all these things about the dangers and what can go wrong, and you’re right that there are serious risks. But at the same time, it’s important to understand that this is not an existential threat. Nobody’s going to press a key on their keyboard and bring down the government. Nobody’s going to press a key on their keyboard and wipe a nation off the face of the earth.
We have faced threats from criminal groups, from terrorists, from spies throughout our history, and we have limited our responses. We haven’t resorted to total war every time we have a conflict around the world, because that restraint is what defines us. That restraint is what gives us the moral standing to lead the world. And if we go, there are cyber threats out there, this is a dangerous world, and we have to be safe, we have to be secure no matter the cost, we’ve lost that standing.
We have to be able to reject disproportionate and unjustified responses in the cyber domain just as we do in the physical domain. We reject techniques like torture regardless of whether they’re effective or ineffective because they are barbaric and harmful on a broad scale. It’s the same thing with cyber warfare. We should never be attacking hospitals. We should never be taking down power plants unless that is absolutely necessary to ensure our continued existence as a free people.
Bamford: That’s fine with me. If there’s anything that you think we didn’t cover or you want to put in there?
Snowden: I was thinking about two things. One is—I went a lot off on the politics here, and a lot of it was ramble-y, so I might try one more thing on that. The other one I was talking about the VFX thing for the cloud, how cyber-attacks happen.
Producer: So I just want sort of an outline of where you want to go to make sure we get that.
Bamford: Yeah, what kind of question you want me to ask.
Snowden: You wouldn’t even necessarily have to ask a question. It would just be—
Snowden: Yeah. It would just be like a segment. I would say people ask how does a cyber-attack happen. People ask what does exploitation on the internet look like, and how do you find out where it came from. Most people nowadays are aware of what IP addresses are, and they know that you shouldn’t send an email from a computer that’s associated with you if you don’t want it to be tracked back to you. You don’t want to hack the power plant from your house if you don’t want them to follow the trail back and see your IP address.
But there are also what are called proxies, proxy servers on the internet, and this is very typical for hackers to use. They create what are called proxy chains where they gain access to a number of different systems around the world, sometimes by hacking these, and they use them as sort of relay boxes. So you’ve got the originator of an attack all the way over here on the other side of the planet in the big orb of the internet, just a giant constellation of network links all around. And then you’ve got their intended victim over here.
But instead of going directly from them to the victim in one straight path where this victim sees the originator, the attacker, was the person who sent the exploit to them, who attacked their system, you’ll see they do something where they zigzag through the internet. They go from proxy to proxy, from country to country around the world, and they use that last proxy, that last step in the chain, to launch the attack.
So while the attack could have actually come from Missouri, an investigator responding to the attack will think it came from the Central African Republic or from the Sudan or from Yemen or from Germany. And the only way to track that back is to hack each of those systems back through the chain or to use mass surveillance techniques to have basically a spy on each one of those links so you can follow the tunnel all the way home.
The more I think about it, the more I think that would be way too complicated to—
Producer: No, I was just watching your hands. That was just filling in the blanks.
Bamford: No, I was, too. That’ll be fine.
Producer: And it’s a good point of how you can automate responses and how you—
Bamford: Yeah, we can just drive in and draw in those zigzags.
Snowden: Right. I mean, yeah, the way I would see it is just sort of like stars, like a constellation of points. And you’ve got different colored paths going between them. And then you just highlight the originator and the victim. And they don’t have to be on the edges. They could even be in the center of the cloud somewhere. And then you have sort of a green line going straight between them, and it turns red when it hacks, but then you see the little police agency follow it back. And then so you put an X on it and you replace it with the zigzag line that’s green, and then it goes red when it attacks, to sort of call it the path.
Bamford: From Missouri to the Central African Republic.
Producer: Are there any other visualizations that you can think of that maybe you see it as an image as opposed to a (multiple conversations; inaudible).
Snowden: I think one of the good ones to do—and you can do it pretty cheaply, even almost funny, like cartoon-like, and sort of like almost a Flash animation, like paper cutouts—would be to help people visualize the problem with the U.S. prioritizing offense over defense is you look at it—and I’ll give a voiceover here.
