
Global articles on espionage, spying, bugs, and other interesting topics.

Keep abreast of the espionage threats facing your organisation.

What’s Worse, Illegally Spying on Americans or Talking About It?

Obama’s hypocrisy on whistle-blowers


It isn’t every day that you hear this from a former NSA employee: “I should apologize to the American people. It’s violated everyone’s rights. It can be used to eavesdrop on the whole world.”

That’s Bill Binney, who spoke to Jane Mayer about Thin Thread, a program he invented to track America’s enemies abroad, but that was used after the September 11 terrorist attacks to spy on countless Americans completely innocent of any ties to terrorism. You’ll recall what happened when The New York Times broke the story, thanks to a leak from a patriotic whistle-blower:

 

Democrats, including then Senator Obama, denounced the program as illegal and demanded congressional hearings. A FISA court judge resigned in protest. In March, 2006, Mark Klein, a retired A.T.T. employee, gave a sworn statement to the Electronic Frontier Foundation, which was filing a lawsuit against the company, describing a secret room in San Francisco where powerful Narus computers appeared to be sorting and copying all of the telecom’s Internet traffic–both foreign and domestic… Soon, USA Today reported that A.T.T., Verizon, and BellSouth had secretly opened their electronic records to the government, in violation of communications laws. Legal experts said that each instance of spying without a warrant was a serious crime, and that there appeared to be hundreds of thousands of infractions. 

That was in 2005. In the aftermath of the leak, the Bush administration insisted it had acted legally, and that the methods it used were necessities in the War on Terrorism. But folks inside the NSA knew better. One former staffer told Jane Mayer the following: “This was a violation of everything I knew and believed as an American. We were making the Nixon administration look like pikers.” That’s Thomas Drake, whose conscience got the best of him. He leaked information about the NSA to a Baltimore Sun reporter (he insists that he never gave her anything classified). He now faces 35 years in prison for having allegedly retained five classified documents at his house.

Many are alarmed by the government’s behavior in the case:

 

Jack Goldsmith, a Harvard law professor who served in the Bush Justice Department, laments the lack of consistency in leak prosecutions. He notes that no investigations have been launched into the sourcing of Bob Woodward’s four most recent books, even though “they are filled with classified information that he could only have received from the top of the government.” Gabriel Schoenfeld, of the Hudson Institute, says, “The selectivity of the prosecutions here is nightmarish. It’s a broken system.”

Mark Feldstein, a professor of media and public affairs at George Washington University, warns that, if whistle-blowers and other dissenters are singled out for prosecution, “this has gigantic repercussions. You choke off the information that the public needs to judge policy.”

During his campaign, President Obama said of whistle-blowers that their “acts of courage and patriotism, which can sometimes save lives and often save taxpayer dollars, should be encouraged rather than stifled.” Mayer’s story is yet another example of the gulf that separates his rhetoric before he came to power and his White House behavior. Says J. Kirk Wieb, another former NSA employee, “I feel I’m living in the very country I worked for years to defeat: the Soviet Union. We’re turning into a police state.” Maybe he’s being hyperbolic, or he’s got an axe to grind. But I get chills when so many former staffers from that agency are publicly making remarks of that sort.

One wonders what we’d hear if whistle-blowers weren’t made targets of criminal investigations that could imprison them for decades, even as leakers who don’t embarrass the government or have the right friends in high places are seemingly free to break the very same laws with impunity.

Image credit: Jason Reed/Reuters

 


Mobiles fall prey to hack attacks



Security researchers demonstrate the vulnerability of the GSM system. Mark Ward and his BBC colleagues agreed to have their calls monitored.

Stroll around a park making or receiving mobile phone calls and it is hard to believe that anyone could be listening in.

Who could possibly eavesdrop on your modern, digitally encrypted handset?

It should take the kind of technology and resources only available to the security services.

Yet two men wearing hoodie tops have managed to crack the system.

Karsten Nohl and Sylvain Munaut don’t look like secret agents, sitting behind their fold-out table next to a pile of old Motorola phones.

But these two security researchers have discovered a cheap, relatively simple way of intercepting mobile calls.

“We have been looking at GSM technology for a while and we find it to be pretty much outdated in every aspect of security and privacy,” said Mr Nohl.

The Global System for Mobile Communications (GSM) is the dominant cellular phone technology, used in billions of handsets around the world.

Large parts of it were developed in the 1980s and it is now vulnerable to 21st century hackers.

Future attack

Mobile calls normally remain private thanks to digital encryption and because base stations rapidly change the way they identify a particular handset.

Karsten and Sylvain managed to reverse engineer the mathematical algorithm behind the encryption process, and use it to decode voice calls.

[Image: old mobile phone (BBC). Caption: Old mobile technology is proving vulnerable to powerful computers and cheap storage.]

The tools of their trade are a laptop and a particular model of Motorola phone whose base operating system, or “firmware”, had previously been pulled apart and its details posted online.

Programmers used that information to create their own customised software, capable of displaying hidden technical information on mobile phone base stations.

The pair set up a demonstration for the BBC, in which they showed how to locate a handset, track its movements from a distance of more than 500m and steal copies of all the calls made on it.

Karsten and Sylvain say they do not plan to release their eavesdropping tools, but warned that it was only a matter of time before someone else re-created them.

That could lead to vandals, criminals and snoopers going on “war drives” – travelling around scooping up interesting conversations.

Such a situation is reminiscent of the early days of analogue mobile phones, when anyone with a radio scanner could listen in on calls.

“It’s a real concern,” said Oliver Crofton, director of Vigilante Bespoke which provides security services to high value individuals including sports stars, celebrities and chief executives.

“It will not take long for someone else to invest time and effort in this,” he said.

Vigilante Bespoke’s own experiences showed that there was already an interest in getting at the phones of the famous and powerful.

About 25% of the handsets analysed by the company are found to contain software or hardware modifications capable of reporting a phone’s location, texts and contacts, said Mr Crofton.

“We’re not talking about teenagers in a bedroom,” he said. “It’s organised crime, malicious journalists and blackmailers.”

Find and fix

The GSM Association (GSMA) said that the weaknesses found by Karsten and Sylvain related to older technologies. However, it conceded that those were still used in networks around the world.


Charles Brookson, chair of the GSMA’s security group for the past two decades, explained that when the first and second generation mobile standards were created, no-one expected them to be in use 20 years later.

“We knew that as the technology aged there was going to be more loopholes in it,” he said.

Those pioneering designers, of which he was one, also had to respect strict controls on the type and strength of encryption they could use.

“It was as strong as we could make it,” said Mr Brookson.

The GSMA was advising its 750 operator members to improve security on networks as they were upgraded, he explained.

It had also added functions that let people spot if they are connecting to a fake base station.

Despite the remaining weaknesses, Mr Brookson said he doubted that others could easily copy Karsten and Sylvain’s hack.

“Yes, the attacks are feasible but they are not exactly the sort of thing that the average person will be doing,” he said.

His view is shared by telecoms analyst Nigel Stanley who has been carrying out his own tests on mobile security.

[Image: press photographers (Getty). Caption: The handsets of celebrities and sports stars are already being targeted by phone hackers.]

“It is relatively easy to set this up in a laboratory environment where you have controlled access to the technology,” he said.

“The issue might be if people are out and about driving in the street maybe hoping to intercept people in a real-time live environment,” he added. “I think it might be just a bit more difficult.”

He pointed out that the growing focus on mobile security by researchers and criminals was leading mobile providers to take action.

“Operators have reputational risks and they do not want to be associated with running an insecure network,” he said.

Those worried about mobile security can, if they have the right phone, force it to only use third-generation networks that use much stronger encryption.

Mobile owners can also opt for add-on software that encrypts calls to prevent eavesdropping.

Such applications are widely available for smartphones and include Redphone and Kryptos.

“The work that’s been undertaken out there in the community looking at security algorithms and technologies is actually very good,” said Mr Stanley.

“It does inform the network operators and the associations and helps them put in place a more secure infrastructure.”


Taxi eavesdrop plan to boost security

Source: The Courier-Mail


EVERY word uttered in a cab could soon be recorded and stored under proposed State Government changes to the operation of taxi security cameras.

Simply opening the door or starting the meter would activate the recording of trips in an industry that claims to transport 90 million passengers in Queensland each year.

The move has alarmed civil libertarians, the state Opposition and even concerned some members of the taxi industry.

Queensland’s Privacy Commissioner Linda Matthews, who was not consulted about the proposal detailed in a Transport and Main Roads’ discussion paper, said there would be no such thing as “an anonymous taxi ride” once audio recordings were introduced.

“The public would want to be reassured the record is used for genuine law enforcement purpose and the protections that are in place should be sufficient. I guess time will tell,” she said.

When security cameras were first introduced to Queensland cabs in 2006, the recording of audio was not permitted under law for privacy reasons.

But the discussion paper states that “enabling of audio is not considered to increase any risk of breaches of privacy”.

Under the proposal, stickers in taxis would inform passengers that “security cameras and microphones are fitted, you will be photographed, conversations will be recorded”.

Once downloaded by a taxi company, the audio would be able to be held for a maximum 35 days before it had to be deleted or destroyed.

Michael Cope from the Queensland Council of Civil Liberties said the new proposal was “extraordinary and unnecessary”.

“I haven’t seen anything that justifies adding audio to the footage recorded in cabs,” Mr Cope said.

“It wasn’t considered necessary when security cameras were first introduced. You’d really need some strong evidence that it would make a difference to cabbies’ safety to justify it.”

QCCL vice-president Terry O’Gorman said audio was “a totally unjustified intrusion into people’s taxi conversations”.

“We would say that if it goes ahead, downloads should only be done on the order of a magistrate where there’s reasonable cause to think it would assist in investigating a crime,” Mr O’Gorman said.

Lee Sims, from the Cab Drivers’ Association of Queensland, who recently launched a “word of mouth campaign” against the Bligh Government, said there were already too many regulations on downloading material from security cameras.

“As far as I’m concerned we’ve gone too far with privacy and we should not have to jump through so many hoops to get access to material from the security cameras,” Mr Sims said. “A lot more fare evaders would be caught if it was easier to access downloads.”

Queensland Taxi Advisers Incorporated also raised concerns about safeguards, but spokesman John Rahilly said they supported the introduction of audio recordings.

“Greater transparency and certainty will be provided in investigations where there are conflicting statements from drivers and passengers,” Mr Rahilly said. “(But) the security and integrity of the process, especially in the area of downloading, is of paramount importance in protecting the privacy issues of all parties.”

Opposition transport spokesman Scott Emerson questioned why the discussion paper was not advertised by the State Government, with only taxi industry members aware of the document.

Submissions closed last Saturday.

Mr Emerson said it was vital the public had an opportunity to comment on an issue that had the potential to impact everyone who got into a cab.

“This would be a very significant change and it is important that the public is well and truly aware that this is being considered,” Mr Emerson said.

Top five topics raised in cabs (provided by Lee Sims, Cab Drivers Association of Queensland)

1. Personal issues, particularly relationships

2. Weather

3. Sport

4. Politics and current affairs

5. Happenings and events around the city

Mr Sims said despite the commonly held belief cabbies were barometers of social opinion, that was not really the case.

“Conversations in cabs vary greatly. Drivers are told not to initiate conversations but some do of course,” Mr Sims said.

“We do hear some very personal information, kind of like hairdressers I guess. People seem to see cabs as confessional boxes.”


UI Investigates Use of Baby Monitor to Eavesdrop on Employees

IOWA CITY, Iowa (AP) — The University of Iowa has launched an investigation after employees at a medical clinic complained their supervisors hid a baby monitor to eavesdrop on them.

John Stellmach, president of a union that represents university employees, said Department of Urology workers discovered the monitor hidden on a shelf near a reception area on Monday. He says it would have picked up chatter by five secretaries and clerical workers.

Stellmach says managers explained the monitor was being used to determine whether secretaries were chatting too much and it was removed after they complained. He says employees feel their privacy was violated by the monitoring, which may have also picked up confidential medical information.

UI Vice President for Strategic Communication Tysen Kendig said Tuesday that human resources officials are leading the investigation.


Windows IPv4 Networks Vulnerable To IPv6 Attack

Users of Internet Protocol version 4 (IPv4) networks, beware man-in-the-middle attacks. That’s because such networks can be exploited using capabilities built into IPv6, the next-generation standard for expanding the number of addresses for Internet-connected devices.

In particular, someone with malicious intent could “impose a parasitic IPv6 overlay network on top of an IPv4-only network, so that an attacker can carry out man-in-the-middle attacks on IPv4 traffic,” said Alec Waters, a security researcher for InfoSec Institute, in a blog post. While his proof-of-concept attack scenario targets Windows 7, it should also work against Windows Vista, Windows 2008 Server, or “any operating system that ships with IPv6 installed and operational by default,” he said.

The attack works by introducing an IPv6 router into an IPv4 network, but only connecting the router to the IPv4 Internet. Using router advertisements (RA) to create addresses–via a process known as Stateless Address Auto Configuration (SLAAC)–the attacker can control where traffic travels. Next, an attacker can use NAT-PT, “an experimental protocol used to connect IPv6 only networks to the legacy IPv4 network,” said Johannes Ullrich, chief research officer for the SANS Institute, in a blog post that analyzes this so-called SLAAC attack.

“By combining the fake RA advertisements with NAT-PT, the attacker has the ability to intercept traffic that would normally use IPv4,” he said. “To make things more interesting, if a host has IPv6 and IPv4 connectivity, the IPv6 connection is preferred, causing this attack to work even better.”

 

One mitigating factor, however, is that an attacker would have to physically place a router in the targeted environment–although that could also be a public Wi-Fi hotspot.

This vulnerability was filed with MITRE on April 6, though a Windows fix was absent from this month’s mega-Patch Tuesday.

But is this a vulnerability or a feature? In fact, there’s a dispute over whether this is a bug at all. According to the MITRE vulnerability listing, “it can be argued that preferring IPv6 complies with [the IPv6 protocol], and that attempting to determine the legitimacy of an RA is currently outside the scope of recommended behavior of host operating systems.”

“The severity of the attack is disputed, because this is the default configuration of Windows Vista/7/2008 OSes, and it also follows the RFC recommended implementation of a ‘dual stack’ (IPv4 and IPv6) network stack,” said Jack Koziol, a senior instructor and security program manager at InfoSec Institute, and co-author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, in an email interview. Regardless of how it’s labeled, he said, IPv4 is still “vulnerable to the traffic interception and the SLAAC attack.”

The IPv6 story has been a tale of slow adoption. But as IPv4 addresses dwindle, organizations have been urged to increase their adoption of IPv6, for which a standard was developed by the Internet Engineering Task Force (IETF) in 2003. Even the White House has put its muscle behind such a message, releasing a transition tool to emphasize the importance of adopting the newer protocol.

So, how can IPv4-using organizations protect themselves against a SLAAC attack? “IPv6 is a wonderful protocol. But if you don’t need it: Turn it off. If you need it, then monitor and defend it like IPv4,” said Ullrich.

Interestingly, there’s a defense against the SLAAC attack, known as the Secure Neighbor Discovery (SEND) protocol, said Koziol. Except that Microsoft doesn’t use SEND in its current products. “It seems after the engineers from Microsoft and Ericsson finished writing the IETF document, they also wrote and filed a patent on the process. So Microsoft has concerns implementing SEND, due to legal concerns with Ericsson,” he said.
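
Ullrich's advice to monitor IPv6 even where it is not deployed can be turned into a concrete check. The following Python is an added example, not code from the article or the researchers it quotes: it parses captured Ethernet frames and reports every Router Advertisement whose sender is not on an allowlist, together with the prefixes it offers for SLAAC. The function names, the sample MAC address and the 2001:db8:1::/64 prefix are constructed for illustration, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

ETH_IPV6, NH_ICMPV6 = 0x86DD, 58
ICMP6_RA = 134         # Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option carried inside an RA

def parse_ra(frame: bytes):
    """Return a dict describing the RA in an Ethernet frame, or None if it is not one."""
    if len(frame) < 14 + 40 + 16:   # Ethernet + IPv6 header + fixed RA part
        return None
    src_mac, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ip, icmp = frame[14:54], frame[54:]
    if ethertype != ETH_IPV6 or ip[6] != NH_ICMPV6 or icmp[0] != ICMP6_RA:
        return None
    ra = {
        "src_mac": src_mac.hex(":"),
        "src_ip": str(ipaddress.IPv6Address(ip[8:24])),
        "hop_limit_ok": ip[7] == 255,   # genuine ND packets arrive with hop limit 255
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
        "slaac_prefixes": [],
    }
    opts = icmp[16:]                    # options follow the 16-byte fixed part
    while len(opts) >= 2:
        opt_type, opt_len = opts[0], opts[1] * 8   # length field is in 8-byte units
        if opt_len == 0 or opt_len > len(opts):
            break                       # malformed option, stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            if opts[3] & 0x40:          # A flag: hosts may autoconfigure from this prefix
                prefix = ipaddress.IPv6Address(opts[16:32])
                ra["slaac_prefixes"].append(f"{prefix}/{opts[2]}")
        opts = opts[opt_len:]
    return ra

def rogue_ras(frames, authorised_macs=frozenset()):
    """RAs from senders not on the allowlist (empty by default: an IPv4-only LAN)."""
    found = (parse_ra(f) for f in frames)
    return [ra for ra in found if ra and ra["src_mac"] not in authorised_macs]

def sample_ra(mac: str, src: str, prefix: str, plen: int = 64) -> bytes:
    """Constructed capture: an RA to ff02::1 advertising one SLAAC prefix."""
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ICMP6_RA, 0, 0, 64, 0, 1800, 0, 0) + pio
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), NH_ICMPV6, 255)
    ip += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001" + mac.replace(":", "")) + struct.pack("!H", ETH_IPV6)
    return eth + ip + icmp

SAMPLE_FRAMES = [  # constructed input, not real traffic
    sample_ra("02:00:00:00:00:01", "fe80::1", "2001:db8:1::"),
    bytes(12) + b"\x08\x00" + bytes(60),   # ordinary IPv4 frame, must be ignored
]

if __name__ == "__main__":
    for ra in rogue_ras(SAMPLE_FRAMES):
        print("unexpected Router Advertisement:", ra)
```

On a segment that is meant to be IPv4-only, any result from `rogue_ras` is worth an alert; where IPv6 is deployed, pass the MAC addresses of the legitimate routers as `authorised_macs`.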