Apple is misleading people on iMessage security

CryptoLocker Ransomware

Details

Posted on Saturday, October 05, 2013

CryptoLocker

We recently dealt with a local business that was infected with this dangerous piece of software. While this business was not a client or managed customer we received a call from them for malware removal.

The Facts:

• Windows XP Professional.
• Machine was infected with several known backdoor infections not just cryptolocker.
• CryptoLocker alerted user via popup letting them know their files were encrypted and to decrypt they must send 2 bitcoins or $300 via MoneyPak.
• 28,000 files encrypted/useless.

We discovered sure enough their documents and pictures were encrypted.  We then went to their backup and found that this too was encrypted.  We discovered that any mapped shares accessible (write access) via the infected machine were also encrypted.  It did not however encrypt network shares not mapped but accessible.  We immediately began research into the software.  In this case (worst case) the conclusion was made to gamble on making payment, after all there was nothing really more to lose after discovering their backup was also bad. Once payment was made the software took a few hours then started decrypting all the files it originally encrypted.  Obviously many measures have since been taken to aid in this sort of "ransomware" instance, including the most basic, a working backup.  At this time Malwarebytes claims to catch this however with the machine being infected with other known viruses we conclude cryptolocker was passed via backdoor trojan or RAT. It is likely most AV software would have alerted to the prior infections.

Basic pro-active advice to anyone else that encounters this software:

1. Consider becoming a managed client!!
2. A working backup both offsite and onsite with rotation. Not just a simple file based backup.  The backup location should not be mounted to any one system and should contain EVERYTHING, not just user locations. Encrypted IMAGE backup.
3. Stop running Windows XP, this is going out anyway next April 2014. In this case, had it been a Windows 7+ machine we likely would have been able to "restore previous version" of the encrypted files avoiding payment to them.
4. Always run more than a single instance of anti-virus/antimalware software. Not one solution will catch everything.
5. UPDATE UPDATE UPDATE, this includes 3rd party software along with Microsoft updates.
6. Consistently educate/remind best practice regarding web/email usage.
7. Enable SHOW file extensions for ALL files. The more someone sees the extensions for their files such as a PDF or DOCX they may be inclined to question something via email purported to be a doc with an extension ZIP or EXE.
8. And finally again..consider becoming a managed client!!

Up to date information:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383

http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/

We have posted some specific information below to possibly aid in the takedown of this software. The "privatekey" does not appear in the registry until payment is made.

