Saturday, November 30, 2013

Weird PHP-poking Linux worm slithers into home routers, Internet of Things

November 28th 2013

Targets x86 but ARM, MIPS, PPC mutants lurking, we're told

Symantec has stumbled across a worm that exploits various vulnerabilities in PHP to infect Intel x86-powered Linux devices. The security biz warns the malware threatens to compromise home broadband routers and similar equipment.

However, home internet kit with x86 chips is few and far between – most network-connected embedded devices are powered by ARM or MIPS processors – so the threat seems almost non-existent.

But the security company warns that ARM and MIPS flavours of the Linux worm may be available, which could compromise broadband routers, TV set-top boxes, and similar gadgets now referred to as the "Internet of Things".

The software nasty attempts to use username and password pairs commonly used to log into home internet gear while compromising the device.

Specifically, the software nasty Linux.Darlloz takes advantage of web servers running PHP that can't grok query strings safely, allowing an attacker to execute arbitrary commands.

Once a system is infected, the worm scans the network for other systems running a web server and PHP. It then tries to compromise those devices by exploiting PHP to download and run an ELF x86 binary – if necessary, logging in with trivial username-password pairs such as admin-admin, as found in poorly secured broadband routers and similar kit. Once running on the newly infiltrated gadget, the worm kills off access to any telnet services running.

The malware does not appear to perform any malicious activity other than silently spreading itself and wiping a load of system files. Again, this software is built for x86 processors, which aren't really used widely in embedded kit, but ARM, PPC and MIPS versions may be available to download that will be more effective at targeting equipment present in millions of homes.

"Many users may not be aware that they are using vulnerable devices in their homes or offices," Symantec's Kaoru Hayashi wrote in a report about the malicious code.

"Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software."

To protect devices from attack, the company recommends users and administrators put basic security protections in place, such as changing device passwords from default settings, updating software and firmware on their devices, and monitoring network connections and architecture.
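The "monitoring network connections" advice can be made concrete for the spreading behaviour described above, where an infected device sweeps the network for web servers. The following is an added example, not code from the article or from Symantec's report: a sliding-window fan-out check over connection records. The record layout, the sample flows, the 60-second window and the threshold of 5 hosts are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, source IP, destination IP, destination TCP port).
T0 = datetime(2013, 11, 30, 12, 0, 0)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_FLOWS = (
    # Set-top box sweeping the LAN for web servers: 8 hosts in 16 seconds.
    [(_at(2 * i), "192.168.1.50", f"192.168.1.{i + 1}", 80) for i in range(8)]
    # Laptop reloading the router admin page, plus one outside site.
    + [(_at(5 * i), "192.168.1.20", "192.168.1.1", 80) for i in range(6)]
    + [(_at(12), "192.168.1.20", "203.0.113.10", 80)]
    # NAS reaching 6 web hosts, but two minutes apart (slow, not a sweep).
    + [(_at(120 * i), "192.168.1.30", f"198.51.100.{i + 1}", 80) for i in range(6)]
    # Burst on port 443 only; ignored when watching port 80.
    + [(_at(i), "192.168.1.40", f"198.51.100.{i + 20}", 443) for i in range(6)]
)


def find_web_scanners(flows, window=timedelta(seconds=60), threshold=5, port=80):
    """Return {source_ip: peak} for sources whose peak number of distinct
    destinations contacted on `port` inside any `window` reaches `threshold`.

    The window and threshold defaults are assumed values; tune them to the
    network being monitored.
    """
    per_source = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            per_source[src].append((ts, dst))

    flagged = {}
    for src, events in per_source.items():
        events.sort()                 # process each source in time order
        recent = deque()              # events currently inside the window
        in_window = defaultdict(int)  # destination -> events inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Drop events that have aged out of the window.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, peak in sorted(find_web_scanners(SAMPLE_FLOWS).items()):
        print(f"{host} contacted {peak} distinct hosts on port 80 within 60 s")
```

Counting distinct destinations rather than raw connections keeps a device that repeatedly polls one web interface from being flagged.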

You can find more technical details here on Symantec's blog. ®


WTF is the Internet of Things and how it will be used against you

WTF is the Internet of Things and how insurers will use it against you

November 27th 2013

The humbling sensation of having your stupidity monitored

Sysadmin Blog What is "the internet of things" and why should we care? Put simply, the internet of things is a catch-all term for ultra-low-power embedded devices that mostly consist of sensors and control systems.

This market segment is expanding rapidly; devices falling into this category will soon outnumber all other types of computers on the planet, if they don't already. The internet of things also signals new threats to personal privacy.

The widgetry

Devices that make up the internet of things are typically those which require minimal – or no – human interaction. Many of these are already in homes: they range from network addressable lightbulbs to the bleeding-edge biosensors and medical equipment that enable body hacking aka "the quantified self".

Despite Intel's belated recognition of its own utter irrelevance in this space, it isn't a credible player. When we talk about the widgets powering the internet of things, we are talking almost exclusively about specialty ARM chips, the lower power the better.

Most devices that fall into the internet of things category don't need any real processing power, just enough guts to poll a sensor of some variety, wake up an ultra-low-power radio, fire off its findings and go back to sleep.

The overwhelming majority of first-wave internet of things devices will be dumb network-connected sensors providing raw data. The number-crunching and analysis will occur elsewhere.

You'll notice I said "ultra-low-power" a lot. That's because the power goal behind most internet of things devices is usually something seemingly absurd, like a Bluetooth device that can run for two years off a watch battery or ambient backscatter (PDF) devices that use so little power they can sustain themselves on the kinds of radio energy put out by everything from television stations to your home Wi-Fi.

There are a multitude of low-power wireless technologies. There is also research going on into passive data dispersion devices; think of small sensors with dynamic RFID tags that your smartphone could gather information from as you walk by and you're on the right track.

These are the kinds of technologies upon which the internet of things is built. Naturally, more complicated automated computing devices will take more power. As such, the internet of things can stretch from a tiny infrequently changing dynamic RFID sensor sipping photons on a shelf to a massively complex, juice-guzzling industrial control unit keeping a nuclear power plant ticking along. The term is rather broad.

Why do we want the internet of things?

Many of the "sensory and control" possibilities unlocked by internet of things technologies are pretty self-explanatory. Retrofitting an existing building with traditional centralised automation technologies aimed at lighting or HVAC is expensive.

It also tends not to be particularly granular; at best you're getting the ability to turn on or off everything you could have controlled with the light switch, in some cases you're limited to the breaker box.

The internet of things approach would be to bypass all that hullabaloo and simply install wireless light bulbs. These could be added as existing bulbs fail and each new bulb added gives your system individual control of that bulb.

Add some sensors and you can have the lights in your home turn on and off when they sense you (via cell phone, implant, watch, etc) enter or leave the room. In commercial or industrial buildings you could preprogram lighting cycles, typically augmented by sensors looking for movement or the presence of an employee cell phone.

Alternatively, you could use it to play video games on buildings, though you may want to get permission first.

I'm wiring up my fish tank to the internet. The newest incarnation will automatically top itself up when the water gets low, feed the fish and other mundane tasks. I am working on sensors for PH, conductivity, and even a spectrometer so I can test for ammonia, nitrate, nitrite and phosphate levels.


Quantify and automate: this fish tank will be assimilated

Deviances in any of these parameters can tell me ahead of time if there are problems, allowing me to proactively solve environmental issues for my fish. This is a big change over what was possible even five years ago. Test strips and chemical tests were time-intensive and subject to human fallibility; many aquarists simply had to wait until fish got sick to know something was wrong, by then it was often too late.

IoT as the insurers' don't-be-stoopid enforcer

It's not all roses. Consider the humble smoke detector. People are reinventing it, this time with extra internet.

While that could be great for me, how long do you think it will be before the cost of home insurance will depend on my purchasing, properly maintaining and configuring several of these devices to report back to the insurance company? In a single family home that's a minor annoyance to have to do. In a multi-unit dwelling there's a case to be made that their use be mandated by law.

What about other sensors? How warm do you keep your home? Based on your heating usage and the statistics on your house have you failed to invest in the proper insulation and eco-friendly upgrades? The value of a home could depend on such things; I know that for my next house purchase I'll be using a whole bunch of cheap sensors to determine the value of any house I fancy.

Wouldn't the bank that holds my mortgage or the company that insures it have a financial interest in real-time monitoring as well?

Go deeper. Did you leave the stove on and then leave the house? Did you use the wrong kind of toilet paper the last time you used the washroom, or flush grease, paint or other no-nos down the drain?

If your insurance company could prove these were the factors that led to related claims they would not have to cover it. Your utilities provider or local fire hall might have an interest in monitoring as well. In many cases, this sort of monitoring could be added to the utilities-owned infrastructure where it meets your house, thus not requiring your cooperation at all.

Today, internet of things technologies can be used to help prove qualification for fitness tax credits. It is not inconceivable that one day they might be required in order to qualify.

The merging of the physical and the virtual worlds offers the carrot of increased efficiency, safety, and gentle reminders for those things we've forgotten. The internet of things brings with it ethical issues with which legislators are already struggling.

It is also the future of IT. "Wearable computing" is far more likely to manifest as a subset of the internet of things than be "yet another general computing platform". Innovation in mobile computing is levelling off, so growth stagnation can't be too far behind.

The bulk of new IT jobs – the IT practised by our successors – will be managing, maintaining and developing the internet of things. So what do you want to monitor today?


FBI Spooks Use Malware to Spy on Android Devices

FBI spooks use MALWARE to spy on suspects' Android mobes - report

August 2nd 2013

The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects' Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

That's according to "former officers" interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian's presentation at hacker-conflab Black Hat later today.

The FBI's Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.

It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the "former officers", who noted that in other cases it had proved hugely valuable.

Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect's hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.

Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.

The WSJ cites UK-based lawful spook spyware supplier Gamma International as selling such exploits to the Feds. The company was recently in the news after allegations that it was also supplying dodgy governments with kit - allegedly including malware disguised as the Firefox browser.

Given the convergence of mobile and desktop, it's no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.

The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as they would against any spear-phishing attempt. But then again, if you know that, they probably wouldn't try using it against you. ®

Hackers Courted by Government for Cyber Security Jobs

Hackers Courted by Government for Cyber Security Jobs - Rolling Stone

Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. A black guy with a soul patch crashes a power grid in North Korea. A stocky jock beside him storms a database of stolen credit cards in Russia. And a gangly geek in a black T-shirt busts into the Chinese Ministry of Information, represented by a glowing red star on his laptop screen. “Is the data secured?” his buddy asks him. “No,” he replies with a grin. They’re in.

Fortunately for the enemies, however, the attacks aren’t real. They’re part of a war game at HackMiami, a weekend gathering of underground hackers in South Beach. While meatheads and models jog obliviously outside, 150 code warriors hunker inside the hotel for a three-day bender of booze, break-ins and brainstorming. Some are felons. Some are con artists. But they’re all here for the same mission: to show off their skills and perhaps attract the attention of government and corporate recruiters. Scouts are here looking for a new breed of soldier to win the war raging in the online shadows. This explains the balding guy prowling the room with an “I’m Hiring Security Engineers. Interested?” button pinned to his polo shirt.

Hackers like these aren’t the outlaws of the Internet anymore. A 29-year-old who goes by the name th3_e5c@p15t says he’s ready to fight the good fight against the real-life bad guys. “If they topple our government, it could have disastrous results,” he says. “We’d be the front line, and the future of warfare would be us.”

After decades of seeming like a sci-fi fantasy, the cyberwar is on. China, Iran and other countries reportedly have armies of state-sponsored hackers infiltrating our critical infrastructure. The threats are the stuff of a Michael Bay blockbuster: downed power grids, derailed trains, nuclear meltdowns. Or, as then-Defense Secretary Leon Panetta put it last year, a “cyber-Pearl Harbor... an attack that would cause physical destruction and the loss of life, paralyze and shock the nation and create a profound new sense of vulnerability.” In his 2013 State of the Union address, President Obama said that “America must also face the rapidly growing threat from cyberattacks.…We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The pixelated mushroom cloud first materialized in 2010 with the discovery of Stuxnet, a computer worm said to be designed by the Israeli and U.S. governments, which targeted uranium-enrichment facilities in Iran. Last fall, Iranian hackers reportedly erased 30,000 computers at a Middle Eastern oil company. In February, security researchers released a report that traced what was estimated to be hundreds of terabytes of stolen data from Fortune 500 companies and others by hackers in Shanghai. A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on.

Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, part of McAfee Labs, a leading computer-security firm, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”

Hence, events like HackMiami, where the competition to hire cyberwarriors is increasingly intense. “There’s too much demand and not enough talent,” says Jeff “The Dark Tangent” Moss, founder of the largest hacker convention, DefCon, held annually in Las Vegas. Despite the threats, a report by the Commission on the Theft of American Intellectual Property, a group comprised of former U.S. government, corporate and academic officials, recently concluded that so far the feds have been “utterly inadequate [in dealing] with the problem.” While Uncle Sam is jockeying for the Internet’s best troops, private security firms are offering way more pay and way less hassle. Charlie Miller, a famous hacker who exposed vulnerabilities in the MacBook Air and iPhone, spent five years with the National Security Agency before joining Twitter’s security team. Earlier this year, the DHS lost four top cybersecurity officials. In April, Peiter “Mudge” Zatko, a renowned member of the pioneering hacker collective Cult of the Dead Cow who was working at the DOD’s Defense Advanced Research Projects Agency, split for Silicon Valley to join his former DARPA boss, Regina Dugan. “Goodbye DARPA,” he tweeted. “Hello Google!”

As a result, there’s a metawar taking place: one between government and industry to score the country’s toughest geeks – like the ones here this weekend – to join their front lines before it’s too late. “We need hackers,” Janet Napolitano, secretary of the Department of Homeland Security, told Rolling Stone in June, “because this is the fastest-growing and fastest-changing area of threat that we’re confronting.” A month later, however, she announced that she was leaving DHS too – stepping down from her post to head the University of California system.

Anonymous Hacker Claims FBI Directed LulzSec Hacks

Aug 27th 2013

Admitted hacker Jeremy Hammond alleges FBI used informer Sabu to persuade LulzSec and Anonymous to hack into foreign governments' networks.

Sentencing for former LulzSec leader Hector Xavier Monsegur, better known as Sabu, has again been delayed.

Monsegur was scheduled to be sentenced Friday morning in New York federal court. But in a letter to the court, the U.S. attorney general's office requested that Monsegur's sentencing be delayed "in light of the defendant's ongoing cooperation with the government." His sentencing has now been rescheduled for Oct. 25.

The requested delay has become a pattern, reflecting Monsegur's continued cooperation with the FBI since he was arrested in June 2011 and turned informer. "Since literally the day he was arrested, the defendant has been cooperating with the government proactively," U.S. district attorney James Pastore, the prosecuting lawyer, told a judge presiding over a secret August 2011 hearing into the 12 charges filed against Monsegur. "He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Pastore added.

Monsegur, who faces up to 122.5 years in prison, avoided a trial by pleading guilty to all of the charges filed against him in federal court. Some of those charges relate to launching distributed denial of service (DDoS) attacks against PayPal, MasterCard and Visa, as well as accessing servers belonging to Fox, InfraGard Atlanta and PBS.

On the eve of Sabu's scheduled sentencing last week, one of the hackers he helped bust -- Jeremy Hammond, who in May pleaded guilty to hacking intelligence service Stratfor, and who now faces up to 10 years in jail and $2.5 million in restitution -- alleged that the FBI used LulzSec and Anonymous as a private hacker army.

"Sabu was used to build cases against a number of hackers, including myself. What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing -- including numerous websites belonging to foreign governments," claimed Hammond, who's himself due to be sentenced next month, and who offered no evidence to support his assertions. "What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally."

The FBI didn't immediately respond to a request for comment on Hammond's allegations, but the bureau has previously been criticized for its failure to stop the Stratfor hacks and resulting data dump, which occurred after Sabu turned informer. Timing-wise, Hammond -- using the hacker handle "Sup_g" -- gave Sabu a heads-up on the planned intrusion on Dec. 6, 2011, then hacked into Stratfor on December 13. The next day, he informed Sabu about what he'd done, and Sabu, at the direction of the FBI, told him to upload the stolen data onto a server that was secretly controlled by the FBI. On Dec. 24, the hackers defaced the Stratfor site and published the stolen data. Two days later, Sabu tied Sup_g to another alias, "Anarchaos," that the bureau knew that Hammond used. But the FBI didn't arrest Hammond until three months later, which has led some conspiracy theorists to posit that the bureau had another agenda, such as building Sabu's bona fides to try to ensnare WikiLeaks chief Julian Assange.

The bureau has previously denied suggestions that it looked the other way during the Stratfor hack, perhaps as part of some larger agenda. That's "patently false," an FBI official, speaking on condition of anonymity, told The New York Times last year. "We would not have let this attack happen for the purpose of collecting more evidence."

By some accounts, the FBI may have been overwhelmed with hacking-related intelligence, as Sabu received daily updates on multiple planned and executed attacks, as well as information on dozens of vulnerabilities that hackers reported to him directly. In addition, one legal expert told the Times that the paperwork required to arrest someone on hacking charges could easily take six months to prepare.

The ongoing legal drama involving Monsegur and Hammond stands in sharp contrast to the fate of LulzSec and Anonymous members in Britain that Sabu, after he turned snitch, apparently helped authorities identify and arrest. For example, Jake Davis, the former LulzSec spokesman Topiary, has now served his time and been released.

Davis, who as part of his parole is allowed to go online but not contact any of his former LulzSec or Anonymous comrades, recently said in an ongoing Ask.fm question-and-answer session that he pleaded guilty to charges against him so that he could move on with his life. Likewise, he said that when six plainclothes officers showed up in Scotland's remote Shetland Islands, where he lived, and announced that they were there to seize his computer equipment and arrest him on charges that he'd launched a DDoS attack against Britain's Serious Organized Crime Agency, he knew the jig was up. So that morning, when an officer requested the password to his encrypted drive, which contained evidence of his attacks, he divulged it.

"Why did you turn over your encryption keys to Scotland Yard?" asked one Ask.fm questioner. Davis defended his decision in no uncertain terms. "What, and be hunted/monitored mercilessly for the rest of my life by begrudging authorities with the power to flip the tables on your life with a few pieces of paper at any given turn?" he said.

"No thanks, I'll play ball with the encryption keys and say, 'you caught me, I wasn't good enough, fair play, let's get this over with.' And now it's over -- for me. Perhaps not for others. Probably the snitches," he said. "Ironic, isn't it?"


Hack Prompts European Parliament to Shut Down Public Wifi

Hack prompts European Parliament to shut down public Wi-Fi

November 28th 2013 8:13 PM

The European Parliament has shut down its public wireless network following the detection of a man-in-the-middle attack that could snoop on communications from smartphones and tablets.

The organisation posted a note online detailing how the parliament had been subjected to the attack. It said some individuals’ inboxes had been compromised and all affected users have already been contacted and asked to change their passwords.

“As a precaution, the Parliament has therefore decided to switch off the public Wi-Fi network until further notice, and we invite you to contact the ITEC Service Desk [IT Desk] in order to install an EP software certificate on all the devices that you use to access the EP IT systems (email, etc),” the note read.

Employees were advised to change passwords and use only known secured wireless networks.

"In the medium term, the Parliament will take additional measures to further secure the communication to the Parliament,” it added.

Another post suggests hackers set up an “evil twin” wireless router near the building in Strasbourg and had stolen the usernames and passwords of 14 people at the European Parliament.

IT Pro has contacted the European Parliament to find out when the public wireless network will come back online, but at the time of publication, no response had been received.

Experts said the increasing use of employees’ own personal devices is aggravating the problem.

"As more employees bring their own devices into the workplace, businesses face the challenge of enforcing corporate security policies on consumer devices that are not solely controlled by the IT department," said Jason Hart, vice president of cloud solutions at security firm SafeNet. 

"Most employees now store a wide range of both personal and business information on their mobile devices, so this lack of control exposes businesses to serious security vulnerabilities in the form of data breaches and unauthorised access."


The Spy Files

Dec 1st 2011

WikiLeaks: The Spy Files

Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries

It sounds like something out of Hollywood, but as of today, mass interception systems, built by Western intelligence contractors, including for ’political opponents’ are a reality. Today WikiLeaks began releasing a database of hundreds of documents from as many as 160 intelligence contractors in the mass surveillance industry. Working with Bugged Planet and Privacy International, as well as media organizations from six countries – ARD in Germany, The Bureau of Investigative Journalism in the UK, The Hindu in India, L’Espresso in Italy, OWNI in France and the Washington Post in the U.S. – WikiLeaks is shining a light on this secret industry that has boomed since September 11, 2001 and is worth billions of dollars per year. WikiLeaks has released 287 documents today, but the Spy Files project is ongoing and further information will be released this week and into next year.

International surveillance companies are based in the more technologically sophisticated countries, and they sell their technology on to every country of the world. This industry is, in practice, unregulated. Intelligence agencies, military forces and police authorities are able to silently, en masse, and secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers. Users’ physical location can be tracked if they are carrying a mobile phone, even if it is only on stand by.

But the WikiLeaks Spy Files are more than just about ’good Western countries’ exporting to ’bad developing world countries’. Western companies are also selling a vast range of mass surveillance equipment to Western intelligence agencies. In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last ten years systems for indiscriminate, mass surveillance have become the norm. Intelligence companies such as VASTech secretly sell equipment to permanently record the phone calls of entire nations. Others record the location of every mobile phone in a city, down to 50 meters. Systems to infect every Facebook user, or smart-phone owner of an entire population group are on the intelligence market.

Selling Surveillance to Dictators

When citizens overthrew the dictatorships in Egypt and Libya this year, they uncovered listening rooms where devices from Gamma corporation of the UK, Amesys of France, VASTech of South Africa and ZTE Corp of China monitored their every move online and on the phone.

Surveillance companies like SS8 in the U.S., Hacking Team in Italy and Vupen in France manufacture viruses (Trojans) that hijack individual computers and phones (including iPhones, Blackberries and Androids), take over the device, record its every use, movement, and even the sights and sounds of the room it is in. Other companies like Phoenexia in the Czech Republic collaborate with the military to create speech analysis tools. They identify individuals by gender, age and stress levels and track them based on ‘voiceprints’. Blue Coat in the U.S. and Ipoque in Germany sell tools to governments in countries like China and Iran to prevent dissidents from organizing online.

Trovicor, previously a subsidiary of Nokia Siemens Networks, supplied the Bahraini government with interception technologies that tracked human rights activist Abdul Ghani Al Khanjar. He was shown details of personal mobile phone conversations from before he was interrogated and beaten in the winter of 2010-2011.

How Mass Surveillance Contractors Share Your Data with the State

In January 2011, the National Security Agency broke ground on a $1.5 billion facility in the Utah desert that is designed to store terabytes of domestic and foreign intelligence data forever and process it for years to come.

Telecommunication companies are forthcoming when it comes to disclosing client information to the authorities - no matter the country. Headlines during August’s unrest in the UK exposed how Research in Motion (RIM), makers of the Blackberry, offered to help the government identify their clients. RIM has been in similar negotiations to share BlackBerry Messenger data with the governments of India, Lebanon, Saudi Arabia, and the United Arab Emirates.

Weaponizing Data Kills Innocent People

There are commercial firms that now sell special software that analyzes this data and turns it into powerful tools that can be used by military and intelligence agencies.

For example, in military bases across the U.S., Air Force pilots use a video link and joystick to fly Predator drones to conduct surveillance over the Middle East and Central Asia. This data is available to Central Intelligence Agency officials who use it to fire Hellfire missiles on targets.

The CIA officials have bought software that allows them to match phone signals and voice prints instantly and pinpoint the specific identity and location of individuals. Intelligence Integration Systems, Inc., based in Massachusetts, sells a “location-based analytics” software called Geospatial Toolkit for this purpose. Another Massachusetts company named Netezza, which bought a copy of the software, allegedly reverse engineered the code and sold a hacked version to the Central Intelligence Agency for use in remotely piloted drone aircraft.

IISI, which says that the software could be wrong by a distance of up to 40 feet, sued Netezza to prevent the use of this software. Company founder Rich Zimmerman stated in court that his “reaction was one of stun, amazement that they (CIA) want to kill people with my software that doesn’t work."

Orwell’s World

Across the world, mass surveillance contractors are helping intelligence agencies spy on individuals and ‘communities of interest’ on an industrial scale.

The Wikileaks Spy Files reveal the details of which companies are making billions selling sophisticated tracking tools to government buyers, flouting export rules, and turning a blind eye to dictatorial regimes that abuse human rights.

The Government Is Spying On You Through Your iPhone

Wikileaks: The Government Is Spying On You Through Your iPhone

December 2nd 2011

Your iPhone could be spying on you, according to the latest trove of documents from Wikileaks, which looks like it could be the biggest scandal yet.

Called the Spyfiles, it’s a trove of documents about the “mass interception industry” — the massive post-9/11 surveillance community that electronically snoops on entire populations.

The industry is selling software to government agencies — some of it delivered by Trojans — that can take over your iPhone. It can track its every use, follow your movements (even in standby), recognize your voice, record conversations, and even capture video and audio from the room it is in.

It’s not just limited to iPhones, of course. There are various spyware packages that run on PCs, Android and Blackberry. The uses are mind-boggling. The CIA, for example, is using phone-tracking software to target drone strikes in the Middle East and Central Asia. It recognizes the subject by their voice print, but the actual targeting isn’t terribly accurate.

One of the most sophisticated spying packages — the FinFisher program, produced by the British company Gamma International — is delivered via a phony iTunes update. The Wall Street Journal has more details on the FinFisher spyware, which is sold to police and government agencies. (Der Spiegel has a fascinating article about how it is marketed).

Apple just patched the vulnerability in iTunes update 10.5.1. (The vulnerability appears to be Windows only, but it’s not clear. It’s claimed Apple knew about the problem for three years).

FinFisher says the spyware is legal and the company doesn’t know of abuses. But there’s evidence spyware was used to monitor political activists in Tunisia, Egypt and Libya during the Arab Spring, according to a big story about the latest Wikileaks leak in The Washington Post:

“We are seeing a growing number of repressive regimes get hold of the latest, greatest Western technologies and use them to spy on their own citizens for the purpose of quashing peaceful political dissent or even information that would allow citizens to know what is happening in their communities,” Michael Posner, assistant secretary of state for human rights, said in a speech last month in California. “We are monitoring this issue very closely.”

The Post mostly covers the sale of this technology by U.S. companies to repressive regimes, which are using it to spy on citizens and squish political dissent. But Wikileaks claims mass surveillance systems could be widely deployed in western countries:

Surveillance companies like SS8 in the U.S., Hacking Team in Italy and Vupen in France manufacture viruses (Trojans) that hijack individual computers and phones (including iPhones, Blackberries and Androids), take over the device, record its every use, movement, and even the sights and sounds of the room it is in. Other companies like Phoenexia in the Czech Republic collaborate with the military to create speech analysis tools. They identify individuals by gender, age and stress levels and track them based on ‘voiceprints’. Blue Coat in the U.S. and Ipoque in Germany sell tools to governments in countries like China and Iran to prevent dissidents from organizing online.

And you thought Carrier IQ was bad?

Wikileaks has promised to release hundreds of documents about 160 intelligence contractors in the mass surveillance industry through the rest of this month and next year. It released 278 documents on Thursday. Wikileaks is working with several privacy and media organizations.


NSA Report Outlines Goals for MORE Power

N.S.A. Report Outlined Goals for More Power

November 22nd 2013

WASHINGTON — Officials at the National Security Agency, intent on maintaining its dominance in intelligence collection, pledged last year to push to expand its surveillance powers, according to a top-secret strategy document.


In a February 2012 paper laying out the four-year strategy for the N.S.A.’s signals intelligence operations, which include the agency’s eavesdropping and communications data collection around the world, agency officials set an objective to “aggressively pursue legal authorities and a policy framework mapped more fully to the information age.”

Written as an agency mission statement with broad goals, the five-page document said that existing American laws were not adequate to meet the needs of the N.S.A. to conduct broad surveillance in what it cited as “the golden age of Sigint,” or signals intelligence. “The interpretation and guidelines for applying our authorities, and in some cases the authorities themselves, have not kept pace with the complexity of the technology and target environments, or the operational expectations levied on N.S.A.’s mission,” the document concluded.

Using sweeping language, the paper also outlined some of the agency’s other ambitions. They included defeating the cybersecurity practices of adversaries in order to acquire the data the agency needs from “anyone, anytime, anywhere.” The agency also said it would try to decrypt or bypass codes that keep communications secret by influencing “the global commercial encryption market through commercial relationships,” human spies and intelligence partners in other countries. It also talked of the need to “revolutionize” analysis of its vast collections of data to “radically increase operational impact.”

The strategy document, provided by the former N.S.A. contractor Edward J. Snowden, was written at a time when the agency was at the peak of its powers and the scope of its surveillance operations was still secret. Since then, Mr. Snowden’s revelations have changed the political landscape.

Prompted by a public outcry over the N.S.A.’s domestic operations, the agency’s critics in Congress have been pushing to limit, rather than expand, its ability to routinely collect the phone and email records of millions of Americans, while foreign leaders have protested reports of virtually unlimited N.S.A. surveillance overseas, even in allied nations. Several inquiries are underway in Washington; Gen. Keith B. Alexander, the N.S.A.’s longest-serving director, has announced plans to retire; and the White House has offered proposals to disclose more information about the agency’s domestic surveillance activities.

The N.S.A. document, titled “Sigint Strategy 2012-2016,” does not make clear what legal or policy changes the agency might seek. The N.S.A.’s powers are determined variously by Congress, executive orders and the nation’s secret intelligence court, and its operations are governed by layers of regulations. While asserting that the agency’s “culture of compliance” would not be compromised, N.S.A. officials argued that they needed more flexibility, according to the paper.

Senior intelligence officials, responding to questions about the document, said that the N.S.A. believed that legal impediments limited its ability to conduct surveillance of terrorism suspects inside the United States. Despite an overhaul of national security law in 2008, the officials said, if a terrorism suspect who is under surveillance overseas enters the United States, the agency has to stop monitoring him until it obtains a warrant from the Foreign Intelligence Surveillance Court.

“N.S.A.’s Sigint strategy is designed to guide investments in future capabilities and close gaps in current capabilities,” the agency said in a statement. “In an ever-changing technology and telecommunications environment, N.S.A. tries to get in front of issues to better fulfill the foreign-intelligence requirements of the U.S. government.”

Critics, including some congressional leaders, say that the role of N.S.A. surveillance in thwarting terrorist attacks — often cited by the agency to justify expanded powers — has been exaggerated. In response to the controversy about its activities after Mr. Snowden’s disclosures, agency officials claimed that the N.S.A.’s sweeping domestic surveillance programs had helped in 54 “terrorist-related activities.” But under growing scrutiny, congressional staff members and other critics say that the use of such figures by defenders of the agency has drastically overstated the value of the domestic surveillance programs in counterterrorism.

Agency leaders believe that the N.S.A. has never enjoyed such a target-rich environment as it does now because of the global explosion of digital information — and they want to make certain that they can dominate “the Sigint battle space” in the future, the document said. To be “optimally effective,” the paper said, “legal, policy and process authorities must be as adaptive and dynamic as the technological and operational advances we seek to exploit.”

Intent on unlocking the secrets of adversaries, the paper underscores the agency’s long-term goal of being able to collect virtually everything available in the digital world. To achieve that objective, the paper suggests that the N.S.A. plans to gain greater access, in a variety of ways, to the infrastructure of the world’s telecommunications networks.

Reports based on other documents previously leaked by Mr. Snowden showed that the N.S.A. has infiltrated the cable links to Google and Yahoo data centers around the world, leading to protests from company executives and a growing backlash against the N.S.A. in Silicon Valley.

Yet the paper also shows how the agency believes it can influence and shape trends in high-tech industries in other ways to suit its needs. One of the agency’s goals is to “continue to invest in the industrial base and drive the state of the art for high performance computing to maintain pre-eminent cryptanalytic capability for the nation.” The paper added that the N.S.A. must seek to “identify new access, collection and exploitation methods by leveraging global business trends in data and communications services.”

And it wants to find ways to combine all of its technical tools to enhance its surveillance powers. The N.S.A. will seek to integrate its “capabilities to reach previously inaccessible targets in support of exploitation, cyberdefense and cyberoperations,” the paper stated.

The agency also intends to improve its access to encrypted communications used by individuals, businesses and foreign governments, the strategy document said. The N.S.A. has already had some success in defeating encryption, The New York Times has reported, but the document makes it clear that countering “ubiquitous, strong, commercial network encryption” is a top priority. The agency plans to fight back against the rise of encryption through relationships with companies that develop encryption tools and through espionage operations. In other countries, the document said, the N.S.A. must also “counter indigenous cryptographic programs by targeting their industrial bases with all available Sigint and Humint” — human intelligence, meaning spies.

The document also mentioned a goal of integrating the agency’s eavesdropping and data collection systems into a national network of sensors that interactively “sense, respond and alert one another at machine speed.” Senior intelligence officials said that the system of sensors is designed to protect the computer networks of the Defense Department, and that the N.S.A. does not use data collected from Americans for the system.

One of the agency’s other four-year goals was to “share bulk data” more broadly to allow for better analysis. While the paper does not explain in detail how widely it would disseminate bulk data within the intelligence community, the proposal raises questions about what safeguards the N.S.A. plans to place on its domestic phone and email data collection programs to protect Americans’ privacy.

N.S.A. officials have insisted that they have placed tight controls on those programs. In an interview, the senior intelligence officials said that the strategy paper was referring to the agency’s desire to share foreign data more broadly, not phone logs of Americans collected under the Patriot Act.

Above all, the strategy paper suggests the N.S.A.’s vast view of its mission: nothing less than to “dramatically increase mastery of the global network.”

Other N.S.A. documents offer hints of how the agency is trying to do just that. One program, code-named Treasure Map, provides what a secret N.S.A. PowerPoint presentation describes as “a near real-time, interactive map of the global Internet.” According to the undated PowerPoint presentation, disclosed by Mr. Snowden, Treasure Map gives the N.S.A. “a 300,000 foot view of the Internet.” 

Relying on Internet routing data, commercial and Sigint information, Treasure Map is a sophisticated tool, one that the PowerPoint presentation describes as a “massive Internet mapping, analysis and exploration engine.” It collects Wi-Fi network and geolocation data, and between 30 million and 50 million unique Internet provider addresses — code that can reveal the location and owner of a computer, mobile device or router — are represented each day on Treasure Map, according to the document. It boasts that the program can map “any device, anywhere, all the time.” 

The documents include addresses labeled as based in the “U.S.,” and because so much Internet traffic flows through the United States, it would be difficult to map much of the world without capturing such addresses.

But the intelligence officials said that Treasure Map maps only foreign and Defense Department networks, and is limited by the amount of data available to the agency. There are several billion I.P. addresses on the Internet, the officials said, and Treasure Map cannot map them all. The program is not used for surveillance, they said, but to understand computer networks.

The program takes advantage of the capabilities of other secret N.S.A. programs. To support Treasure Map, for example, the document states that another program, called Packaged Goods, tracks the “traceroutes” through which data flows around the Internet. Through Packaged Goods, the N.S.A. has gained access to “13 covered servers in unwitting data centers around the globe,” according to the PowerPoint. The document identifies a list of countries where the data centers are located, including Germany, Poland, Denmark, South Africa and Taiwan as well as Russia, China and Singapore.

Despite the document’s reference to “unwitting data centers,” government officials said that the agency does not hack into those centers. Instead, the officials said, the intelligence community secretly uses front companies to lease space on the servers.

Despite the N.S.A.’s broad surveillance powers, the strategy paper shows that N.S.A. officials still worry about the agency’s ability to fend off bureaucratic inertia while keeping pace with change.

“To sustain current mission relevance,” the document said, Signals Intelligence Directorate, the N.S.A.’s signals intelligence arm, “must undertake a profound and revolutionary shift from the mission approach which has served us so well in the decades preceding the onset of the information age.”

© 2013 The New York Times Company.
