As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I'm not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It's interesting to see how primitive the keyword targeting is, and how broadly it collects e-mails.
The second really important point is that Edward Snowden's name is mentioned nowhere in the stories. Given how scrupulous the Intercept is about identifying him as the source of his NSA documents, I have to conclude that this is from another leaker. For a while, I have believed that there are at least three leakers inside the Five Eyes intelligence community, plus another CIA leaker. What I have called Leaker #2 has previously revealed XKEYSCORE rules. Whether this new disclosure is from Leaker #2 or a new Leaker #5, I have no idea. I hope someone is keeping a list.
The Brennan Center has a long report on what's wrong with the FISA Court and how to fix it.
At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal "adversarial" process.... But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings that take place when the government seeks a search warrant in a criminal investigation. Moreover, the rules governing who could be targeted for "foreign intelligence" purposes were narrow enough to mitigate concerns that the FISA Court process might be used to suppress political dissent in the U.S. -- or to avoid the stricter standards that apply in domestic criminal cases.
In the years since then, however, changes in technology and the law have altered the constitutional calculus. Technological advances have revolutionized communications. People are communicating at a scale unimaginable just a few years ago. International phone calls, once difficult and expensive, are now as simple as flipping a light switch, and the Internet provides countless additional means of international communication. Globalization makes such exchanges as necessary as they are easy. As a result of these changes, the amount of information about Americans that the NSA intercepts, even when targeting foreigners overseas, has exploded.
Instead of increasing safeguards for Americans' privacy as technology advances, the law has evolved in the opposite direction since 9/11.... While surveillance involving Americans previously required individualized court orders, it now happens through massive collection programs...involving no case-by-case judicial review. The pool of permissible targets is no longer limited to foreign powers -- such as foreign governments or terrorist groups -- and their agents. Furthermore, the government may invoke the FISA Court process even if its primary purpose is to gather evidence for a domestic criminal prosecution rather than to thwart foreign threats.
...[T]hese developments...have had a profound effect on the role exercised by the FISA Court. They have caused the court to veer off course, departing from its traditional role of ensuring that the government has sufficient cause to intercept communications or obtain records in particular cases and instead authorizing broad surveillance programs. It is questionable whether the court's new role comports with Article III of the Constitution, which mandates that courts must adjudicate concrete disputes rather than issuing advisory opinions on abstract questions. The constitutional infirmity is compounded by the fact that the court generally hears only from the government, while the people whose communications are intercepted have no meaningful opportunity to challenge the surveillance, even after the fact.
Moreover, under current law, the FISA Court does not provide the check on executive action that the Fourth Amendment demands. Interception of communications generally requires the government to obtain a warrant based on probable cause of criminal activity. Although some courts have held that a traditional warrant is not needed to collect foreign intelligence, they have imposed strict limits on the scope of such surveillance and have emphasized the importance of close judicial scrutiny in policing these limits. The FISA Court's minimal involvement in overseeing programmatic surveillance does not meet these constitutional standards.
Fundamental changes are needed to fix these flaws. Congress should end programmatic surveillance and require the government to obtain judicial approval whenever it seeks to obtain communications or information involving Americans. It should shore up the Article III soundness of the FISA Court by ensuring that the interests of those affected by surveillance are represented in court proceedings, increasing transparency, and facilitating the ability of affected individuals to challenge surveillance programs in regular federal courts. Finally, Congress should address additional Fourth Amendment concerns by narrowing the permissible scope of "foreign intelligence surveillance" and ensuring that it cannot be used as an end-run around the constitutional standards for criminal investigations.
The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer's operating system were wiped and re-installed.
Although most BIOS have protections to prevent unauthorized modifications, the researchers were able to bypass these to reflash the BIOS and implant their malicious code.
Because many BIOS share some of the same code, they were able to uncover vulnerabilities in 80 percent of the PCs they examined, including ones from Dell, Lenovo and HP. The vulnerabilities, which they're calling incursion vulnerabilities, were so easy to find that they wrote a script to automate the process and eventually stopped counting the vulns it uncovered because there were too many.
Kallenberg said an attacker would need to already have remote access to a compromised computer in order to execute the implant and elevate privileges on the machine through the hardware. Their exploit turns down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed.
The devious part of their exploit is that they've found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure operating systems such as Tails in the line of fire of the implant.
From the Register:
"Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected," Kopvah says.
"The high amount of code reuse across UEFI BIOSes means that BIOS infection can be automatic and reliable.
"The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments."
Though such "voodoo" hacking will likely remain a tool in the arsenal of intelligence and military agencies, it's getting easier, Kallenberg and Kovah believe. This is in part due to the widespread adoption of UEFI, a framework that makes it easier for the vendors along the manufacturing chain to add modules and tinker with the code. That's proven useful for the good guys, but also made it simpler for researchers to inspect the BIOS, find holes and create tools that find problems, allowing Kallenberg and Kovah to show off exploits across different PCs. In the demo to FORBES, an HP PC was used to carry out an attack on an ASUS machine. Kovah claimed that in tests across different PCs, he was able to find and exploit BIOS vulnerabilities across 80 per cent of machines he had access to and he could find flaws in the remaining 10 per cent.
