Info Security Firms and Their Antivirus Software Monitored (Hacked?) by NSA, GCHQ

/14 Comments/in /by

[NSA slide indicated info sec AV firms targeted for surveillance]

[NSA slide indicated info sec AV firms targeted for surveillance]

Let’s call this post a work in progress. I’m still reading through a pile of reporting from different outlets to see if it’s all the same information but rebranded, or if there’s a particular insight one outlet picked up, missed by the rest. Here are a few I’ve been working on today:

7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)

7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)

9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)

12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)

12:57 pm*  – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica)(*unclear if this is original post time or time update posted))

~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)

The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.

For the general public, it’s important to note two things:

— Which firms were not targeted (that we know of);

— Understand the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.

Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.

There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.

And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.

EDIT — 5:55 pm EDT —

And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If as the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.

But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, electricals systems, especially in North America.

EDIT — 1:15 am EDT 23JUN2015 —

At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.

It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.

The Curious Case of Stuxnet and North Korea: Why the News-Dumped Confession?

/2 Comments/in , /by
Map, NK's proliferation trading partners (see PBS' Frontline: Kim's Nuclear Gamble)

Map, NK’s proliferation trading partners (see PBS’ Frontline: Kim’s Nuclear Gamble)

In news dump territory — 2:59 p.m. on a Friday afternoon following this last Memorial Day, to be exact — Reuters published an EXCLUSIVE story in which anonymous sources claimed the U.S. launched a cyber attack on North Korea using a modified version of Stuxnet.

This is hardly news. It’s rather a confirmation by an anonymous source, likely a government official, of the Stuxnet program’s wider aims. This was discussed here at emptywheel in 2013.

Far too much of North Korea’s nuclear energy development program looked like Iran’s for Stuxnet not to be a viable counter-proliferation tool if North Korea had succeeded with uranium enrichment.

And far too much information had been shared in tandem between North Korea, Iran, and Syria on nuclear energy and missile development (see image), for Stuxnet not to have a broader range of targets than Iran’s Natanz facility.

Let’s assume folks are savvy enough to know the Stuxnet program had more than Iran in its sights.

Why, dear “people familiar with the covert campaign,” was the confirmation to Reuters now — meaning, years after the likely attempt, and years after Stuxnet was discovered in the wild?

And how convenient this confession, five days before Kaspersky Lab revealed the existence of Duqu 2.0? Did someone “familiar with the covert campaign” believe the admission would be lost in Duqu-related news?

With the confession, though, begins a volley of exchanges:

  • North Korea has now shut down uncensored 3G wireless service to foreigners, likely in response to this confession. While most Americans were still basking in the slow pace of the national holiday week to the exclusion of foreign policy news, North Korea was certainly paying attention.
  • But NK also has a second reason for shutting down wireless. They may be anticipating increased numbers of foreign aid workers delivering foodstuffs, given their remarkable admission that their country is suffering from the worst drought in 100 years.
  • While not absolute proof that NK has halted their nuclear development, recent satellite imagery shows signs of construction but a reactor not in full operation. The publication of such observation hints broadly to NK’s leadership that the U.S. hasn’t given up on counter-proliferation.

It’s anybody’s guess what the next lob will look like, especially after NK’s foreign minister met with China for reasons believed connected to drought aid.

You can bet there will be some effort to exchange nuclear inspection access for trade and aid, as previously negotiated during Bill Clinton’s administration.

 

Vaporous Voids: Questions Remain About Duqu 2.0 Malware

/6 Comments/in , /by

Cybersecurity_MerrillCollegeofJournalismThe use of stolen Foxconn digital certificates in Duqu 2.0 gnaws at me, but I can’t put my finger on what exactly disturbs me. As detailed as reporting has been, there’s not enough information about this malware’s creation. Nor is there enough detail about its targeting of Kaspersky Lab and the P5+1 talks with Iran.

Kaspersky Lab carefully managed release of Duqu 2.0 news — from information security firm’s initial post and an op-ed, through the first wave of media reports. There’s surely information withheld from the public, about which no other entities know besides Kaspersky Lab and the hackers.

Is it withheld information that nags, leaving vaporous voids in the story’s context? Possibly.

But there are other puzzle pieces floating around without a home, parts that fit into a multi-dimensional image. They may fit into this story if enough information emerges.

Putting aside how much Duqu 2.0 hurts trust in certificates, how did hackers steal any from Foxconn? Did the hackers break into Foxconn’s network? Did they intercept communications to/from Foxconn? Did they hack another certificate authority?

If they broke into Foxconn, did they use the same approach the NSA used to hack Syria — with success this time? You may recall the NSA try to hack Syria’s communications in 2012, by inserting an exploit into a router. But in doing so, the NSA bricked the router. Because the device was DOA, the NSA could not undo its work and left evidence of hacking behind. The router’s crash took out Syria’s internet. Rapid recovery of service preoccupied the Syrians so much that they didn’t investigate the cause of the crash.

