Entries Tagged "surveillance"

Page 37 of 93

Legal Attacks Against Tor

Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria has been found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.

Here’s the EFF: “Seven Things You Should Know About Tor.”

EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.

Posted on July 15, 2014 at 6:13 AMView Comments

GCHQ Catalog of Exploit Tools

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a targets IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The techniques employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedely bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a targets machine

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Posted on July 14, 2014 at 12:35 PMView Comments

NSA Spied on Prominent Muslim Americans

The latest story from the Snowden documents is about five prominent Muslim Americans who were spied on by the NSA and FBI. It’s a good story, and I recommend reading it in its entirety. I have a few observations.

One, it’s hard to assess the significance of this story without context. The source document is a single spreadsheet that lists 7,485 e-mail addresses monitored between 2002 and 2008.

The vast majority of individuals on the “FISA recap” spreadsheet are not named. Instead, only their email addresses are listed, making it impossible in most cases to ascertain their identities. Under the heading “Nationality,” the list designates 202 email addresses as belonging to “U.S. persons,” 1,782 as belonging to “non-U.S. persons,” and 5,501 as “unknown” or simply blank. The Intercept identified the five Americans placed under surveillance from their email addresses.

Without knowing more about this list, we don’t know whether this is good or bad. Is 202 a lot? A little? Were there FISA warrants that put these people on the list? Can we see them?

Two, the 2008 date is important. In July of that year, Congress passed the FISA Amendments Act, which restricted what sorts of surveillance the NSA can do on Americans. So while this story tells us about what was happening before the FAA, we don’t know what—if anything—changed with the passage of the FAA.

Three, another significant event at the time was the FBI’s prosecution of the Holy Land Foundation on terrorism charges. This brought with it an overly broad investigation of Muslim Americans who were just associated with that charity, but that investigation came with approved warrants and all the due process it was supposed to have. How many of the Americans on this list are there as a result of this one case?

Four, this list was just the starting point for a much broader NSA surveillance effort. As Marcy Wheeler pointed out, these people were almost certainly associationally mapped. CAIR founder Nihad Awad is one of the NSA targets named in the story. CAIR is named in an EFF lawsuit against the NSA. If Awad had any contact with the EFF in 2008, then they were also being spied on—that’s one hop. Since I had lots of contact with the EFF in the affected time period, I was being spied on as well—that’s two hops. And if any of you e-mailed me around that time—well, that’s three hops. This isn’t “just metadata”; this is full-take content that’s stored forever. And, yes, the president instructed the NSA to only spy people up to two hops away this January, but that was just one program under one authority.

This is a hard story to analyze, because it’s more anecdote than data. I much preferred last Saturday’s story that tried to analyze broad trends about who the subjects of NSA surveillance are. But anecdotes are more persuasive than data, so this story might be more compelling to a mainstream audience.

Other commentary: EFF, Ben Wittes, the Director of National Intelligence. I’m curious to watch how this story unfolds in the media.

One final note: I just couldn’t think of a headline more sensationalist than the descriptive one.

Posted on July 9, 2014 at 12:39 PMView Comments

NSA Targets the Privacy-Conscious for Surveillance

Jake Appelbaum et al., are reporting on XKEYSCORE selection rules that target users—and people who just visit the websites of—Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.

This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “bridges@torproject.org”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.

[…]

It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.

[…]

There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 128.31.0.34, a server located on the MIT campus.

It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link—with the embedded torproject.org URL above—is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.

EDITED TO ADD (7/3): The BoingBoing story says that this was first published on Tagesschau. Can someone who can read German please figure out where this originated.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.

EDITED TO ADD (7/3): More news stories. Thread on Reddit. I don’t expect this to get much coverage in the US mainstream media.

EDITED TO ADD (7/3): Here is the code. In part:

// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/

$TAILS_terms=word(‘tails’ or ‘Amnesiac Incognito Live System’) and
word(‘linux’
or ‘ USB ‘ or ‘ CD ‘ or ‘secure desktop’ or ‘ IRC ‘ or ‘truecrypt’ or ‘
tor ‘);
$TAILS_websites=(‘tails.boum.org/’) or (‘linuxjournal.com/content/linux*’);
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to
TAILs,
or viewing websites that detail TAILs.
*/
fingerprint(‘ct_mo/TAILS’)=
fingerprint(‘documents/comsec/tails_doc’) or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION

Hacker News and Slashdot threads. ArsTechnica and Wired articles.

