US Might Start A Nuclear War... Because Iranians Wanted Access To Academic Papers Locked Behind A Paywall?

from the seems-a-little-harsh dept

You probably saw one of the many stories about the US government charging nine Iranians with "conducting massive cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps", as the Department of Justice put it in its press release on the move:

"These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries," said Deputy Attorney General Rosenstein. "For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps. The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants' hacking operations and deter similar crimes."

That certainly sounds pretty serious, not least because some believe the US government may use this is a pretext for military action against Iran, possibly involving nuclear strikes. But what exactly did those Iranians allegedly steal?

The members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, which they used to steal research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books.

That is, they "stole" things like "academic journals, theses, dissertations, and electronic books" -- you know, the stuff that professors routinely publish as part of their work. The stuff that they desperately want as many people to read as possible, since that's how ideas spread, and academic credit is assigned. So rather than some "massive cyber theft" on behalf of the Islamic Revolutionary Guard Corps, is this not actually a bunch of people making copies of academic materials they and others want to read? We already know that Iranians have a particular hunger for academic knowledge of exactly this kind. An article published in Science in 2016 analyzed who was downloading unauthorized copies of scientific papers from Sci-Hub. Here's one striking result:

Of the 24,000 city locations to which [Sci-Hub downloaders] cluster, the busiest is Tehran, with 1.27 million requests. Much of that is from Iranians using programs to automatically download huge swaths of Sci-Hub's papers to make a local mirror of the site, [Sci-Hub's founder] Elbakyan says. Rahimi, the engineering student in Tehran, confirms this. "There are several Persian sites similar to Sci-Hub," he says. "So you should consider Iranian illegal [paper] downloads to be five to six times higher" than what Sci-Hub alone reveals.

Given that concentration of downloads from Sci-Hub in Iran, it's almost surprising the accused needed to break into US universities at all. The Department of Justice press release says that this activity has been going on since 2013, so maybe Iranians hadn't turned to Sci-Hub at that point. And perhaps there was other information they were seeking that was not available on Sci-Hub. A surprisingly precise figure of 31 terabytes in total is mentioned: how, exactly, was that calculated? After all, making copies of documents does not remove them, and people who break into systems tend not to leave notes about what they have "exfiltrated". It's hard to escape the feeling that 31 terabytes is simply the total amount of data they could have copied with all the credentials they obtained, and is used in the press release to make the incident sound bigger than it really is in order to justify any subsequent bellicose actions.

Of course, however much of whatever material was downloaded, breaking into other people's systems and accounts using stolen credentials is never justified. It's likely that the 8,000 compromised email accounts exposed a great deal of highly-sensitive personal information, which would arguably be a much more serious matter than the fact that journals, theses, dissertations, and electronic books were downloaded.

Still, this story doesn't really seem to be about 1337 Iranian government haxxors trying to undermine the US university system with a "massive cyber theft", as the over-the-top press release rather implies. It's more a bunch of unscrupulous individuals using fairly simple phishing techniques to get their hands on otherwise unavailable academic material, apparently to sell to others, at least according to the Department of Justice. It also suggests that if more of this academic work were freely available under open access licenses for everyone's benefit, rather than locked up behind paywalls, there would be less of an incentive for people to engage in this kind of illegal behavior. To say nothing of less risk of a nuclear war.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cyber theft, cybersecurity, doj, hacking, iran, islamic revolutionary guard, open access

Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges

from the good-news-for-one-of-the-actual-good-guys dept

The security researcher who was at the center of an audacious and disturbing government demand to unmask several Twitter accounts on the basis of an apparently menacing smiley emoji contained in one of them is now facing zero prison time for his supposed harassment of an FBI agent. Justin Shafer, who was originally facing five felony charges, has agreed to plead guilty to a single misdemeanor charge. Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

Here are the details of plea agreement [PDF] Shafer has agreed to. (h/t DissentDoe]

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent’s immediate relative's public Facebook account. There is no allegation of any physical contact.

The government agrees to recommend a sentence of time served. Mr. Shafer already served 8 months in jail before trial for criticizing the government's prosecution in a blog post. He was released after the defense filed a motion arguing his pre-trial detention violated First Amendment free speech rights and the statute governing pre-trial detention.

The government is not seeking for any restitution.