When you look at the problem of the U.S. prioritizing offense over defense, imagine you have two bank vaults, the United States bank vault and the Bank of China. But the U.S. bank vault is completely full. It goes all the way up to the sky. And the Chinese bank vault or the Russian bank vault of the African bank vault or whoever the adversary of the day is, theirs is only half full or a quarter full or a tenth full.
But the U.S. wants to get into their bank vault. So what they do is they build backdoors into every bank vault in the world. But the problem is their vault, the U.S. bank vault, has the same backdoor. So while we’re sneaking over to China and taking things out of their vault, they’re also sneaking over to the United States and taking things out of our vault. And the problem is, because our vault is full, we have so much more to lose. So in relative terms, we gain much less from breaking into the vaults of others than we do from having others break into our vaults. That’s why it’s much more important for us to be able to defend against foreign attacks than it is to be able to launch successful attacks against foreign adversaries.
You know, just something sort of symbolic and quick that people can instantly visualize.
Producer: The other thing I’d like to put to you, because we have to find somebody to do it, is how do you make a cyber-weapon? What is malware? What is that?
Snowden: When people are talking about malware, what they really mean is—when people are talking about malware, what they—
When people are talking about cyber weapons, digital weapons, what they really mean is a malicious program that’s used for a military purpose. A cyber weapon could be something as simple as an old virus from 1995 that just happens to still be effective if you use it for that purpose.
Custom developed digital weapons, cyber weapons nowadays typically chain together a number of zero-day exploits that are targeted against the specific site, the specific target that they want to hit. But it depends, this level of sophistication, on the budget and the quality of the actor who’s instigating the attack. If it’s a country that’s less poor or less sophisticated, it’ll be a less sophisticated attack.
But the bare bones tools for a cyber-attack are to identify a vulnerability in the system you want to gain access to or you want to subvert or you want to deny, destroy, or degrade, and then to exploit it, which means to send codes, deliver code to that system somehow, whether it’s locally in the physical realm or on the same network or remotely across the internet, across the global network, and get that code to that vulnerability, to that crack in their wall, jam it in there, and then have it execute.
The payload can then be the action, the instructions that you want to execute on that system, which typically, for the purposes of espionage, would be leaving an implant behind to listen in on what they’re doing, but could just as easily be something like the wiper virus that just deletes everything from the machines and turns them off. Really, it comes down to any instructions that you can think of that you would want to execute on that remote system.
Bamford: Along those lines, there’s one area that could really be visualized I think a lot better, and that’s the vulnerabilities. The way I’ve said it a few times but might be good if you thought about it is looking at a bank vault, and then there are these little cracks, and that enables somebody to get into the bank vault. So what the U.S. is doing is cataloguing all those little cracks instead of telling the bank how to correct those cracks. Problem is other people can find those same cracks.
Snowden: Other people can see the same cracks, yeah.
Bamford: And take the money from the bank, in which case the U.S. did a disservice to the customers of the bank, which is the public, by not telling the bank about the cracks in the first place.
Snowden: Yeah, that’s perfect. And another way to do it is not just cracks in the walls, but it could be other ways in. You can show a guy sort of peeking over the wall, you can see a guy tunneling underneath, you can see a guy going through the front door. All of those, in cyber terms, are vulnerabilities, because it’s not that you have to look for one hole of a specific type. It’s the whole paradigm. You look at the totality of their security situation, and you look for any opening by which you might subvert the intent of that system. And you just go from there. There’s a whole world of exploitation, but it goes beyond the depth of the general audience.
Producer: We can just put them all (multiple conversations; inaudible).
Bamford: Any others?
Snowden: One thing, yeah. There were a couple things I wanted to think about. One was man-in-the-middle, a type of attack you should illustrate. It’s routine hacking, but it’s related to CNE specifically, computer network exploitation. But I think in conflating in into cyber warfare helps people understand what it is.
A man-in-the-middle attack is where someone like the NSA, somebody who has access to the transmission medium that you use for communicating, actually subverts your communication. They intercept it, read it, and pass it on, or they intercept it, modify it, and pass it on.
You can imagine this as you put a letter in your mailbox for the postal carrier to pick up and then deliver, but you don’t know that the postal carrier actually took it to the person that you want until they confirm that it happened. The postal carrier could have replaced it with a different letter. They could have opened it. If it was a gift, they could have taken the gift out, things like that.
