The DEA Is Buying Cyberweapons from Hacking Team

The US Drug Enforcement Agency has purchased zero-day exploits from the cyberweapons arms manufacturer Hacking Team.

BoingBoing post.

Posted on April 20, 2017 at 2:21 PM • 27 Comments

Comments

My Info • April 20, 2017 3:29 PM

Nice. DEA is high on drugs, as usual.

Federal funds for armed enemy combatants.

Meanwhile the bank got hacked.

https://www.capitalone.com/bank/?bc=yes

Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false
Certificate chain:

Patriot COMSEC • April 20, 2017 8:30 PM

If you work for the DEA or FBI, etc., tell the hackers from whom you buy products to pretty please not document the transaction with your true name. Tell the hackers to think about security.

You would think that people in that line of work would be more aware of the potential of being a victim of some information op. Due to some quirk in human psychology, just the opposite is true. But it might be the money. Once the money is in your hand, most people think that the important part is over.

So if you are a hacker in the middle of a busy day trying to keep all those invoices from the DEA, JSOC, FBI, etc., straight, then take a moment and give each one a cover name for documentation. Memorize the list OR put it on a hidden encrypted volume inside another encrypted volume on a USB stick that only touches your air-gapped system. Tell your boss, the only other person who needs to know.

I'll even make it easy for you:

DEA SMOKEY
FBI UN-SCHMENDRICK
CIA PHILANTHROPIC
Wikileaks SHOWBOAT
NSA GREGARIOUS
JSOC KINDNESS
North Korea PIMPMOBILE
Republican Party HAIRSPRAY
Democratic Party LOW-FAT

65535 • April 20, 2017 11:34 PM

I agree with Bruce and others, that “National Security” style of zero days, viruses, root kits and other NIT weapons are trickling down to law enforcement – for a giant fishing expedition.

Once the DEA has these “National Security” spy tools they will be passed to local law enforcement [legally or illegally]… then down to Private Investigators and criminals.

Parallel Construction and lies will be used by law enforcement to essentially circumvent the US Constitution [I wonder when a lawyer or politician will be burned by the DEA - and what will happen].

The DEA and related Controlled Substance Act was originally for truly dangerous drugs such as LSD, Heroin [diacetyl-morphine], and psychedelic amphetamine style of drugs in a pure form and in high dosages [DEA Schedules 1 to 6 where schedule 1 is scientific uses only and 2-6 is for doctors to prescribe].

It’s said that heroin addicts use 500 milligrams to 3000 milligrams per day [the usual dosage of morphine is about 15 milligrams injected – heroin is 1.5 or 2.0 times as powerful so the European dose would be about 8 to 10 milligrams per dose – and is a legitimate drug in parts of Europe – unlike the USA with stricter drug laws].

Clearly, pure heroin used at a high dosage is dangerous to the public along with other pure drugs or street drugs… and possibly a good reason for the DEA to exist – depending on your point of view.

This DEA has now stooped down to round up doctors accused of being so-called “pill mills” and skewed the US schedule of controlled substances to higher and more illegal status year after year.

This clever escalation of medicines into higher controlled categories causes problems for doctors. It has even been suggested that the so-called “pill death” rate reported in the news has doubled or tripled due to including heroin and pills together to produce exaggerated pill death rates [and other statistical tricks]. You can just google, “DEA rounding up doctors” to see the huge list.

From what I have read in various left of center articles, the latest DEA trick was to move a well known pain medication [hydrocodone] from the Schedule 3 list where it has been for 50 years to the highest category of prescription drugs or the Schedule 2 list [which is used for morphine, heroin, and fentanyl – which is about 100 times more powerful than morphine, and other very powerful substances in that category].

This clever trick by the DEA and its tentacles has caused a lot of doctors to get in trouble for prescribing a 50 year old drug now moved into a category of much more powerful drugs. So, doctors are now afraid to prescribe said drug to patients who used to use it and even to prescribe to other doctors in pain [the DEA will be surely spying on them].

For the actual DEA Schedule see:
https://en.wikipedia.org/wiki/Controlled_Substances_Act

Now, there is a problem of giving patients placebos such as aspirin type drugs – and telling the patients they are genuine pain killers. Next, is the growing problem of the "Assisted Death" treatment or Kevorkian School of medicine. All of which causes huge problems… including additional lawsuits and arrests for “assisted death,” lying to patients about placebos, and under-treatment of pain in critical cases.

The use of “National Security” type of zero-day exploits and root-kit/viruses is going to greatly increase the above problems. I say the DEA should not be allowed to use such weapons unless strict oversight is used – which it is not. This must change!

Drone • April 21, 2017 12:05 AM

Hah! I wonder how many 0-days are intentional implants by over-worked and under-paid H-1B Visa holders so they can be sold to our Government later-on for wheelbarrows full of taxpayer money by "Cyberweapons" companies owned by H-1B Visa violators.

NewSixtyfive • April 21, 2017 12:14 AM

I agree with Bruce and others.

