GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages

from the im-in-ur-internet-stealing-ur-files dept

Some nasty malware with a decade of history behind it has been uncovered and it has the fingerprints of two governments all over it.

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Behind the malware -- which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages -- lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom's subversion by this malware -- comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) -- led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn't. Belgacom's infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

GCHQ has issued boilerplate in response to The Intercept's request for a comment. The NSA, on the other hand, apparently isn't going to dignify this story with a non-denial denial, opting instead for something much more brusque:

“We are not going to comment on The Intercept’s speculation.”

What's currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.

Given that that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from "thin" to "nonexistent."

Filed Under: gchq, malware, nsa, surveillance
Companies: belgacom, linkedin, microsoft

Big Tech Calls On Senate To Stop NSA's Bulk Surveillance Program

from the speak-out dept

In honor of the Reset the Net campaign, and the one-year anniversary of the first Ed Snowden revelation, a bunch of big tech companies, including Google, Facebook, Microsoft, Twitter, Apple, DropBox, LinkedIn, Yahoo and AOL, have published an open letter to the Senate asking it to pass real surveillance reform, rather than the weak sauce that the House passed in its massively watered-down USA Freedom Act. At the same time, a lobbyist representing a group of big tech companies specifically warned the Senate that the House version was too weak and needed to be much stronger. This is a good first step, but we need to see the pressure on the Senate ramp up even more.

Filed Under: nsa, reset the net, senate, surveillance, usa freedom act
Companies: aol, apple, dropbox, facebook, google, linkedin, microsoft, twitter, yahoo

Feds Reach Settlement With Internet Companies Allowing Them To Report Not Nearly Enough Details On Surveillance Efforts

from the too-bad dept

It appears that the lawsuit that a bunch of big internet companies had filed against the NSA in an attempt to reveal just how often they get FISA court information requests and how many of their users are impacted is now over, as the government has reached a settlement with the companies, allowing them slightly more leeway in sharing information, but in a very limiting way.

Not too long ago, the government had started allowing companies to reveal, for the first time, how many national security letter (NSL) requests they get, but said they had to reveal that number in ranges of 1,000 starting with 0 to 999. However, they did not allow any such reporting on FISA Court (FISC) orders, which covered things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. It appears that the settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. One is to basically report FISC requests like NSL requests, in bands of 1,000, and to similarly report "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.

Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they lump together NSLs and FISA orders into a single number, they can reveal the details in bands of 250, starting with 0 to 249. Similarly, they can list the lumped together "customer selectors targeted" under combined NSLs and FISA orders in bands of 250.

This is a step forward, but it's not nearly far enough. As Kevin Bankston notes:

"Asking the public and policymakers to try to judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will be ever be evident."

Among the problems here, are that while they can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.

Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype -- and then gets hit with a FISA court order demanding that the NSA be able to listen in. The companies would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.

There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.

Apple has already updated its transparency report to note 0 - 249 "national security orders" and 0 - 249 "total accounts affected." Since they're doing ranges of 250, they're clearly lumping together both national security letters and FISC orders as "national security orders" though that's a bit confusing. Also, I don't think Apple is actually allowed to say "total accounts affected" from the terms of the agreement. When it comes to FISC orders, they can only list "customer selectors targeted," and saying "accounts affected" would suggest more information than the agreement appears to allow. Still, the obvious suggestion is that the government isn't requesting that much information directly from Apple, though other reports suggest it gets plenty of information, not directly via Apple, but by hacking their way into iOS devices....

Filed Under: doj, fisa orders, fisc, internet companies, national security letters, nsls, transparency, transparency report
Companies: apple, facebook, google, linkedin, microsoft, yahoo

Feds To FISC: Of Course We Don't Have To Share Our Full Legal Filings With Companies Suing Us Over NSA Transparency

from the because dept

As you may recall, in the ongoing lawsuit by various tech companies against the government, in which they're seeking to reveal some rather basic details about how many surveillance data requests they get and how many users are impacted, much of the feds' brief was redacted... even to the tech companies. The companies argued, quite reasonably, that it was crazy to make them fight a legal battle in which the DOJ could make arguments that the companies themselves couldn't see or respond to. They asked the FISA Court to either let them see the arguments or to remove them from the case.

The DOJ has now filed its response, which basically says "we've revealed enough."

The Government's public brief meets and exceeds the requirements of Rule 7(j). The rule clearly provides that submissions to the Court "which may include classified information" will be reviewed by the Court "ex parte and in camera" and that adversarial parties will receive only "an unclassified or redacted version" which "clearly articulate[s] the government's legal arguments." Rule of Procedure 7(j). Not only does the Government's public brief "clearly articulate the government's legal arguments," the legal arguments are fully disclosed. The redacted information contains no additional legal arguments, no case citations, and no discussion of statutory or other law.