The NSA was ready to deny the operation, though, should the Syrians discover the hack:

…Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Did the NSA’s attempted hack of Syria in 2012 provide direction along with added incentive for Duqu 2.0? The failed Syria hack demonstrated evidence must disappear with loss of power should an attempt crash a device — but the malware must have adequate persistence in targeted network. NSA’s readiness to blame Israel for the failed Syria hack may also have encouraged a fuck-you approach to hacking the P5+1 Iran talks. Read more

DOJ Is Back On The Baseball Beat; Is Their Past Prologue?

/21 Comments/in , , /by

Clems-Investigation-MapWhile it is not quite as exciting as Trump!-mania, the other news this morning is that DOJ is getting back into the baseball game. Having brought responsibility to the financial sector, sent the Wall Street scourges all to prison, and accountability to out of control warrior cops, DOJ is now focused like a laser on computer hacking by the St. Louis Cardinals. From the New York Times:

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.

The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

The attack would represent the first known case of corporate espionage in which a professional sports team hacked the network of another team. Illegal intrusions into companies’ networks have become commonplace, but it is generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics.

Ay caramba, so the, arguably consistently best organization in MLB, the Cardinals, was hacking the consistently worst, or close thereto, team the Astros, in an effort to get ahead? Who is running the Cardinals these days, Bill Belichick? This is almost too stupid to be true, but there it is, in glaring black and white. Hard not to smell a full blown Congressional hearing inquest coming too, because that is just how they roll on The Hill. Maybe after their summer vacation.

But, all kidding aside, while the US government does not have a reputation for securing their own networks, it is scary to think what resources may be spent on what is effectively a civil matter between two baseball teams. It is always instructive to remember the ridiculous amount of time and money DOJ expended fruitlessly pursuing Roger Clemens. If you had forgotten my report on the DOJ Clemens absurdity, in its full graphical clarity, from almost exactly three years ago, click on and embiggen the graphic above, which is an official DOJ creation by the way, and recall all its sickening glory.

This is without even getting into the idiotic, and humiliatingly losing, pursuit DOJ made of Barry Bonds. It is hard to tell where DOJ is going, or how far it will go, with this excursion into a pissing match between two professional sports franchises, but if past is prologue, count on DOJ wasting an absolute ton of your and my tax money.

So, when the Department of Justice and Executive Branch come hat in hand screaming for more “cyber” resources and funding, remember just what it is they are doing with that money and those resources to date. And remember just how terminally stupid this case, and DOJ investigation into it, really is.

NYT Buries the Ineffective CyberSecurity Lede

/18 Comments/in /by

The NYT has a story today headlined,

Senate Rejects Measure to Strengthen Cybersecurity

In paragraph 12 of the story — after portraying the horse race details of Mitch McConnell and Richard Burr’s attempt to push through CISA yesterday and then reviewing how devastating the Office of Personnel Management hack is — NYT reports,
The bills before Congress would not directly address the attack on the Office of Personnel Management systems, which resulted from a series of missteps that included the use of outdated detection technology, a failure to employ basic authentication techniques most Americans use for online banking, having not acted on previous security recommendations, and a lack of encryption on the data.
The story then embraces a do something, do anything approach it says is backed by experts, plural, of which it only cites one, a contractor in information sharing:

However, the attack bore a similar signature as those on two insurance companies and underscored the overall need for Congress to advance new policies, experts said.

“It is as clear as a bell to me that this is case and point in favor of information sharing,” said Paul Kurtz, who worked on the issue under in the Clinton, Bush and Obama administrations, and is the chief executive of TruStar, which aids companies in information sharing. “It is really terribly unfortunate that this measure failed because of the politics on Capitol Hill.”

It’s all very nice for the NYT to “report” this as a matter of Congressional dysfunction — as an example of stupid politics getting in the way of protecting the country. But even the evidence the story itself presents suggests a different story: the solution being pursued by Congress would not actually fix our most urgent cybersecurity problems. The real story is about Congressional dysfunction, but of a different kind.

Indeed, the lede and headline of the story should be something like,

Congress Responds to Devastating Hack by Pushing Bill that Wouldn’t Help

Had the NYT reported that story, it might have found far more experts, who would explain in more detail why there are a long list of things we should do before facilitating information sharing with expansive immunity and obscurity.

But somehow, it didn’t report that story, even though that’s what the evidence it presents supports.

Big Data: An Alternate Reason for Hacks Past and Future?

/11 Comments/in , /by

[Fracking sites, location unknown (Simon Fraser University via Flickr)]

[Fracking sites, location unknown (Simon Fraser University via Flickr)]

On Monday, MIT’s Technology Review published an interesting read: Big Data Will Keep the Shale Boom Rolling.

Big Data. Industry players are relying on large sets of data collected across the field to make decisions. They’re not looking at daily price points alone in the market place, or at monthly and quarterly business performance. They’re evaluating comprehensive amounts of data over time, and some in real time as it is collected and distributed.

Which leads to an Aha! moment. The fastest entrant to market with the most complete and reliable data has a competitive advantage. But what if the fastest to market snatches others’ production data, faster than the data’s producer can use it when marketing their product?