The United States Attorney's Office has agreed not to prosecute Mr. Shafer for the events leading to the initial armed FBI raid of his family’s home.

Mr. Shafer has agreed to a no contact order with the FBI agent, the agent’s family, and the company involved in the initial investigation.

What started out as normal security research soon became a nightmare for Shafer. His uncovering of poor security practices in the dental industry -- particularly the lack of attention paid to keeping HIPAA information secured -- led to his house being raided by FBI agents. The FBI raided his house again after he blogged about the first raid. The FBI justified its harassment of Shafer with vague theories about his connection to infamous black hat hacker TheDarkOverlord. To do this, the FBI had to gloss over -- if not outright omit -- the warnings Shafer had sent to victims of TheDarkOverlord, as well as the information on the hacker Shafer had sent to law enforcement agencies including the FBI.

Blogging about his interactions with the FBI led to the judge presiding over his criminal trial to revoke his release and jail him for exercising his First Amendment rights. This was ultimately reversed by a federal judge who agreed Shafer was allowed to call FBI agents "stupid" and blog about his treatment by the federal agency. (He was not to reveal personal info about FBI agents, however.)

This trial has come to a swift end because the presiding judge sees zero merit in the government's case.

[T]he case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.

This case comes to an end, but it does not absolve the government of its abusive behavior. Here's what Shafer's defense team (Tor Ekeland, Fred Jennings, and Jay Cohen) had to say about their client's treatment by federal law enforcement.

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

And what can we learn from this debacle? Here's what Shafer has learned: never help anybody.

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

Thank god the FBI was there to help ensure public safety no one publicly badmouthed one of its agents. Shooting the messenger is the expected response when security breaches are discovered. If it's not those leaving personal info exposed threatening researchers with lawsuits or criminal charges, it's the government itself stepping in to "protect" entities that can't even protect the data of paying customers.

Filed Under: disclosure, fbi, hacking, justin shafer, security, security research

Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

from the who-knew? dept

So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

At the heart of a lot of this drama is crypotcurreny mining software company Coinhive, whose software is popping up in both malware-based and above board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).

The folks behind the company told Motherboard this week they were blindsided by the way their software has quickly been adopted by both non-transparent websites, and malware authors looking to make some additional money:

"We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive."

You developed a technology with the capability of covertly hijacking a user's CPU cycles to make additional money, sold it to an industry with longstanding problems with both transparency and self defeating practices during an era where everything but the kitchen sink is hackable, and you're honestly surprised it's being abused? While it's obvious the malware itself isn't Coinhive's fault, this seems like either a notable lack of foresight, or a dash of disingenuous denial.

One team member attempted to downplay the scope of the problem, hoping nobody would notice the new reports this week indicating that over 4,000 UK and U.S. websites have been compromised by malware that embeds the Coinhive software:

"'Cryptojacking’ will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites,” the Coinhive team member said. They caveated that reports of malicious Coinhive use “have slowed down tremendously, as ‘hackers’ realize there's not much to gain with our service."

Yes, not much to gain outside of, well, making money off of countless IT and server admins who don't realize this is even a threat yet in hundreds of countries around the world. It's worth noting that some in the security community have accused Coinhive of being complicit because they take a 30% cut of all of the cryptocurrency mining that occurs with their product, regardless of whether it's via malware implementations:

As such there's little motivation on their end to thwart the trend of poorly implemented or downright hostile applications of the outfit's product, and it's not quite the kind of company journalism funding revolutions should probably be built upon. One anonymous Coinhive developer half-jokingly told Motherboard the company was doing websites a service by forcing them to be more aware of sloppy code or outdated server configurations:

"Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations."

Again, poor, non-transparent implementation of Coinhive's product by legitimate websites isn't necessarily Coinhive's fault. Nor is malware authors embedding Coinhive into their own, more malicious work. But Coinhive's lack of foresight and casual response to some fairly major issues--as well as the fact it's taking a cut of malware implementations--would seemingly open the door to other, similar companies which may be eager to elbow in on Coinhive's success with a bit more foresight and a dash more professionalism.

