Transparency is worth having for itself, since governments often tend to behave a little better when they know that someone is watching. But occasionally, requests for data turn up something big and totally unexpected because someone failed to notice quite what the information provided implies.
The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers [used for "man-in-the-middle" attacks on mobile phones] used by German police.
It's been known for a year that the German police forces have been using malware to spy on citizens via their computers, but the latest revelations about surveillance activity go far beyond that. It confirms that even in countries where people are very sensitive about privacy, Internet snooping by the police is routine. It also emphasizes, once more, the importance of encrypting your communication channels where possible, and avoiding those where it isn't.
It's become something of a cliché that anyone with a mobile phone is carrying a tracking device that provides detailed information about their location. But things are moving on, as researchers (and probably others as well) explore new ways to subvert increasingly-common smartphones to gain other revealing data about their users. Here's a rather clever use of malware to turn your smartphone into a system for taking clandestine photos -- something we've seen before, of course, in othercontexts -- but which then goes even further by stitching them together to form a pretty accurate 3D model of your world:
This paper introduces a novel visual malware called PlaceRaider, which allows remote attackers to engage in remote reconnaissance and what we call virtual theft. Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments.
The use of 3D reconstructions overcomes a potential problem with ordinary spyware: there's often too much data whose significance is unclear. That makes finding anything interesting hard. The solution here is to combine all the data into a unified, virtual reconstruction that can then be navigated by snoopers looking for significant items just as they might if they were rooting through your physical space.
The full academic paper "PlaceRaider: Virtual Theft in Physical Spaces with Smartphones" (pdf) makes for fascinating reading, even if it doesn't seem to understand the difference between "theft" and "surveillance". It includes the following rather fanciful description of how this 3D-spying capability might be used. It's rather over the top, but it gives an idea of what's theoretically possible:
Alice does not know that her Android phone is running a service, PlaceRaider, that records photos surreptitiously, along with orientation and acceleration sensor data. After on-board analysis, her phone parses the collected images and extracts those that seem to contain valuable information about her environment. At opportune moments, her phone discretely transmits a package of images
to a remote PlaceRaider command and control server.
Upon receiving Alice's images, the PlaceRaider command and control server runs a computer vision algorithm to generate a rich 3D model. This model allows Mallory, the remote attacker, to immerse herself easily in Alice's environment. The fidelity of the model allows Mallory to see Alice's calendar, items on her desk surface and the layout of the room. Knowing that the desktop surface might yield valuable information, Mallory zooms into the images that generated the desktop and quickly finds a check that yields Alice's account and routing numbers along with her identity and home address. This provides immediate value. She also sees the wall calendar, noticing the dates that the family will be out of town, and ponders asking an associate who lives nearby to 'visit' the house while the family is away and 'borrow'; the iMac that Mallory sees in Alice's office.
Well, maybe not. But what's more interesting is the way that smartphone malware is able to gather enough information to allow the detailed reconstruction of complex spaces. The paper includes some impressive 3D reconstructions from apparently random images that have been stitched together. These and the research project that produced them are a salutary reminder that useful as they are, smartphones also bring with them new dangers that need to be considered and, ultimately, addressed.
The American Enterprise Institute (AEI) recently held an event about cybersecurity and cybersecurity legislation. The keynote speech was from NSA boss General Keith Alexander. He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA access private content from service providers -- much of which, reports claim, they're already capturing and storing. Alexander has claimed that the NSA doesn't have "the ability" to spy on American emails and such, and reiterates that claim during the Q&A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read). That's nice for him to say, but so many people with knowledge of the situation claim the opposite.
In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.
So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation. You can watch the full video below, if you'd like:
Much of what he talks about online involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on? His "quote" line is that these attacks represent the "greatest transfer of wealth in history." That is a pretty broad statement, and there's almost no evidence to support it. He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs." Also, seriously? The "greatest transfer of wealth in history"? Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade? Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess? That doesn't pass the laugh test.
He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info). In fact, according to a much more believable study, the real risks are not outside threats and hackers, but internal security screwups and disgruntled inside employees. None of that requires NSA help. At all.
But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.
Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA neither needs nor wants most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):
One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed. It doesn't require the government to read their mail -- or your mail -- to do that. It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you're going to stop it.
It's like a missile, coming in to the United States.... there are two things you can do. We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?" Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster. We probably don't want to use snail mail. Maybe we could do this in real time. And come up with a construct that you and the American people know that we're not looking at civil liberties and privacy, but we're actually trying to figure out when the nation is under attack and what we need to do about it.
Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there.
Now all that's interesting, because if that's true, then why is he supporting legislation that would override any privacy rules that protect such info? If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information? He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:
The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.