Of course, that raises other questions. If the redacted portions (which are fairly large) don't raise legal arguments, then what are they doing?

The government also argues that the executive branch gets the right to determine what to redact and the court should defer to the government on such things:

... this Court does not independently review Executive Branch classification decisions.... Executive Branch classification decisions are entitled to "the utmost deference"... and that such deference is especially appropriate where the Executive Branch bases its classification decision, as here, on a review of all pertinent information, including whether disclosure of the data in the manner proposed by the companies would risk filling out the mosaic of information available to our adversaries in their efforts to assess and avoid our surveillance capabilities.

And so we're back to the "mosaic theory," in which the feds argue they can redact stuff out of a fear that a bunch of random info can be put together by bad people to figure out more than the feds want to reveal. But... that makes no sense here. The companies are asking at this point that their own lawyers be able to see the arguments, not necessarily that the details be made public. The court could easily seal the filings from the public while letting the companies' lawyers see it.

Filed Under: doj, first amendment, fisa, fisc, redacted, transparency
Companies: apple, facebook, google, linkedin, microsoft, yahoo

Most Big Internet Companies Speak Out For Major Surveillance Reform

from the about-time dept

Since the Snowden leaks began we've highlighted that the US internet companies should be furious about the NSA's actions, because it was almost certainly going to harm their ability to get any business outside of the US. Some of the companies seemed to be lying low, and we argued they should be speaking out and fighting back. While many of them did decide to sue for greater transparency, we argued that transparency was just one issue, and not even the most important one. About a month ago, with the revelations of the NSA infiltrating data centers, it appeared to finally dawn on the major internet companies that this was a serious issue.

Basically all of the largest internet companies -- with the exception of Amazon (and Apple, if you consider them an internet company) have now launched a website demanding major reforms for government surveillance. Facebook, Yahoo, Twitter, Microsoft, Google, LinkedIn and AOL have all joined in this effort, with a bunch of specific requests:

1. Limiting Governments' Authority to Collect Users' Information
2. Increase Oversight and Accountability (such as by making FISA an adversarial process)
3. Transparency About Government Demands
4. Respecting the Free Flow of Information
5. Avoiding Conflicts Among Governments

With the website, they've also sent a specific open letter to the government highlighting why this is important, focusing on the rights of individuals and the ability to keep their information private.

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope.

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.

Some will, undoubtedly, argue that this is all just noise for the sake of public perception, but compare what these companies are doing to the major telco companies, which not only have refused to comment on all of this, but have actively fought efforts by their own shareholders to make them just slightly more transparent (up to the level many internet companies were even before the Snowden leaks).

The question, now, is how much effort these companies will really put into getting Congress to change the laws. There are a number of different bills in Congress. Having the tech companies assist the efforts for real reform would certainly be helpful.

Filed Under: internet, nsa, reform, surveillance, tech companies
Companies: aol, facebook, google, linkedin, microsoft, twitter

DOJ Refuses To Let Tech Companies See Legal Arguments It's Making Against Them

from the isn't-that-convenient dept

The ongoing legal fight, in which a bunch of US tech and internet companies -- namely Google, Facebook, Microsoft, Yahoo and LinkedIn -- are suing the US government, claiming a First Amendment right to publish some details on the number of requests they get from the NSA under Section 702 of the FISA Amendments Act, as well as the number of users impacted by those requests, is getting ever weirder. The government had filed its response back at the end of September. And, you might notice, large portions of it are totally redacted. For example, here is page 13 of the document (though, numbered page 8):
At least they didn't redact the page number Of course, stuff gets filed under seal all the time, and it's not particularly uncommon to see redacted passages in legal documents -- especially (obviously) when it has to do with matters of national security. But, here's what's different. Normally the opposing parties in the case are allowed to see the details of what's redacted. Here, the DOJ is simply refusing to let the tech companies see its own argument. In response, the companies have filed a pretty direct and somewhat angry motion, asking the FISA court to either let them see the arguments, or to strike the redacted portions from the DOJ's motion. Basically, the DOJ is saying that it can make legal arguments that only the court can see, but which the tech companies suing it cannot see. That goes against every basic concept of due process.

The government has submitted a response and supporting declaration for ex parte, in camera review. It has given the providers only a heavily redacted version of its submissions, and it has rejected all requests for greater access.

Unless the government reconsiders its refusal to accommodate the providers' legitimate need to understand the basis for the government's response, the providers respectfully request that this Court strike the redacted portions of the government's brief and supporting declaration. The redacted version of the government's submissions does not comply with Foreign Intelligence Surveillance Court Rule 7(j) because it does not "clearly articulate the government's legal arguments," as the rule requires. If the government's interpretation of the rule were correct, the rule would violate both the First Amendment and the Due Process Clause. To avoid that result, the Court should construe the rule to require fuller disclosure to the providers.