Filed Under: abuse, coinhive, cryptocurrency, hacking, mining
Companies: coinhive

Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research

from the if-you-can't-make-it-better,-at-least-stop-making-it-worse dept

When bad things happen, bad laws are sure to follow. The state of Georgia has been through some tumultuous times, electorally-speaking. After a presidential election plagued with hacking allegations, the Georgia Secretary of State plunged ahead with allegations of his own. He accused the DHS of performing ad hoc penetration testing on his office's firewall. At no point was he informed the DHS might try to breach his system and the DHS, for its part, was less than responsive when questioned about its activities. It promised to get back to the Secretary of State but did not confirm or deny hacking attempts the state had previously opted out of.

To make matter worse, there appeared to be evidence the state's voting systems had been compromised. A misconfigured server left voter records exposed, resulting in a lawsuit against state election officials. Somehow, due to malice or stupidity, a server containing key evidence needed in the lawsuit was mysteriously wiped clean, just days after the lawsuit was filed.

Rather than double down on efforts to secure state voting systems, the state legislature has decided to expand the definition of computer crime. A CFAA but for federalists has been introduced in the state Senate. And it could possibly lead to criminalizing a whole lot of benign computer use.

A new bill winding its way through the Georgia state senate has cybersecurity experts on alert. As Senate Bill 315 is currently written, academics and independent security researchers alike could be subject to prosecution in Georgia alongside malicious hackers.

The two-page bill aims to amend legislation governing computer crimes in the Peach State to criminalize “unauthorized computer access.” It would penalize violations as a “high and aggravated misdemeanor,” with up to a $5,000 fine and year in jail, “any person who accesses a computer or computer network with knowledge that such access is without authority.”

"Unauthorized computer access" is a phrase security researchers hate to see. Much of their valuable work depends on unauthorized access. Criminals and malicious hackers aren't going to knock politely and ask for permission before helping themselves to personally-identifiable information or financial documents. Neither are researchers, who hope to beat criminals at their own game while helping affected entities patch holes and harden existing systems.

But it gets even worse. It's not just security research being criminalized. State senators appear ready to slap cuffs on Netflix users.

The bill also criminalizes terms-of-service violations, which could include infractions as minor as using a pseudonym on Facebook or sharing a password, says a Georgia government lawyer who spoke on the condition of anonymity.

I can see how someone connected to this law might want to remain anonymous. I mean, these are the non-anonymous assertions of named prosecutors who support the bill -- and I'd definitely want to distance myself from those as well.

A representative for Georgia Attorney General Chris Carr declined to comment for this story. In a statement, Carr said Georgia is “one of only three states in the nation where it is not illegal to access a computer, so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole."

The AG makes unauthorized access sound so nefarious when, in many cases, it's perfectly harmless. Password sharing gives people technically unlawful access, but letting a few extra people log into an HBO Go account shouldn't be a criminal act. Running a script to scrape publicly-available info from a website may be annoying to the site's owner (and likely forbidden by the terms of service), but it's nothing anyone should be looking at jail time for committing.

The state is still stinging from its election security failures and has decided to take it out on its citizens. It received a second pass in the state Senate before passing but the amendments made were mostly useless. It granted exemptions for parents monitoring their kids' computer use and some badly-worded stuff about "legitimate business activity," but the bill remains a second-rate CFAA just waiting to be abused by zealous prosecutors. And it's going to harm local businesses, which definitely shouldn't have to pay the price for the government's security issues.

“Companies will move divisions elsewhere, and startups will go elsewhere. Likewise, students will search for jobs elsewhere,” Georgia-based independent security researcher Rob Graham says. “It’s insane for legislators wanting to pass legislation that will mess this up.”

This is lawmaking so short-sighted it won't even solve the problem it's supposedly designed to target. The state needs to fix its own security issues before it starts criminalizing security research and password sharing. If it has problems with its election machine vendors, it should take it up with them, rather than burdening constituents with an unnecessary law that lends itself to abuse.

Filed Under: cfaa, cybersecurity, election security, georgia, hacking, password sharing, security research

Hacker Lauri Love Wins Extradition Appeal; Won't Be Shipped Off To The US

from the phew dept

We've been writing about the saga of Lauri Love for almost four years now. If you don't recall, he's the British student who was accused of hacking into various US government systems, and who has been fighting a battle against being extradited to the US for all these years. For those of you old timers, the situation was quite similar to the story of Gary McKinnon, another UK citizen accused of hacking into US government computers, and who fought extradition for years. In McKinnon's case, he lost his court appeals, but the extradition was eventually blocked by the UK's Home Secretary... Theresa May.

