In Discussion of Unmasking Admiral Rogers Gets Closer to Admitting Types of Section 702 Cybersecurity Use

Last Friday, Director of National Intelligence Dan Coats, Director of NSA Mike Rogers, and FBI Director Christopher Wray did an event at Heritage Foundation explaining why we need Section 702 and pretending that we need it without reasonable reforms. I attended Wray’s talk — and even got my question on cybersecurity asked, which he largely dodged (I’ll have more about two troubling things Wray said later). But I missed Rogers’ talk and am just now catching up on it.

In it, he describes a use of Section 702 that goes further than NSA usually does to describe how the authority is used in cybersecurity.

So what are some examples where we’ll unmask? Companies. Cybersecurity. So we’ll report that US company 1 was hacked by the following country, here’s how they got in, here’s where they are, here’s what they’re doing. Part of our responsibility on the US government side is the duty to warn. So how do you warn US company 1 if you don’t even know who US company 1 is? So one of the reasons we do unmasking is, so for example we can take protective to ensure this information is provided to the appropriate individuals.

What Rogers describes is an active hack, by a nation-state (which suggests that rule may not have changed since the 2015 report, based on 2012 Snowden documents, that said NSA could only use 702 against nation-state hackers). The description is not necessarily limited to emails, the type of data NSA likes to pretend it collects in upstream (though it could involve phishing). And the description even includes what is going on at the victim company.

Rogers explains that the NSA would unmask that information so as to be able to warn the victim — something that (via the FBI) happened with the DNC, but something which didn’t happen with a number of other election related hacks.

Of course, Reality Winner is facing prison for having made this clear. The FISA-derived report she is accused of leaking shows how the masking works in practice.

In the case of VR Systems, the targeted company described, it’s not entirely clear whether NSA (through FBI) warned them directly or simply warned the states that used it. But warnings, complete with their name, were issued. And then leaked to the press, presumably by people who aren’t facing prison time.

In any case, this is a thin description of NSA’s use of 702 in cybersecurity investigations. But it is more detail, in public and unclassified form, than has previously been released.


Let MalwareTech Surf! Status Report

There were several developments in the MalwareTech case late last week.

On Friday, there was a status hearing in his case. Before the hearing, the government submitted a status report revealing that they only provided the malware at issue in the case to Hutchins on October 2, two months after arresting him (the judge approved a protection order on August 21). The government provided five malware samples.

The most recent production was made on October 2, 2017, and contained five malware samples, among other things.

There was also a status hearing Friday. In it, the government revealed they have yet to turn over chat logs from an Internet forum — Hutchins will get that next week.

Govt. notes that there is one more disk to be produced – chats from internet forum on disk to be received from FBI next week.

These may be the ones where, the government claims, Hutchins discussed getting paid for the Kronos malware update. If so, it’s another key piece of potentially rebuttable evidence they’ve taken their time handing over to Hutchins.

The government also has discovery from some foreign country that it is not sure it’ll be able to obtain. This is really sketchy. First, as I’ve mentioned, there are no known US victims of this malware. The victims are in other countries. Is this victim related information? Is it information the government otherwise obtained under EO 12333 that it needs to parallel construct to introduce in this case? Is this from Hutchins’ own government?

There is still an amount of discovery from another country. It is unknown whether it can be obtained by the government. Any information obtained by the govt. will be given to the defense.

In any case, why is the government only now trying to get this evidence? They’ve had two months since the arrest, and three since his indictment.

Finally, an interesting piece of good news. The defense declined to commit to a briefing schedule for fear the government might file a superseding indictment. Given the allegations that Hutchins was involved in other stuff, I had feared the government might indict him on those crimes to further pressure him to plea. But in Friday’s hearing they said if they do file a superseding indictment, it’ll be based on the discovery they’ve already provided to Hutchins, meaning it’ll presumably be on the same alleged malware crime and not any unrelated charges.

The defense notes that it does have concerns regarding the possible filing of a Superseding Indictment and whether there will be more discovery in connection with it. The government has given no details as to the possible filing.

The govt. notes that, if it decides to file a Superseding Indictment, it will relate to discovery already produced or to be produced shortly.

Finally, Hutchins’ lawyers are using the earlier promises the judge made and the malfunction of Hutchins’ GPS tracker in a bid to alter the conditions of bail to let Hutchins surf.

During Hutchins’ first hearing in Wisconsin, the judge suggested that after Hutchins had shown a period of compliance, pretrial services could consider lifting his GPS monitoring.

And it will be up to them to decide if — the time at which he’s been sufficiently compliant that they can — they feel comfortable lifting the GPS monitoring, but that will be up to them.

Hutchins’ lawyers reminded the judge of that, even while they provided proof that Hutchins would remain compliant without a curfew or GPS monitoring: Apparently, on a recent trip to the East Coast, his curfew was suspended and his GPS monitor failed, yet he didn’t flee.

Hutchins has continued to comply with his conditions of release, and he traveled to a major city on the East Coast for a few days in September. So that he could catch his early-morning flights, Pretrial Services and the government agreed, with this Court’s approval, that his curfew could be suspended for the duration of his travel. During that trip—through no fault of his own—Mr. Hutchins’ GPS unit refused to take a battery charge and as a result became non-functional. Pretrial Services was alerted to this issue. Mr. Hutchins, of course, did not attempt to flee the country when the GPS unit failed. He simply abided by the rest of his release conditions while on the trip and returned home to Los Angeles as scheduled, where he was fitted with a working GPS unit.

Hutchins’ lawyers argue that the GPS monitor is inconvenient both because it requires two hours each day to charge and because CA’s GPS monitors can’t be brought on planes, so pretrial services has to swap out the CA GPS monitor for a Milwaukee one any time Hutchins needs to fly.

But the real inconvenience, they admit in a footnote, is that Hutchins lives close to glorious CA beaches but can’t swim or surf.

The GPS unit also cannot be submerged in water. This is relevant because Mr. Hutchins is an avid swimmer and surfer. Engaging in these activities would help him maintain a healthy lifestyle and manage the tremendous stress of his difficult situation.

Given the details on discovery released Friday, my suspicion is the government made this a complex case so they could stall on discovery. If they’re going to do that, by all means Hutchins should be able to enjoy his time in CA.

Update: The government has objected to this request, arguing (ignoring the trip to the East Coast) that there’s no new reason Hutchins is requesting this.

Update: Judge Duffin says Hutchins can surf! There’s a detail in the opinion the government may make hay about, but for the moment, Hutchins is off his GPS and curfew. If he doesn’t watch out he’s going to end up staying in LA forever, once he ditches this charge.

Spaced In Time Trash Talk

Welp, moving from Killer Trash Talk to the things that are this weekend takes a lot. Insanity abounds, and is all around. Your healthcare? Yes, that is getting screwed hard. JCPOA (the Iran anti-nuke deal) yes, that too. If it affects the world in an at least semi-positive way, the current President is blowing it all up. The fact that a black man might have even touched on any subject seems to infuriate the dementia ridden sundowning asshole in the West Wing even more.

It is who and what we life forms are now. And it is sickness in every regard, domestically and internationally. Trash Talk was designed to be a refuge from such things. I just cannot anymore. So, if that is a problem, I am sorry. Hopefully we will not stand by, and will not back down, while assclowns like Donald Trump cravenly politicize even common sports entertainment to soothe the 30% base they so cherish.

Nope.

Puerto Rico is dying in their own streets. Northern California is burning. People are trying to ride out the fire in swimming pools as their houses burn around them. While the Trump Administration and GOP sit on their hands, when they are not actively trying to make the entire situation worse. The fuckers are flying on jets, flying flags and making coins in their own image.

But, hey, the NCAA is moving on. Not sure anybody thought anything different would happen in Chapel Hill. Begging the question as to what happens to Louisville, another legacy NCAA basketball program. The NCAA under the terminally lame leadership of Mark Emmert will never change.

In the pros, it is getting hard to figure who is the bigger asshole. Is it Goodell and the NFL, or is it the, at this point, ignorant scorched earth strategy of Jeff Kessler and the NFLPA? The NFLPA is making an ass of itself in trying the everything and the kitchen sink theory as to Zeke Elliot. The NFLPA had a sympathetic plaintiff, Brady, and a supremely tenuous case by the NFL based on simple physics and chemistry. But then the NFL won in the 2nd Circuit. Zeke Elliot is not an all American kid with multiple championships. He is an abusive punk from Ohio State that is lucky the NFL did not find an aggravating act from when he pulled down a woman’s blouse in public during a parade. If you think Elliot has the better case here, you don’t try cases in real courts.

The thing is, whether under federal or state law, and in this case collectively bargained law, the arbitration rules….and the rules ARE “relaxed”….and control. It is about the process, not the facts. I, and a lot of others, tried to argue in the face of this in both Brady and Peterson. Same in Bountygate prior to those two cases. Those arguments were all made in cases with far more appealing clients than a repetitive malefactor like Zeke Elliot. He will serve the suspension, it is only a question of whether he and Jeff Kessler are smart enough to do so soon, or make it later, when it will really hurt a likely playoff team. We shall see whether the NFLPA scorched earth insanity prevails over the interests of Homer Simpson, er Jerry Jones and the Cowboys.

The games go on. The Nationals really ought to still be around, but the Cubs put them to rest. The Yankees somehow overcame Cleveland. Hard to not think the Tribe was the better team, but they didn’t close the deal, and the Yankees did. That said, the conference championships look truly awesome. I think the Astros are not only a better team, but have some juice right now as opposed to the Yanks. Not betting a lot of real money on that, but I think so. The Dodgers are what the Yankees used to be. The best team that all the money in the world can buy. But Chris Hayes made a Trump for Cubs deal with the devil last year, and I hope it still holds, and the Cubs win. If we “have” to have Trump, let the Cubbies win again.

Syracuse obliterated Number 2 Clemson already. Man, that was ugly. So was the job an average Cal did on Pirate Mike Leach and Washington State. Utah at USC should be interesting. Washington at ASU here might be as well, but Chris Peterson is a light years better coach than ASU’s Todd Graham, so ASU likely to get blown out, even at home.

Back to the pros: Philly already topped the Panthers, thanks to a good game by Wentz and a horrible one by Newton. Won’t always be that way, Panthers are dangerous if they get in the playoffs. Skins host the Niners. Will Kirk Cousins be playing on the other team next year? The Pack at Vikings looked really interesting when it looked like Sam Bradford was returning. Less so now, but Case Keenum can produce and they are in Minneapolis with that damn horn they blow. I’ll take Rodgers and the Cheese, but may be a great game.

My game of the week is the Buccos at Cardinals right here in the Big Toaster. Debut of Anthony Peterson at RB for Phoenix. Carson Palmer has quietly played superb QB so far this year for the Cards….when he is not getting murdered from bad, nay atrocious, O-Line play. If Arizona’s constantly remade O-Line can gel and protect the old man, it will be a hell of a game. Not going to bet on that, but just saying. Rams at Jags might actually be interesting. Glad that matchup is, for once, not in London. Other game of the week is unquestionably Scribe’s Steelers at Arrowhead to see the Chefs. I don’t for one second think Big Ben has lost a step, even if he may finally be maturing. But I am not sure that other forces in that locker room are unified the way past Steeler teams are. This will be a HUGE game for Pittsburgh, and less so for KC. I’ll take the upset on this one.

Okay, that is that. Another week. Another dime. Another dollar. Thank you for being here, and send some love to Puerto Rico and Napa.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

On the Kaspersky Hack

When the news first broke that Kaspersky had found NSA’s hacking tools on the computer of a TAO employee working at home, I recalled that Kaspersky had revealed it had gotten hacked in June 2015, right around the time of this breach (and after Kaspersky released a series of reports on US, British, and Israeli spying). Last night, the NYT reported that Israel discovered NSA documents on Kaspersky’s systems while they were hacking the Russian antivirus company.

Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

The WaPo, matching NYT’s story, has yet another ridiculous explanation for why the TAO employee was working at home (though one that probably gets closer to the truth than the other three given thus far),

“There wasn’t any malice,” said one person familiar with the case, who, like others interviewed, spoke on the condition of anonymity to discuss an ongoing case. “It’s just that he was trying to complete the mission, and he needed the tools to do it.”

But the WaPo also reveals that the National Intelligence Council completed a report last month judging that FSB likely had access to Kaspersky’s source code.

Late last month, the National Intelligence Council completed a classified report that it shared with NATO allies concluding that the FSB had “probable access” to Kaspersky customer databases and source code. That access, it concluded, could help enable cyberattacks against U.S. government, commercial and industrial control networks.

Those scoops have drowned out this one from Cyberscoop, which explained that the reason the US first came to suspect Kaspersky is because the FSB told the US to stop snooping on the antivirus firm.

In the first half of 2015, Kaspersky was making aggressive sales pitches to numerous U.S. intelligence and law enforcement agencies, including the FBI and NSA, multiple U.S. officials told CyberScoop. The sales pitch caught officials’ attention inside the FBI’s Counterterrorism Division when Kaspersky representatives boasted they could leverage their product in order to facilitate the capture of targets tied to terrorism in the Middle East. While some were intrigued by the offer, other more technical members of the intelligence community took the pitch to mean that Kaspersky’s anti-virus software could effectively be used as a spying tool, according to current U.S. intelligence officials who received briefings on the matter.

The flirtation between the FBI and Kaspersky went far enough that the bureau began looking closely at the company and interviewing employees in what’s been described by a U.S. intelligence official as “due diligence” after Counterterrorism Division officials viewed Kaspersky’s offerings with interest.

The examination of Kaspersky was immediately noticed in Moscow. In the middle of July 2015, a group of CIA officials were called into a Moscow meeting with officials from the FSB, the successor to the KGB. The message, delivered as a diplomatic démarche, was clear: Do not interfere with Kaspersky.

These stories still are almost certainly revealing just a fraction of the story. All ignore Kaspersky’s reports laying out US and allies’ spying tools (explaining why Israel might hack Kaspersky and share the details, if not the work). And the most logical explanation for the FSB démarche is that Kaspersky — as they said at the time — reported the hack to their relevant law enforcement agency, which is the FSB, who in turn yelled at the CIA.

None of that is to minimize the intrusiveness of Kaspersky’s software. It’s just to remind that the US does this stuff too, and like Russia, requires compliance from US based software companies (though recent court decisions have required compliance on data for the entire globe).

Which is something the NYT admits, but doesn’t detail.

The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

Finally, one other thing that could be going on here: all these entities do piggyback hacks on each other, and in fact it’s the first thing most of their tools do when they breach targeted systems — look who else is already there so you can see what they’re stealing and usually take your own copy.

Which means it’s possible that Russia found the NSA files by piggybacking on Israel. Or vice versa. Or, it could be nothing more complex than FSB taking the files it found while it responded to the Kaspersky hack and using them themselves.

None of this yet explains where the Shadow Brokers’ tools came from (though I think the method may be similar). But I’ll return to that later this week.

PureVPN Doesn’t Need to Keep Logs Given How Many Google Keeps

There’s a cyber-stalking case in MA that has a lot of people questioning whether or not VPNs keep serial cyber-stalkers safe from the FBI. In it, Ryan Lin is accused of stalking a former roommate, referred to by the pseudonym Jennifer Smith in the affidavit, as well as conducting some bomb hoaxes and other incidents of stalking (if these accusations are true he’s a total shithole with severe control problems).

Because the affidavit in the case refers to tying Lin’s usage to several VPNs, it has been read to confirm that PureVPN, especially, has been keeping historic logs of users, contrary to their public claims. To be clear: you can never know whether a VPN is honest about keeping logs or not, and simply having a VPN on your computer might provide a means of compromise (sort of like an anti-virus) that makes you more vulnerable. But I don’t think the affidavit, by itself (particularly with a great deal of the evidence in the case still hidden), confirms PureVPN is keeping logs. Rather, I think the account matching described in the affidavit shows the FBI could have identified which VPNs Lin used via orders to Google, Facebook, and other tech companies, and using that, obtained a pen register on PureVPN collecting prospective traffic. I don’t think what is shown proves that FBI obtained historic logs (though it doesn’t disprove it either).

One thing to understand about this case is that Lin would have been the suspect right from the start, because his stalking started while he still lived with Smith, and intensified right after his roommates got him evicted. Plus, some of his stalking of Smith and others involved his real social media accounts. That means that, at a very early stage in this investigation, FBI would have been able to get all this information from Google and Facebook, which his victims knew he used.

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as [] the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as [] the accounts in Part 1). [my emphasis]

So very early in the investigation (almost certainly 2016), the FBI would have started obtaining every IP address that Lin was using to access Google and Facebook, and any accounts tied to the IP addresses used to log into his known accounts.

Instagram IDs WAN usage

Now consider the different references to VPNs in the affidavit. First, in February 2017, Lin registered a new Instagram account via WAN Security, one of the three VPNs listed.

February 2017: Lin registers Instagram account via WAN Security, also uses it to send email from [email protected] to local police department

That would mean that from the time FBI learned he used WAN to register with Instagram, the FBI would have known he used that service, and probably would have had a very good idea which WAN server he logged into by default.

Gmail ties WAN usage to other pseudonymous accounts

Then, FBI tracked April 2017 activity to connect Lin to an anonymous account at a service called Rover that he used to stalk people.

  • April 14, 2017, 14:55:52: Lin’s Gmail address accessed from IP address tied to WANSecurity server
  • April 14, 2017, 15:06:27: “Ashley Plano,” using [email protected], accessed Rover via same WANSecurity server
  • April 17, 2017, 21:54:25: “Ashley Plano” accesses Rover via Secure Internet server
  • April 17, 2017, 23:19:12: Lin’s Gmail address accessed via same Secure Internet server
  • April 18, 2017, 23:48:28: Lin’s Gmail address accessed via same Secure Internet server
  • April 19, 2017, 00:30:11: Ashley Plano account accessed via same Secure Internet server
  • April 24, 2017 (unspecified times): Lin’s Gmail and [email protected] email account accessed via same Secure Internet server

The WAN Security usage would have been accessible from Lin’s Gmail account (and would have been known since at least February). A subpoena to Rover after reports it was used for stalking would have likewise shown the WAN Security usage and times (assuming their logs are that detailed).

The Secure Internet use would have likewise shown up in his Gmail usage. Matching that to the Rover logs would have been the same process as with the WAN Security usage. And matching Lin’s known Gmail to his (alleged) pseudonymous teleportx email would have been done by Google itself, matching other accounts accessed by the IP Lin used (though they would have had to weed out other multiple Secure Internet server users).

In other words, this stuff could have come — and almost certainly did — from 2703(d) order returns available with a relevance standard, probably starting months before this activity.
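The account matching the post walks through, as an added example (not code from the post or the affidavit): link records from two services by shared source IP within a short time window, then count how many distinct exit servers corroborate each pair. The log records, IP addresses and the two-hour window are constructed assumptions that mirror the April timeline above; the point is that one shared VPN exit is weak evidence, while co-occurrence behind two different servers is what makes the link stick.

```python
"""Correlate pseudonymous accounts through shared VPN exit IPs.

Added example, not from the original post. Records are constructed to
mirror the affidavit's April 2017 timeline; the IP addresses, the exact
April 24 times and the log layout are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (service, account, source_ip, timestamp).
# 198.51.100.10 stands in for the WANSecurity server, 203.0.113.25 for
# the Secure Internet server; neither address is from the affidavit.
RECORDS = [
    ("gmail", "lin@example",        "198.51.100.10", "2017-04-14 14:55:52"),
    ("rover", "ashley.plano",       "198.51.100.10", "2017-04-14 15:06:27"),
    ("rover", "ashley.plano",       "203.0.113.25",  "2017-04-17 21:54:25"),
    ("gmail", "lin@example",        "203.0.113.25",  "2017-04-17 23:19:12"),
    ("gmail", "lin@example",        "203.0.113.25",  "2017-04-18 23:48:28"),
    ("rover", "ashley.plano",       "203.0.113.25",  "2017-04-19 00:30:11"),
    # an unrelated customer behind the same exit server (constructed)
    ("rover", "someone.else",       "203.0.113.25",  "2017-04-21 08:00:00"),
    # April 24: affidavit gives no times, so these are assumed
    ("gmail", "teleportfx@example", "203.0.113.25",  "2017-04-24 09:12:00"),
    ("gmail", "lin@example",        "203.0.113.25",  "2017-04-24 09:40:00"),
]


def parse(records):
    """Turn the string timestamps into datetime objects."""
    return [(svc, acct, ip, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            for svc, acct, ip, ts in records]


def coincidences(records, window=timedelta(hours=2)):
    """Map each pair of distinct accounts to the (ip, t_a, t_b) events in
    which both were seen from the same source IP within `window`."""
    by_ip = defaultdict(list)
    for _svc, acct, ip, t in parse(records):
        by_ip[ip].append((acct, t))
    links = defaultdict(list)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[1])
        for i, (acct_a, t_a) in enumerate(events):
            for acct_b, t_b in events[i + 1:]:
                if t_b - t_a > window:
                    break          # events are sorted; nothing later fits
                if acct_a != acct_b:
                    links[tuple(sorted((acct_a, acct_b)))].append((ip, t_a, t_b))
    return links


def strength(links):
    """Number of distinct exit IPs corroborating each pair. Every customer
    on a VPN server shares its exit IP, so one shared IP is weak; the same
    two accounts co-occurring behind two or more servers is much stronger."""
    return {pair: len({ip for ip, _, _ in ev}) for pair, ev in links.items()}


def strong_links(records, window=timedelta(hours=2), min_ips=2):
    """Pairs corroborated by at least `min_ips` distinct exit servers."""
    scored = strength(coincidences(records, window))
    return sorted(pair for pair, n in scored.items() if n >= min_ips)


if __name__ == "__main__":
    links = coincidences(RECORDS)
    for pair, n in strength(links).items():
        print(f"{pair[0]} <-> {pair[1]}: {len(links[pair])} coincidences "
              f"across {n} exit server(s)")
    print("strong links:", strong_links(RECORDS))
```

On these constructed records the lin/teleportfx pair is seen behind only one server, so it stays a weak link that would need the kind of Google-side account matching the post describes; the unrelated customer never co-occurs inside the window and is dropped.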

Work computer confirms PureVPN usage, may provide account number

Then there’s this information, tying Lin’s work computer to PureVPN.

July 24, 2017: Lin fired by his unnamed software company employer — he asks, but is denied, to access his work computer to sign out of accounts

August 29, 2017: FBI agents find “Artifacts indicat[ing] that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer.”

What is not mentioned here is whether the “artifact” that showed Lin, like a fucking moron, loaded PureVPN onto his work computer also included him loading his PureVPN account number onto the computer. I think the vagueness here is intentional — both to keep the information from us and from Lin (at least until he signs a protection order). I also think this discussion, while useful for establishing probable cause to search his house, is also a feint. I suspect they already had Lin tied to PureVPN, and probably to a specific account there.

FBI’s not telling when and how they IDed Lin’s PureVPN usage, but Google would have had it

Which leads us to this language, which is the stuff that has everyone wigged out about PureVPN keeping logs.

Further, records from PureVPN show that the same email accounts–Lin’s gmail account and the teleportfx gmail account–were accessed from the same WANSecurity IP address. Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.

[snip]

PureVPN also features prominently in the cyberstalking campaign, and the search of Lin’s workplace computer showed access of PureVPN.

Unlike almost every reference in this affidavit, there’s no date attached to this knowledge. It appears after the work computer language, leaving the impression that the knowledge came after the work computer access. But particularly since FBI alleges Lin used PureVPN for a lot of his stalking, they probably were looking at PureVPN much earlier.

One thing is certain: FBI could have easily IDed a known PureVPN server accessing Lin’s Gmail account and the teleportfx one FBI identified at least as early as April, months before finding PureVPN loaded onto his work computer.

The FBI doesn’t say which victims Lin accessed via PureVPN or when, only that it figured prominently. It does say, however, that PureVPN identified use from both Lin’s home and work addresses.

Most importantly, FBI doesn’t say when they asked PureVPN about all this. Nothing in this affidavit rules out the FBI serving PureVPN with a PRTT to track ongoing usage tied to Lin’s known accounts (rather than historical usage tied to them). Mind you, there’s nothing to rule out historical logs either (as the affidavit also notes, Lin at one point tweeted something indicating knowledge that VPNs will at least keep access information tied to users).

Here’s the thing, though: if you’re using the same Gmail account tied to the same home IP to access three different VPN providers, often on the same day, your VPN usage is going to be identified from Google’s extensive log keeping. It is an open question what the FBI can do with that knowledge once they have it — whether they can only collect prospective information or whether a provider is going to have some useful historical knowledge to share. But the FBI didn’t need historic logs from PureVPN to get to Lin.


The Conflicting Homework Explanations in Three Kaspersky Stories

There are now three versions of the Kaspersky story from yesterday, reporting that a TAO employee brought files home from work and used them on his laptop running Kaspersky AV, which ultimately led to Russia getting the files. I’m interested in the three different explanations for why he brought the files home.

WSJ says he brought them home “possibly to continue working beyond his normal office hours.”

People familiar with the matter said he is thought to have purposely taken home numerous documents and other materials from NSA headquarters, possibly to continue working beyond his normal office hours.

WaPo (which has been reporting on this guy since last November) says he brought files he was working on to replace ones burned by Snowden.

The employee had taken classified material home to work on it on his computer,

[snip]

The material the employee took included hacking tools he was helping to develop to replace ­others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter.

NYT says he brought files home to refer to as he worked on his resume.

Officials believe he took the material home — an egregious violation of agency rules and the law — because he wanted to refer to it as he worked on his résumé

While the WSJ and WaPo stories don’t conflict, they are different, with the poignant detail that NSA lost hacking files even as it tried to replace Snowden ones.

Meanwhile, none of these stories say this guy got any punishment besides removal from his job (from all his jobs? does he still work for the US government?). And while the NYT says prosecutors in Maryland are “handling” his case, they don’t believe he has been charged.

While federal prosecutors in Maryland are handling the case, the agency employee who took the documents home does not appear to have been charged.

But all of these stories go way too easy on this guy, as compared to the way sources would treat any other person (aside from James Cartwright) caught improperly handling classified information. As the WSJ makes clear, Admiral Rogers — not this guy — was supposed to lose his job as a result of this breach.

Then-Defense Secretary Ash Carter and then-Director of National Intelligence James Clapper pushed President Barack Obama to remove Adm. Rogers as NSA head, due in part to the number of data breaches on his watch, according to several officials familiar with the matter.

So I suspect there is a more complex story about why he had these files at home, if that’s in fact what he did.

Remember, NSA’s hackers don’t launch attacks sitting in Fort Meade. They launch the attacks from some other location. Both Shadow Brokers

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.

And WikiLeaks have said that’s how they got their US hacking files.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In other words, I suspect at least part of this story is an attempt to package this compromise (which is not the Shadow Brokers source, but may be the same method) in a way that doesn’t make the NSA look totally incompetent.

Update: In this thread, Jonathan Nichols points out that the Vulnerabilities Equities Process has a big loophole.

Vulnerabilities identified during the course of federally-sponsored open and unclassified research, whether in the public domain or at a government agency, FFRDC, National Lab, or other company doing work on behalf of the USG need not be put through the process. Information related to such vulnerabilities, however, does require notification to the Executive Secretariat, which shall notify process participants for purposes of general USG awareness.

That is, one way to avoid the VEP process altogether (and therefore potential notice to companies) is to do the research and development of those systems on unclassified systems. Which would be an especially big problem if you were running KAV.

Which might also explain why none of the stories explaining how this guy’s files got compromised make sense.

Kaspersky and the Third Major Breach of NSA’s Hacking Tools

The WSJ has a huge scoop that many are taking to explain why the US has banned Kaspersky software.

Some NSA contractor took some files home in (the story says) 2015 and put them on his home computer, where he was running Kaspersky AV. That led Kaspersky to discover the files. That somehow (the story doesn’t say) led hackers working for the Russian state to identify and steal the documents.

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.

Way down in the story, however, is this disclosure: US investigators believe Kaspersky’s AV identified the files, but isn’t sure whether Kaspersky told the Russian government.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Given the timing, it’s worth considering several other details about the dispute between the US and Kaspersky. (This was all written for another post that I’ll return to.)

The roots of Kaspersky’s troubles in 2015

Amid the reporting on Eugene Kaspersky’s potential visit to testify to Congress, Reuters reported the visit would be Kaspersky’s first visit to the US since spring 2015.

Kaspersky told NBC News in July that he was not currently traveling to the United States because he was “worried about some unexpected problems” if he did, citing the “ruined relationship” between Moscow and Washington.

Kaspersky Lab did not immediately respond when asked when its chief executive was last in the United States. A source familiar with U.S. inquiries into the company said he had not been to the United States since spring of 2015.

A link in that Reuters piece suggests Kaspersky’s concern dates back to August 2015 Reuters reporting, based off leaked emails and interviews with former Kaspersky employees, that suggests the anti-virus firm used fake files to trick its competitors into blocking legitimate files, all in an effort to expose their theft of Kaspersky’s work. A more recent reporting strand, again based on leaked emails, dates to the same 2009 time period and accuses Kaspersky of working with FSB (which in Russia, handles both spying and cybersecurity — though ostensibly again, that’s how the FBI works here).

But two events precede that reporting. In June 2015, Kaspersky revealed that it (and a bunch of locales where negotiations over the Iran deal took place) had been infected by Duqu 2.0, a threat related to Stuxnet.

Kaspersky says the attackers became entrenched in its networks some time last year. For what purpose? To siphon intelligence about nation-state attacks the company is investigating—a case of the watchers watching the watchers who are watching them. They also wanted to learn how Kaspersky’s detection software works so they could devise ways to avoid getting caught. Too late, however: Kaspersky found them recently while testing a new product designed to uncover exactly the kind of attack the intruders had launched.

[snip]

Kaspersky is still trying to determine how much data the attackers stole. The thieves, as with the previous Duqu 2011 attack, embedded the purloined data inside blank image files to slip it out, which Raiu says “makes it difficult to estimate the volume of information that was actually transferred.” But at least, he says, it doesn’t appear that the attackers were out to infect Kaspersky customers through its networks or products. Kaspersky claims to have more than 400 million users worldwide.

Which brings us to what the presumed NSA hackers were looking for:

The attackers were primarily interested in Kaspersky’s work on APT nation-state attacks–especially with the Equation Group and Regin campaigns. Regin was a sophisticated spy tool Kaspersky found in the wild last year that was used to hack the Belgian telecom Belgacom and the European Commission. It’s believed to have been developed by the UK’s intelligence agency GCHQ.

The Equation Group is the name Kaspersky gave an attack team behind a suite of different surveillance tools it exposed earlier this year. These tools are believed to be the same ones disclosed in the so-called NSA ANT catalogue published in 2013 by journalists in Germany. The interest in attacks attributed to the NSA and GCHQ is not surprising if indeed the nation behind Duqu 2.0 is Israel.

Kaspersky released its Equation Group whitepaper in February 2015. It released its Regin whitepaper in November 2014.

One thing that I found particularly interesting in the Equation Group whitepaper — in re-reading it after ShadowBrokers released a bunch of Equation Group tools — is that the report offers very little explanation of how Kaspersky was able to find so many samples of the NSA malware that the report makes clear is almost impossible to find. The only explanation is this CD attack.

One such incident involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The compromised CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install it onto the victim’s machine. The exact method by which these CDs were interdicted is unknown. We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, don’t end up on a CD by accident.

But none of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

So to sum up, Eugene Kaspersky’s reluctance to visit the US dates back to a period when 1) Kaspersky’s researchers released detailed analysis of some of NSA and GCHQ’s key tools, which seems to have led to 2) an NSA hack of Kaspersky, which in turn shortly preceded 3) some reporting based off unexplained emails floating accusations of unfair competition dating back to 2009 and earlier.

We now know all that came after Kaspersky found at least some of these tools sitting on some NSA contractor’s home laptop.

This still doesn’t explain how Russian hackers figured out precisely where Kaspersky was getting this information from — which is a real question, but not one the WSJ piece answers.

But reading those reports again, especially the Equation Group one, should make it clear how the Russian government could have discovered that Kaspersky had discovered these tools.

Putin Discovers He Needs to Indict Another Russian Hacker

Back when Russian hacker Yevgeniy Nikulin got arrested in Prague in association with US charges of hacking LinkedIn and Dropbox, Russia quickly delivered up its own, far more minor indictment of him to set off a battle over his extradition. Months later, Nikulin’s legal team publicized a claim that an FBI Agent had discussed a deal with him, related to the hack of the DNC — a claim that is not as nuts as it seems (because a number of the people hacked had passwords exposed in those breaches). Whatever the reason, Russia clearly would like to keep Nikulin out of US custody.

And not long after Russian hacker Alexander Vinnik got detained in Greece related to the BTC-e charges, Russia dug up an indictment for him too. Russia has emphasized crypto-currencies of late, so it’s understandable why they’d want to keep a guy alleged to be an expert at using crypto-currencies to launder money out of US hands.

What’s a more interesting question is why Russia waited so long to manufacture a Russian indictment for Pyotr Levashov, the alleged culprit behind the Kelihos bot, who is currently facing extradition to the US from Spain. Levashov was detained in April, but Russia only claimed they wanted him, too, a few weeks ago, around the same time Levashov started claiming he had spied on behalf of Putin’s party.

Perhaps it’s harder to manufacture a Russian indictment on someone the state had had no problem with before. Perhaps Russia has just decided this ploy is working and has few downsides. Or perhaps other events — maybe the arrest of Marcus Hutchins in August or the extradition back to the UK of Daniel Kaye in September — have made Levashov’s exposure here in the US even more problematic for Russia.

But I find it really curious that it took five months after Levashov got arrested for the Russians to decide it’d be worth claiming they want to arrest him too.

Update: Spain has approved Levashov’s extradition to the US.

Facebook Anonymously Admits It IDed Guccifer 2.0 in Real Time

The headline of this story focuses on how Obama, in the weeks after the election, nine days before the White House declared the election, “free and fair from a cybersecurity perspective,” begged Mark Zuckerberg to take the threat of fake news seriously.

Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, Obama warned, it would only get worse in the next presidential race.

But 26 paragraphs later, WaPo reveals a detail that should totally change the spin of the article: in June, Facebook not only detected APT 28’s involvement in the operation (which I heard at the time), but also informed the FBI about it (which, along with the further details, I didn’t).

It turned out that Facebook, without realizing it, had stumbled into the Russian operation as it was getting underway in June 2016.

At the time, cybersecurity experts at the company were tracking a Russian hacker group known as APT28, or Fancy Bear, which U.S. intelligence officials considered an arm of the Russian military intelligence service, the GRU, according to people familiar with Facebook’s activities.

Members of the Russian hacker group were best known for stealing military plans and data from political targets, so the security experts assumed that they were planning some sort of espionage operation — not a far-reaching disinformation campaign designed to shape the outcome of the U.S. presidential race.

Facebook executives shared with the FBI their suspicions that a Russian espionage operation was in the works, a person familiar with the matter said. An FBI spokesperson had no immediate comment.

Soon thereafter, Facebook’s cyber experts found evidence that members of APT28 were setting up a series of shadowy accounts — including a persona known as Guccifer 2.0 and a Facebook page called DCLeaks — to promote stolen emails and other documents during the presidential race. Facebook officials once again contacted the FBI to share what they had seen.

Like the U.S. government, Facebook didn’t foresee the wave of disinformation that was coming and the political pressure that followed. The company then grappled with a series of hard choices designed to shore up its own systems without impinging on free discourse for its users around the world. [my emphasis]

But the story doesn’t provide the details you would expect from such disclosures.

For example, where did Facebook see Guccifer 2.0? Did Guccifer 2.0 try to set up a Facebook account? Or, as sounds more likely given the description, did he/they use Facebook as a signup for the WordPress site?

More significantly, what did Facebook do with the DC Leaks account, described explicitly?

It seems Facebook identified, and — at least in the DC Leaks case — shut down, an APT 28 attempt to use its infrastructure. And it told FBI about it, at a time when the DNC was withholding its server from the FBI.

This puts this passage from Facebook’s April report, which I’ve pointed to repeatedly, in very different context.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

In other words, Facebook had reached this conclusion back in June 2016, and told FBI about it, twice.

And then what happened?

Again, I’m sympathetic to the urge to blame Facebook for this election. But this article describes Facebook’s heavy-handed efforts to serve as a wing of the government to police terrorist content, without revealing that sometimes Facebook has erred in censoring content that shouldn’t have been censored. Then, it reveals Facebook reported Guccifer 2.0 and DC Leaks to FBI, twice, with no further description of what FBI did with those leads.

Yet from all that, it headlines Facebook’s insufficient efforts to track down other abuses of the platform.

I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was.

How to Read the DHS Targeted States Information

Yesterday, DHS informed the states that had their registration databases targeted by Russian hackers last year. There has been an outright panic about the news since states started revealing they got notice, so I thought it worthwhile to describe what we should take away from the notice and subsequent reporting:

  • “Most” of the 21 targeted states were not successfully hacked
  • Some targeted states were successfully hacked
  • Not all swing states were targeted, not all targeted states are swing states
  • These hacks generally do not involve vote tallying
  • These hacks do not involve hacking voting machines
  • These hacks do not involve other voter suppression methods — whether by GOP or Russians
  • Notice needs to improve

The AP has done good work tracking down which states got notice they were targeted, identifying the 21 targeted states. Those targeted states were:

  1. Alabama
  2. Alaska
  3. Arizona
  4. California
  5. Colorado
  6. Connecticut
  7. Delaware
  8. Florida
  9. Illinois
  10. Iowa
  11. Maryland
  12. Minnesota
  13. North Dakota
  14. Ohio
  15. Oklahoma
  16. Oregon
  17. Pennsylvania
  18. Texas
  19. Virginia
  20. Washington
  21. Wisconsin


“Most” of the 21 targeted states were not successfully hacked

This list of 21 states does not mean that Russians successfully hacked 21 states. All it means is Russians probed 21 states. And the AP says “most” were not successful. WI, WA, and MN have said the attacks on them were not successful.

Thus, for “most” of these states, the impact is the same as the reports that Russians were attempting, unsuccessfully, to phish engineers in the energy industry: it is cause for concern, but unless new intelligence becomes available, it means that for those “most” states these probes could not affect the election.

Some targeted states were successfully probed

Of course, by saying that “most” attacks were not successful, you’re admitting that “some” were. We only know IL and AZ to have successfully been breached.

This means this story may not be done yet: reporters, especially state based ones, are going to have to get their voting officials to provide details about the attacks and it may take some FOIA work.

Mind you, a successful hack still doesn’t mean that the election was affected (as I believe to be the understanding with respect to AZ, though there is more dispute about IL). It might be that the hackers just succeeded in getting into the database. It may be that they succeeded only in downloading the voter registration database — which in many states, is readily available, and which is nowhere near the most interesting available data for targeting in any case.

In my opinion, the most effective way to affect the outcome of the election via voter registration databases is not to download and use it for targeting, but instead, to alter the database, selectively eliminating or voiding the registration of voters in targeted precincts (which of course means the hackers would need to come in with some notion of targets). Even changing addresses would have the effect of creating lines at the polls.

Altering the database would have the same effect as an existing GOP tactic does. In many states, GOP secretaries of state very aggressively purge infrequent voters. Particularly for transient voters (especially students, but poorer voters are also more likely to move from year to year), a voter may not get notice they’ve been purged. This ensures that the purged voter cannot vote, and it also slows the voting process for voters who are registered. In other words, that’s the big risk here — that hackers will do things to make it impossible for some voters to vote, and harder for others to do so.
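The integrity risk described in the two paragraphs above, as an added example that is not part of the original post: a short Python check that pins a known-good registration export by hash, diffs a later export against it record by record, and flags precincts where registrations were voided, removed or re-addressed in a cluster rather than as the scattered churn a normal year produces. The record layout, field names, precinct threshold and every voter record below are constructed assumptions, not data from any real state.

```python
"""Detect selective alteration of a voter-registration export.

Added illustration, not code from the post: a later export is compared
against a pinned baseline, and precincts where registrations were voided,
removed or re-addressed in a cluster are flagged. Ordinary year-to-year
churn (a single move) should not trip the check. All records, field names
and the precinct threshold below are constructed assumptions.
"""
import hashlib
import json
from collections import Counter

# Constructed baseline export: voter_id -> record.
BASELINE = {
    "V001": {"name": "A. Lee",    "address": "10 Elm St", "precinct": "P-12", "status": "active"},
    "V002": {"name": "B. Ortiz",  "address": "12 Elm St", "precinct": "P-12", "status": "active"},
    "V003": {"name": "C. Nguyen", "address": "14 Elm St", "precinct": "P-12", "status": "active"},
    "V004": {"name": "D. Patel",  "address": "16 Elm St", "precinct": "P-12", "status": "active"},
    "V005": {"name": "E. Brown",  "address": "3 Oak Ave", "precinct": "P-07", "status": "active"},
    "V006": {"name": "F. Kim",    "address": "5 Oak Ave", "precinct": "P-07", "status": "active"},
}

# Constructed later export: three P-12 records voided or re-addressed
# (the pattern the post warns about) and one ordinary move in P-07.
LATER = {
    "V001": {"name": "A. Lee",    "address": "10 Elm St",     "precinct": "P-12", "status": "inactive"},
    "V002": {"name": "B. Ortiz",  "address": "99 Nowhere Rd", "precinct": "P-12", "status": "active"},
    "V003": {"name": "C. Nguyen", "address": "14 Elm St",     "precinct": "P-12", "status": "inactive"},
    "V004": {"name": "D. Patel",  "address": "16 Elm St",     "precinct": "P-12", "status": "active"},
    "V005": {"name": "E. Brown",  "address": "8 Pine Ct",     "precinct": "P-07", "status": "active"},
    "V006": {"name": "F. Kim",    "address": "5 Oak Ave",     "precinct": "P-07", "status": "active"},
}


def snapshot_digest(snapshot):
    """SHA-256 of a canonical JSON serialisation, so a known-good export can
    be pinned out of band (printed, logged, signed) and any later export
    checked against it before a record-level diff is even attempted."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(before, after):
    """Return one change event per altered field; removed or added records
    are reported as a single event on the pseudo-field 'record'."""
    events = []
    for vid in sorted(set(before) | set(after)):
        if vid not in after:
            events.append({"voter_id": vid, "field": "record", "old": "present",
                           "new": "removed", "precinct": before[vid]["precinct"]})
            continue
        if vid not in before:
            events.append({"voter_id": vid, "field": "record", "old": "absent",
                           "new": "added", "precinct": after[vid]["precinct"]})
            continue
        for field in sorted(set(before[vid]) | set(after[vid])):
            old, new = before[vid].get(field), after[vid].get(field)
            if old != new:
                events.append({"voter_id": vid, "field": field, "old": old,
                               "new": new, "precinct": before[vid]["precinct"]})
    return events


def is_suppressive(event):
    """A change that could keep someone from voting or send them to the
    wrong polling place: a voided status, a removed record, or a new address."""
    if event["field"] == "record":
        return event["new"] == "removed"
    if event["field"] == "status":
        return event["new"] != "active"
    return event["field"] == "address"


def flag_clustered_changes(events, threshold=3):
    """Count suppressive changes per precinct and return the precincts at or
    above the threshold. The threshold is a placeholder; calibrate it
    against the normal churn observed in past exports."""
    per_precinct = Counter(e["precinct"] for e in events if is_suppressive(e))
    return {p: n for p, n in per_precinct.items() if n >= threshold}


if __name__ == "__main__":
    print("baseline digest:", snapshot_digest(BASELINE))
    if snapshot_digest(LATER) != snapshot_digest(BASELINE):
        for p, n in flag_clustered_changes(diff_snapshots(BASELINE, LATER)).items():
            print(f"precinct {p}: {n} suppressive changes, review before polls open")
```

The digest is the cheap first gate: if an export matches the pinned baseline there is nothing to review, and if it does not, the record-level diff says what changed and where. The precinct clustering is what separates the post's scenario (many voiders or address changes concentrated in chosen precincts) from routine churn, which is why the threshold has to be set from a state's own historical exports rather than guessed.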

Not all swing states were targeted, not all targeted states are swing states

The list of targeted states is very curious. Some targeted states are obvious swing states — WI, PA, FL, and VA were four of the five states where the election was decided. But MI is not on there, and NC, another close state, is not either.

In addition, a lot of these states are solidly red, like AL and OK. A lot of them are equally solidly blue, like CA and CT. So if the Russians had a grand scheme here, it was not (just) to flip swing states.

These hacks generally do not involve vote tallying

DHS has said that these hacks do not involve vote tallying. That means these disclosed probes, even assuming they were successful, are not going to explain what may seem to be abnormalities in particular states’ tallies.

These hacks do not involve hacking voting machines

Nor do these hacks involve hacking voting machines (which is covered, in any case, by the denial that it involves vote tallying).

Yes, voting machines are incredibly vulnerable. Yes, it would be child’s play for a hacker — Russian or American — to hack individual voting machines. With limited exceptions, there has been no real assessment of whether individual machines got hacked (though it’d generally be easier to affect a local race that way than the presidential).

These hacks do not involve other voter suppression methods — whether by GOP or Russians

This list of 21 targeted states does not represent the known universe of Russian voting-related hacking.

It does not, for example, include the targeting of voting infrastructure contractors, such as VR Systems (which Reality Winner faces prison for disclosing). There’s good reason to at least suspect that the VR Systems hack may have affected NC’s outcome by causing the most Democratic counties to shift to paper voting books, resulting in confusion and delays in those counties that didn’t exist in more Republican ones.

And they don’t include any Russian social media-related support or suppression, which we’re getting closer to having proof of right now.

Importantly, don’t forget that we know Republicans were engaging in all these techniques as well, with far better funding. Russians didn’t need to hack WI and NC given how much organized suppression of voters of color took place. Republican secretaries of state had the power to purge voters on trumped up excuses without engaging in any hacking.

Do not let the focus on Russian tampering distract from the far more effective Republican suppression.

Notice needs to be improved

Finally, the other big story about this is that some states only got notice they were targeted yesterday, some even after having partnered with DHS to assess their voting infrastructure.

DHS has used classification, in part, to justify this silence, which is an issue the Intelligence Committees are trying to address in next year’s authorization. But that’s particularly hard to justify given that many of these same states have run elections since.

Mind you, we’re likely to see this debate move to the next level — to demanding that state officials disclose full details about their state’s infrastructure to citizens.

In any case, if we’re to be able to use democratic pressure to ensure the infrastructure of democracy gets better protected, we’re going to need more notice.