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionInfo"=hex:2a,30,9c,81,c3,37,d2,d3,b4,3a,ce,d3,f4,5e,f6,f8,c7,56,f1,f4,\
  c1,51,ff,f6,dc,4b,ed,af,c0,56,e8,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,b0,96,5a,d9,fb,98,02,\
  ab,c5,c1,77,ec,b9,ed,7d,cd,d4,d7,4a,ee,eb,ed,50,df,b6,f6,70,db,c5,c8,06,cf,\
  d7,cc,33,d1,81,c1,33,f2,81,cb,33,e5,81,fe,33,fd,81,c5,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,aa,81,9e,33,a4,81,98,\
  33,ad,81,96,33,ad,81,9c,33,a4,81,98,33,aa,81,9a,33,a5,81,9a,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,9d,33,ac,81,9e,33,bc,81,fb,33,cf,81,ea,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,9d,0b,ff,b4,ca,00,f9,b5,9e,07,fa,b0,cc,52,\
  a5,e0,9f,00,fa,b2,cb,51,a4,b9,99,04,fd,e4,9d,05,f9,b8,c8,0b,f9,b6,9d,51,fa,\
  b0,ae,33,9c,81
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,6b,\
  4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,be,\
  35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,fb,\
  a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,f7,\
  52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,3a,\
  b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,83,\
  6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,df,\
  af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,00,\
  56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,d3,\
  20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,86,\
  ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,9e,\
  0d,b1,73,4e,e4
"Wallpaper"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,\
  00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,\
  67,00,73,00,5c,00,55,00,73,00,65,00,72,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
  00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,\
  70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,\
  00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,\
  57,00,61,00,6c,00,6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,\
  00,70,00,00,00,92,84,e1,b9,f9,f1,4e,80,20,50,d7,8a,20,e7,70,8a,20,e7,70,8a,\
  9e,f0,ee,b9,38,7a,da,8a,18,99,de,8a,b0,02,d5,8a,e0,8a,d3,8a,20,e7,70,8a,00,\
  00,00,00,ff,ff,ff,ff,00,00,00,00,08,00,00,00,2c,2c,71,a7,f9,f1,4e,80,e8,8e,\
  d3,8a,20,e7,70,8a,00,a9,d5,8a,59,94,ed,b9,68,2c,71,a7,70,2c,71,a7,80,2f,de,\
  8a,ed,b6,54,80,00,00,00,00,20,e7,70,8a,c8,2c,98,89,18,99,de,8a,30,e7,70,8a,\
  00,7a,da,8a,94,2c,71,a7,00,22,de,8a,ed,b6,54,80,00,00,00,00,b0,2c,98,89,00,\
  00,00,00,10,38,a1,8a,10,38,a1,8a,00,2c,98,89,38,2d,98,89,00,00,00,00,00,00,\
  00,00,98,00,00,00,73,10,5c,80,00,00,00,00,05,00,00,00,b4,2c,71,a7,d7,10,5c,\
  80,a8,2c,98,89,46,69,6c,e5,00,a9,e0,8a,00,00,00,00,a8,2c,98,89,a8,2c,98,89,\
  cc,2c,71,a7,e6,b4,5b,80,00,00,00,00,b0,2c,98,89,c8,2c,98,89,00,a9,e0,8a,fc,\
  2c,71,a7,e2,67,52,80,c8,2c,98,89,00,00,00,00,cc,02,00,00,b0,2c,98,89,00,00,\
  00,00,b3,c3,5b,80,88,c6,88,89,20,6a,f4,e6,20,b0,58,89,00,a9,e0,8a,44,2d,71,\
  a7,49,c4,5b,80,20,6a,f4,e6,c8,2c,98,89,cc,02,00,00,01,00,00,00,9f,01,12,00,\
  00,00,00,00,64,2d,71,a7,2c,f5,42,01,64,c5,5b,80,c8,2c,98,89,70,9c,00,00,02,\
  00,00,00,00,00,00,00
"PrivateKey"=hex:07,02,00,00,00,a4,00,00,52,53,41,32,00,08,00,00,01,00,01,00,\
  6b,4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,\
  be,35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,\
