"The Mask" Espionage Malware

We’ve got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs:

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the Middle East and Europe to Africa and the Americas.

The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).

"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment," said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. "This level of operational security is not normal for cyber-criminal groups."

It's been in operation, undetected, for at least seven years.

As usual, we infer the creator of the malware from the target list.

We counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they’re immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.

There are several news articles.

Posted on February 11, 2014 at 6:57 AM • 60 Comments

Comments

Woo • February 11, 2014 7:30 AM

"This level of operational security is not normal for cyber-criminal groups." - but state-run organizations are known for always working diligently and well organized, da?

Nacho • February 11, 2014 7:39 AM

France is a better bet, has bigger interests on Morocco and more resources for intelligence.

Bruce Schneier • February 11, 2014 8:04 AM

"France is a better bet, has bigger interests on Morocco and more resources for intelligence."

It's not just Morocco that points to Spain. It's the entire Spanish speaking world as a target.

But, to be sure, we're just speculating here.

Bob S. • February 11, 2014 8:05 AM

It seems a well disciplined government or governments operate "The Mask".

Every government in the world is no doubt doing its best to replicate the capabilities of the NSA to exploit data.

Should we thank NSA for making us feel so safe and secure?

One day we will awaken to find NSA means National Surveillance Agency and all references to "Security" will have vanished.

Also, a new banner on Fort Meade will appear one dark night:

"Security is Slavery"

Ian McNee • February 11, 2014 8:45 AM

Bruce: according to the distribution of compromised systems on Ars Technica I would suggest it's more likely to be the USA again. In the top ten targets are Venezuela, Iran, Libya, France & Brazil - all either likely or known US espionage targets.

Plus the UK figures tie-in with Snowden's revelations about NSA co-operation with GCHQ and the sharing of illicit data about each other's respective citizens.

Oh and the Kaspersky link is broken, should be this.

Benni • February 11, 2014 9:36 AM

@Bob: I thought since it used Angry Birds, the NSA already has got this new banner:
http://2.f.ix.de/imgs/18/1/1/6/3/2/8/7/NSA-Birds-15c9145604c406fa.jpeg

Regarding the target list: I somewhat fear that the agencies are already employing the following strategy: one malware for one language. This malware was designed to attack the Spanish world. Perhaps some of its writers are already from Spain.

But if, for example, an agency wants to make a malware for Asian computers, it is conceivable that it would hire people who speak an Asian language and know the usual computer tech that the victim in Asia has.

I therefore do not think that one can infer from the target list where the malware comes from. Thanks to companies like VUPEN, any good agency probably has dozens of malwares, with each type of malware specialised for attacks in only one specific geographical region. Careto for the Spanish world, other malwares for Russia, again other malwares for Asia, and then again different malwares for the Arab world.

Carlos Almeida • February 11, 2014 9:53 AM

Bad link on the mask hyperlink

Bad :(https://www.schneier.com/blog/archives/2014/02/www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers)


Good :(http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers)

Benni • February 11, 2014 9:55 AM

Kaspersky writes:
"The attacks rely on a combination of social engineering, for instance impersonating websites from The Guardian and Washington Post."

and it lists these domains

linkconf.net
redirserver.net
swupdt.com

with these sites:


Has anyone opened these sites? I would be interested what happens.

this is the whois entry of these domains


Stanislav Datskovskiy • February 11, 2014 10:57 AM

Author of the linked malware is clearly: U.S. Government. What a ham-handed attempt to pin the blame on a neutral country!

What kind of idiot would leave genuine human-readable variable/function name symbols in a serious Trojan?

The Spanish strings were meant to fool the rubes - and apparently it worked.

k3jnfkfjn3kjfn • February 11, 2014 11:19 AM

it's using Java zero days as seen in the kernelmode dot info samples that match kaspersky MD5. No deep analyses yet, just JRE exploits found.

Supposedly the infrastructure gives away that it's APT. With the money botnets and PPI spreading ransomware are making these days, people already operating can afford to contract out work and produce malware this grade or better with short turn-around, especially in Russia and some of Europe and China where financial malware has its own industry and the governments mostly look the other way..

Benni • February 11, 2014 12:18 PM

Out of curiosity, I clicked on some of the above links. Immediately I get the message that my antivirus software has blocked a dangerous webpage. Nice to see the software is working that good.

Daniel • February 11, 2014 1:07 PM

What worries me about these nation-state attacks is the collateral damage. It is not simply the fact that an internet user has to worry about their own country being an attack vector, they have to worry about any country being an attack vector. Does it matter to me whether it's the NSA, Google, Spain, or a cyber-crime gang that gets access to my personal data? No. My privacy has been compromised and once it is compromised there is no getting it back.

So there is a way in which drawing distinctions between terms such as "nation-state" and "cyber-crime" is misleading in a soothing way. They are all threats, regardless of label.

DB • February 11, 2014 2:34 PM

@Daniel, exactly. I think traditionally a lot of security experts have for many years been thinking essentially "well, if it's 'APT' or 'nation state' there's nothing we can do about it anyway, and that would be incredibly rare too, so just ignore that"... when it turns out APT/nation state attacks are all around us, we're virtually swimming in them everywhere, with hardware, software, and service companies all mostly complicit and/or coerced into cooperating with them... So our whole security mental picture has to be redone to take that into account, and stop ignoring it as merely theoretical.

I've always loved technology. I've always wanted to tinker with it, build it, program it, play with it, etc... But now, every single piece of complex electronic hardware I own is suspect. Not a single commercial company in existence can be trusted to have MY best interest at heart, and many are directly working AGAINST my interests. What can I do? I just don't want to buy any technology anymore. I hate it, it all sux.

I still love technology, but there has to be a revolution in how it's made for me to get back on board. From the ground up there has to be a whole new industry of products that are all built with the principles of openness and public scrutiny at their core, not secrecy and manipulating and invading/attacking everyone. This has to affect everything from individual chips, to boards, to firmwares, to the operating systems and software that runs on top of them, all of it. All of it needs to be done based on open principles to regain my trust.

3jgfkfjnk • February 11, 2014 2:58 PM

@DB: there have to be changes in CPU and RAM architecture to supplement all these MAC and allocation-integrity solutions done in software. Because profitability dictates the industry I don't see it happening any time soon..

Execute-Disable bits that you see in modern AMD and Intel architectures for MMU are a joke. Trivial ROP methods were made to bypass them within 72 hours of them being put in circulation. There has to be cryptographic methods for MMU and you have to have a chain-of-trust.

Not a chain-of-trust that attempts to hide keys either, because silicon or deep code analyses will always expose them and attackers will just fuzz the interface for overflows and glitches. Use OTP with some form of out-of-range (even in real mode) RNG table that is queried through a hardware enforced oracle that has no buffered input; it only responds to little byte instructions paired with a real address and size so it can deliver OTP keying data for things like page table encryption and write-back hashing. Maybe put write-back hashing in microcode.

susú pétalos • February 11, 2014 3:04 PM

Spain doesn't have computers, bulls ate them all! that's why we fight (bulls)
so Spain has to be innocent, plus we were sleeping siesta

these unfounded accusations are foolish!!!

DB • February 11, 2014 3:13 PM

@ 3jgfkfjnk yeah, well, I wasn't talking about a minor change. The industry is going orthogonal to what I'm talking about, where money is the only thing that matters. Therefore, if any government can freely shut off the money faucet at will, then they can freely coerce any company into going against its customer's best interests at will.

The difference is similar to closed source vs open source software, except that it needs to be with hardware too. So far as I've seen, only relatively minor pieces of hardware have been developed with open principles in mind. We need more, much much more.

And yes, cryptography should be at the core of everything too. Individual programs and even whole operating systems should be able to run in virtual machines that not only hide architectures, but also hide all details of what's going on from an executional standpoint, so that they cannot be spied upon by unwelcome outside sources like the host environment.

Rafael • February 11, 2014 3:22 PM

From the Kaspersky report, page 57:
All communication between the component and the server is encrypted using the RC4 encryption algorithm. The encryption key is read from the configuration block and equals to the string “Caguen1aMar” in all the configurations we discovered. It also loads additional libraries specified in the configuration, i.e. “mfcn30”.
The module can execute the following commands provided by the C&C server:

Whoever used 'Caguen1aMar' as an encryption key is a Spaniard. This rude expression is not used in other Spanish-speaking countries.
It is an exclamation of disgust used for instance when something bad and unexpected happens.
An American would use the expression 'F**k!' in the same situation.

Jorge • February 11, 2014 3:53 PM

To add some more info to Rafael's post. It is not only that the expression "me cago la mar" is only used in Spain. The way it is written hints more to a native Spanish speaker, because it tries to mimic how it is said in colloquial Spanish.

Shawn Smith • February 11, 2014 4:02 PM

Whoever used 'Caguen1aMar' as an encryption key is a Spaniard. This rude expression is not used in other Spanish-speaking countries.

Or by someone who wants to frame Spain and is moderately familiar with its idioms.

vas pup • February 11, 2014 4:16 PM

@Daniel. Agree. Same when you are killed by the felon or by police (in error). As victim, you don't care what the source is. You do care about outcome.

Clive Robinson • February 11, 2014 5:25 PM

@ DB,

    I've always loved technology. I've always wanted to tinker with it, build it program it, play with it, etc... But now, every single piece of complex electronic hardware I own is suspect.

Welcome to my world...

I started traveling this path back in the late 1990's having worked in and at the edges of the "suspect technology" industry since the late 1970's when I started making simple surveillance and counter surveillance equipment as the profit on the work was eye wateringly large. At one point I was earning as much for a couple of hours work as I was in two months of regular employment...

However as you travel down the dark road you start to think about what actually goes on in the gloom and the shadows. And if you are smart you can see that technology is agnostic to its use and what you design for what you once thought of as "for the good" is apt to be more used "for the bad". Thus you realise the business is very very amoral which is why the profit is there, to salve the conscience if you have one.

Eventually you realise that it's worse than just amoral it eats into your self respect, especially if you are not the sort with "a sense of entitlement" who measures success in the accumulation of power that makes others fear and loathe you.

These days I spend "my time" more wisely, and amongst other things I look into alternative technology such as how to make wood burning stoves produce not just heat for the home but gas to run generators etc. At least that technology is more honest in its uses. I also try to make information available to people, they can use it or ignore it, that is their choice if they use it I would prefer they then used it to benefit others so that hopefully we all get something back, but again that is their choice.

As was once said of "art", '... its purpose is not to make the artist great, but to put beauty in the minds of others'.

Joseph H • February 11, 2014 5:31 PM

Chaouki Bekrar, CEO & Head of Research for VUPEN (one of the entities mentioned in the full report on Mask) published a rather nasty tweet this morning directed at Kaspersky.

Marcos El Malo • February 11, 2014 5:43 PM

@Clive Robinson

"amongst other things I look into alternative technology such as how to make wood burning stoves produce not just heat for the home but gas to run generators etc."

You don't happen to blog on the topic? It's an area of interest and I've enjoyed reading your comments here.

Gonzo • February 11, 2014 8:01 PM

Am I wrong in thinking that finding things like this provide US (the security conscious community) with a side-channel that helps us figure out what things, properly implemented, are still "unbroken" -- or at least not broken badly enough that it is still cheaper/easier for nation states to go through the brain damage of endpoint compromise rather than sniffing and decrypt?

The fact this thing goes looking for SSH keys, for example, makes me feel good about my use of SSH and SSH tunnels -- again, assuming I have not made myself a target of the endpoint compromise scenario...

DB • February 11, 2014 9:28 PM

@Gonzo, if the FBI has specifically targeted activists over the years just for being activists, what makes you think they haven't targeted each and every one of us commenters here individually too just because we're concerned about security?

I used to never comment or blog or anything much, because I knew that everything I "put out there" on the internet somewhere could come back to haunt me someday... But now the state of things is so bad that I just don't give a crap anymore, I have to speak out against it, or I'll go insane.

Ginjas • February 11, 2014 9:40 PM

Just one note... totally speculative, but still somehow worth considering.

Those domains have in common being registered through GANDI.net registrar, right? Just check Gandi's about page..

GANDI SAS was founded in 1999 by three individuals who were highly regarded in the French internet world (Pierre Beyssac, Laurent Chemla, Valentin Lacambre). In 2005, it was bought by an experienced European management team within the same field, in order to create an alternative and independent line of Internet services based around domain names. Gandi has offices in Paris (France), Baltimore (USA) and Vancouver (Canada).

experienced European management team? right..
offices in .. imagine.. Baltimore.

coincidences. there are none.

Figureitout • February 12, 2014 12:50 AM

Welcome to my world...
Clive Robinson
--Yeah but do you see really a lot of progress in renewable energy? Seems to me like basic physics won't allow for such a miracle...

I know you've talked about it before, I remember. But since so much effort is expended first on spying on each other, next on defending against said spying, and all the other worthless distractions. I'm not predicting many advances in renewable clean energy...but if someone or a group finds a "new" source of renewable energy I think they become the smartest people on the planet...

Clive Robinson • February 12, 2014 4:03 AM

@ Marcos El Malo,

Quick answer is no, when this thread's been quiet for a few days I'll explain

@ Figureitout,

If we don't make renewable energy work then mankind does not have a future. And no I'm talking hard science not political nonsense when I say/use "renewable".

The simple fact is all our energy has come either from our sun or past super novas. From earths point of view the sun is renewable energy nuclear fuels not. But it's not just energy sources that are the problem, the ultimate form of pollution is heat and there is only so much of it the earth can radiate back into space at any one time.

But we have to be careful our climate is a large heat engine which amongst other things turns undrinkable sea water into rain which gives us water we and our food sources can drink, vast distances inland from the sea. Disturbing that cycle will kill us off quicker than any technology we could build to replace it (we know what will happen from areas of Africa and South America where weather patterns do not carry water inland, likewise other areas where too much is carried inland).

Underlying the issue of life on this planet is "storage", both water and energy need to be available in a usable form when required and in the right place otherwise life stops.

With energy we need it not just when the sun is shining or the wind blowing. It's fairly easy to calculate that there is not enough of the metals required to make "batteries" to do the job. Which is why "electric cars" that use the battery technology we have today are a dead end side show.
Likewise the current fuel cell designs have the same metal issues. The best alternatives we have, are what we currently have which is chemical fuels. But we don't currently know how to make them efficient or safe, in production or use.

Currently nature has us beat hands down on the storage issue both short term and long term (fats and carbs through fossil fuels). There is nothing inherently wrong with using chemical bonds to store energy it's just that we do it so badly and inefficiently currently and in a way that creates the worst types of pollution due to "quick and dirty" thinking and the optimistic view "it's the next generation's problem", when it should have been our grandparents' problem.

Secondly one of the biggest efficiency problems we currently have which is seldom if ever talked about politically is power distribution we currently lose up to half the energy we generate. And a big chunk of that problem is "big power" lobbying to keep it that way.

Yes mankind can live comfortably within the earth's re-newable "sunlight in heat out" budget provided we can efficiently generate, transport, store and utilise the energy. The problem is we have exponentially increasing demands for energy but not so solutions to efficiency. We have to balance the energy budget and live within our means both short and long term or otherwise we die out as a species....

3jgfkfjnk • February 12, 2014 10:24 AM

@DB: Regarding your last comment: Good luck fighting economics and psychology.. Profit margins are what drive innovations. Engineers, chemists, and physicists don't work for free, or cheap, nor do marketing firms..

It sounds like you're expecting some socialist movement in the computing industry which is never going to happen. Humans pursue self-interest by nature and that doesn't involve high risk investments and low profit margins to do things the logical or "fair" way..

Be thankful we got some shotty page guarding technologies about a decade ago.. I'm pretty sure designers even factored economics and profitability into that which is why trivial user-land techniques are able to defeat it..

DB • February 12, 2014 11:43 AM

@3jgfkfjnk and yet... somehow... there's quite a large and healthy open source software movement... where did it come from? how does it exist at all in a world where only profit margins matter?

3jgfkfjnk • February 12, 2014 12:58 PM

@DB: Oh you mean the one where they charge for support and have donations but everyone still has full time jobs for sustainability, including the founders? Yeah.. what about that?

This blog can always be relied upon for its high frequency of illogical arguments. Let's just forge idealistic fictional-realities to base our arguments on in an effort to seem enlightened or knowledgeable when someone brings up reality which contradicts our flawed grandstand statements..

Anura • February 12, 2014 5:35 PM

@DB

I think if we are going to see commercial open-source hardware become a big thing, big organizations need to be the ones to push for adoption. Universities are the most likely to make the push, but the problem is that unlike software, hardware is susceptible to economies of scale, and it may be too costly for a university.

The best entity to push for open hardware would be government. From desktops to laptops, to networking equipment, to servers, to cell phones. If the government made the push for 100% open hardware, firmware, software, etc. you would see some real improvement in the area. Sadly, I don't think it will happen. Maybe I'll run for President.

DB • February 12, 2014 7:26 PM

@Anura the thing is, ALL proprietary closed source hardware is always insecure by its very nature. There is no way for it to ever become secure either, because it's not made to benefit you, the user of the product, it's made only to benefit the company, to make profit. With profit being the only motivator to make it at all, any and all governments can and will weasel their way into making companies put in special backdoors too, by threatening profits (or in our case, even prison time) if they don't. There's no way around this, except... open source it. I'm not saying everything in the world should be open source, I'm saying there should be open source options available for every kind of thing, so that anyone who cares in the least bit about security at least has a chance at achieving it...

And since all governments generally just want more and more control, we can't look for governments to do things that counter their control mechanisms either. Or if they do, it's likely to be only rarely, as a freak anomaly from the general trend. It has to mainly come from somewhere else. Academic and hobbyist circles are possibilities. That's where open source software came from for the most part. Don't underestimate the power of angry citizenry fed up with the state of things going off and doing something crazy like open source to fix the problem either.

TenThousandDeathsAndStillDying • February 12, 2014 9:30 PM

Nation-state my ***.

It's just like 'Stux' & co: not one single shred of actual evidence in any direction, only the most banal assumptions biased in whatever direction found most pleasing.

"Technologically superior" or "extremely advanced" or "requiring multiple hard to get resources" or "multiple zero-days" or "whatever"?

Those things only mean it was done by someone more knowledgeable and smarter than 99.999% of the people offering their opinions as facts.

And no: public "admissions of guilt" —contrived or not— is not in itself valid proof, false confessions happen for all kinds of reasons and are far from rare.

So sick and tired of all the stupidity people willingly flaunt and brag about because they do not understand anything at all :(

Stop assuming! As the first step realize I'm not saying it couldn't be a nation-state, I'm only saying there is zero actual proof of any kind both in this and the previous examples.

The speed at which some moronic or simplistically infantile "journalistic" sentiments are picked up by both the general public and further along so-called "experts" and turned into undeniable "facts" is frightening.

Figureitout • February 12, 2014 10:05 PM

TenThousandDeathsAndStillDying
--You just did the exact same thing in your previous post, what proof do you have that SWAP stands for SoftWare Access Persistent? Then saying Those things only mean...; that's your opinion. If you want to get philosophical, all evidence can be fabricated, any security person could probably see that.

Buck • February 12, 2014 11:27 PM

@Anura

The best entity to push for open hardware would be government.

Wrong, wrong, and... just even more wrong!

If these "leaks" have taught us anything at all, it is certainly that the best entities for such a push are primarily private citizens...

Bryan • February 13, 2014 2:47 AM

reading all of this... and many of recent blog posts... I'm starting to freak out. Is it possible that every windows pc has a built in key-logger that sends out everything that's written on the keyboard? I've written so many private messages to my lawyer, girlfriend, doctor using my computer... should we just all assume we have compromised systems?? what is there to left to do?

yesme • February 13, 2014 3:31 AM

@Bryan,

Is it possible that every windows pc has a built in key-logger that sends out everything that's written on the keyboard?
Yes.

should we just all assume we have compromised systems?
Yes.

what is there to left to do?
Some Russian government organisations are going back to typewriters. Serious.

The NSA isn't building these huge buildings for nothing. They use it to store massive amounts of data.

Of course, one thing they are absolutely afraid about is being detected, so they won't intercept things that could be detected. But other than that, they are probably intercepting everything that is allowed within the law.

But AFAIK they are mostly interested in metadata. That allows them to follow the paths people walk. Except when they tap political / influential people like Merkel. Then it's probably just about money or extortion.

SchneieronSecurityFan • February 13, 2014 5:11 AM

A majority of the attacked IP addresses are in Brazil and Morocco.

It might have something to do with Repsol, the Spanish energy company.

Certainly, energy companies in these countries whether the countries are energy sources or have companies and operations in extraction, refining & retail.

I have heard the particular Spanish expression mentioned above uttered by non-Spaniards.

The list of countries reminds me of the film, 3 Days of the Condor.

Anura • February 13, 2014 11:32 AM

@Buck

Private citizens won't make open hardware widespread because the people who care enough are such a small subset of the population and the initial cost is too expensive, especially if you start talking about processors that can come close to matching the performance of modern intel or AMD processors; if the NSA leaks have taught us anything it is that private citizens don't really pay much attention to security. Remember that there are more governments than just the US government (and we also have state and local governments), and only a handful have to start pushing for open hardware.

@DB, Buck

If you live in a democracy, your government doesn't trust the people, and the people don't trust your government, then your problems are a lot bigger than hardware. In this case, I think your top priority shouldn't be open hardware, but working to replace existing officials with those who trust the people, and who we can trust as well.

@Anura • February 13, 2014 12:27 PM

@Anura

In this case, I think your top priority shouldn't be open hardware, but working to replace existing officials with those who trust the people, and who we can trust as well.

Yeah, that's pretty much what I was hinting at... The 'government' actually has no power of its own, but instead takes advantage of the collective power of all participating citizens.

DB • February 13, 2014 2:47 PM

Democracies are not based on trust, they are based on distrust. If they were based on trust, they'd simply be one-time-elected dictatorships instead. The reason why our government has "checks and balances" is because we cannot trust one branch to always do the right thing, so we try to have opposing branches to (hopefully) rein it in when that happens. The whole reason why the 2nd amendment was written (the right to bear arms) was originally supposed to be so that the people could overthrow a corrupt government at any time by force, as yet another check/balance (not that this can happen in our modern world, the horse has left that barn long ago, and this amendment is mostly useless now).

And now in the past few months, we've come to realize that the 1st amendment (freedom of association), and the 4th amendment (the ability to keep our private lives private, unless there's specific and particular suspicion) are also both mostly useless now too. We are all completely and totally under a great and invasive microscope every second of every day with mass surveillance, and we have no freedom to associate or freedom from government interference with the minutiae of our daily lives.

The list could go on and on... With our government tossing out all the fundamental principles of our country, ones that are supposed to guarantee liberty and justice, how could anyone POSSIBLY throw around a word like TRUST?? It makes no sense at all.

Ok, let's talk about it from a technical perspective: Security is also based on distrust too, not trust. You don't just say "well, I trust this friend of mine, so I'm going to give him everything... all my passwords, all my bank access details, the keys to my house, car, the ability to impersonate me at will, etc, etc"... really? Who does that? Nobody. Because you should only trust the minimal amount you NEED to, to achieve a specific goal. Why trust the minimal amount instead of the maximum amount? Because the default level of trust in every case must be none, zero, zippo, total and complete distrust. Then you add minimal little bits of trust on top of that only when absolutely necessary. This is why "whitelisting" is better than "blacklisting" etc...

So let's please get rid of the whole idea that "we need to trust more"... no we don't. We need to get realistic here. Distrust is not the problem, it's the solution. Then on top of that you can build little bits of trust only as needed, and as they're earned.

Anura • February 13, 2014 8:40 PM

@DB

The entire basis of democracy is not that you can't trust the officials to rule, it's that you can trust the people to rule. The entire basis of electing representatives is that you can trust them to represent your interests. If you don't trust the officials, you don't choose representative democracy, you choose direct democracy. If you can't trust the people, then you go with monarchies or oligarchies. If you can't trust anyone, you might as well go full anarchy.

The basis of checks and balances is not about distrust of the government, it's about not trusting that the majority will always consider whether they are stomping on the minorities to get what they want. Even if you have direct democracy, you need checks to prevent the majority from steamrolling over the rights of minorities.

vas pup • February 14, 2014 8:45 AM

@Anura:
"The basis of checks and balances is not about distrust of the government, it's about not trusting that the majority will always consider whether they are stomping on the minorities to get what they want. Even if you have direct democracy, you need checks to prevent the majority from steamrolling over the rights of minorities". But you should not go to the other extreme when any type of minority attempts to force their views, ideals, modus of living on majority, in particular when majority is there for centuries and minority just arrived. You can't make somebody happy by force. I guess you agree that there is no place for love after rape (in broad sense of words).

DB • February 14, 2014 1:19 PM

@ Anura if you read my post again carefully, I didn't say "never trust anything ever" anarchy-style, I said "the default baseline basis of everything should be distrust, you should distrust everything by default, then you add the minimum amount of trust you need to have a functioning life and society"

I'm totally sick and tired of hearing pathological liars in office complaining that someone or another is a "traitor" for revealing what liars they are, and bemoaning "we need to get back to trust, just trust us already"... NO! That is wrong-headed. You lie, you personally should get NO TRUST WHATSOEVER FOREVERMORE PERIOD. And all those who defend your lies as great truths are personally tainted and should not be trusted either. Unfortunately, this is some 40% of the population right now, because we're all so scared of "terrorism" that we're willing to give up our principles, when even dying from slipping in the bathtub is so much more likely... Remember the Japanese internment camps? I predict they are coming again at this rate, only it won't be the Japanese, it will be some other innocent people.

Benni • February 15, 2014 5:42 PM

@Ginjas
Actually I find the description of Gandi more interesting:

"We are different from other companies in this market in that we set respect for customer rights as our first priority. We are committed to protecting customer privacy under applicable law, and to respecting due process. We offer an alternative approach to that of our competitors, spending no money on advertising, and instead supporting the community"
That they say they will protect the data of their customers very carefully makes them, of course, an interesting host for all sorts of criminals. The fact that they do not live from ads raises the question whether they live from secret government funding.

Que_careto_tienes_tio • February 15, 2014 6:56 PM

Stuxnet, ..., but that they still think they’re immune from discovery. So USA, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Europe. Can you believe this guy Schneier, who allows himself the arrogant luxury of making threats? Greetings from Spain, careto, and what a careto you have, you shameless so-and-so.

Stan Datsko • February 15, 2014 7:33 PM

Replying to Stanislav Datskovskiy once again:

Source:
http://www.securelist.com/en/blog/208193767/

Watch this and learn:


In addition, the authors forgot to remove debugging information from some of the Gauss samples, which contain the paths where the project resides. The paths are:
Variant | Path to project files
August 2011 | d:\projects\gauss
October 2011 | d:\projects\gauss_for_macis_2
Dec 2011-Jan 2012 | c:\documents and settings\flamer\desktop\gauss_white_1
One immediately notices “projects\gauss”
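Build paths like the ones quoted above usually survive in a Windows executable through the CodeView debug record the linker embeds. As an added example (not from the comment or from the Kaspersky write-up, and assuming the paths were stored that way), this Python sketch scans a file image for those records and recovers the PDB path and project directory; the sample bytes and the `.pdb` file name are constructed.

```python
import ntpath
import struct

# CodeView debug records left in a PE file when debug info is not stripped.
# Both layouts end with a NUL-terminated PDB path:
#   RSDS: signature(4) + GUID(16) + age(4) + path
#   NB10: signature(4) + offset(4) + timestamp(4) + age(4) + path
HEADER_SIZES = {b"RSDS": 24, b"NB10": 16}
MAX_PATH_LEN = 260


def find_pdb_paths(data: bytes) -> list[dict]:
    """Return every plausible CodeView PDB path found in a raw file image."""
    hits = []
    for sig, header_size in HEADER_SIZES.items():
        pos = data.find(sig)
        while pos != -1:
            start = pos + header_size
            end = data.find(b"\x00", start, start + MAX_PATH_LEN + 1)
            raw = data[start:end] if end != -1 else b""
            # Reject coincidental signature matches: the path must be
            # printable ASCII and name a .pdb file.
            printable = all(0x20 <= b < 0x7F for b in raw)
            if raw and printable and raw.lower().endswith(b".pdb"):
                path = raw.decode("ascii")
                # The age field is the last 4 header bytes in both layouts.
                (age,) = struct.unpack_from("<I", data, start - 4)
                hits.append({
                    "offset": pos,
                    "format": sig.decode(),
                    "age": age,
                    "pdb_path": path,
                    "project_dir": ntpath.dirname(path),
                })
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_constructed_sample() -> bytes:
    """Constructed input, not a real sample: a decoy plus one RSDS record."""
    record = b"RSDS" + bytes(range(16)) + struct.pack("<I", 2)
    record += b"d:\\projects\\gauss\\constructed_example.pdb\x00"
    decoy = b"RSDS" + b"\xff" * 40  # signature bytes with no valid path
    return b"MZ" + b"\x00" * 62 + decoy + b"\x00" * 8 + record + b"\x00" * 16


if __name__ == "__main__":
    for hit in find_pdb_paths(build_constructed_sample()):
        print(hit)
```

The same scan run over a build pipeline's own release binaries shows whether developer user names or project directories are leaking before anything ships.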

Nick P • February 15, 2014 10:37 PM

@ Stan Datsko

I also noticed "c:\documents and settings\flamer..."

Gauss was said to be in Flame family. Flame, 'flamer'... coincidence? Doubtful in this case.

Buck • February 16, 2014 12:58 AM

Replying to Stan Datsko who said:

Replying to Stanislav Datskovskiy who said:
"What kind of idiot would leave genuine human-readable variable/function name symbols in a serious Trojan?"
You mean, maybe, the same kind of 'professionals' that are: "Fluently speaking foreign languages (for disguising origin)"..?
Reference: https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_399.html#c2237197
Also see: https://www.schneier.com/blog/archives/2014/01/friday_squid_bl_410.html#c4375703

Stan Datsko • February 16, 2014 8:29 AM

Replying to Buck:

Theory of speaking foreign languages for disguising the origin of the malware is just that: a theory. Means that could be perfectly right (or absolutely wrong).

In addition, thinking that only countries like USA, Israel can build complex spying malware, (Stuxnet, ...), is not only arrogant but far from reality. Russia, China, and Europe (among others) could write complex malwares.

Nowadays nobody (but its creators of course) can say where this malware was written. We have only speculations.

But real stuff is this one:

1. "Careto" is a Spanish slang word (from Spain) which literally means "rare face", "strange face", "ugly face". (That slang word is not used by American English-speaking people who also speak Spanish, nor by American native Spanish speakers all around Middle America and South America.)

2. A key which the malware uses for RC4 encryption is "Caguen1aMar", which is a contraction of another Spanish (only from Spain) expression used to swear: "Caguen la mar" or, more extended, "Me cago en la mar", which means something like: "fuck, fuck it, fuck".

3. Most countries being infected by this malware are main countries in Spain's external politics like: Brazil, Morocco, USA, France, UK, ..., and Gibraltar (the disputed, Spain-UK tiny region).

Summarizing:

Nobody can say where this malware was written. We have only speculations. And the theory of speaking foreign languages for disguising the origin of the malware is just another speculation.

Cheers.

Denis Petrovim • February 16, 2014 9:19 AM

Reply to Mr Bruce Schneier saying: "So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco."

Please, do not be *so arrogant Mr Bruce Schneier* ! Careto not only spies on Morocco but on many other countries as well like yours: USA.

So speculating Spain is the origin of this malware, Spain is not only spying on Morocco, but on USA as well, your dearest country Mr Bruce Schneier.

Regards.