These dangerous styles of zero days, viruses, root kits and other NIT weapons are flowing down to law enforcement for a giant fishing expedition.

Rufo Guerreschi • April 21, 2017 1:30 AM

I do not understand why this would be news, or bad news.
Why is buying zero days on the market worse than other ways the US gov maintains access for cyber-investigation zero days by breaking all tech and standards at birth?
The problem is really that they should do a radically better job at:
- securing use and spread of such tools
- promoting guarantees against remote subversion to those high assurance IT services providing in-person lawful access to their techs (as we are proposing at the Trustless Computing Consortium)

Clive Robinson • April 21, 2017 2:12 AM

@ Patriot COMSEC,

> So if you are a hacker in the middle of a busy day trying to keep all those invoices from the DEA, JSOC, FBI, etc., straight, then take a moment and give each one a cover name for documentation.

So you want hacker businesses to commit the crime of False Accounting?

Thus based on your reasoning that it is idiotic not to hide the organisation identity, it would be the Government Agencies not setting up a cover that would be the idiots?

Clive Robinson • April 21, 2017 2:32 AM

@ Rufo Guerreschi,

> Why is buying zero days on the market worse than other ways the US gov maintains access for cyber-investigation zero days by breaking all tech and standards at birth?

There is a long list of reasons, not least is that their use makes any evidence collected "fruit of the poison vine". As we have seen the Federal Authorities back down when a defendant's legal team pushes for a proper evidence chain.

> The problem is really that they should do a radically better job at: - securing use and spread of such tools...

They don't develop the tools, they purchase them, often from entities abroad. Thus they can not secure the use of such tools, nor can they stop them spreading.

Contrary to your self interested "business opinion" the only solution to the creation and dissemination of hacking tools is to improve the security of the computers, but then that would stop the "data rape" that such organisations want to commit.

ATN • April 21, 2017 3:18 AM

> the only solution to the creation and dissemination of hacking tools is to improve the security of the computers

And I do not believe that the real developer who has found a 0 day (who obviously speaks assembler every day) will sell that zero day before patching/protecting his own computer... But the protection is not for sale, or at least not for cheap.

I am not sure the "US Drug Enforcement Agency" is paying even a penny to protect its own computers, so that drugs mafias would not be in total control of what that agency stores on their own computers.

r • April 21, 2017 5:57 AM

@ATN,

The revelation of exterior sourced weapons in this case may indicate their lack (uniform[ed]) of trustworthiness.

Unlike the FBI CIA NSA they don't have their own NITs. ;-)

r • April 21, 2017 6:04 AM

I suppose it could also be that that's the biggest gun they need (something simple and readily deployed), or that their 'managers' aren't specifically interested in results.

How do the cartels operate?

Who helps them with their private pirate and other adhoc/proprietary radio issues?

Clive Robinson • April 21, 2017 7:31 AM

@ r,

> Who helps them with their private pirate and other adhoc/proprietary radio issues?

As far as FM Broadcast, the last time I checked, they were buying equipment from an Israeli company that had stolen the designs of a British company.

As for two-way HF and VHF/UHF walkie talkies they buy through various South American distributors via front companies and the like. Contrary to what you might think buying commercial equipment first/second hand is very easy and very cheap.

Have a search for the G7 licence exempt equipment you can buy pairs of them for 50USD, a few minutes work to make three solder bridges on the PCB and a minute or two to remove the internal antenna and replace it with a BNC connector and a couple more to bring out power wires to a connector and put it all back together about another three or four. Say half an hour for a pair. You end up with a pair of UHF walkie-talkies with a 3 watt output, with an amateur 5/8ths whip you are looking for a twenty mile coverage area. Use it with a twenty element yagi array from a mountain or other vantage point then you could get two-three hundred KM range.

In the UK with similar kit I've worked from Epsom Downs Race Course just outside South West London all the way to the Isle of Wight and to sailing craft in the English channel (over 100 miles). People in hot air balloons and glider (sail plane) aircraft have been heard half the length of the country (two hundred miles).

On similar frequencies but a lot less power people have worked the International Space Station and various Ham / Amateur Satellites out to 600-700Km.

If you want to "Get Cute" you can set up "passive repeaters" to work over mountains. What you do is put up a pole with two high gain yagi or "backfire" arrays wired back-back via a very short piece of high quality RF coax...

For those in Europe that are looking to do something on the cheap have a look at,

https://uk.passion-radio.com/

To see 0.5-30 MHz 20 W HF transceiver or several dirt cheap wide band VHF UHF or both walkie-talkies for "beer money".

Moderator • April 21, 2017 8:51 AM

@65535, you ran afoul of a filter meant to block pharmacy spammers. I've just approved your first instance of the comment that triggered it.

Clive Robinson • April 21, 2017 9:07 AM

@65535,

> you ran afoul of a filter meant to block pharmacy spammers.