  fb,a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,\
  f7,52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,\
  3a,b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,\
  83,6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,\
  df,af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,\
  00,56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,\
  d3,20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,\
  86,ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,\
  9e,0d,b1,73,4e,e4,e1,1f,66,6a,df,96,03,4d,d8,c5,11,89,97,dd,a2,7e,c7,45,27,\
  f6,b6,21,dd,61,b8,ed,cf,c5,e4,cf,3a,da,d8,16,09,62,e9,e4,f2,7e,02,f5,d3,38,\
  21,9b,ee,95,4f,ab,4f,9a,89,7b,28,4c,37,7a,68,5d,b7,07,f8,a0,24,ff,62,97,7f,\
  e4,64,c4,e0,f8,c9,91,c6,e5,c4,84,6c,20,e9,4b,08,d9,13,f8,f6,6b,bd,3a,29,69,\
  16,2a,e0,74,98,87,de,7a,c6,45,d9,23,05,72,9e,81,bd,80,a8,57,dd,07,20,96,aa,\
  88,8f,91,2f,84,cb,fc,52,f5,cb,e7,74,08,42,cd,2b,2b,1a,52,fa,62,30,6d,f4,a6,\
  72,76,62,35,b1,63,1c,03,a1,98,86,57,1e,78,f3,94,ec,9a,3e,f5,4b,40,93,53,eb,\
  18,a8,d7,b8,d8,d0,a3,b1,24,21,de,8b,5e,9f,e8,95,be,ab,d3,dd,8e,5c,1c,b4,6f,\
  c3,76,31,62,45,68,93,c8,6f,8c,22,f0,49,f2,46,64,7c,14,ac,17,c2,2f,0f,25,3a,\
  12,88,dd,b1,75,8f,13,95,96,06,98,e6,a1,69,90,01,1f,17,c8,a4,84,6e,ee,cc,2b,\
  9a,36,cf,28,3e,9b,81,ca,4a,e1,3d,ee,a1,ba,1f,49,6e,4f,68,5e,de,a4,13,0f,c1,\
  88,7a,74,3f,91,cb,e8,e5,a1,39,96,01,84,22,c2,3e,86,ac,4e,ee,6c,53,ec,2b,d8,\
  04,c4,ae,e7,a4,85,b3,69,7e,2b,ea,14,ef,54,20,e8,3f,44,ce,b5,0b,9c,17,a6,2a,\
  bd,4f,b3,23,39,a2,92,9e,4d,cb,08,a8,44,e1,6f,c3,a0,f3,48,eb,ba,30,71,13,56,\
  c4,ed,66,27,af,0b,da,a9,83,60,4a,f6,28,bf,9d,10,53,f0,f5,46,42,4c,68,8f,8c,\
  0c,c7,18,3b,c0,80,85,e6,a4,39,68,53,30,f3,32,ef,8f,96,d3,b7,d3,59,09,24,6b,\
  fd,8f,a6,81,2d,be,51,10,3a,e7,64,d7,e7,e6,b7,d2,c3,cb,8d,26,e4,0c,a1,fa,d1,\
  4d,aa,6c,33,da,f2,4e,eb,ae,9a,69,fa,e7,84,c4,7a,62,27,0c,84,12,12,bf,1d,ab,\
  04,f6,27,27,d1,ae,58,3a,7a,85,2b,c1,bc,ad,a1,bf,bc,76,47,1c,ca,88,a6,10,c6,\
  c7,6d,ab,d5,70,df,18,72,11,8e,b7,07,b6,01,5e,ec,55,ab,36,af,b9,be,05,6d,2c,\
  55,4a,99,90,e0,7e,21,97,8f,86,ea,a0,4b,ad,68,90,34,06,a9,2d,7c,46,a5,04,6b,\
  58,02,d9,0c,a6,22,74,58,b7,ec,c5,f4,9b,9d,5e,1d,33,ba,65,a2,e2,52,41,92,9a,\
  04,1a,65,57,8d,a8,8c,ac,93,43,1e,47,09,27,69,31,d2,f1,5d,8d,93,36,da,28,7a,\
  47,79,46,92,df,80,fe,28,29,05,7a,9d,b8,35,68,8b,13,81,00,73,9c,b0,22,04,4a,\
  c0,e6,db,49,7e,05,dd,df,99,73,c4,a3,b5,50,b2,34,5c,bb,32,d9,81,7d,8d,06,91,\
  e1,a0,0c,54,b5,98,e9,13,5c,15,9f,7f,f4,b0,80,5c,df,c9,af,f5,7f,81,3b,1c,36,\
  b7,16,fd,7d,73,12,35,06,0c,72,2c,ea,73,fd,db,be,2e,11,61,85,b3,b6,59,83,ff,\
  31,b5,e9,48,11,94,97,3e,16,be,cb,f1,00,10,3f,71,aa,a9,fb,f0,35,1c,3c,aa,56,\
  33,4a,72,79,c3,a9,7c,64,d9,1c,dc,86,51,a1,91,97,72,15,fc,3e,c7,56,c2,04,bc,\
  33,27,34,16,44,5f,6f,f0,51,e6,74,fc,bd,84,79,4b,a1,c8,56,5e,29,12,75,94,01,\
  0e,59,a5,ac,b6,c0,bb,78,70,e2,22,73,d0,d9,e9,33,0c,b9,c3,d4,c4,86,db,ee,a4,\
  e4,f9,f0,71,c3,c1,e6,15,6b,d1,74,90,3f,47,b7,ba,c4,1d,57,20,63,f0,ae,3a,aa,\
  47,c3,56,c7,d7,87,7a,bb,65,4d,a0,1b,39,bd,f1,74,7a,af,7f,a0,1f,67,00,60,4d,\
  ae,5f,51,2a,68,dc,c9,fa,2f,35,09,aa,28,48,95,b4,b6,af,2e,e2,6d,f6,d0,c8,72,\
  7e,07,ea,0d,7b,04,b1,81,d3,12,c3,b7,c1,f1,e9,52,3e,9e,96,00,6e,85,1f,23,6e,\
  ff,16,db,32,28,db,ef,03,8f,79,19,42,0e,31,4d,09,36,4e,d0,8b,1a,b8,05,66,df,\
  48,6e