We have, over time, created global standards of behavior that mean mailmen don’t do that. They’re afraid of the penalties. They’re afraid of getting caught. And we as a society recognize that the value of having trusted means of communication, trusted mail, far outweighs any benefit that we might get from being able to freely tamper with mail. We need those same standards to apply to the internet. We need to be able to trust that when we send our emails through Verizon, that Verizon isn’t sharing with the NSA, that Verizon isn’t sharing them with the FBI or German intelligence or French intelligence or Russian intelligence or Chinese intelligence.
The internet has to be protected from this sort of intrusive monitoring or else the medium upon which we all rely for the basis of our economy and our normal life—everybody touches the internet nowadays—we’ll lose that, and it’s going to have broad effects as a consequence that we cannot predict.
Producer: Terrific. I think we ought to keep going and do like an interactive Edward Snowden kind of app.
Snowden: My lawyer would murder me.
Producer: No, you really—(inaudible) used to give classes.
Snowden: Yeah, I used to teach. It was on a much more specific level, which is why I keep having to dial back and think about it.
Producer: You’re a very clear speaker about it.
Snowden: Let me just one more time do the offense and defense and security thing. I think you guys already have enough to patch it together, but let me just try to freestyle on it.
The community of technical experts who really manage the internet, who built the internet and maintain it, are becoming increasingly concerned about the activities of agencies like the NSA or Cyber Command, because what we see is that defense is becoming less of a priority than offense. There are programs we’ve read about in the press over the last year, such as the NSA paying RSA $10 million to use an insecure encryption standard by default in their products. That’s making us more vulnerable not just to the snooping of our domestic agencies, but also foreign agencies.
We saw another program called Bullrun which subverted the—which subverts—it continues to subvert similar encryption standards that are used for the majority of e-commerce all over the world. You can’t go to your bank and trust that communication if those standards have been weakened, if those standards are vulnerable. And this is resulting in a paradigm where these agencies wield tremendous power over the internet at the price of making the rest of their nation incredibly vulnerable to the same kind of exploitative attacks, to the same sort of mechanisms of cyber-attack.
And that means while we may have a real advantage when it comes to eavesdropping on the military in Syria or trade negotiations over the price of shrimp in Indonesia—which is an actually real anecdote—or even monitoring the climate change conference, it means it results. It means we end up living in an America where we no longer have a National Security Agency. We have a national surveillance agency. And until we reform our laws and until we fix the excesses of these old policies that we inherited in the post-9/11 era, we’re not going to be able to put the security back in the NSA.
Bamford: That’s great. Just along those lines, from what you know about the project Bullrun and so forth, how secure do you think things like AES, DES, those things are, the advanced encryption standard?
Snowden: I don’t actually want to respond to that one on camera, and the answer is I actually don’t know. But yeah, so let’s leave that one.
Bamford: I mean, that would have been the idea to weaken it.
Snowden: Right. The idea would be to weaken it, but which standards? Like is it AES? Is it the other ones? DES was actually stronger than we thought it was at the time because the NSA had secretly manipulated the standard to make it stronger back in the day, which was weird, but that shows the difference in thinking between the ’80s and the ’90s. It was the S-boxes. That’s what it was called. The S-boxes was the modification made. And today, where they go, oh, this is too strong, let’s weaken it. The NSA was actually concerned back in the time of the crypto-wars with improving American security. Nowadays, we see that their priority is weakening our security, just so they have a better chance of keeping an eye on us.
Bamford: Right, well, I think that’s perfect. So why don’t we just do the—
Producer: Would you like some coffee? Something to drink?
Bamford: Yeah, we can get something from room service, if you like.
Snowden: I actually only drink water. That was one of the funniest things early on. Mike Hayden, former NSA CIA director, was—he did some sort of incendiary speech—
Bamford: Oh, I know what you’re going to say, yeah.
Snowden: —in like a church in D.C., and Barton Gellman was there. He was one of the reporters. It was funny because he was talking about how I was—everybody in Russia is miserable. Russia is a terrible place. And I’m going to end up miserable and I’m going to be a drunk and I’m never going to do anything. I don’t drink. I’ve never been drunk in my life. And they talk about Russia like it’s the worst place on earth. Russia’s great.
