Category Archives: Cyber Issues

Some people think Trump asked Putin to hack the DNC

The Washington Post reports: Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.

The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.

The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some GOP political action committees, U.S. officials said. But details on those cases were not available. [Continue reading…]

Facebooktwittermail

How to run a Russian hacking ring

Kaveh Waddell writes: A man with intense eyes crouches over a laptop in a darkened room, his face and hands hidden by a black ski mask and gloves. The scene is lit only by the computer screen’s eerie glow.

Exaggerated portraits of malicious hackers just like this keep popping up in movies and TV, despite the best efforts of shows like Mr. Robot to depict hackers in a more realistic way. Add a cacophony of news about data breaches that have shaken the U.S. government, taken entire hospital systems hostage, and defrauded the international banking system, and hackers start to sound like omnipotent super-villains.

But the reality is, as usual, less dramatic. While some of the largest cyberattacks have been the work of state-sponsored hackers — the OPM data breach that affected millions of Americans last year, for example, or the Sony hack that revealed Hollywood’s intimate secrets​ — the vast majority of the world’s quotidian digital malice comes from garden-variety hackers.

And for many of those cybercriminals, hacking is as unglamorous as any other business. That’s what a group of security researchers found when they infiltrated a ring of hackers based in Russia earlier this year, and monitored its dealings over the course of five months.

The researchers were with Flashpoint, an American cybersecurity company that investigates threats on the dark and deep web. Their undercover operation began when they came across a post on a Russian hacker forum on the dark web — a part of the internet that’s inaccessible to regular browsers — that read very much like a get-rich-quick ad you might find on Facebook. [Continue reading…]

Facebooktwittermail

The kinds of surveillance people want

shadow2

If you use a credit card, your daily activities are under continuous surveillance. Information gathered from each transaction is monitored and analysed, not by the NSA, but by the financial companies themselves.

Most cardholders who are aware of this are grateful for the fact. It means that if or when you get a phone call or text message from the company telling you they’ve noticed suspicious activity on your account, the chances are that the warning is warranted and some fraud can get snipped in the bud.

Suppose your online activity was being monitored in an analogous way — not to spot fraud but instead to spot symptoms of undiagnosed disease — would you welcome this kind of surveillance?

Right now, this is a hypothetical question, but it probably won’t be long before automated health-tracking systems emerge. Perhaps health insurance companies will offer a discount to individuals who opt-in for the service.

The hyperbole surrounding the issue of surveillance usually looks at it through the lens of the intelligence agencies and political oppression, but what may in the long run be much more significant, socially, is the kind of benign surveillance that caters to our needs — that makes life easier by anticipating our needs.

Needs easily met create an expanding field of things we take for granted, but with that comes a diminishing state of awareness. For some people, the fewer their cares, the more creative they become, but more often it seems like ease fuels a hunger for stimulation and distraction.

The surveillance state we are moving into is not one where we are at much risk of getting whisked away by the secret police, but rather it is one in which we are likely to submerge deeper and deeper into the oblivion of convenience.

The New York Times reports: Microsoft scientists have demonstrated that by analyzing large samples of search engine queries they may in some cases be able to identify internet users who are suffering from pancreatic cancer, even before they have received a diagnosis of the disease.

The scientists said they hoped their work could lead to early detection of cancer. Their study was published on Tuesday in The Journal of Oncology Practice by Dr. Eric Horvitz and Dr. Ryen White, the Microsoft researchers, and John Paparrizos, a Columbia University graduate student.

“We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” Dr. Horvitz said.

The researchers focused on searches conducted on Bing, Microsoft’s search engine, that indicated someone had been diagnosed with pancreatic cancer. From there, they worked backward, looking for earlier queries that could have shown that the Bing user was experiencing symptoms before the diagnosis. Those early searches, they believe, can be warning flags. [Continue reading…]

Facebooktwittermail

FBI wants access to Internet browser history without a warrant in terrorism and spy cases

The Washington Post reports: The Obama administration is seeking to amend surveillance law to give the FBI explicit authority to access a person’s Internet browser history and other electronic data without a warrant in terrorism and spy cases.

The administration made a similar effort six years ago but dropped it after concerns were raised by privacy advocates and the tech industry.

FBI Director James B. Comey has characterized the legislation as a fix to “a typo” in the Electronic Communications Privacy Act, which he says has led some tech firms to refuse to provide data that Congress intended them to provide.

