(1) Russian Kaspersky researchers expose NSA spyware within hard drives
(2) NSA spyware within hard drives survives military-grade disk wiping and formatting
(3) US IT companies lose sales over complicity in NSA spying
(4) NSA and GCHQ hack mobile phones
(5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful
(6) Spooks can track a mobile phone by looking at battery power
(7) Smart TVs & phones listen in on users' personal conversations
(8) Energy companies need insurance cover for cyber attack 'time bomb'

(1) Russian Kaspersky researchers expose NSA spyware within hard drives
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216
Russian researchers expose breakthrough U.S. spying program
By Joseph Menn SAN FRANCISCO Mon Feb 16, 2015 5:10pm EST
NSA is infecting hard drives with difficult to detect spying software, report says
JOSEPH MENN, REUTERS | February 17, 2015 | Last Updated: Feb 17 1:07 PM ET

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives. That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations. Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence. A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it. NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky report but would not comment on it publicly. Kaspersky on Monday published the technical details of its research, a move that could help infected institutions detect the spying programs, some of which trace back as far as 2001. The disclosure could hurt the NSA’s surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden’s revelations have upset some U.S. allies and slowed the sales of U.S. technology products abroad. The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection. Peter Swire, one of five members of U.S. President Barack Obama’s Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering. “There can be serious negative effects on other U.S. interests,” Swire said.
According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on. Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up. “The hardware will be able to infect the computer over and over,” lead Kaspersky researcher Costin Raiu said in an interview. Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections. Kaspersky’s reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd. Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment. Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily. “There is zero chance that someone could rewrite the [hard drive] operating system using public information,” Raiu said.
Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies. It is not clear how the NSA may have obtained the hard drives’ source code. Western Digital spokesman Steve Shattuck said the company “has not provided its source code to government agencies.” The other hard drive makers would not say if they had shared their source code with the NSA. Seagate spokesman Clive Over said it has “secure measures to prevent tampering or reverse engineering of its firmware and other technologies.” Micron spokesman Daniel Francisco said the company took the security of its products seriously and “we are not aware of any instances of foreign code.” According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe. “They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,’” said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.” The NSA declined to comment on any allegations in the Kaspersky report. Vines said the agency complies with the law and White House directives to protect the United States and its allies “from a wide array of serious threats.” Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas. 
The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said. Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as “zero days,” which strongly suggested collaboration by the authors, Raiu said. He added that it was “quite possible” that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus. (Reporting by Joseph Menn; Editing by Tiffany Wu)

(2) NSA spyware within hard drives survives military-grade disk wiping and formatting
http://www.csmonitor.com/USA/USA-Update/2015/0217/Did-the-NSA-embed-spyware-in-your-computer
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
How "omnipotent" hackers tied to NSA hid for 14 years--and were found at last
"Equation Group" ran the most advanced hacking operation ever uncovered.
by Dan Goodin - Feb 17, 2015 5:00am AEST

CANCUN, Mexico -- In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail. It wasn't the first time the operators--dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab--had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library.
(Kaspersky settled on the name Equation Group because of members' strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.) Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

A long list of almost superhuman technical feats illustrates Equation Group's extraordinary skill, painstaking work, and unlimited resources. They include:
* The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
* The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.
* Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
* The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
* USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren't connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
* An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware. "It seems to me Equation Group are the ones with the coolest toys," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame." In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA--but they provided detailed evidence that strongly implicates the US spy agency. First is the group's known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail. Second, a highly advanced keylogger in the Equation Group library refers to itself as "Grok" in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined "How the NSA Plans to Infect 'Millions' of Computers with Malware." The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok.
Third, other Equation Group source code makes reference to "STRAITACID" and "STRAITSHOOTER." The code words bear a striking resemblance to "STRAITBIZARRE," one of the most advanced malware platforms used by the NSA's Tailored Access Operations unit. Besides sharing the unconventional spelling "strait," Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable "shooter." In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger. Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities--including two that were later incorporated into Stuxnet. The similarities don't stop there. Equation Group malware dubbed GrayFish encrypted its payload with a 1,000-iteration hash of the target machine's unique NTFS object ID. The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. The technique closely resembles one used to conceal a potentially potent warhead in Gauss, a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.) Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers--a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. 
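The GrayFish payload-encryption scheme described above (a key derived from a 1,000-iteration hash of the victim's NTFS object ID, so the encrypted payload is useless to anyone without that machine's disk image) can be reproduced in a few lines. What follows is an added example written for this page, not Kaspersky's analysis code or the Equation Group's implant: the two object IDs are constructed, SHA-256 is an assumed choice of hash (the text gives only the iteration count), and HMAC-SHA256 in counter mode stands in for whatever cipher the real implant used, so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for the 16-byte NTFS volume object ID an implant would
# read from the victim's disk (assumption: the real implant reads it from NTFS).
VICTIM_OBJECT_ID = bytes.fromhex("3f2a9c1d4b6e8f0a1c2d3e4f5a6b7c8d")
OTHER_OBJECT_ID = bytes.fromhex("00112233445566778899aabbccddeeff")

ITERATIONS = 1000               # iteration count as reported in the text
PAYLOAD_MAGIC = b"MZ\x90\x00"   # PE-style header used to recognise a good decrypt


def derive_key(object_id: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash the object ID repeatedly; SHA-256 is an assumed choice of hash."""
    digest = object_id
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest  # 32 bytes, bound to this machine only


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_key(data: bytes, object_id: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the machine-bound key."""
    ks = keystream(derive_key(object_id), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def try_unpack(blob: bytes, object_id: bytes) -> Optional[bytes]:
    """Return the payload only if it decrypts to something with the expected header.

    With any object ID but the victim's, the output is noise and the header never
    appears, which is what stops an analyst who lacks the original disk image.
    """
    candidate = xor_with_key(blob, object_id)
    return candidate if candidate.startswith(PAYLOAD_MAGIC) else None


if __name__ == "__main__":
    payload = PAYLOAD_MAGIC + b"<constructed stage payload, not real code>"
    blob = xor_with_key(payload, VICTIM_OBJECT_ID)
    print("decrypts on the victim machine:", try_unpack(blob, VICTIM_OBJECT_ID) is not None)
    print("decrypts with a different object ID:", try_unpack(blob, OTHER_OBJECT_ID) is not None)
```

The practical consequence for incident response is the second print line: a sample pulled off one host cannot be unpacked on another, so the raw disk image (or at least the volume's object ID) has to be preserved alongside the encrypted artifact before the machine is rebuilt.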
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove. While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions. "This is an incredibly complicated thing that was achieved by these guys, and they didn't do it for one kind of hard drive brand," Raiu said. "It's very dangerous and bad because once a hard drive gets infected with this malicious payload it's impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware. It's simply not possible to do that." One of the most intriguing elements of Equation Group is its suspected use of interdiction to infect targets. Besides speaking to the group's organization and advanced capabilities, such interceptions demonstrate the lengths to which the group will go to infect people of interest. The CD from the 2009 Houston conference--which Kaspersky declined to identify, except to say it was related to science--tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don't know precisely how the malicious content wound up on the disc. 
"It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents," Raiu said. "Our best guess is that the organizers didn't act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants." Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser. The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered. Given how little is known about the interdictions, they weren't likely to have been used often. A separate method of infection relied on a worm introduced in 2008 that Kaspersky has dubbed Fanny, after a text string that appears in one of the zero-day exploits used by the worm to self-replicate. The then-unknown vulnerability resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is connected to a PC. By embedding malicious code inside the .LNK files, a booby-trapped stick could automatically infect the connected computer even when its autorun feature was turned off. The self-replication and lack of any dependence on a network connection made the vulnerability ideal for infecting air-gapped machines. (The .LNK vulnerability is classified as CVE-2010-2568.) Some two years after first playing its role in Fanny, the .LNK exploit was added to a version of Stuxnet so that the worm could automatically spread through highly sensitive computers in Iran. Fanny also relied on an elevation-of-privilege vulnerability that was a zero day at the time the worm was introduced. In 2009, the exploit also made its way into Stuxnet, but by then, Microsoft had patched the underlying bug with the release of MS09-025. 
A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle's Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn't infecting only end user computers--it was also booby-trapping servers known to be accessed by targeted end users.

Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor's username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is "unregistered," an indication that attackers didn't want to infect visitors who weren't logged in. The second hash had not been deciphered when the article was published (a later update to the article reported that it had since been cracked). "We could not crack this MD5, despite using considerable power for several weeks, which makes us believe [the plaintext username] is a relatively complex one," Raiu said. "It definitely indicates that whoever is behind this username should not be infected by the Equation Group, [and] actually it shouldn't even see the exploit. I would assume this is either one of the group members (a fake identity), one of their partners, or a known identity of a previously infected victim." The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt.
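The gating that PHP script performed is easy to reconstruct, and the same structure (hash-based username exclusions plus a country denylist ahead of the exploit redirect) is what a defender should look for when reviewing a suspected watering-hole site. The following is an added example written for this page, not the script Kaspersky recovered: the two MD5 values are the ones quoted above, the ISO country codes are an assumption about how a geo-IP lookup would report Jordan, Turkey and Egypt, and the visitor list is constructed. The dictionary-attack helper shows why an unsalted MD5 of a short username is only a weak secret.

```python
import hashlib
from typing import Iterable, List, Optional, Set, Tuple

# MD5 values quoted in the text: visitors whose MD5(username) matches are not
# served the exploit. The first is reported to be "unregistered"; the second was
# uncracked at the time of the report.
SKIP_USERNAME_MD5: Set[str] = {
    "84b8026b3f5e6dcfb29e82e0b0b0f386",
    "e6d290a03b70cfa5d4451da444bdea39",
}
# The text names Jordan, Turkey and Egypt; the ISO codes are an assumption about
# how a geo-IP lookup would report them.
SKIP_COUNTRIES: Set[str] = {"JO", "TR", "EG"}


def username_md5(username: str) -> str:
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def serve_exploit(username: str, country: str,
                  skip_hashes: Set[str] = SKIP_USERNAME_MD5,
                  skip_countries: Set[str] = SKIP_COUNTRIES) -> bool:
    """Mirror the gate: protected usernames and three countries never see the exploit."""
    if username_md5(username) in skip_hashes:
        return False
    if country.upper() in skip_countries:
        return False
    return True


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted MD5 such as the two above."""
    target_hex = target_hex.lower()
    for word in candidates:
        if username_md5(word) == target_hex:
            return word
    return None


def triage(visitors: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Run (username, country) pairs through the gate and record the decision."""
    return [(user, country, serve_exploit(user, country)) for user, country in visitors]


if __name__ == "__main__":
    # Constructed visitors, not real log data.
    visitors = [("unregistered", "US"), ("analyst42", "JO"), ("analyst42", "DE")]
    for user, country, served in triage(visitors):
        print(f"{user:>14} {country}  exploit served: {served}")
    # Check the reported plaintext of the first hash against a tiny wordlist.
    print("first hash cracks to:",
          crack_md5("84b8026b3f5e6dcfb29e82e0b0b0f386",
                    ["guest", "anonymous", "unregistered"]))
```

For the uncracked hash the brute-force loop is the whole story: a username long or random enough to survive "considerable power for several weeks" is exactly the kind of operator or partner identity the quote describes, and the only way to recover it is a better wordlist, not more CPU.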
Kaspersky observed users visiting the site who didn't meet any of these exceptions, yet they still weren't attacked--an indication that an additional level of filtering spared all but the most sought-after targets who visited the site. More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205 where the h value (that is, the text following the "h=") appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they're being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:
* 0044c9bfeaac9a51e77b921e3295dcd91ce3956a
* 06cf1af1d018cf4b0b3e6cfffca3fbb8c4cd362e
* 3ef06b6fac44a2a3cbf4b8a557495f36c72c4aa6
* 5b1efb3dbf50e0460bc3d2ea74ed2bebf768f4f7
* 930d7ed2bdce9b513ebecd3a38041b709f5c2990
* e9537a36a035b08121539fd5d5dcda9fb6336423

The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling. "This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well," Kaspersky's report published Monday explained. "Otherwise, the exploitation URL can simply be removed for these." The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.

Six codenames

In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:
EquationLaser: an early implant in use from 2001 to 2004.
DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target.
People who are confirmed get upgraded to either EquationDrug or GrayFish.
EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data. It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.
GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys--and possibly drivers of other programs--to bypass Windows code-signing requirements.
Figure caption (GrayFish boot chain): The VBR (Volume Boot Record) is a special area of the disk that is responsible for loading the operating system. The Pill is an injected piece of code ("blue pill", "red pill" - Matrix references) that is responsible for hijacking the OS loading. It works by carefully altering the loading mechanism to include malicious code that the OS blindly "swallows." The BBSVC service is another GRAYFISH mechanism used when the Pill cannot be injected, for some unknown reason. It loads further stages of Grayfish at the time the OS starts. In essence, it's a weaker mechanism than the pill, because it exposes one single malicious executable on the hard drive of the victims. This is why BBSVC is a polymorphic executable, filled with gibberish and random data to make it hard to detect. The platform kernel "fvexpy.sys" is one of the core components of Grayfish.
It is designed to run in Windows kernel mode and provide functions for the platform components. GrayFish is the crowning achievement of the Equation Group. The malware platform is so complex that Kaspersky researchers still understand only a fraction of its capabilities and inner workings. Key to the sophistication of GrayFish is its bootkit, which allows it to take extraordinarily granular control of the machines it infects. "This allows it to control the launching of Windows at each stage," Kaspersky's written report explained. "In fact, after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly."
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-connected computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.

No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years. Kaspersky first came upon the Equation Group in March 2014, while researching the Regin software that infected Belgacom and a variety of other targets.
In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine "Magnet of Threats" because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers' interest and turned out to be an EquationDrug module. Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels. Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines. One of the most severe renewal failures involved a channel that controlled computers infected by "EquationLaser," an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn't; Kaspersky acquired it and EquationLaser-infected machines still report to it. "It's really surprising to see there are victims around the world infected with this malware from 12 years ago," Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India. Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.
The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run. Another key piece of information gleaned by Kaspersky: some machines infected by Equation Group are the "patients zero" that were used to seed the Stuxnet worm so it would travel downstream and infect Iran's Natanz facility. "It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload," Kaspersky researchers wrote in their report. Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string "-standalonegrok_2.1.1.1" that accompanies a highly advanced keylogger tied to Equation Group. Another potentially damaging artifact found by Kaspersky is the Windows directory path of "c:\users\rmgree5" belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn't a randomly generated account name, it may be possible to link it to a developer's real-world identity if the handle has been used for other accounts or if it corresponds to a developer's real-world name such as "Richard Gree" or "Robert Greenberg." Kaspersky researchers still don't know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents.
The remaining artifacts are:
* SKYHOOKCHOW
* prkMtx - unique mutex used by the Equation Group's exploitation library ("PrivLib")
* "SF" - as in "SFInstall", "SFConfig"
* "UR", "URInstall" - "Performing UR-specific post-install..."
* "implant" - from "Timeout waiting for the "canInstallNow" event from the implant-specific EXE!"
* STEALTHFIGHTER - (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00)
* DRINKPARSLEY - (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
* STRAITACID - (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
* LUTEUSOBSTOS - (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)
* STRAITSHOOTER - STRAITSHOOTER30.exe
* DESERTWINTER - c:\desert~2\desert~3\objfre_w2K_x86\i386\DesertWinterDriver.pdb

Hacking without a budget

The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit.

Update: Reuters reporter Joseph Menn said the hard-drive firmware capability has been confirmed by two former government employees. He wrote: A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
Update: Several hours after this post went live, NSA officials e-mailed the following statement to Ars: We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details. On January 17, 2014, the President gave a detailed address about our signals intelligence activities, and he also issued Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly many times, we continue to abide by the commitments made in the President's speech and PPD-28. The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations. What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet. "The discovery of the Equation Group is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more," Raiu said. "Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown." (3) US IT companies lose sales over complicity in NSA spying http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html Revelations of N.S.A. Spying Cost U.S. Tech Companies By CLAIRE CAIN MILLER, MARCH 21, 2014 SAN FRANCISCO -- Microsoft has lost customers, including the government of Brazil. 
IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government. And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency's vast surveillance program. Even as Washington grapples with the diplomatic and political fallout of Mr. Snowden's leaks, the more urgent issue, companies and analysts say, is economic. Technology executives, including Mark Zuckerberg of Facebook, raised the issue when they went to the White House on Friday for a meeting with President Obama. It is impossible to see now the full economic ramifications of the spying disclosures -- in part because most companies are locked in multiyear contracts -- but the pieces are beginning to add up as businesses question the trustworthiness of American technology products. The confirmation hearing last week for the new N.S.A. chief, the video appearance of Mr. Snowden at a technology conference in Texas and the drip of new details about government spying have kept attention focused on an issue that many tech executives hoped would go away. Despite the tech companies' assertions that they provide information on their customers only when required under law -- and not knowingly through a back door -- the perception that they enabled the spying program has lingered. "It's clear to every single tech company that this is affecting their bottom line," said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016. 
Forrester Research, a technology research firm, said the losses could be as high as $180 billion, or 25 percent of industry revenue, based on the size of the cloud computing, web hosting and outsourcing markets and the worst case for damages. The business effect of the disclosures about the N.S.A. is felt most in the daily conversations between tech companies with products to pitch and their wary customers. The topic of surveillance, which rarely came up before, is now "the new normal" in these conversations, as one tech company executive described it. "We're hearing from customers, especially global enterprise customers, that they care more than ever about where their content is stored and how it is used and secured," said John E. Frank, deputy general counsel at Microsoft, which has been publicizing that it allows customers to store their data in Microsoft data centers in certain countries. At the same time, Mr. Castro said, companies say they believe the federal government is only making a bad situation worse. "Most of the companies in this space are very frustrated because there hasn't been any kind of response that's made it so they can go back to their customers and say, 'See, this is what's different now, you can trust us again,' " he said. In some cases, that has meant forgoing potential revenue. Though it is hard to quantify missed opportunities, American businesses are being left off some requests for proposals from foreign customers that previously would have included them, said James Staten, a cloud computing analyst at Forrester who has read clients' requests for proposals. There are German companies, Mr. Staten said, "explicitly not inviting certain American companies to join." He added, "It's like, 'Well, the very best vendor to do this is IBM, and you didn't invite them.' " The result has been a boon for foreign companies. 
Runbox, a Norwegian email service that markets itself as an alternative to American services like Gmail and says it does not comply with foreign court orders seeking personal information, reported a 34 percent annual increase in customers after news of the N.S.A. surveillance. Brazil and the European Union, which had used American undersea cables for intercontinental communication, last month decided to build their own cables between Brazil and Portugal, and gave the contract to Brazilian and Spanish companies. Brazil also announced plans to abandon Microsoft Outlook for its own email system that uses Brazilian data centers. Mark J. Barrenechea, chief executive of OpenText, Canada's largest software company, said an anti-American attitude took root after the passage of the Patriot Act, the counterterrorism law passed after 9/11 that expanded the government's surveillance powers. But "the volume of the discussion has risen significantly post-Snowden," he said. For instance, after the N.S.A. surveillance was revealed, one of OpenText's clients, a global steel manufacturer based in Britain, demanded that its data not cross United States borders. "Issues like privacy are more important than finding the cheapest price," said Matthias Kunisch, a German software executive who spurned United States cloud computing providers for Deutsche Telekom. "Because of Snowden, our customers have the perception that American companies have connections to the N.S.A." Security analysts say that ultimately the fallout from Mr. Snowden's revelations could mimic what happened to Huawei, the Chinese technology and telecommunications company, which was forced to abandon major acquisitions and contracts when American lawmakers claimed that the company's products contained a backdoor for the People's Liberation Army of China -- even though this claim was never definitively verified. 
Silicon Valley companies have complained to government officials that federal actions are hurting American technology businesses. But companies fall silent when it comes to specifics about economic harm, whether to avoid frightening shareholders or because it is too early to produce concrete evidence. "The companies need to keep the priority on the government to do something about it, but they don't have the evidence to go to the government and say billions of dollars are not coming to this country," Mr. Staten said. Some American companies say the business hit has been minor at most. John T. Chambers, the chief executive of Cisco Systems, said in an interview that the N.S.A. disclosures had not affected Cisco's sales "in a major way." Although deals in Europe and Asia have been slower to close, he said, they are still being completed -- an experience echoed by several other computing companies. Still, the business blowback can be felt in other ways than lost customers. Security analysts say tech companies have collectively spent millions and possibly billions of dollars adding state-of-the-art encryption features to consumer services, like Google search and Microsoft Outlook, and to the cables that link data centers at Google, Yahoo and other companies. IBM said in January that it would spend $1.2 billion to build 15 new data centers, including in London, Hong Kong and Sydney, Australia, to lure foreign customers that are sensitive about the location of their data. Salesforce.com announced similar plans this month. Germany and Brazil, where it was revealed that the N.S.A. spied on government leaders, have been particularly adversarial toward American companies and the government. Lawmakers, including in Germany, are considering legislation that would make it costly or even technically impossible for American tech companies to operate inside their borders. Yet some government officials say laws like this could have a motive other than protecting privacy. 
Shutting out American companies "means more business for local companies," Richard A. Clarke, a former White House counterterrorism adviser, said last month. Contributing reporting were Quentin Hardy and Nicole Perlroth from San Francisco, David E. Sanger from Washington, Mark Scott from London, Dan Horch from São Paulo, Brazil, and Ian Austen from Ottawa. A version of this article appears in print on March 22, 2014, on page A1 of the New York edition with the headline: N.S.A. Spying Imposing Cost on Tech Firms. (4) NSA and GCHQ hack mobile phones http://abcnews.go.com/International/wireStory/rights-groups-call-action-reported-us-uk-phone-29099593 Rights Groups Call for Action Over Reported US-UK Phone Hack LONDON -- Feb 20, 2015, 1:55 PM ET By SYLVIA HUI Associated Press Rights organizations on Friday called for urgent steps to be taken to protect private calls and online communications after allegations that U.S. and British agencies hacked into the networks of a major SIM card maker. The World Wide Web Foundation, founded by Web inventor Tim Berners-Lee, said the alleged hacking by the National Security Agency and its British counterpart, GCHQ, was "another worrying sign that these agencies think they are above the law." The claims of the hack into Netherlands-based company Gemalto came from documents given to journalists by whistleblower Edward Snowden. A story about the documents posted Thursday on the website The Intercept said the agencies hacked into Gemalto's networks to steal codes that allow both governments to seamlessly eavesdrop on mobile phones worldwide. In an email to The Associated Press on Friday, GCHQ said it does not comment on intelligence matters. However, it said all of its work was legal and its "interception regime" fully complies with the European Convention on Human Rights. 
Privacy International, which recently won an unprecedented court victory against GCHQ in the wake of the Snowden revelations, said that the electronic eavesdropping agency had lost its way. "In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross," Privacy International Deputy Director Eric King said in a statement. "Hacking into law-abiding companies, spying on their employees and stealing their data should never be considered 'fair game,'" he added. "Their actions have undermined the security of us all." Yet hacking into law-abiding companies, and inducing foreigners to commit treason by spilling secrets, are standard practices of spy agencies throughout the world. The U.S. and Britain happen to be more proficient than most. There is no international treaty laying out the rules of espionage, cyber or otherwise. The NSA hacks into companies in friendly nations for all sorts of reasons, say former intelligence officials who declined to be quoted discussing classified operations. The CIA, and its Russian, Chinese, French and British counterparts, pay foreigners to supply information in violation of the laws of their countries. One question being raised by some of the Snowden leaks is whether the public in the U.S. and Europe are willing to rein in their digital spying services if it means rendering them less effective. Another question is whether the benefits of a particular surveillance method are worth the fallout in the event it is disclosed. In Germany, opposition lawmakers have called for a parliamentary hearing on the reported hacking. An aide to Green Party lawmaker Konstantin von Notz said the hearing would likely take place Wednesday and could call on witnesses from Germany's domestic and foreign intelligence agencies to testify. 
Germany is the only country that has launched a parliamentary inquiry into the activities of the NSA and GCHQ in the wake of the Snowden revelations. ------ AP Intelligence Writer Ken Dilanian in Washington D.C. and Frank Jordans in Berlin contributed to this report. (5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful Date: Sun, 22 Feb 2015 23:18:48 +0000 From: "penninecottage@hush.com" <penninecottage@hush.com> https://www.privacyinternational.org/?q=node/485 Victory! UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful by Eric King 6 February 2015 Privacy International, Bytes for All and other human rights groups are celebrating a major victory against the Five Eyes today as the UK surveillance tribunal rules that GCHQ acted unlawfully in accessing millions of private communications collected by the NSA up until December 2014. Today’s judgement represents a monumental leap forward in efforts to make intelligence agencies such as GCHQ and NSA accountable to the millions of individuals whose privacy they have violated. The case was only possible thanks to NSA whistleblower Edward Snowden whose leaked documents provided the facts needed to challenge the long-standing intelligence sharing relationship. His greatest fear was that "nothing would change." Today's success vindicates his admirable acts and shows the power of public scrutiny and transparency of State power. Numbers game The receipt of unanalysed intercepted material from partners like NSA makes up a huge percentage of the raw data that GCHQ crunches through. Through their secret intelligence sharing relationship with the NSA, GCHQ has had intermittently unrestricted access to PRISM - NSA's means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. 
GCHQ also has had access to the NSA’s mass surveillance programme UPSTREAM, that exploits the US geographical position as the internet and telecommunications switching center for the world and involves the interception of fibre optic cables running through the country. Other programmes part of UPSTREAM to which GCHQ has had access include CO-TRAVELLER, which collects five billion locational records a day, and DISHFIRE which harvests 194 million text messages daily. The top five programmes within UPSTREAM created 160 billion interception records in one month alone. GCHQ’s access to NSA material therefore makes up the large bulk of all surveillance material handled by the security services; some ex-GCHQ staffers estimated that “95 per cent of all SIGINT [signals intelligence material] handled at GCHQ is American”. Indeed, in his witness statement to the Investigatory Powers Tribunal in May 2014, Charles Farr attested that “The immense value of [GCHQ’s relationships with the NSA] for the UK in part reflects the fact that the US intelligence agencies are far larger and much better resourced than the Intelligence Services… In simple terms, the US can provide the UK with intelligence that the UK with its far more limited resources could not realistically obtain by itself.” Historical illegality But this has been going on for far longer than PRISM has been in existence. For more than 60 years GCHQ has been receiving raw intercept from NSA. Indeed, the original 1946 Five Eyes agreement (the UKUSA agreement) stipulates that "all raw traffic shall continue to be exchanged except in cases where one or the other party agrees to forgo its copy.” The details of the modern day UKUSA arrangement remain secret, despite legal attempts to obtain them, including FOI requests in all Five Eyes countries and an ongoing legal challenge from Privacy International in the European Court of Human Rights. 
However, significant quantities of intelligence material are almost certainly being shared between the parties. Indeed, in an essay by an ex-NSA employee marked UNCLASSIFIED and approved for public release by the NSA's office of Pre-Publication Review it was confirmed that: "If you are a citizen of the UK, Canada, New Zealand, or Australia, you may also be glad, because everything the NSA collects is by default shared with your government.” The extraordinary implication of today's judgement is that all historical sharing of raw intelligence between NSA and GCHQ took place without an adequate legal framework, and thus was unlawful. The fight continues The UK surveillance tribunal agreed with Privacy International that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. But the fight has to continue at the European Court of Human Rights. In the coming weeks Privacy International will appeal the tribunal's earlier decision that GCHQ’s access to NSA data was lawful from December 2014 onward because secret policies governing the US-UK intelligence relationship were made public during Privacy International’s case against the security services. It does not need to be this way. Our intelligence agencies do not need to be run relying on secret interpretations of secret laws. With independent reviews of RIPA already underway we hope this success encourages the call for root and branch reform, to bring our intelligence agencies under the rule of law once and for all. (6) Spooks can track a mobile phone by looking at battery power http://rt.com/usa/234403-phone-hacking-power-location/ Hackers can track phone users' location by looking at power supply Published time: February 21, 2015 16:02 Researchers have found out it is possible to track someone's mobile phone by looking at how much battery has been used. 
The data does not need the users' permission to be shared, while it can help track a phone with up to 90 percent accuracy. The findings were carried out by a group of researchers at Stanford University and the Israeli defense company Rafael. They created a technique, which they have named PowerSpy, that can gather information concerning the location of Android phones. It does this by simply tracking how much power has been used over a certain time. How much power is used depends on a number of factors. For example, the further away the phone is from a transmitter, the more power is needed to get a signal. Physical objects such as mountains or buildings also have an impact on the amount of battery needed as these obstacles can block the phone's signal, meaning there are temporary 'power drains' on the devices. "A sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise," the researchers said, which was reported by Wired. "We show that measuring the phone's aggregate power consumption over time completely reveals the phone's location and movement." However, there is a catch. The spying technique only works if the person has traveled along that route before. It is also impossible to gain any data if the hacker has not walked along the same routes previously. The researchers gathered data from phones as they drove around the Bay Area in California and the Israeli city of Haifa. They then compared the data they had collected with an LG Nexus 4 cell phone. For each test which was carried out, the team chose a different, unknown route. Wired magazine reports that they were able to identify the correct one with 90 percent accuracy. "If you take the same ride a couple of times, you'll see a very clear signal profile and power profile," says Yan Michalevsky, one of the researchers from Stanford. 
"We show that those similarities are enough to recognize among several possible routes that you're taking this route or that one, that you drove from Uptown to Downtown, for instance, and not from Uptown to Queens," according to the Wired. The researchers also found out that phones with a very few number of apps were easier to track as the power used was more consistent in comparison to phones, which had a number of apps because they would use power unpredictably. What can users do to stop it? Basically, nothing aside from not using the phone. With certain apps, such as Instagram or Facebook, the user is asked whether they want to provide their current geo-location. However, the data from the power supply on a phone is freely available. Michalevsky says this is a problem that Google needs to address. "You could install an application like Angry Birds that communicates over the network but doesn't ask for any location permissions. It gathers information and sends it back to me to track you in real time, to understand what routes you've taken when you drove your car or to know exactly where you are on the route. And it does it all just by reading power consumption," Michalevsky concluded. (7) Smart TVs & phones listen in on users' personal conversations http://www.abc.net.au/news/2015-02-10/samsung-warns-customers-new-smart-tvs-listen-in-on-users/6082144 Samsung warns customers new Smart TVs 'listen in' on users' personal conversations AM By Nick Grimm Updated Tue 10 Feb 2015, 12:59pm Customers with Samsung's new Smart televisions are being warned that what they say could be recorded and distributed to a third party. The company is warning people as part of its privacy policy that anything they say around their new television will be "among the data captured and transmitted to a third party" because of a voice recognition feature. 
The policy advises customers to "please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition." Voice recognition technology is already used on most smartphones, but what troubles some observers about smart household goods like televisions is that customers may not always be aware when their new gadget is listening in. "I suppose the interesting difference between the televisions and the phone example is when you're dictating into a phone you know exactly what you're doing, whereas with a television you might just be sitting around chatting to your friends and you're inadvertently activating this voice command technology which will start recording what you're saying," Jake Goldenfein, from the centre for media and communications law at the University of Melbourne, said. Luke Hopewell, editor of online technology journal Gizmodo, said "big brother" may not be actually listening to what we say just yet, but more how we say it. "When it says don't discuss personal information in front of your TV, what it's actually saying is that identifiers of your voice are being sent to third party services when you're using this television," he said. "LG has a very similar clause in its terms and conditions as well." Mr Hopewell said the third party sources are not so much keeping recordings as keeping data points. "Those data points mean what your voice inflection sounds like, which words that you said," he said. "For example, the Australian accent in particular is very difficult to decode. "Samsung work with people at Macquarie University to actually figure out what people were saying before they could bring voice recognition to Australia. Angus Kidman from website Lifehacker said voice recognition technology looked for specific information. 
Video: Angus Kidman discusses Samsung's latest warning (ABC News) "It's looking for you to say 'I want to watch this show' or 'I want to watch this channel'. It's not hanging around going 'I want to grab your credit card number'," he said. Mr Kidman said data points needed to be sent to an online third party to be analysed. "It requires a lot of processing power so it's not going to happen in your television; it's going to get sent online to be analysed," he said. "That's why they have to tell you they're doing that." He said consumers have a tendency to take the convenience of technology without realising there is a trade-off. "In order to make things simpler and easier for us using technology, that often requires us to give up some personal information and we haven't perhaps thought as hard as we should about the fact that we're doing that," he said. Mr Hopewell said it's "about getting a better quality of service, but it really raises questions about what we're going to do in the smart home in the future. "This is the first time people have actually recognised that this might be a problem if we start giving all our information over in our smart home to third party services." (8) Energy companies need insurance cover for cyber attack 'time bomb' http://www.reuters.com/article/2014/04/08/us-energy-cybercrime-idUSBREA371DO20140408 BY MICHAEL SZABO LONDON Tue Apr 8, 2014 11:44am EDT (Reuters) - Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said on Tuesday, likening the threat to a "time bomb" that could cost the industry billions of dollars. Willis highlighted the industry's vulnerability to cyber threats in its annual review of the energy sector's insurance market, which called on insurers to find a way to provide cover. "A major energy catastrophe - on the same scale as ... 
Exxon Valdez or Deepwater Horizon - could be caused by a cyber attack, and, crucially, that cover for such a loss is generally not currently provided by the energy insurance market," the insurance broker said. Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers, Willis said. It said the lack of coverage stemmed from a clause included in most energy sector insurance agreements over the past 10 years that explicitly excludes loss or damage caused by software, viruses or other malicious computer code. "There can be little doubt that the removal of this exclusion would be the most effective way for coverage to be provided to the energy industry," it said. But the exclusion clause has remained because cyber security is not well-understood by the insurance industry, making it difficult to design comprehensive products. Additionally, problems lie with how insurers agree to cover damage to multiple plants or platforms caused by a single attack. The issue is attracting more attention after high-profile events including Stuxnet - a virus that afflicted a uranium enrichment facility in Iran - and Shamoon - a virus linked to cyber assaults on energy firms in Saudi Arabia and Qatar in 2012. Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines. The effects of such attacks can range from viruses spreading across a network of household smart electric meters to hackers triggering oil spills or explosions. Britain estimates that cyber security breaches cost UK energy firms around 400 million pounds ($664 million) annually. The U.S. 
Department of Homeland Security said over 40 percent of attacks on the United States' critical infrastructure assets were aimed at the energy industry in the year to September 2012. Research firm ABI estimates that global cyber security spending by the industry on critical oil and gas infrastructure will reach $1.87 billion by 2018. Willis also said companies are coming under pressure from shareholders and the government to beef up cyber defenses, a trend that could lead to the introduction of regulatory requirements aimed at protecting key infrastructure. "While many in the energy industry may not see regulation as the answer to the problem of cyber-attacks, it remains a strong possibility that energy companies will increasingly be accountable for demonstrating that they have taken every possible step to counter this threat," it added. ($1 = 0.6020 British Pounds) (Editing by Jane Merriman) -- Peter Myers Australia