One might ask who would hack fossil fuel companies’ data. The most obvious, logical answers are:

— anti-fossil fuel hackers cutting into production;
— retaliatory nation-state agents conducting cyber warfare;
— criminals looking for cash; and
— more benign scrip kiddies defacing property for fun.

But what if the hackers are none of the above? What if the hackers are other competitors (who by coincidence may be state-owned businesses) seeking information about the market ahead?

What would that look like? We’re talking really big money, impacting entire nation-state economies by breach-culled data. The kind of money that can buy governments’ silence and cooperation. Would it look as obvious as Nation A breaking the digital lock on Company B’s oil production? Or would it look far more subtle, far more deniable? Read more

Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

/17 Comments/in , /by

Cybersecurity_MerrillCollegeofJournalismKaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email? Read more

Because Government Employees Have Been Spied On, Richard Burr Wants All of Us To Be

/4 Comments/in /by

Predictably, Richard Burr has used the news of the Office of Personnel Management hack to renew his efforts to pass CISA. Burr added it as an amendment to the National Defense Authorization Act yesterday, stating,

The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals.  In passing the Cybersecurity Information Sharing Act with an overwhelmingly bipartisan vote of 14-1, the Committee recognized the extreme threat posed by our adversaries who, in addition to the OPM breach, have stolen hundreds of millions of Americans’ personal information in the last year alone, swiped intellectual property, and conducted attacks on our agencies.  Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans. We can no longer simply watch Americans’ personal information continue to be compromised. This bill is long needed and will help us combat threats to our country and our economy.

Remember, OPM was warned in a series of IG Reports that it didn’t have adequate protection for the Federal government workers’ data it stored. Congressional overseers, like Burr, did nothing to force OPM to improve security, just as the Intelligence Committees have tried for years to get National Security agencies to provide better checks on insider threats and other security problems, but never succeeded in actually getting them to do so.

So Burr’s response to neglect is to do something else that wouldn’t prevent the OPM hack. But it would effectively gut ECPA and FOIA, all in the name of information sharing which is about the 20th most effective way to combat hacking.

This is sheer incompetence from a legislative standpoint — pushing through an ineffective solution when faced with mounting evidence it wouldn’t work, all so as to increase spying on Americans.

But then, that seems to be Burr’s aspiration: to increase spying regardless of the efficacy of it.

Both Patrick Leahy and Ron Wyden released statements in response to Burr’s move. I’m intrigued by the way they note no one has been able to see the amendments Wyden tried to push through in the committee.
Leahy:

The Intelligence Committee’s information sharing bill will affect the privacy rights of all Americans, yet it has been cloaked in secrecy. It was considered behind closed doors, without a public hearing or public debate. We cannot even read the text of amendments considered at the mark up of this legislation. Senator Burr’s information sharing bill also erodes Americans’ right to know what their government is doing by weakening the Freedom of Information Act. I am deeply concerned that the Republican Leader now wants the Senate to pass this information sharing bill without any opportunity for the kind of public debate it needs. This is not the transparent and meaningful committee process the Republican Leader promised just months ago. I agree that we must do more to protect our cybersecurity, but this information sharing bill should not be considered as a last-minute amendment to yet another bill that was negotiated and considered behind closed doors. The privacy of millions of Americans is at stake. The American people deserve an open debate about legislation that would dramatically expand the amount of information about them that companies can share with agencies throughout the federal government.

Wyden:

“Senate Republican leaders are trying to make a bad defense bill worse by adding a flawed cybersecurity bill,” Wyden said.

“If Senator McConnell insists on attaching the flawed CISA bill to unrelated legislation, I will be fighting to ensure the Senate has a full debate and a chance to offer amendments to add vital protections for American privacy and address the threats to our cybersecurity.

Cybersecurity threats demand thoughtful solutions, not half-baked efforts that don’t address the real problems. CISA would create a way for the government to obtain Americans’ information without a warrant, and without adequate protections to protect their privacy. Most security experts agree that encouraging private companies to share more information with the government would have done little if anything to prevent recent data breaches.

In Advance of FISA Amendments Act Reauthorization, DOJ Did Not Tell Congress about Cyber Signature Collection

/5 Comments/in , /by

As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.

But first, there’s one more detail that deserves its own post.

By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of [] cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”

And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.

On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:

Screen Shot 2015-06-08 at 8.13.37 AM

Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.

It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would even have restricted NSA from obtaining domestically collected cyber data, reflecting real skepticism about spying for cybersecurity purposes in the US.

If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.

Whatever the merit to using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises real questions about whether the practice was authorized and would have been authorized by Congress. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).

The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA only asks for for forgiveness after the fact rather than asking for permission before the collection.

Why Is the Aramco Hack Considered a Significant NSA Milestone?

/8 Comments/in , , /by

Screen Shot 2015-06-06 at 10.04.57 AMI’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.

For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).

But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?

The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is generally now described as Iranian retaliation for StuxNet. Though at the time, potential attribution ranged from hacktivists, a single hacker, or Aramco insiders. The Sony hack used tools related to the Shamoon attack.

Not long after the Aramco hack, the NSA expanded their Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the leader) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.

So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.

But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?