More information from INFOSECURITY, Posted October 14th 2013.

A ransomware threat known as CryptoLocker is making the rounds, scrambling files in the process. And once it’s triggered, there is no way to recover them.

Adobe Servers Breached - 3 million users data stolen, source code stolen

Details

Posted on Thursday, October 03, 2013

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:

• As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

• We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

• We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

• We have contacted federal law enforcement and are assisting in their investigation.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here.

We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page.

Brad Arkin
Chief Security Officer

Private email service fights court order demanding SSL keys then shutsdown.

Details

Posted on Thursday, October 03, 2013

The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to to newly unsealed documents.

The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to monitor a particular Lavabit user’s metadata, defined as “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication.”

The name of the target is redacted from the unsealed records, but the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court.

The records in the case, which is now being argued at the 4th U.S. Circuit Court of Appeals, were unsealed today by a federal judge in Alexandria, Virginia. They confirm much of what had been suspected about the conflict between the pro-privacy e-mail company and the federal government, which led to Lavabit voluntarily closing in August rather than compromise the security it promised users.

The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the e-mail “from” and “to” lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without “probable cause” that the target has committed a crime.

In the standard language for such an order, it required Lavabit to provide all “technical assistance necessary to accomplish the installation and use of the pen/trap device”

A conventional e-mail provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

Lavabit founder Ladar Levison balked at the demand, and the government filed a motion to compel Lavabit to comply. Lavabit told the feds that the user had “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information,” the government wrote.

“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user.

Levison went to court to fight the demand on August 1, in a closed-door hearing before Claude M. Hilton, Senior U. S. District Court Judge for the Eastern District of Virginia.

“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”

By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested.

“Anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th,” prosecutor James Trump told the judge. “He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”

“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”

“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”

“All right,” said Hilton. “Well, I think that’s reasonable.”

Hilton ruled for the government. “[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that
information just as they could from any telephone company or any other e-mail source that could provide it easily,” said Hilton.

The judge also rejected Lavabit’s motion to unseal the record. “This is an ongoing criminal investigation, and there’s no leeway to disclose any information about it.”

In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.

The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.

On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After significant soul searching, I have decided to suspend operations.”

Lavabit has raised approximately $30,000 in an online fundraising drive to finance its appeal to the 4th Circuit. Today the appeals court extended the deadline for opening briefs to October 10.

The complete document set follows.

Your "Social" connections are gathered and put together by NSA

Details

Posted on Saturday, September 28, 2013

Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.  The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes after N.S.A. officials lifted restrictions on the practice, according to documents provided by Edward J. Snowden, the former N.S.A. contractor.

The policy shift was intended to help the agency “discover and track” connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011. The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

N.S.A. officials declined to say how many Americans have been caught up in the effort, including people involved in no wrongdoing. The documents do not describe what has resulted from the scrutiny, which links phone numbers and e-mails in a “contact chain” tied directly or indirectly to a person or organization overseas that is of foreign intelligence interest.