"There are protections in place that are supposed to prevent you from flashing the BIOS and we've essentially automated a way to find vulnerabilities in this process to allow us to bypass them. It turns out bypassing the protections is pretty easy as well," added Kallenberg.
The NSA has a term for vulnerabilities it think are exclusive to it: NOBUS, for "nobody but us." Turns out that NOBUS is a flawed concept. As I keep saying: "Today's top-secret programs become tomorrow's PhD theses and the next day's hacker tools." By continuing to exploit these vulnerabilities rather than fixing them, the NSA is keeping us all vulnerable.
David Omand -- GCHQ director from 1996-1997, and the UK's security and intelligence coordinator from 2000-2005 -- has just published a new paper: "Understanding Digital Intelligence and the Norms That Might Govern It."
Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency (NSA) contractor Edward Snowden. Digital intelligence is presented as enabled by the opportunities of global communications and private sector innovation and as growing in response to changing demands from government and law enforcement, in part mediated through legal, parliamentary and executive regulation. A common set of organizational and ethical norms based on human rights considerations are suggested to govern such modern intelligence activity (both domestic and external) using a three-layer model of security activity on the Internet: securing the use of the Internet for everyday economic and social life; the activity of law enforcement -- both nationally and through international agreements -- attempting to manage criminal threats exploiting the Internet; and the work of secret intelligence and security agencies using the Internet to gain information on their targets, including in support of law enforcement.
I don't agree with a lot of it, but it's worth reading.
My favorite Omand quote is this, defending the close partnership between the NSA and GCHQ in 2013: "We have the brains. They have the money. It's a collaboration that's worked very well."
Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along with a broader story, in January of this year:
In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. The call back provided us access to further exploit the device and survey the network. Upon initiating the survey, SIGINT analysis from TAO/Requirements & Targeting determined that the implanted device was providing even greater access than we had hoped: We knew the devices were bound for the Syrian Telecommunications Establishment (STE) to be used as part of their internet backbone, but what we did not know was that STE's GSM (cellular) network was also using this backbone. Since the STE GSM network had never before been exploited, this new access represented a real coup.
Now Cisco is taking matters into its own hands, offering to ship equipment to fake addresses in an effort to avoid NSA interception.
I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.
Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list -- covering sales from the second week of March -- is not yet on the Internet. On that list, I'm #11 on the hardcover nonfiction list, and not at all on the combined print and e-book nonfiction list.
Marc Rotenberg of EPIC tells me that Vance Packard's The Naked Society made it to #7 on the list during the week of July 12, 1964, and -- by that measure -- Data and Goliath is the most popular privacy book of all time. I'm not sure I can claim that honor yet, but it's a nice thought. And two weeks on the New York Times best-seller list is super fantastic.
For those curious to know what sorts of raw numbers translate into those rankings, this is what I know. Nielsen Bookscan tracks retail sales across the US, and captures about 80% of the book market. It reports that my book sold 4,706 copies during the first week of March, and 2,339 copies in the second week. Taking that 80% figure, that means I sold 6,000 copies the first week and 3,000 the second.
My publisher tells me that Amazon sold 650 hardcovers and 600 e-books during the first week, and 400 hardcovers and 500 e-books during the second week. The hardcover sales ranking was 865, 949, 611, 686, 657, 602, 595 during the first week, and 398, 511, 693, 867, 341, 357, 343 during the second. The book's rankings during those first few days don't match sales, because Amazon records a sale for the rankings when a person orders a book, but only counts the sale when it actually ships it. So all of my preorders sold on that first day, even though they were calculated in the rankings during the days and weeks before publication date.
There are few new book reviews. There's one from the Dealbook blog at the New York Times that treats the book very seriously, but doesn't agree with my conclusions. (A rebuttal to that review is here.) A review from the Wall Street Journal was even less kind. This review from InfoWorld is much more positive.
All of this, and more, is on the book's website.
There are several book-related videos online. The first is the talk I gave at the Harvard Bookstore on March 4th. The second and third are interviews of me on Democracy Now. I also did a more general Q&A with Gizmodo.
Note to readers. The book is 80,000 words long, which is a normal length for a book like this. But the book's size is much larger, because it contains a lot of references. They're not numbered, but if they were, there would be over 1,000 numbers. I counted all the links, and there are 1,622 individual citations. That's a lot of text. This means that if you're reading the book on paper, the narrative ends on page 238, even though the book continues to page 364. If you're reading it on the Kindle, you'll finish the book when the Kindle says you're only 44% of the way through. The difference between pages and percentages is because the references are set in smaller type than the body. I warn you of this now, so you know what to expect. It always annoys me that the Kindle calculates percent done from the end of the file, not the end of the book.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.