Allowing the government to file an ex parte brief in this case will cripple the providers' ability to reply to the government's arguments and is likely to result in a disposition of the providers' First Amendment claims based on information that the providers will never see. The providers do not dispute that in some cases it may be appropriate for this Court to consider ex parte filings. In this case, however, such a course is neither justified nor constitutional. The providers already know the core information that the government seeks to protect in this litigation--the number of FISC orders or FAA directives to which they have been subject, if any. At issue here is only the secondary question whether the providers may be told the reason why the government seeks to keep that information a secret. The government has not argued that sharing those reasons with the providers or their counsel would endanger national security. Accordingly, unless the government allows the providers' counsel to access its response, the Court should strike the redacted portions of the response.

The whole thing is really quite incredible. Our government is so focused on the secrecy of its secret laws and secret demands that it won't even tell the companies fighting the secrecy the secret reasons it's telling the court it has to keep stuff secret? How is that possibly consistent with basic due process under the law?

Filed Under: due process, faa, fisa, fisa amendments act, fisa court, fisc, free speech, gag order, nsa, redactions, section 702
Companies: facebook, google, linkedin, microsoft, yahoo

GCHQ's Response To Hacking Slashdot And LinkedIn: No Comment, But It Was Perfectly Legal

from the yeah,-nice-try dept

Over the weekend it came out that GCHQ used a packet injection attack on Slashdot and LinkedIn pages in order to do a "quantum insert" -- basically a man-in-the-middle attack to install malware on the computers of key employees at Belgian telco Belgacom, which they then used to get much greater access to Belgacom's infrastructure for spying. It would appear that neither LinkedIn, nor the owners of Slashdot, are particularly pleased about this. After requesting more information, GCHQ had a useful response: "no comment."

In an emailed statement to Slashdot, the GCHQ’s Press and Media Affairs Office wrote: “We have no comment to make on this particular story.” It added:

“All GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.”

Right. So we can't comment on this, but we assure you that it's very much legal that we effectively ran a man-in-the-middle attack on your site, guaranteeing that people are less willing to go to your sites any more. Meh. Collateral damage for the very important work of spying on everyone.

Filed Under: gchq, packet injection, quantum insert, slashdot, surveillance
Companies: linkedin

Tech Companies Lawsuit Over Transparency Concerning NSA Surveillance Put On Hold Due To Government Shutdown

from the please-hold... dept

This is hardly a surprise, but it appears that the tech companies' lawsuit against the federal government, in which they're arguing a First Amendment right to reveal details (at least in terms of numbers) related to NSA information requests, has been put on hold. The DOJ told the court that the government shutdown means that its lawyers really can't work on the case and the Court has agreed to put the case on hold until the government is up and running again. It has also told the feds to declassify yet another court ruling concerning the interpretation of Section 215 of the Patriot Act, though it will let that wait until after the government opens up again too.

Filed Under: first amendment, government shutdown, nsa, nsa surveillance, transparency
Companies: dropbox, google, linkedin, microsoft, yahoo

LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!'

from the grandstanding... dept

As you hopefully have heard already, a ton of Linkedin passwords were leaked online. They were leaked in encrypted forms -- and without associated usernames -- leading some to suggest there was no real threat for users, unless someone also had the full list of usernames as well. However, that doesn't seem quite accurate. Since the passwords were hashed but not salted, it's made it relatively easy for the passwords to be decrypted. Yes, the usernames haven't been released, but some are suggesting that whoever leaked the data probably only released this subset, because they had already decrypted a bunch of easier passwords (and probably had the usernames) and just needed "the crowd" to help decrypt the rest.

Linkedin took its time, but did admit that there was a breach, and reset those passwords. However, Congress is never one to miss an opportunity to grandstand. Rep. Mary Bono Mack was quick to jump up and announce that something must be done!

"How many times is this going to happen before Congress finally wakes up and takes action?" said Rep. Mary Bono Mack, R-Palm Springs, who heads a House Energy and Commerce subcommittee that has looked at online-privacy issues, in a statement. "This latest incident once again brings into sharp focus the need to pass data protection legislation."

Similarly, Senator Pat Leahy jumped in with a similar statement:

"Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking," Leahy said in a statement provided to The Hill. "Congress should make comprehensive data privacy and cybercrime legislation a top priority.”

First of all, it does appear that LinkedIn wasn't using particularly smart security techniques (no salting? really?). But would a law really change things? And Leahy's claim that we need "cybercrime" legislation, again doesn't seem likely to help "fix" anything. If anything, the "cybersecurity" legislation that's out there might make such data even more vulnerable, by making companies more encouraged to share information.

Yes, these kinds of data breaches are bad. And we should be concerned when we find out that a company as big as LinkedIn still uses such weak security practices. But does that really mean we need a law?

Filed Under: congress, data breach, mary bono mack, passwords, pat leahy, security
Companies: linkedin