The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans, prompting lawmakers in Washington to call for reining in the agency and President Obama to order an examination of its surveillance policies. Almost everything about the agency’s operations is hidden, and the decision to revise the limits concerning Americans was made in secret, without review by the nation’s intelligence court or any public debate. As far back as 2006, a Justice Department memo warned of the potential for the “misuse” of such information without adequate safeguards.

An agency spokeswoman, asked about the analyses of Americans’ data, said, “All data queries must include a foreign intelligence justification, period.”

“All of N.S.A.’s work has a foreign intelligence purpose,” the spokeswoman added. “Our activities are centered on counterterrorism, counterproliferation and cybersecurity.”

The legal underpinning of the policy change, she said, was a 1979 Supreme Court ruling that Americans could have no expectation of privacy about what numbers they had called. Based on that ruling, the Justice Department and the Pentagon decided that it was permissible to create contact chains using Americans’ “metadata,” which includes the timing, location and other details of calls and e-mails, but not their content. The agency is not required to seek warrants for the analyses from the Foreign Intelligence Surveillance Court.

N.S.A. officials declined to identify which phone and e-mail databases are used to create the social network diagrams, and the documents provided by Mr. Snowden do not specify them. The agency did say that the large database of Americans’ domestic phone call records, which was revealed by Mr. Snowden in June and caused bipartisan alarm in Washington, was excluded. (N.S.A. officials have previously acknowledged that the agency has done limited analysis in that database, collected under provisions of the Patriot Act, exclusively for people who might be linked to terrorism suspects.)

But the agency has multiple collection programs and databases, the former officials said, adding that the social networking analyses relied on both domestic and international metadata. They spoke only on the condition of anonymity because the information was classified.

The concerns in the United States since Mr. Snowden’s revelations have largely focused on the scope of the agency’s collection of the private data of Americans and the potential for abuse. But the new documents provide a rare window into what the N.S.A. actually does with the information it gathers.

A series of agency PowerPoint presentations and memos describe how the N.S.A. has been able to develop software and other tools — one document cited a new generation of programs that “revolutionize” data collection and analysis — to unlock as many secrets about individuals as possible.

The spy agency, led by Gen. Keith B. Alexander, an unabashed advocate for more weapons in the hunt for information about the nation’s adversaries, clearly views its collections of metadata as one of its most powerful resources. N.S.A. analysts can exploit that information to develop a portrait of an individual, one that is perhaps more complete and predictive of behavior than could be obtained by listening to phone conversations or reading e-mails, experts say.

Phone and e-mail logs, for example, allow analysts to identify people’s friends and associates, detect where they were at a certain time, acquire clues to religious or political affiliations, and pick up sensitive information like regular calls to a psychiatrist’s office, late-night messages to an extramarital partner or exchanges with a fellow plotter.

“Metadata can be very revealing,” said Orin S. Kerr, a law professor at George Washington University. “Knowing things like the number someone just dialed or the location of the person’s cellphone is going to allow them to assemble a picture of what someone is up to. It’s the digital equivalent of tailing a suspect.”

The N.S.A. had been pushing for more than a decade to obtain the rule change allowing the analysis of Americans’ phone and e-mail data. Intelligence officials had been frustrated that they had to stop when a contact chain hit a telephone number or e-mail address believed to be used by an American, even though it might yield valuable intelligence primarily concerning a foreigner who was overseas, according to documents previously disclosed by Mr. Snowden. N.S.A. officials also wanted to employ the agency’s advanced computer analysis tools to sift through its huge databases with much greater efficiency.

The agency had asked for the new power as early as 1999, the documents show, but had been initially rebuffed because it was not permitted under rules of the Foreign Intelligence Surveillance Court that were intended to protect the privacy of Americans.

A 2009 draft of an N.S.A. inspector general’s report suggests that contact chaining and analysis may have been done on Americans’ communications data under the Bush administration’s program of wiretapping without warrants, which began after the Sept. 11 attacks to detect terrorist activities and skirted the existing laws governing electronic surveillance.

