I blogged this over at DK.
Archive for the ‘wiretapping’ Category
Posted by Charles II on December 9, 2013
Posted by Charles II on October 14, 2013
The NSA has been harvesting address books from Americans’ e-mail. This is done semi-legally. That is, the NSA intercepts e-mail at points where it transits international boundaries, as when Google uses a foreign server to handle e-mail, which brings in a great deal of American communications. The NSA also makes presumptions about the “foreignness” of e-mail that it knows are, or are likely to be, wrong. For example, an American writing to his home office from Europe would automatically be labeled as foreign correspondence, even though both the recipient and the sender are American.
Spam has proven to be a significant problem for NSA — clogging databases with data that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake’ addresses and never ‘delivered’ to targets.”
In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”
The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.
After nine days of data-bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”
In this report, we learn that “Yahoo, unlike other service providers, has left connections to its users unencrypted by default.” This explains why Yahoo address books are so easy to harvest in bulk, whether by spammers or by anyone tapping the connection: an unencrypted session exposes the contact list to every network in between.
Posted by Charles II on October 11, 2013
Thanks to Rachel Levinson-Waldman of the Brennan Center, we have an idea. An excerpt:
…this report finds that in many cases, information carrying no apparent investigative value is treated no differently from information that does give rise to reasonable suspicion of criminal or terrorist activity. Basically, the chaff is treated the same as the wheat. In other cases, while the governing policies do set certain standards limiting the retention or sharing of non-criminal information about Americans, the restrictions are weakened by exceptions for vaguely-described law enforcement or national security purposes. Depending on the data set, presumptively innocuous information may be retained for periods ranging from two weeks to five years to 75 years or more.
Posted by Charles II on October 4, 2013
The Guardian had almost a dozen articles relevant to the wiretapping of Americans by NSA.
There were several slide shows on how the NSA has been attacking TOR. A non-technical summary of what they say is given by James Ball, Bruce Schneier, and Glenn Greenwald here. A more technical summary by Bruce Schneier is linked below.
One slide show reviews how Tor works. Briefly, the user’s computer wraps its traffic in several layers of encryption and sends it through a circuit of relays (entry, middle, exit), each of which strips one layer and forwards the rest, so that no single relay sees both the user and the destination. Someone monitoring the traffic cannot read the content, but can to some degree observe the certificates exchanged with relays.
As of 2012, the NSA was finding Tor a difficult nut to crack. It was able to de-anonymize some users, but not on demand. It had access to some nodes, but not enough to routinely get the data as it passed through entry, relay, and exit nodes. With access to a node, one may be able to match a user to a communication by timing; the British version of this is a program called QUICKANT. Some cookies survive Tor. Such cookie leakage, or identifying a user through QFD when they are not using Tor, can de-anonymize the user. The NSA is working on a version of QFD called Great Expectations that would combine cookies with QFD to de-anonymize. There is also some effort by Britain’s GCHQ and Australia’s DSD to detect Tor’s hidden services through ONIONBREATH. Tor nodes are identified through RONIN. QUANTUM is being used to degrade, deny, and disrupt Tor service, and QUANTUMCOOKIE to seize cookies. If the NSA has access to the target computer, it can stain the traffic or direct it to a node the NSA controls.
Egotistical Giraffe was a 2007 program to attack privacy in Tor, an anonymizing system used by dissidents in places like China and Iran, some criminals, and a lot of people who would just like some privacy. The Tor Browser Bundle is built on Firefox. The NSA uses the Torbutton extension to identify Tor users, winnowing the universe down to a few hundred thousand people. They can get a partial fingerprint based on the build time of the browser. The NSA can also use some exploits, especially if the user fails to activate NoScript. ERIN (Erroneous Ingenuity) was capable of penetrating Firefox 13 to 16.0.2. EGGO (Egotistical Goat) attacked a vulnerability in versions 10 and 11 to 16.0.2. They were able to use callbacks to gain control of a target.
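The “match a user to the communication by the time” step above is a traffic confirmation attack: whoever can watch both the entry side and the exit side of a circuit does not need to break any encryption, only to line up burst patterns. The Python below is an added example, not something from the slides or the Guardian’s reporting. It takes constructed packet timestamps for one client as seen at an entry node and for several flows as seen at an exit node, bins them, and picks the exit flow whose burst pattern correlates best with the client’s, sliding by a few bins to absorb the unknown latency of the circuit. The flow names, timestamps, bin width and lag range are all assumptions made for the demonstration.

```python
from statistics import mean, pstdev

BIN_WIDTH = 0.5    # seconds per bin (demo value)
N_BINS = 12        # six-second observation window (demo value)
MAX_LAG = 2        # try circuit latencies of up to two bins (one second)

def bin_counts(timestamps, n_bins=N_BINS, width=BIN_WIDTH):
    """Histogram of packet arrivals: how many packets fell into each time bin."""
    counts = [0] * n_bins
    for t in timestamps:
        i = int(t // width)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts

def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if either is flat)."""
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b)) / len(a)
    return cov / (sa * sb)

def best_lagged_correlation(entry_bins, exit_bins, max_lag=MAX_LAG):
    """Packets leave the exit after they enter the guard, so slide the exit-side
    histogram back by 0..max_lag bins and keep the strongest correlation."""
    best = -1.0
    for lag in range(max_lag + 1):
        shifted = exit_bins[lag:] + [0] * lag   # exit bin i+lag lines up with entry bin i
        best = max(best, pearson(entry_bins, shifted))
    return best

def match_client_to_exit_flow(entry_timestamps, exit_flows):
    """Return (flow_id, score, all_scores): the exit flow whose timing best matches
    the client's traffic at the guard, and the score of every candidate."""
    entry_bins = bin_counts(entry_timestamps)
    scores = {fid: best_lagged_correlation(entry_bins, bin_counts(ts))
              for fid, ts in exit_flows.items()}
    best_id = max(scores, key=scores.get)
    return best_id, scores[best_id], scores

# Constructed sample: the client's packets as seen at the guard (a bursty pattern).
CLIENT_AT_GUARD = [0.0, 0.1, 0.2, 1.5, 1.6, 3.0, 3.1, 3.2, 3.3, 5.0]

# Constructed exit-side flows: "flow-A" is the same traffic delayed about 0.25 s by
# the circuit; "flow-B" and "flow-C" belong to unrelated users.
EXIT_FLOWS = {
    "flow-A": [0.25, 0.35, 0.45, 1.75, 1.85, 3.25, 3.35, 3.45, 3.55, 5.25],
    "flow-B": [0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 4.5, 5.0],
    "flow-C": [4.0, 4.1, 4.2, 4.3, 5.5],
}

if __name__ == "__main__":
    fid, score, scores = match_client_to_exit_flow(CLIENT_AT_GUARD, EXIT_FLOWS)
    for f, s in sorted(scores.items()):
        print(f"{f}: correlation {s:.2f}")
    print(f"best match: {fid}")
```

On this sample flow-A scores about 0.96 while the unrelated flows stay well below it, but note that the lag search also lifts flow-C (whose single burst happens to line up with one of the client’s when shifted by two bins) to a respectable score. Over a window this short, a single coincidental burst is enough to produce a false match; that is why a real confirmation attack needs long observation windows or a way to induce a distinctive pattern, which is what the “staining” mentioned above provides.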
Bruce Schneier summarizes the slide shows:
After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user’s computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.
Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.
To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server.
FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.
The NSA also uses phishing attacks to induce users to click on FoxAcid tags.
TAO additionally uses FoxAcid to exploit callbacks – which is the general term for a computer infected by some automatic means – calling back to the NSA for more instructions and possibly to upload data from the target computer.
According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install “implants” designed to exfiltrate data.
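The race Schneier describes leaves a trace on the wire: the target’s browser receives two answers to the same request, the injected one first and the genuine one shortly after, both carrying the same TCP sequence number but different content. The Python below is an added example, not Schneier’s and not anything from the leaked manuals; it scans constructed packet records for exactly that signature, which is the approach the publicly released detection rules for this kind of injection took. The hosts, ports, TTLs and the redirect target “foxacid.example” are made up for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, with the fields a packet parser would supply."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

def find_injected_responses(segments):
    """Flag a flow when the same sequence number is answered more than once with
    different bytes. A genuine retransmission repeats identical bytes and is not
    flagged; an injected response followed by the real one is."""
    variants_by_key = {}     # (src, sport, dst, dport, seq) -> segments with distinct payloads
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue                          # pure ACKs carry nothing to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        variants = variants_by_key.setdefault(key, [])
        if any(v.payload == seg.payload for v in variants):
            continue                          # same bytes again: retransmission
        if variants:
            first = variants[0]
            alerts.append({
                "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
                "seq": seg.seq,
                "first_payload": first.payload[:40],
                "second_payload": seg.payload[:40],
                # an injector sitting closer to the client typically arrives with a
                # higher TTL than the real server; a large delta supports the alert
                "ttl_delta": first.ttl - seg.ttl,
                "gap_ms": round((seg.ts - first.ts) * 1000, 1),
            })
        variants.append(seg)
    return alerts

# Constructed capture: the client asks a site for "/", a response arrives 12 ms later
# from an in-path box redirecting to a hypothetical attack server, then the real answer
# arrives, followed by a plain retransmission of the real answer.
SAMPLE = [
    Segment(1.000, "10.0.0.5", 51000, "203.0.113.10", 80, 1000, 64,
            b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(1.012, "203.0.113.10", 80, "10.0.0.5", 51000, 5001, 58,
            b"HTTP/1.1 302 Found\r\nLocation: http://foxacid.example/x\r\nContent-Length: 0\r\n\r\n"),
    Segment(1.040, "203.0.113.10", 80, "10.0.0.5", 51000, 5001, 51,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(1.045, "203.0.113.10", 80, "10.0.0.5", 51000, 5001, 51,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

if __name__ == "__main__":
    for alert in find_injected_responses(SAMPLE):
        print(alert)
```

Two caveats a practitioner would add: a server that retransmits with different segmentation can legitimately produce differing payloads at one sequence number, so a production rule compares the overlapping prefix rather than whole payloads; and the TTL delta is corroboration, not proof, since the injector’s TTL can be forged. Neither caveat changes the core observation that the injected answer and the genuine one both reach the client, and only one of them is what the browser acts on.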
Bruce Schneier explains why the NSA’s attacks must be made public:
Finding a vulnerability – or creating one – and keeping it secret to attack the bad guys necessarily leaves the good guys more vulnerable.
Far better would be for the NSA to take those vulnerabilities back to the vendors to patch. Yes, it would make it harder to eavesdrop on the bad guys, but it would make everyone on the internet safer.
Seymour Hersh is clear that the documents leaked by Edward Snowden have changed the debate.
Snowden was significant because he provided documentary evidence – although he is sceptical about whether the revelations will change the US government’s policy.
“Editors love documents. Chicken-shit editors who wouldn’t touch stories like that, they love documents, so he changed the whole ball game,” he adds, before qualifying his remarks.
John Lanchester discusses the dangers of a surveillance state and suggests how to guard against it. He’s far too sanguine about both the merits of the surveillance and the ability to mitigate the dangers. I suspect that the worst revelations are yet to come.
The EU is investigating the GCHQ hack of the Belgian telecom, Belgacom:
The executives added that the company believed it had comprehensive security systems in place to counter cyber-attacks, but had been rendered helpless by the scale of the infiltration of 124 Belgacom IT systems.
The Belgian PM, Elio Di Rupo, last month complained that the attacks amounted to an assault on the country’s integrity and promised a strong response if the perpetrators were identified.
Posted by Charles II on September 29, 2013
Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.
The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes….
The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said.
N.S.A. officials declined to say how many Americans have been caught up in the effort, including people involved in no wrongdoing.
The agency did say that the large database of Americans’ domestic phone call records… was excluded.
In the 2011 memo explaining the shift, N.S.A. analysts were told that they could trace the contacts of Americans as long as they cited a foreign intelligence justification. That could include anything from ties to terrorism, weapons proliferation or international drug smuggling to spying on conversations of foreign politicians, business figures or activists. [emphasis added]
Why construct a dossier if you have all the data? Then you can use a search program to compile a dossier on any individual in nanoseconds, and deny you are keeping a dossier on anyone besides “suspects.” When anyone’s past actions can be compiled at will, everyone is a suspect, if only a future one.
By the way, I added the bolding because that’s a point that analysts like Bob Swern and Marcy seem to have missed. What conceivable legitimate function does targeting people based on their conversations with otherwise non-criminal businessmen, politicians, or activists have?
Posted by Charles II on September 11, 2013
Ryan Gallagher, Slate:
On Sunday, Brazilian TV show Fantastico published previously undisclosed details based on documents obtained by Guardian journalist Glenn Greenwald from former NSA contractor Edward Snowden. The 13-minute news segment focused on the revelation that, according to the leaked files, the NSA apparently targeted Brazil’s state-run Petrobras oil producer for surveillance—undermining a recent statement by the agency that it “does not engage in economic espionage in any domain.” The Petrobras detail has been picked up internationally, and is likely to cause a serious stir in Brazil. (The country is still reeling from the revelation last week that the NSA spied on its president.) But Fantastico delivered several other highly significant nuggets that deserve equal attention.
Google is listed as a target. So are the French Ministry of Foreign Affairs and SWIFT, a financial cooperative that connects thousands of banks and is supposed to help “securely” facilitate banking transactions made between more than 200 countries. Other documents show that the NSA’s so-called STORMBREW program—which involves sifting Internet traffic directly off of cables as it is flowing past—is being operated with the help of a “key corporate partner” at about eight key locations across the United States where there is access to “international cables, routers, and switches.” According to a leaked NSA map, this surveillance appears to be taking place at network junction points in Washington, Florida, Texas, at two places in California, and at three further locations in or around Virginia, New York, and Pennsylvania.
far from “cracking” SSL encryption—a commonly used protocol that shows up in your browser as HTTPS—the spy agencies have been forced to resort to so-called “man-in-the-middle” attacks to circumvent the encryption by impersonating security certificates in order to intercept data.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.
When they say it’s not about the money, it’s about the money.
Posted by Charles II on September 5, 2013
Ryan Gallagher, Slate:
The secretive surveillance technology industry does its best to fly under the radar. But the shadowy companies selling controversial spy tools to governments are being exposed to public scrutiny whether they like it or not, thanks to a new WikiLeaks project.
On Wednesday, the whistleblower organization published a new trove of documents that reveal the surveillance equipment being sold by more than 90 firms to authorities across the world as part of a burgeoning clandestine market in electronic spying. The documents shed light on the growing catalog of surveillance devices being offered to governments, ranging from portable transceivers that can sweep up thousands of phone calls to Trojan spyware designed to help police and intelligence agencies hack into computers and mobile phones to monitor chats and emails.
Dubbed the “SpyFiles” by WikiLeaks, the release builds on a previous surveillance industry exposé by the group in 2011, and comes amid unprecedented international discussion about government spying tactics disclosed in June by former National Security Agency contractor Edward Snowden.
RT has more.
Posted by Charles II on September 5, 2013
Crossposted from DK
I remember when I was thought silly for saying this. James Ball, Julian Borger, and Glenn Greenwald, The Guardian:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
Among other things, the program is designed to “insert vulnerabilities into commercial encryption systems”.
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
Documents show that Edgehill’s initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.
Another program, codenamed Cheesy Name, was aimed at singling out encryption keys, known as ‘certificates’, that might be vulnerable to being cracked by GCHQ supercomputers.
This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School.
“[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users,” she states.
And if you want the details, they are here.
So, even if users of e-mail do have a reasonable expectation of privacy, they don’t. Because the NSA says so.
This is bad for legitimate business and for people trying to resist despotism abroad, because, as Stephanie Pell says, deliberately broken software is more susceptible to being broken by other methods: a back door built for one party is a weakness available to anyone else who finds it.
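The 2006 NIST standard referred to in the Guardian excerpt above is widely identified as SP 800-90, the one that carried the Dual_EC_DRBG random number generator, and the kind of “inserted vulnerability” the article describes can be shown in a few dozen lines. The Python below is an added example, not code from the Guardian, NIST or any product. It builds the generator on a deliberately tiny curve (a 31-bit prime instead of P-256, and 8 dropped output bits instead of 16, so the brute force finishes instantly) and shows that whoever chose the two public points with a known relation P = d·Q can recover the generator’s internal state from a couple of outputs and predict every later one. The curve parameters, the secret d and the seed are made up for the demonstration; the structure of the attack is the same on the real curve, with a 2^16 brute force instead of 2^8.

```python
# Toy curve y^2 = x^3 + A*x + B over F_p. p = 2^31 - 1 is prime and p % 4 == 3, so a
# modular square root is a single exponentiation. (Demo parameters, not NIST's.)
P_MOD = 2**31 - 1
A = P_MOD - 3
B = 7
DROP_BITS = 8                                   # SP 800-90 drops 16 of 256 bits; we drop 8 of 31
KEEP_BITS = P_MOD.bit_length() - DROP_BITS      # the low 23 bits of each x-coordinate are output
MASK = (1 << KEEP_BITS) - 1

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """A point with this x-coordinate, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def xcoord(pt):
    if pt is None:
        raise ValueError("hit the point at infinity (astronomically unlikely)")
    return pt[0]

def find_base_point():
    x = 1
    while True:
        pt = lift_x(x)
        if pt is not None:
            return pt
        x += 1

# Public points. Honest parameters would pick P and Q independently; here the
# "standards author" keeps d secret and publishes P = d*Q. (Demo constants.)
Q = find_base_point()
BACKDOOR_D = 0x2BAD5EED
P = mul(BACKDOOR_D, Q)

def dual_ec_generate(seed, n, P=P, Q=Q):
    """Dual_EC_DRBG core: s_i = x(s_{i-1}*P); output r_i = x(s_i*Q) with top bits dropped."""
    s, outputs = seed, []
    for _ in range(n):
        s = xcoord(mul(s, P))
        outputs.append(xcoord(mul(s, Q)) & MASK)
    return outputs

def backdoor_predict(d, observed, n_predict, P=P, Q=Q):
    """Given d with P = d*Q and at least two consecutive outputs, recover the state
    and predict the next n_predict outputs. Returns None if no candidate fits."""
    for hi in range(1 << DROP_BITS):
        x = (hi << KEEP_BITS) | observed[0]     # re-attach the dropped top bits
        if x >= P_MOD:
            break
        R = lift_x(x)                           # R = +/- s_i*Q; the sign does not matter
        if R is None:
            continue
        dR = mul(d, R)                          # d*R = s_i*d*Q = s_i*P, whose x is s_{i+1}
        if dR is None:
            continue
        s = xcoord(dR)
        ok = True
        for r_obs in observed[1:]:              # confirm the candidate against what we saw
            if (xcoord(mul(s, Q)) & MASK) != r_obs:
                ok = False
                break
            s = xcoord(mul(s, P))
        if not ok:
            continue
        preds = []
        for _ in range(n_predict):
            preds.append(xcoord(mul(s, Q)) & MASK)
            s = xcoord(mul(s, P))
        return preds
    return None

if __name__ == "__main__":
    outs = dual_ec_generate(seed=0x13572468, n=6)
    print("victim's outputs:  ", outs)
    print("attacker predicts: ", backdoor_predict(BACKDOOR_D, outs[:2], 4))
```

Everything the attacker needs is public except d; the truncation of the x-coordinate is the only thing standing between an output and the point that produced it, and on the real curve that is a 2^16 search. The defence is not a patch but a parameter choice: Q must be generated verifiably at random, or the design abandoned, which is what eventually happened.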
Posted by Charles II on August 30, 2013
Also, Danielle Allen on the link between privacy, civil liberties, and civil rights–why one cannot be free unless one can have privacy– here. I diaried this on Daily Kos. The civil rights movement of the 50s and 60s would have been smashed if the government had had the powers it has now.
Posted by Charles II on August 23, 2013
(crossposted with minor revisions at DK)
It’s an odd question, to be sure, but one in response to a very odd event. The Independent is a newspaper that I have traditionally regarded as off the reservation in the very best sense of the term. That is, I have always regarded them as a left-wing newspaper refusing to be marginalized and demanding that issues of importance to the left receive the same attention as those of interest to the rest of the corporate media.
But Glenn Greenwald has published a piece in The Guardian in which he says (to distill it down) that the Independent has published an article which could, perhaps, endanger lives based, according to The Independent, on “documents obtained from the NSA by Edward Snowden” but which, according to Greenwald “clearly did not come from Snowden or any of the journalists with whom he has directly worked.”
For both of those statements to be true, the documents would have to have come from the government based on a list of the documents that Snowden obtained but has not published. They could, for example, have been based on documents supplied from the government based on the (apparently ineffectual) audit of Snowden’s actions or based on decrypts of the materials obtained from Miranda. Once in the public domain, the government could easily use them against Miranda to allege that the materials he has are being used to aid the enemies of Britain.
Greenwald quotes Snowden as saying that:
“It appears that the UK government is now seeking to create an appearance that the Guardian and Washington Post’s disclosures are harmful, and they are doing so by intentionally leaking harmful information to The Independent and attributing it to others.
The Independent’s Oliver Wright has said,
“For the record: The Independent was not leaked or ‘duped’ into publishing today’s front page story by the Government.”
He is receiving a torrent of well-deserved abuse for publishing dodgy material from dodgy sources for dodgy purposes.
The relevant phrases from the Independent are these. They could either serve to identify the site, and therefore endanger the lives of personnel, or provide information about sourcing for the article:
Britain runs a secret internet-monitoring station in the Middle East to intercept and process vast quantities of emails, telephone calls and web traffic on behalf of Western intelligence agencies, The Independent has learnt.
The Independent is not revealing the precise location of the station but information on its activities was contained in the leaked documents obtained from the NSA by Edward Snowden.
installation is regarded as particularly valuable by the British and Americans because it can access submarine cables passing through the region
Many of them came from an internal Wikipedia-style information site called GC-Wiki
The Independent understands that The Guardian agreed to the Government’s request not to publish any material contained in the Snowden documents that could damage national security.
A senior Whitehall source said: “We agreed with The Guardian that our discussions with them would remain confidential”.
It [the intercept station] is part of the surveillance and monitoring system, code-named “Tempora”, …
Across three sites, communications – including telephone calls – are tracked both by satellite dishes and by tapping into underwater fibre-optic cables.
The Middle East station was set up under a warrant signed by the then Foreign Secretary David Miliband