In the Lauri Love case, the situation went somewhat differently. A court said Love could be extradited and current Home Secretary Amber Rudd was happy to go along with it. But, somewhat surprisingly, an appeals court has overruled the lower court and said Love should not be extradited:

Lawyers for the 32-year-old, who lives in Suffolk, had argued that he should be tried for his alleged crimes in the UK and that he would be at risk of killing himself if sent to the US.

The court accepted both of the main arguments advanced by Love’s lawyers that there was no reason he could not be tried in England and that he might suffer serious damage to his health if he were extradited.

Love may now face a trial in the UK -- but that is considered a much better option than being shipped overseas. After the ruling, Love noted that this could impact future cases of individuals in similar circumstances, and the link above quotes some lawyers suggesting that it's going to be much more difficult for the US to extradite people for computer crimes going forward. Given the ridiculousness of the CFAA and the way that the US treats computer crimes, this is clearly a good thing.

Filed Under: cfaa, computer crimes, extradition, hacking, lauri love, uk, us

Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges

from the barely-post-pubescent-wrecking-crew dept

The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It's something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to "verify" the social engineer they're talking to is the person who owns accounts they're granting access to.

Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen's multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.

Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard.

This might be chalked up to Gamble's youth or his supposed residence on the autism spectrum. But that's not the limit of the chaos caused by his social engineering. He was able to gain access to the FBI's law enforcement database and DHS boss Jeh Johnson's voicemail. He apparently dumped a database of FBI 20,000 agents' personal info and accessed email accounts of deputy national security advisor Avril Haines.

But there were other acts as well, some that resulted in plenty of people fearing for their safety.

He used his access to steal and post online personal details of Officer Darren Wilson who shot and killed black teenager Michael Brown in Ferguson Missouri.

At the same time he harassed the [FBI Deputy Director Mark] Giuliano family and people associated with them and bombarded them with calls, meaning that they were forced to seek protection from the intelligence agencies and an armed guard was placed at their home.

Mr Obama's senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed.

Gamble has pled guilty to ten counts of criminal computer misuse. He has yet to be sentenced but I can't imagine it will go well for him. What Gamble did was harmful to many people's personal security and the harassment of family members of public officials crosses several lines, as does the SWATing. But he did expose plenty of weak leaks in the security protocols deployed by companies like Verizon and the US government itself. The reliance on the same security questions (names of pets, schools, maiden names, etc.) across multiple services often means accessing one will open up access to all of them. Once a primary account is compromised, it can be used to change login and security verification info for accounts reliant on it.

It also exposed how high-ranking government officials made these weak links even weaker. In CIA Director Brennan's case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents -- like keeping them in the secured systems they came from -- Gamble wouldn't have been able to view and/or distribute these to people who shouldn't be seeing them.

Governments make weird enemies. Sometimes they're teens residing in small council houses in the UK. But the enemies they make can do considerable damage armed with nothing more than a cellphone, a laptop, and an internet connection.

Filed Under: hacking, john brennan, kane gamble, social engineering

FBI Leaves It To Journalists To Notify US Government Targets Of Russian Hacking

from the all-the-small-things dept

The last year-and-a-half has provided plenty of evidence that the Russian government attempted to influence the 2016 presidential election. Unfortunately, most of the evidence confirming this has been delivered by entities outside the US government. The government has released reports but has omitted plenty of key details.

This hasn't done much for those affected by Russia's efforts. In almost every case, individuals targeted by Russian government-directed hacking entity Fancy Bear were made aware of this by journalists, not the FBI, despite the fact both had access to the same evidence.

The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin's crosshairs, The Associated Press has found.

Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.

"It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people."

The FBI refused to comment specifically on its disclosure efforts (or rather, the lack thereof). It offered no official excuse for its across-the-board lack of notification. Even the few that were notified could hardly be considered to be apprised of anything.

Rob “Butch” Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.