So make that explicit. Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight what kind of information sharing is blocked right now and why it's blocked? Is it because of ECPA regulations? Something else? What's the specific problem? Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info. And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.
So, this speech is difficult to square up with that reality. If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed? It seems like a pretty straightforward question... though one I doubt we'll get an answer to. Ever. At least not before cybersecurity legislation gets passed.
Here's a fascinating story, found via Boing Boing, of some malware (a password stealing trojan targeting Diablo III players) that included some sort of integrated chat function, which the researchers at AVG only noticed when the hacker reached out to them while they were searching through his code. Imagine their surprise when up popped a dialog box asking them what they were doing:
Hacker: What are you doing? Why are you researching my Trojan?
Hacker: What do you want from it?
The AVG folks continued to chat with the guy for a little while, which is how they realized just how powerful the trojan was and how much it could do. The guy controlling it demonstrated this to them by remotely shutting down their machine after talking to them for a little while.
We're often told that the big media companies need to be saved because of all the important expensive reporting work they do. And then we see something absolutely ridiculous, such as Fox News linking the infamous Flame malware to Angry Birds... because both use the Lua computing language (found via Slashdot):
This is, of course, a complete pointless linkage, which seems to serve no purpose whatsoever, other than (perhaps) to attract the attention of those who are obsessed with Angry Birds (an admittedly large group of people). But just because two programs are written in the same language, it doesn't mean... well, it doesn't mean anything of importance whatsoever. Instead, it just seems like Fox News and its "Chief Intelligence Correspondent" Catherine Herridge needed to fill some space and came up with something entirely pointless. But, you know, we need those big professional news companies because of deep, hard-hitting stories like this one.
We've discussed in the past just how dangerous our reliance on Certificate Authorities "signing" security certificates has become. This is a key part of the way we handle security online, and yet it's clearly subject to abuse. The latest such example: the now infamous Flame malware that targeted computer systems in the Middle East was signed by a "rogue" Microsoft certificate -- one which was supposed to be used for allowing employees to log into a remote system. Microsoft rushed out a security update over the weekend, but that doesn't change the core problem: the whole setup of relying so heavily on secure certificates seems to be increasingly dangerous.
With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East. Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.
He later concludes: "We were out of our league, in our own game."
Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.
It's been fascinating to watch the back and forth discussions about Bitcoin. The big story recently was the supposed "theft" of $500,000 worth of Bitcoins. But, perhaps a lot more interesting is the report of new malware specifically targeting Bitcoins. The malware specifically looks for a Bitcoin wallet, which it then looks to email to a specific server. Among the many concerns people have raised about Bitcoins, this one hadn't received that much attention earlier, but could potentially scare a lot of people. The lack of traceability is one of the selling points, but it also has a downside in these types of situations.
With all of the highly questionable pre-settlement lawsuits out there demanding cash from people to avoid a lawsuit for copyright infringement, we've heard of a few different scams designed to use the same tactics: accuse someone of copyright infringement and demand cash to avoid a lawsuit... even if the operation demanding cash has nothing to do with the copyright holder. One recent example of this was a bit of malware that, once installed on a computer, would generate fake infringement warnings from the RIAA/MPAA, demanding cash settlements. TorrentFreak points us to a report from Brian Krebs who got his hands on some documents from ChronoPay, the operation that was used to handle the payments in this scam, showing just how lucrative the scam has been. The documents only cover the past two months, but in that time, 580 people paid up, handing over $283,000 to scammers. Of course, this is only marginally less legit than the standard shakedown from various lawyers who are working with the copyright holders. But, the success of these scammers' operations is almost certainly driven in part by the success and press coverage of those lawyers who are sending out those mass pre-settlement letters. People are hearing about this and thinking any such threat is legitimate, even when it's a pure scam. Of course, this means you should only expect to start receiving plenty more such scam requests, demanding you pay up to avoid a lawsuit. Kinda makes you wonder if it will make the "actual" letters sent by copyright holders less effective as people just assume they're scam letters.
As someone who flies all too frequently, I'd be lying if I said I wasn't a bit spooked by a report that the Spanair flight 5022 crash from two years ago may have been caused -- at least in part -- by malware on a computer that failed to detect three technical problems. Apparently, the computer which monitored those things got some sort of trojan horse, and may have failed to set off the necessary alarms because of this. As for how the computer got infected... it sounds like investigators still are not sure, but someone sticking in an infected USB stick or some other remote network connection seem like the most likely culprit. Of course, the reports seem woefully lacking in details. It's unclear how a trojan would block some software from alerting the crew that there was a problem with the aircraft. Honestly, the report seems to raise a lot more questions than it answers, and if it's actually true, it makes me wonder why we're relying on software that can be disabled via some random malware to watch for life-and-death safety issues on airplanes...