In 2006, months after the wiretapping program was disclosed by The New York Times, the N.S.A.’s acting general counsel wrote a letter to a senior Justice Department official, which was also leaked by Mr. Snowden, formally asking for permission to perform the analysis on American phone and e-mail data. A Justice Department memo to the attorney general noted that the “misuse” of such information “could raise serious concerns,” and said the N.S.A. promised to impose safeguards, including regular audits, on the metadata program. In 2008, the Bush administration gave its approval.

A new policy that year, detailed in “Defense Supplemental Procedures Governing Communications Metadata Analysis,” authorized by Defense Secretary Robert M. Gates and Attorney General Michael B. Mukasey, said that since the Supreme Court had ruled that metadata was not constitutionally protected, N.S.A. analysts could use such information “without regard to the nationality or location of the communicants,” according to an internal N.S.A. description of the policy.

After that decision, which was previously reported by The Guardian, the N.S.A. performed the social network graphing in a pilot project for 1 ½ years “to great benefit,” according to the 2011 memo. It was put in place in November 2010 in “Sigint Management Directive 424” (sigint refers to signals intelligence).

In the 2011 memo explaining the shift, N.S.A. analysts were told that they could trace the contacts of Americans as long as they cited a foreign intelligence justification. That could include anything from ties to terrorism, weapons proliferation or international drug smuggling to spying on conversations of foreign politicians, business figures or activists.

Analysts were warned to follow existing “minimization rules,” which prohibit the N.S.A. from sharing with other agencies names and other details of Americans whose communications are collected, unless they are necessary to understand foreign intelligence reports or there is evidence of a crime. The agency is required to obtain a warrant from the intelligence court to target a “U.S. person” — a citizen or legal resident — for actual eavesdropping.

The N.S.A. documents show that one of the main tools used for chaining phone numbers and e-mail addresses has the code name Mainway. It is a repository into which vast amounts of data flow daily from the agency’s fiber-optic cables, corporate partners and foreign computer networks that have been hacked.

The documents show that significant amounts of information from the United States go into Mainway. An internal N.S.A. bulletin, for example, noted that in 2011 Mainway was taking in 700 million phone records per day. In August 2011, it began receiving an additional 1.1 billion cellphone records daily from an unnamed American service provider under Section 702 of the 2008 FISA Amendments Act, which allows for the collection of the data of Americans if at least one end of the communication is believed to be foreign.

The overall volume of metadata collected by the N.S.A. is reflected in the agency’s secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion “record events” daily and making them available to N.S.A. analysts within 60 minutes.

The spending includes support for the “Enterprise Knowledge System,” which has a $394 million multiyear budget and is designed to “rapidly discover and correlate complex relationships and patterns across diverse data sources on a massive scale,” according to a 2008 document. The data is automatically computed to speed queries and discover new targets for surveillance.

A top-secret document titled “Better Person Centric Analysis” describes how the agency looks for 94 “entity types,” including phone numbers, e-mail addresses and IP addresses. In addition, the N.S.A. correlates 164 “relationship types” to build social networks and what the agency calls “community of interest” profiles, using queries like “travelsWith, hasFather, sentForumMessage, employs.”

A 2009 PowerPoint presentation provided more examples of data sources available in the “enrichment” process, including location-based services like GPS and TomTom, online social networks, billing records and bank codes for transactions in the United States and overseas.

At a Senate Intelligence Committee hearing on Thursday, General Alexander was asked if the agency ever collected or planned to collect bulk records about Americans’ locations based on cellphone tower data. He replied that it was not doing so as part of the call log program authorized by the Patriot Act, but said a fuller response would be classified.

If the N.S.A. does not immediately use the phone and e-mail logging data of an American, it can be stored for later use, at least under certain circumstances, according to several documents.

One 2011 memo, for example, said that after a court ruling narrowed the scope of the agency’s collection, the data in question was “being buffered for possible ingest” later. A year earlier, an internal briefing paper from the N.S.A. Office of Legal Counsel showed that the agency was allowed to collect and retain raw traffic, which includes both metadata and content, about “U.S. persons” for up to five years online and for an additional 10 years offline for “historical searches.”