But tech firms and privacy advocates say the bureau is seeking an expansion of surveillance powers that infringes on Americans’ privacy. [Continue reading…]

Facebooktwittermail

The human side of cybercrime

M. Mitchell Waldrop writes: Say what you will about cybercriminals, says Angela Sasse, “their victims rave about the customer service”.

Sasse is talking about ransomware: an extortion scheme in which hackers encrypt the data on a user’s computer, then demand money for the digital key to unlock them. Victims get detailed, easy-to-follow instructions for the payment process (all major credit cards accepted), and how to use the key. If they run into technical difficulties, there are 24/7 call centres.

“It’s better support than they get from their own Internet service providers,” says Sasse, a psychologist and computer scientist at University College London who heads the Research Institute in Science of Cyber Security. That, she adds, is today’s cybersecurity challenge in a nutshell: “The attackers are so far ahead of the defenders, it worries me quite a lot.”

Long gone are the days when computer hacking was the domain of thrill-seeking teenagers and college students: since the mid-2000s, cyberattacks have become dramatically more sophisticated. Today, shadowy, state-sponsored groups launch exploits such as the 2014 hack of Sony Pictures Entertainment and the 2015 theft of millions of records from the US Office of Personnel Management, allegedly sponsored by North Korea and China, respectively. ‘Hacktivist’ groups such as Anonymous carry out ideologically driven attacks on high-profile terrorists and celebrities. And a vast criminal underground traffics in everything from counterfeit Viagra to corporate espionage. By one estimate, cybercrime costs the global economy between US$375 billion and $575 billion each year. [Continue reading…]

Facebooktwittermail

Court refuses request to force alleged hacker to divulge passwords

The Guardian reports: An alleged hacker fighting extradition to the US will not have to give the passwords for his encrypted computers to British law enforcement officers, following a landmark legal ruling.

Lauri Love, a 31-year-old computer scientist, has been accused of stealing “massive quantities” of sensitive data from US Federal Reserve and Nasa computers. His lawyers say he faces up to 99 years in prison if found guilty in the US.

The National Crime Agency (NCA) raided Love’s family home in Stradishall, Suffolk, in October 2013, seizing encrypted computers and hard drives. No charges were brought against him in Britain and Love is suing the NCA for the return of six items of encrypted hardware, which he says contain his entire digital life.

The NCA applied to the courts to force Love to hand over his passwords before it returns the computers but this was rejected by a judge on Tuesday.

Speaking to the Guardian, Love called on governments around the world to set aside differences with activists and hackers and to work together to improve global computer security. [Continue reading…]

Facebooktwittermail

David Vincenzetti: How the Italian mogul built a hacking empire

David Kushner reports: The Blackwater of surveillance, the Hacking Team is among the world’s few dozen private contractors feeding a clandestine, multibillion-dollar industry that arms the world’s law enforcement and intelligence agencies with spyware. Comprised of around 40 engineers and salespeople who peddle its goods to more than 40 nations, the Hacking Team epitomizes what Reporters Without Borders, the international anti-censorship group, dubs the “era of digital mercenaries.”

The Italian company’s tools — “the hacking suite for governmental interception,” its website claims — are marketed for fighting criminals and terrorists. But there, on Marquis-Boire’s computer screen, was chilling proof that the Hacking Team’s software was also being used against dissidents. It was just the latest example of what Marquis-Boire saw as a worrying trend: corrupt regimes using surveillance companies’ wares for anti-democratic purposes.

When Citizen Lab published its findings in the October 2012 report “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” the group also documented traces of the company’s spyware in a document sent to Ahmed Mansoor, a pro-democracy activist in the United Arab Emirates. Privacy advocates and human rights organizations were alarmed. “By fueling and legitimizing this global trade, we are creating a Pandora’s box,” Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told Bloomberg.

The Hacking Team, however, showed no signs of standing down. “Frankly, the evidence that the Citizen Lab report presents in this case doesn’t suggest anything inappropriately done by us,” company spokesman Eric Rabe told the Globe and Mail.

As media and activists speculated about which countries the Italian firm served, the founder and CEO of the Hacking Team, David Vincenzetti — from his sleek, white office inside an unsuspecting residential building in Milan — took the bad press in stride. He joked with his colleagues in a private email that he was responsible for the “evilest technology” in the world.