Have you been trying to flog 'Daddies little helpers' ;-)

David McClain • April 21, 2017 11:37 AM

> you ran afoul of a filter meant to block pharmacy spammers.

Oh, that's funny! I remember years ago being blocked at work (a major defense contractor) for attempting to look up the "Byte Sex" of a Sun workstation...

- DM

Lucy in the Sky with Diamonds • April 21, 2017 12:27 PM

@65535

Good post generally, except for this:

"The DEA and related Controlled Substance Act was originally for truly dangerous drugs such as LSD..."

False. Not a dangerous drug. In fact, a lot of fun and useful for many therapeutic applications and general mind-expanding experiences. In that same category (useful & fun) you can add: MDMA, psilocybin mushrooms, mescaline, DMT, cannabis and a lot of other entheogens.

If you do your research, you will find all of these have applications for disorders/ailments like OCD, PTSD, alcoholism, depression, cluster headaches, anxiety disorders and various physical ailments (cannabis particularly). Deaths from all of the above combined are minimal, and zero with regard to cannabis.

So, the DEA is the "fun police" and most of these substances should not be regulated at all. But, since they pose a threat to corporate interests, we have the ludicrous "Controlled Substances Act".

"Truly dangerous" is the amphetamine and opioid classes (although even they have their valid uses in various cases), alcohol, tobacco, and legal pharmaceuticals like fentanyl (which kill FAR more people than street drugs - check any recent references). Also, they are as addictive as hell.

Virtually nobody ever got 'hooked' on LSD or other psychedelics - tolerance increases rapidly, and the death numbers are minuscule. A few who 'tripped the light fantastic' didn't fully come back, true, but maybe they shouldn't have eaten a sheet of tabs in the first place.

The DEA is fighting the wrong war, and is on the wrong side of history. But Americans never let facts get in the way of hyperbole.

BTW the reason they are pushing drugs into higher classifications is they are going to be severely budget constrained when cannabis is legal in most states. The DEA's raison d'etre is pot busts when looking at the totality of their activity.

Clive Robinson • April 21, 2017 3:36 PM

@ Lucy in derrrr..., 65535,

> So, the DEA is the "fun police" and most of these substances should not be regulated at all. But, since they pose a threat to corporate interests, we have the ludicrous "Controlled Substances Act".

Yes and no, the DEA exists for political reasons as history shows, go back to Hogarth's time and gin ally, and likewise "The protestant work ethic".

Those in charge are "the idle rich" living off "the common man", or as we would call them today "rent seekers".

The big advantage of drugs is that by making them illegal you raise the profit by the simple process of supply and demand, this allows the tax to be raised on the so called "legal drugs" which in the main are actually way more harmful as you note. This allows for the employment of more "guard labour" as well as creating beneficial economic churn (who do you think kept the banks liquid during financial crisis one?).

A well known economist made the mistake of putting his head above the parapet by observing that there were only two economically sound solutions to "the cost" of drugs. The so called "Indian or Chinese" solutions. The first is you accept that a certain percentage of the population become a loss to society and you drop them from any societal benefit. The latter is to take anyone caught using, in possession or growing/manufacturing drugs into the town square force them to their knees then shoot them down the spine, burn the body dispose of the ashes with garbage or in the river and bill the persons family for the bullet and refuse disposal.

The hidden drug problem is the legal drugs when you look at the cost to society of just smokers they outweigh any tax gathered by an order or two in magnitude. People have been moaning about Obama Care and the mental disorders premium, but few have mentioned the smoking gun of the smoking/alcohol premiums that dwarf any spending on mental health care.

r • April 21, 2017 9:13 PM

@65535,

Re assisted suicide,

Just give them a permanently mind alerting drug and take them as zombies.

Sign here.

If they can't see the subtext an "interpreter" will be provided for them.

vas pup • April 22, 2017 1:49 PM

@all:
Recently in the UK more than one clinical study was conducted on using psychedelic drugs under medical control for treatment of mental health problems, severe depression in particular. Those drugs are not evil, but rather their uncontrolled usage is, so a blanket ban without taking into consideration evidence-based results on effectiveness is just counterproductive.

My Info • April 24, 2017 3:49 PM

@Drone @@ Hah! I wonder how many 0-days are intentional implants by over-worked and under-paid H-1B Visa holders so they can be sold to our Government later-on for wheelbarrows full of taxpayer money by "Cyberweapons" companies owned by H-1B Visa violators. @@

A lot of them. That is totally the name of the game. We scarcely dare speak of it in our own land, for fear of being put on the Indian H1-B mafia hit-list. I'm not a-kidding, either.

My Info • April 24, 2017 3:53 PM

As to my previous comment as well, I am appalled that U. S. law enforcement monies are being diverted to La Cosa Nostra. How much are we "paying" that Italian "Hacking Group" for vulnerabilities? I don't believe it.

We need to go back to Article I, Section 9 of our Constitution for that.

No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law; and a regular Statement and Account of the Receipts and Expenditures of all public Money shall be published from time to time.