EDITED TO ADD (7/4): EFF points out that it is illegal to target someone for surveillance solely based on their reading:

The idea that it is suspicious to install, or even simply want to learn more about, tools that might help to protect your privacy and security underlies these definitions—and it’s a problem. Everyone needs privacy and security, online and off. It isn’t suspicious to buy curtains for your home or lock your front door. So merely reading about curtains certainly shouldn’t qualify you for extra scrutiny.

Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.

Posted on July 3, 2014 at 11:01 AMView Comments

More on Hacking Team's Government Spying Software

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[…]

Once on a system, the iPhone module uses advance techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA—as well as the governments of China, Russia, and a handful of other countries—have their own systems that are at least as powerful.

Posted on June 26, 2014 at 6:37 AMView Comments

Defending Against Algorithm Substitution Attacks

Interesting paper: M. Bellare, K. Paterson, and P. Rogaway, “Security of Symmetric Encryption against Mass Surveillance.”

Abstract: Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of “big-brother” is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big-brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.

Posted on June 24, 2014 at 7:21 AMView Comments

Building Retro Reflectors

A group of researchers have reverse-engineered the NSA’s retro reflectors, and has recreated them using software-defined radio (SDR):

An SDR Ossmann designed and built, called HackRF, was a key part of his work in reconstructing the NSA’s retro-reflector systems. Such systems come in two parts – a plantable “reflector” bug and a remote SDR-based receiver.

One reflector, which the NSA called Ragemaster, can be fixed to a computer’s monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

Getting the information from the bugs is where SDRs come in. Ossmann found that using the radio to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID- chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR’s versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK. “Software-defined radio is flexibly programmable and can tune in to anything,” he says.

The NSA devices are LOUDAUTO, SURLYSPAWN, TAWDRYYARD, and RAGEMASTER. Here are videos that talk about how TAWDRYYARD and LOUDAUTO work.

This is important research. While the information we have about these sorts of tools is largely from the NSA, it is fanciful to assume that they are the only intelligence agency using this technology. And it’s equally fanciful to assume that criminals won’t be using this technology soon, even without Snowden’s documents. Understanding and building these tools is the first step to protecting ourselves from them.

Posted on June 23, 2014 at 6:51 AMView Comments

More Details on NSA Tapping the Internet Backbone

Two new stories: one from Der Spiegel in Germany (also reported in the Intercept) and the other from Dagbladet Information in Denmark (again, also reported in the Intercept). Lots of good information in both stories.

EDITED TO ADD (6/20): Der Spiegel has two other stories, as well as a large trove of source documents. The Dagbladet Information source documents are here.

And in related news, the US House of Representatives voted to ban NSA backdoor searches, as well as it weakening commercial products and protocols. There’s no chance it’ll become a law, but the 293-123 vote is a big deal nonetheless.

The current authority for the NSA’s bulk collection of telephone metadata expires today. A bunch of organizations have tried to urge the president not to renew it. I don’t think that’ll happen, either.

It’s a measure of the popular interest in this issue that the German/Danish story isn’t being reported by the US press, and I had to search to find the Congressional vote on the New York Times and Washington Post sites. Only the Guardian had it as a home page headline. No one is reporting today’s renewal of the telephone metadata program.

EDITED TO ADD (6/21): The bulk surveillance of Americans’ phone call records program has been renewed. And Der Spiegel published an editorial explaining why it broke the story and released the secret NSA documents.

EDITED TO ADD (6/23): Marcy Wheeler noticed at the FISC order renewing the bulk surveillance order came with some sort of memorandum opinion.

EDITED TO ADD (7/14): Good commentary from the comments.

Posted on June 20, 2014 at 9:43 AMView Comments

1 35 36 37 38 39 93

Sidebar photo of Bruce Schneier by Joe MacInnis.