A tall, lean 48-year-old Italian with a taste for expensive steak and designer suits, Vincenzetti has transformed himself over the past decade from an under-ground hacker working out of a windowless basement into a mogul worth millions. He is nothing if not militant about what he defines as justice: Julian Assange, the embattled founder of WikiLeaks, is “a criminal who by all means should be arrested, expatriated to the United States, and judged there”; whistleblower Chelsea Manning is “another lunatic”; Edward Snowden “should go to jail, absolutely.”

“Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.”

Vincenzetti’s position has come at a high cost. Disturbing incidents have been left in his wake: a spy’s suicide, dissidents’ arrests, and countless human rights abuses. “If I had known how crazy and dangerous he is,” Guido Landi, a former employee, says, “I would never have joined the Hacking Team.” [Continue reading…]

Facebooktwittermail

What cyberwar against ISIS should look like

Fred Kaplan writes: Pentagon officials have publicly said, in recent weeks, that they’re hitting ISIS not only with bullets and bombs but also with cyberoffensive operations. “We are dropping cyberbombs,” Robert Work, deputy secretary of defense, is quoted as proclaiming in Monday’s New York Times. Similar, if less colorful, statements have been made by Secretary of Defense Ash Carter and,a week ago, President Obama.

What does it mean? And what effects are these new weapons having on the overall war? After dropping his “cyberbombs” bombshell, Work said, “We have never done that before.” But in fact, the United States has done it before, against Iraqi insurgents, including al-Qaida fighters, back in 2007. And, as I discovered while researching my book Dark Territory: The Secret History of Cyber War, the effects were devastating.

Standard accounts have credited President George W. Bush’s troop surge and Gen. David Petraeus’ counterinsurgency strategy for turning the Iraq conflict in the coalition’s favor in 2007. These accounts aren’t wrong, as far as they go, but they leave out another crucial factor — cyberoffensive warfare, as conducted by the Joint Special Operations Command and the National Security Agency. [Continue reading…]

Facebooktwittermail

FBI director suggests bill for iPhone hacking topped $1.3 million

The New York Times reports: The director of the F.B.I. suggested Thursday that his agency paid at least $1.3 million to an undisclosed group to help hack into the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.

At a technology conference in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.

“A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.

He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”

The F.B.I. had been unwilling to say anything at all until Thursday about how much it paid for what has become one of the world’s most publicized hacking jobs, so Mr. Comey’s cryptic comments about his own wages and the bounty quickly sent listeners scurrying in search of their calculators.

The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term. [Continue reading…]

Facebooktwittermail

FBI says it needs hackers to keep up with tech companies

The New York Times reports: The F.B.I. defended its hiring of a third party to break into an iPhone used by a gunman in last year’s San Bernardino, Calif., mass shooting, telling some skeptical lawmakers on Tuesday that it needed to join with partners in the rarefied world of for-profit hackers as technology companies increasingly resist their demands for consumer information.

Amy Hess, the Federal Bureau of Investigation’s executive assistant director for science and technology, made the comments at a hearing by members of Congress who are debating potential legislation on encryption. The lawmakers gathered law enforcement authorities and Silicon Valley company executives to discuss the issue, which has divided technology companies and officials in recent months and spurred a debate over privacy and security.

The hearing follows a recent standoff between the F.B.I. and Apple over a court order to force the company to help unlock an iPhone used by one of the San Bernardino attackers. Apple opposed the order, citing harm to the privacy of its users. The F.B.I. later dropped its demand for Apple’s help when it found a third-party alternative to hack the device. [Continue reading…]

Facebooktwittermail

U.S. ratchets up cyber attacks on ISIS

The Daily Beast reports: President Obama confirmed for the first time last week that the U.S. is conducting “cyber operations” against ISIS, in order to disrupt the group’s “command-and-control and communications.”

But the American military’s campaign of cyber attacks against ISIS is far more serious than what the president laid out in his bland description. Three U.S. officials told The Daily Beast that those operations have moved beyond mere disruption and are entering a new, more aggressive phase that is targeted at individuals and is gleaning intelligence that could help capture and kill more ISIS fighters.

As the U.S. ratchets up its online offensive against the terror group, U.S. military hackers are now breaking into the computers of individual ISIS fighters. Once inside the machines, these hackers are implanting viruses and malicious software that allow them to mine their devices for intelligence, such as names of members and their contacts, as well as insights into the group’s plans, the officials said, speaking on condition of anonymity to describe sensitive operations.