Bamford: Like Stalin is still in charge.
Snowden: Yeah, I know. It’s crazy.
Bamford: But you know what he was referring to, I think. You know what he was flashing back to was—and I’d be curious whether you’ve actually heard about this or not—
Snowden: Philby and Burgess and—
Bamford: Martin and Mitchel.
Snowden: I actually don’t remember the Martin and Mitchell case that well. I’m aware of the outlines of it.
Bamford: But you know what they did?
The CENTCOM hack was much more damaging than what the Pentagon has openly admitted (Pentagon spokesman said it was “little more than a prank or vandalism”):
Following up on an earlier post on the same topic:
Continuing on my blog post yesterday – shouldn’t one feel guilty about posting photos of their loved ones online without knowing or truly understanding the underlying risks?
Well instead of covering the face(s), how about encoding your photos with personal secret code so that only you and those selected parties can see them? That’s what this software PhotoScrambler is about.
If you’re still coining your new year resolutions… how about never to post (and tag) any photos of yourself and loved ones online?
Yes, it’s a social norm these days – just look at the Facebook sphere – but I can’t explain the risks better than this excellent presentation (below) from the Make Use Of blog about facial recognition technology and the risks of posting our photos online.
Food for thoughts?
Here’s one for the (urgent) To Do List, as the following article (below) from threatpost.com explains…
12 Million Home Routers Vulnerable to Takeover
by Michael Mimoso December 18, 2014 , 12:23 pm
More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer.
Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.
The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.
In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.
“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”
Tal said the vulnerable code was written in 2002 and given to chipset makers bundled in a software development kit (SDK). This SDK was given to manufacturers who used it when building their respective firmware; ISPs, Tal said, also used the same SDK to prepare custom firmware used in consumer residential devices.
“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”
Tal said Check Point conducted Internet scans that show the 12 million devices exposed online in 189 countries. In some of those countries, Tal said, vulnerability rates hover around 10 percent, and in one country half of its Internet users are at risk.
“Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”
That means that vulnerable home routers are at risk to remote attacks that put not only Internet traffic at risk, but also other devices on a local network such as printers.
“The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”
Tal said Check Point is not aware of any exploits of this issue, but assumes that researchers and black hats will soon begin pinging Shodan and doing Google searches looking for vulnerable devices.
“This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.”
Some vendors, which Tal would not name, have already shared beta versions of upgraded firmware with Check Point, and Check Point has confirmed the issue as patched in those cases.
“Everyone is aware that embedded devices are insecure, but we haven’t had one game-changing event that crosses boundaries and makes the industry understand this,” Tal said. “This one is definitely worth the attention and needs fixing.”
I like to share this WIRED updates on the use of TOR.
The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users
By Kevin Poulsen 12.16.14 | 7:00 am
For more than a decade, a powerful app called Metasploit has been the most important tool in the hacking world: An open-source Swiss Army knife of hacks that puts the latest exploits in the hands of anyone who’s interested, from random criminals to the thousands of security professionals who rely on the app to scour client networks for holes.
Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.
That attack, “Operation Torpedo,” was a 2012 sting operation targeting users of three Dark Net child porn sites. Now an attorney for one of the defendants ensnared by the code is challenging the reliability of the hackerware, arguing it may not meet Supreme Court standards for the admission of scientific evidence. “The judge decided that I would be entitled to retain an expert,” says Omaha defense attorney Joseph Gross. “That’s where I am on this—getting a programming expert involved to examine what the government has characterized as a Flash application attack of the Tor network.”
A hearing on the matter is set for February 23.
Tor, a free, open-source project originally funded by the US Navy, is sophisticated anonymity software that protects users by routing traffic through a labyrinthine delta of encrypted connections. Like any encryption or privacy system, Tor is popular with criminals. But it also is used by human rights workers, activists, journalists and whistleblowers worldwide. Indeed, much of the funding for Tor comes from grants issued by federal agencies like the State Department that have a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes.
With so many legitimate users depending upon the system, any successful attack on Tor raises alarm and prompts questions, even when the attacker is a law enforcement agency operating under a court order. Did the FBI develop its own attack code, or outsource it to a contractor? Was the NSA involved? Were any innocent users ensnared?