“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”

Despite evidence otherwise, the FBI claims it "routinely" notifies people and organizations about potential threats. The statement it issued to the AP would sound credible if it weren't immediately disproved by results of the AP investigation. This lack of target notification dovetails nicely with the government's handling of other disclosure efforts. The government says the same thing about the hardware and software vulnerabilities its intelligence agencies exploit. It claims to be very forthcoming about vulnerabilities and yet exploits it never informed affected tech companies about have been repeatedly leveraged to attack computers all over the world.

The FBI's unofficial excuse for this lack of notification is unavailing:

A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks.

“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.

This doesn't explain why the AP was able to track down affected government employees and contractors -- using less personal information than the FBI has access to -- and inform those affected by Fancy Bear hacking. The AP unquestionably has less manpower available than the nation's largest law enforcement agency. Certainly limiting its notification efforts to just this hacking effort allowed the AP to complete this task, but even in the face of multiple hacking attacks, the FBI should have been able to provide more notification. The "there's too much to deal with properly" excuse doesn't even impress former Intelligence Community members -- people who definitely know about drowning in data.

Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn’t do the same work the AP did.

“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”

Phishig attempts aren't murders, but the underlying assertion -- there's too much happening to do anything about -- is still worthless. The FBI wants to be the go-to agency for national security issues as well as a key player in the cyberwar, but seems unwilling to perform the mundane, but necessary, tasks that accompany those noble pursuits. The boring parts of the job still need to be done. If the FBI seriously wants people to get behind its counterterrorism efforts and cybersecurity work, it needs to make a better effort getting behind the people affected by those the agency is targeting.

Filed Under: fbi, hacking, journalists, russians

Virginia (Again) Dumps Electronic Voting Devices Over Concerns About Election Interference

from the deja-vu-for-President! dept

It seems Virginia can't catch a break when it comes to voting. Trusting vendors to provide secure electronic voting devices just isn't paying off. Two years ago, Virginia pulled a bunch of voting machines after it was discovered they were leaky, insecure devices masquerading as something American voters could trust.

The security wasn't just bad in the way many machines are -- frailties that can only be sussed out by security researchers and talented criminals. No, they were bad in the way your grandparents' Google Box is: "secured" with passwords like "abcde" or "admin," along with accessible DOS prompts and multiple open ports.

Time moves on but the electronic portion of Virginia's electoral system does not.

Virginia’s election supervisors on Friday directed counties to ditch touchscreen voting machines before November’s elections, saying the devices posed unacceptable digital risks.

[...]

The decision forces Virginia counties to swiftly replace any touchscreen devices with machines that produce a paper trail, ensuring the state can audit its closely watched gubernatorial race this November between Democrat Ralph Northam and Republican Ed Gillespie.

With possible interference in last year's presidential election not even in the rearview mirror yet, Virginia's government is moving up the date of its planned obsolescence. As Politico notes, there's already a law on the books in Virginia phasing out use of touchscreen voting devices by 2020. This just moves that date forward three years, just in time for this year's elections.

It's not that electronic voting devices are inherently bad. It's just that they appear to be inherently flawed. Report after report shows multiple vulnerabilities in voting machines and yet, year after year, there appears to be little forward motion on the security side. This is baffling, considering learning from mistakes is one of those things even lab rats can do -- but it often seems to be almost impossible for voting device vendors. The flaws generally aren't the result of meticulously-targeted exploits by criminals, but rather the sorts of things that shouldn't go overlooked when vetting machines for use in the public sector.

The paperless office may be on the threshold but the (secure) paperless vote is continually several years away.

Filed Under: dre, e-voting, elections, hacking, paper trail, virginia, voting machines

North Carolina Election Agencies First Learned They'd Been Hacked From Leaked Documents Published By The Intercept

from the accelerated-disclosure dept

At the time, the documents leaked by NSA contractor Reality Winner -- showing Russian interference in the recent election -- didn't seem to be of much importance. They showed something that had long been suspected, but also showed the NSA performing the sort of surveillance no one really disapproves of. The documents were in the public's interest, but weren't necessarily of the "whistleblower" variety.

That aspect of the documents hasn't changed, but public interest in the unauthorized disclosure certainly has. In a post for Emptywheel, Marcy Wheeler takes on an NPR story about actions taken by electoral agencies as a result of the leak.

The company that provided the software for the poll books is VR Systems — the company that the document Reality Winner leaked showed had been probed by Russian hackers.