One U.S. official told The Daily Beast that intelligence gleaned from hacking ISIS members was an important source for identifying key figures in the organization. In remarks at CIA headquarters in Langley, Virginia this week, Obama confirmed that cyber operations were underway and noted that recently the U.S. has either captured or killed several key ISIS figures, including Sulayman Dawud al-Bakkar, a leader of its chemical weapons program, and “Haji Iman,” the man purported to be ISIS’s second in command. [Continue reading…]

Facebooktwittermail

FBI used hacking software decade before iPhone fight

The New York Times reports: In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable.

So investigators tried something new. They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

That effort, revealed in newly declassified and released records, shows in new detail how F.B.I. hackers worked to defeat encryption more than a decade before the agency’s recent fight with Apple over access to a locked iPhone. The Trail Mix case was, in some ways, a precursor to the Apple dispute. In both cases, the agents could not decode the data themselves, but found a clever workaround.

The Trail Mix records also reveal what is believed to be the first example of the F.B.I. remotely installing surveillance software, known as spyware or malware, as part of a criminal wiretap.

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

The next year, six activists were convicted of conspiracy to violate the Animal Enterprise Protection Act in the case. An appeals court upheld the convictions in 2009, and said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”

Ryan Shapiro, a national security researcher and animal welfare advocate, provided the documents in the case to The New York Times after obtaining them in a Freedom of Information Act lawsuit. Several important details remain secret, including whether the tactic worked. The wiretap was disclosed at trial but the software hacking was not, said Lauren Gazzola, one of the defendants, who now works for the Center for Constitutional Rights. [Continue reading…]

Facebooktwittermail

Apple iPhone unlocking manoeuvre likely to remain secret

Reuters reports: The company that helped the FBI unlock a San Bernardino shooter’s iPhone to get data has sole legal ownership of the method, making it highly unlikely the technique will be disclosed by the government to Apple or any other entity, Obama administration sources said this week.

The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. But it is not set up to handle or reveal flaws that are discovered and owned by private companies, the sources said, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.

The secretive process was created to let various government interests debate about what should be done with a given technology flaw, rather than leaving it to agencies like the National Security Agency, which generally prefers to keep vulnerabilities secret so they can use them. [Continue reading…]

Facebooktwittermail

FBI paid professional hackers one-time fee to crack San Bernardino iPhone

The Washington Post reports: The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution. [Continue reading…]

Facebooktwittermail

Intelligence community olive branch on data sharing greeted with skepticism

The Intercept reports: Top intelligence community lawyer Robert Litt has offered a rare olive branch to privacy advocates, in the form of information.

In a post on one of the intelligence community’s favorite blogs on Wednesday, Litt, general counsel for the Office of the Director of National Intelligence, outlined new intelligence data-sharing guidelines that he said will be released soon.

The post, on Just Security, was essentially a response to reporting last month from the New York Times’s Charlie Savage that the NSA would soon be sharing with other government agencies the raw, unfiltered intelligence from the depths of its massive overseas spying programs.

“There has been a lot of speculation about the content of proposed procedures that are being drafted to authorize the sharing of unevaluated signals intelligence,” Litt wrote.

The New York Times story raised concerns that the data, which inevitably includes information about Americans, would become too easily accessible by intelligence agencies including the FBI, potentially leading to fishing expeditions. [Continue reading…]

BuzzFeed reports: Just days after breaking into a terrorist’s iPhone using a mysterious third-party technique, FBI officials on Friday told local law enforcement agencies it will assist them with unlocking phones and other electronic devices.

The advisory, obtained by BuzzFeed News, was sent in response to law enforcement inquiries about its new method of unlocking devices — a technique the FBI said was successful at gaining access to the iPhone 5C belonging to one of the shooters in the deadly San Bernardino, California, attack.

“In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone,” the message said. “That method for unlocking that specific iPhone proved successful.” [Continue reading…]

Facebooktwittermail

British authorities demand encryption keys in case with ‘huge implications’

encryption

The Intercept reports: British authorities are attempting to force a man accused of hacking the U.S. government to hand over his encryption keys in a case that campaigners believe could have ramifications for journalists and activists.

England-based Lauri Love was arrested in October 2013 by the U.K.’s equivalent of the FBI, the National Crime Agency, over allegations that he hacked a range of U.S. government systems between 2012 and 2013, including those of the Department of Defense, the Environmental Protection Agency, the Department of Energy, and NASA.