Now, some of those questions have been answered: Metasploit’s role in Operation Torpedo reveals the FBI’s Tor-busting efforts as somewhat improvisational, at least at first, using open-source code available to anyone.
Created in 2003 by white hat hacker HD Moore, Metasploit is best known as a sophisticated open-source penetration testing tool that lets users assemble and deliver an attack from component parts—identify a target, pick an exploit, add a payload and let it fly. Supported by a vast community of contributors and researchers, Metasploit established a kind of lingua franca for attack code. When a new vulnerability emerges, like April’s Heartbleed bug, a Metasploit module to exploit it is usually not far behind.
Moore believes in transparency—or “full disclosure”—when it comes to security holes and fixes, and he’s applied that ethic in other projects under the Metasploit banner, like the Month of Browser Bugs, which demonstrated 30 browser security holes in as many days, and Critical.IO, Moore’s systematic scan of the entire Internet for vulnerable hosts. That project earned Moore a warning from law enforcement officials, who cautioned that he might be running afoul of federal computer crime law.
In 2006, Moore launched the “Metasploit Decloaking Engine,” a proof-of-concept that compiled five tricks for breaking through anonymization systems. If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought. “That was the whole point of Decloak,” says Moore, who is chief research officer at Austin-based Rapid7. “I had been aware of these techniques for years, but they weren’t widely known to others.”
One of those tricks was a lean 35-line Flash application. It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address. It was a known issue even in 2006, and the Tor Project cautions users not to install Flash.
The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moore’s Flash code as its “network investigative technique”—the FBI’s lingo for a court-approved spyware deployment.
Torpedo unfolded when the FBI seized control of a trio of Dark Net child porn sites based in Nebraska. Armed with a special search warrant crafted by Justice Department lawyers in Washington DC, the FBI used the sites to deliver the Flash application to visitors’ browsers, tricking some of them into identifying their real IP address to an FBI server. The operation identified 25 users in the US and an unknown number abroad.
Gross learned from prosecutors that the FBI used the Decloaking Engine for the attack — they even provided a link to the code on Archive.org. Compared to other FBI spyware deployments, the Decloaking Engine was pretty mild. In other cases, the FBI has, with court approval, used malware to covertly access a target’s files, location, web history and webcam. But Operation Torpedo is notable in one way. It’s the first time—that we know of—that the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect.
The tactic is a direct response to the growing popularity of Tor, and in particular an explosion in so-called “hidden services”—special websites, with addresses ending in .onion, that can be reached only over the Tor network.
Hidden services are a mainstay of the nefarious activities carried out on the so-called Dark Net, the home of drug markets, child porn, and other criminal activity. But they’re also used by organizations that want to evade surveillance or censorship for legitimate reasons, like human rights groups, journalists, and, as of October, even Facebook.
A big problem with hidden service, from a law enforcement perceptive, is that when the feds track down and seize the servers, they find that the web server logs are useless to them. With a conventional crime site, those logs typically provide a handy list of Internet IP addresses for everyone using the site – quickly leveraging one bust into a cascade of dozens, or even hundreds. But over Tor, every incoming connection traces back only as far as the nearest Tor node—a dead end.
Thus, the mass spyware deployment of Operation Torpedo. The Judicial Conference of the United States is currently considering a Justice Department petition to explicitly permit spyware deployments, based in part on the legal framework established by Operation Torpedo. Critics of the petition argue the Justice Department must explain in greater detail how its using spyware, allowing a public debate over the capability.
“One thing that’s frustrating for me right now, is it’s impossible to get DOJ to talk about this capability,” says Chris Soghoian, principal technologist at the ACLU. “People in government are going out of their way to keep this out of the discussion.”
For his part, Moore has no objection to the government using every available tool to bust pedophiles–he once publicly proposed a similar tactic himself. But he never expected his long-dead experiment to drag him into a federal case. Last month he started receiving inquiries from Gross’ technical expert, who had questions about the efficacy of the decloaking code. And last week Moore started getting questions directly from the accused pedophile in the case— a Rochester IT worker who claims he was falsely implicated by the software.