[S]usan Greenhalgh, who’s part of an election security group called Verified Voting, worried that authorities underreacted. She was monitoring developments in Durham County when she saw a news report that the problem pollbooks were supplied by a Florida company named VR Systems.

“My stomach just dropped,” says Greenhalgh.

She knew that in September, the FBI had warned Florida election officials that Russians had tried to hack one of their vendor’s computers. VR Systems was rumored to be that company.

Now, there's an investigation underway in North Carolina, linked directly to the documents leaked by Reality Winner. Josh Lawson, general counsel for the state's board of elections, said it first learned about the hacking from the Intercept's article.

Which makes you wonder when the federal government was going to get around to notifying affected state agencies. When local agencies are learning about Russian hacking from leaked documents rather than straight from the source, the downward flow of pertinent information seems to be more than a little broken.

Not that this news will do Winner any good as she heads to court. As noted by Ed Snowden earlier, and reaffirmed here by Marcy Wheeler, any positive outcomes resulting from leaked documents can't be raised by the defendant.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

With the protection order, she can’t.

This is generally how things go in espionage cases. This is what Snowden detractors ignore when they argue he should just return home and face a "fair trial." There are no fair trials in espionage cases. In Winner's case, the order is so broad it forbids her legal reps from discussing any classified document or any document they believe might be classified (or derived from classified documents), even if those documents have been leaked and published by journalistic entities.

The info in the leaked documents led to an investigation. This may excuse the leak in the minds of those whose first encounter with evidence of Russian hacking came from a site known for publishing leaks, rather than the federal government performing the surveillance that uncovered it. But this is of no use to Reality Winner, or any leaker in her position. No matter how much good may result from unauthorized disclosures, the government only cares about the authorization.

Filed Under: hacking, leak, north carolina, nsa, reality winner

DEA Looking To Buy More Malware From Shady Exploit Dealers

from the ends-and-something-about-means dept

The DEA -- like other federal agencies involved in surveillance -- buys and deploys malware and exploits. However, it seems to do better than most at picking out the sketchiest malware purveyors to work with.

When Italian exploit retailer Hacking Team found itself hacked, obtained emails showed the company liked to route around export bans through middlemen to bring the latest in surveillance malware to UN-blacklisted countries with horrendous human rights records. It also, apparently, sold its wares to the DEA -- an agency in a country with only periodic episodes of horrendous human rights violations.

Maybe there's a shortage of exploit sellers, but it would be nice to see a US agency be a bit more selective about who it buys from, rather than jumping into the customer pool with Saudi Arabia, Sudan, and Egypt. But the DEA has done it again. Emails obtained via FOIA by Motherboard show the DEA attempting to get in bed with another questionable malware purveyor.

The Drug Enforcement Administration held a meeting with the US sales arm of NSO Group, a controversial malware company whose products can remotely siphon data from iPhones and other devices, according to internal DEA emails obtained by Motherboard.

The news highlights law enforcement agencies' increased interest in using hacking tools and malware, as well as NSO's efforts to enter the lucrative US market.

The problems with NSO are multitudinous. Not only have its iPhone zero-days been used to target a dissident in the United Arab Emirates, but the Mexican government apparently deployed NSO malware on several occasions, each time with highly-questionable targets.

Privacy International has uncovered NSO malware in operation in Mexico, targeting journalists, lawyers, soda tax supporters [?!]... even children. Some of the targets were investigating government corruption. Others were investigating the mass disappearance of 43 schoolchildren from Iguala, Mexico. The deployment methods were at least as troubling as the demographics of those targeted.

The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats. The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years.

This is what governments are doing with NSO's malware. Certainly NSO can't be expected to prevent end users from using its malware for evil, but it could be more selective about who it sells to. Perhaps the pitch to the DEA was viewed as a step towards legitimacy. But the DEA entertaining offers from NSO should be viewed as a step backwards for an agency that already has a few issues with its malware deployment.

Joseph Cox of Motherboard makes it clear the obtained emails don't show any purchases from NSO. But they do show the agency is interested in its wares. The lack of concerns about the source are par for the course. The DEA can't seem to find the time to deliver required Privacy Impact Assessments for its malware/exploit deployment and routinely thwarts its oversight. Buying from shady dealers is just another component of the DEA way.

Filed Under: dea, exploits, hacking, malware, vulnerabilities