The U.S. Justice Department is seeking the extradition of Love, claiming that he and a group of conspirators breached “thousands of networks” in total and caused millions of dollars in damages. But Love has been fighting the extradition attempt in British courts, insisting that he should be tried for the alleged offenses within the U.K. The 31-year-old, who has been diagnosed with Asperger’s syndrome, has argued that he would not get a fair trial in the U.S., where his legal team says he could face a sentence of up to 99 years in jail. [Continue reading…]

Facebooktwittermail

How to hack an election

Bloomberg Businessweek reports on the confessions of Andrés Sepúlveda, a political hacker who rigged elections throughout Latin America for almost a decade: His teams worked on presidential elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela. Campaigns mentioned in this story were contacted through former and current spokespeople; none but Mexico’s PRI and the campaign of Guatemala’s National Advancement Party would comment.

As a child, he witnessed the violence of Colombia’s Marxist guerrillas. As an adult, he allied with a right wing emerging across Latin America. He believed his hacking was no more diabolical than the tactics of those he opposed, such as Hugo Chávez and Daniel Ortega.

Many of Sepúlveda’s efforts were unsuccessful, but he has enough wins that he might be able to claim as much influence over the political direction of modern Latin America as anyone in the 21st century. “My job was to do actions of dirty war and psychological operations, black propaganda, rumors — the whole dark side of politics that nobody knows exists but everyone can see,” he says in Spanish, while sitting at a small plastic table in an outdoor courtyard deep within the heavily fortified offices of Colombia’s attorney general’s office. He’s serving 10 years in prison for charges including use of malicious software, conspiracy to commit crime, violation of personal data, and espionage, related to hacking during Colombia’s 2014 presidential election. He has agreed to tell his full story for the first time, hoping to convince the public that he’s rehabilitated — and gather support for a reduced sentence.

Usually, he says, he was on the payroll of Juan José Rendón, a Miami-based political consultant who’s been called the Karl Rove of Latin America. Rendón denies using Sepúlveda for anything illegal, and categorically disputes the account Sepúlveda gave Bloomberg Businessweek of their relationship, but admits knowing him and using him to do website design. “If I talked to him maybe once or twice, it was in a group session about that, about the Web,” he says. “I don’t do illegal stuff at all. There is negative campaigning. They don’t like it — OK. But if it’s legal, I’m gonna do it. I’m not a saint, but I’m not a criminal.” While Sepúlveda’s policy was to destroy all data at the completion of a job, he left some documents with members of his hacking teams and other trusted third parties as a secret “insurance policy.”

Sepúlveda provided Bloomberg Businessweek with what he says are e-mails showing conversations between him, Rendón, and Rendón’s consulting firm concerning hacking and the progress of campaign-related cyber attacks. Rendón says the e-mails are fake. An analysis by an independent computer security firm said a sample of the e-mails they examined appeared authentic. Some of Sepúlveda’s descriptions of his actions match published accounts of events during various election campaigns, but other details couldn’t be independently verified. One person working on the campaign in Mexico, who asked not to be identified out of fear for his safety, substantially confirmed Sepúlveda’s accounts of his and Rendón’s roles in that election.

Sepúlveda says he was offered several political jobs in Spain, which he says he turned down because he was too busy. On the question of whether the U.S. presidential campaign is being tampered with, he is unequivocal. “I’m 100 percent sure it is,” he says. [Continue reading…]

Facebooktwittermail

FBI backs off from its day in court with Apple this time – but there will be others

By Martin Kleppmann, University of Cambridge

After a very public stand-off over an encrypted terrorist’s smartphone, the FBI has backed down in its court case against Apple, stating that an “outside party” – rumoured to be an Israeli mobile forensics company – has found a way of accessing the data on the phone.

The exact method is not known. Forensics experts have speculated that it involves tricking the hardware into not recording how many passcode combinations have been tried, which would allow all 10,000 possible four-digit passcodes to be tried within a fairly short time. This technique would apply to the iPhone 5C in question, but not newer models, which have stronger hardware protection through the so-called secure enclave, a chip that performs security-critical operations in hardware. The FBI has denied that the technique involves copying storage chips.

So while the details of the technique remain classified, it’s reasonable to assume that any security technology can be broken given sufficient resources. In fact, the technology industry’s dirty secret is that most products are frighteningly insecure.

Continue reading

Facebooktwittermail