Moore finds that unlikely, but in the interest of transparency, he answered all the questions in detail. “It only seemed fair to reply to his questions,” Moore says. “Though I don’t believe my answers help his case at all.”
Using the outdated Decloaking Engine would not likely have resulted in false identifications, says Moore. In fact, the FBI was lucky to trace anyone using the code. Only suspects using extremely old versions of Tor, or who took great pains to install the Flash plug-in against all advice, would have been vulnerable. By choosing an open-source attack, the FBI essentially selected for the handful offenders with the worst op-sec, rather than the worst offenders.
Since Operation Torpedo, though, there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that infected by the malware.
“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”
It’s time to raise the antenna again on smartphone encryption matters.
Law enforcement agencies, particularly the FBI, have been desperately pressurizing the Congress to force Apple and Google to do away with their new default smartphone encryption. And authorities are apparently giving in.
According to an exclusive report by Ars Technica (below) earlier this week, court documents from 2 federal criminal cases in New York and California show the US Department of Justice on October 31 this year went as far as exercising a 18th century law – the All Writs Act – to compel Apple and at least one other company to cooperate with law enforcement officials in investigations dealing with locked and encrypted smartphones.
The 225-year-old law gives the courts the right to issue whatever writs or orders in order to compel someone to do something.
To the extent that Apple has recently beefed up encryption in its latest iOS 8, the fact that the DOJ would go to such absurd lengths might set worrying precedence – recall a recent ludicrous DOJ assertion that the new encryption standards would kill a child.
A more disturbing question: What would you do if you were FBI director James Comey making his rounds to denounce smartphone encryption?
Make the DOJ use the All Writs Act to force manufacturers to install convenient backdoors. Why not?
Feds want Apple’s help to defeat encrypted phones, new legal case shows
Prosecutors invoke 18th-century All Writs Act to get around thorny problem.
by Cyrus Farivar – Dec 1 2014, 10:00pm CST
OAKLAND, CA—Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.
In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.
Some legal experts are concerned that these rarely made public examples of the lengths the government is willing to go in defeating encrypted phones raise new questions as to how far the government can compel a private company to aid a criminal investigation.
Two federal judges agree that the phone manufacturer in each case—one of which remains sealed, one of which is definitively Apple—should provide aid to the government.
Ars is publishing the documents in the California case for the first time in which a federal judge in Oakland specifically notes that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.”
The two orders were both handed down on October 31, 2014, about six weeks after Apple announced that it would be expanding encryption under iOS 8, which aims to render such a data handover to law enforcement useless. Last month, The Wall Street Journal reported that DOJ officials told Apple that it was “marketing to criminals” and that “a child will die” because of Apple’s security design choices.
Apple did not immediately respond to Ars’ request for comment.
Meet the “All Writs Act”
Alex Abdo, an attorney with the American Civil Liberties Union, wondered if the government could invoke the All Writs Act to “compel Master Lock to come to your house and break [a physical lock] open.”
“That’s kind of like the question of could the government compel your laptop maker to unlock your disk encryption?” he said. “And I think those are very complicated questions, and if so, then that’s complicated constitutional questions whether the government can conscript them to be their agents. Then there’s one further question: can the government use the All Writs Act to compel the installation of backdoors?”
But, if Apple really can’t decrypt the phone as it claims, the point is moot.
“Then that’s pretty much the end of it,” Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, told Ars. “The writ doesn’t require Apple to do something that is impossible for it to do.”
Andrew Crocker, a legal fellow also at the Electronic Frontier Foundation, pointed out on Twitter on Tuesday that back in 2005, a different New York magistrate refused to accept the government’s invocation of the All Writs Act to obtain real-time cell site data.
As Magistrate Judge James Orenstein wrote at the time:
Thus, as far as I can tell, the government proposes that I use the All Writs Act in an entirely unprecedented way. To appreciate just how unprecedented the argument is, it is necessary to recognize that the government need only run this Hail Mary play if its arguments under the electronic surveillance and disclosure statutes fail.
The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature’s intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.
“Any capabilities [Apple] may have to unlock the iPhone”
One of the new phone search cases was filed in federal court in Oakland, just across the bay from San Francisco, while another was filed in federal court in Manhattan.
In the Oakland case, prosecutors asked a federal judge in to “assist in the execution of a federal search warrant by facilitating the un-locking of an iPhone.”
Ars went in person to the Oakland courthouse on Wednesday to obtain the documents and is publishing both the government’s application and the judge’s order for the first time here. The All Writs Act application and order are not available via PACER, the online database for federal court records.
“This Court has the authority to order Apple, Inc., to use any capabilities it may have to unlock the iPhone,” Garth Hire, an assistant US attorney, wrote to the court and cited the All Writs Act.
“The government is aware, and can represent, that in other cases, courts have ordered the unlocking of an iPhone under this authority,” he wrote. “Additionally, Apple has routinely complied with such orders.”
“This court should issue the order because doing so would enable agents to comply with this Court’s warrant commanding that the iPhone be examined for evidence identified by the warrant,” he continued. “Examination of the iPhone without Apple’s assistance, if it is possible at all, would require significant resources and may harm the iPhone. Moreover, the order is not likely to place any unreasonable burden on Apple.”
In response, Magistrate Judge Kandis Westmore ordered that Apple “provide reasonable technical assistance to enable law enforcement agents to obtain access to unencrypted data.” She did not specifically mention the All Writs Act.
But she added:
It is further ordered that, to the extent that data on the iOS device is encrypted, Apple may provide a copy of the encrypted data to law enforcement but Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.
Westmore’s language is a near-duplicate of a June 6, 2014 order issued by a different judge from the Northern California district, San Jose division, which is about 40 miles south of Oakland. There, Magistrate Judge Howard Lloyd ordered Apple to assist in the search of an iPad Mini, months before the release of iOS 8.
New spying tools afoot
On Tuesday, The Wall Street Journal reported on an order issued by a federal magistrate in New York in a case involving alleged credit card fraud.
In that Manhattan case, Magistrate Judge Gabriel Gorenstein granted the government’s proposed order on the same day as Westmore (October 31, 2014), also citing the All Writs Act, which compels the unnamed phone manufacturer to provide “reasonable technical assistance” in unlocking the device.
The mystery company could challenge the judge’s order, according to Brian Owsley, a former federal magistrate judge who now is a law professor at Indiana Tech.
“Unfortunately, we will probably not know because the issue will likely be sealed even though there should be more transparency in these issues,” he told Ars by e-mail, noting that during his tenure on the bench he could not remember a time when the government invoked the All Writs Act.
“It is only through greater transparency will we start to get the answers. If the provider simply complies we will know nothing. Here, Judge Gorenstein’s approach strikes me as very even-handed, but the inherent problem is that those who are concerned about privacy issues in general simply have to hope that the provider will speak up for us.”
But Orin Kerr, a law professor at George Washington University and a former federal prosecutor, does not believe that the seized phone in the New York case was an iOS 8 device.
“The government obtained a warrant on October 10 for a phone already in its possession,” he told Ars by e-mail. “Apple’s announcement was something like September 18. If it was an iPhone, it was probably an iPhone running [on] an earlier operating system.”
Still, Alex Abdo, the ACLU attorney, after reading a copy of the Oakland documents, concluded that the “government’s application raises troubling questions about the extent to which it can force companies to break the products they sell.”
“We are heartened, however, that the court recognized that possibility and stopped short of ordering Apple to come up with a way to decrypt its customers’ data,” he added.
“More broadly, it is disconcerting that the government is relying on a catch-all law to seek surveillance powers that it should be seeking from Congress and the public,” said Abdo. “If the government wants new spying tools, it should allow our democratic process to debate them openly first.”
UPDATE 1:50pm CT: Jonathan Mayer, a lecturer at Stanford Law, said that use of the All Writs Act is not as novel as it may seem. (He recommended his recent lecture on the subject!)
“The TL;DR is that there is nothing new about using the All Writs Act to compel assistance,” Mayer told Ars by e-mail. “And there is also nothing new about using it to compel assistance with unlocking a phone. That repeated language you saw? It’s provided by Apple itself!”
“As for the opinion discounting the All Writs Act, that had to do with surveillance under the Electronic Communications Privacy Act. Where ECPA applies, the All Writs Act doesn’t. (It’s just a default, as the court rightly noted.) Phone unlocking isn’t covered by ECPA, so the All Writs Act remains in play.”