Microsoft and NSA. Encryption provided by Microsoft useless.

This article was originally written and posted here:

• Secret files show scale of Silicon Valley co-operation on Prism
• encryption unlocked even before official launch
• Skype worked to enable Prism collection of video calls
• Company says it is legally compelled to comply

Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".

The latest NSA revelations further expose the tensions between Silicon Valley and the Obama administration. All the major tech firms are lobbying the government to allow them to disclose more fully the extent and nature of their co-operation with the NSA to meet their customers' privacy concerns. Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.

In a statement, Microsoft said: "When we upgrade or update products we aren't absolved from the need to comply with existing or future lawful demands." The company reiterated its argument that it provides customer data "only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers".

In June, the Guardian revealed that the NSA claimed to have "direct access" through the Prism program to the systems of many major internet companies, including Microsoft, Skype, Apple, Google, Facebook and Yahoo.

Blanket orders from the secret surveillance court allow these communications to be collected without an individual warrant if the NSA operative has a 51% belief that the target is not a US citizen and is not on US soil at the time. Targeting US citizens does require an individual warrant, but the NSA is able to collect Americans' communications without a warrant if the target is a foreign national located overseas.

Since Prism's existence became public, Microsoft and the other companies listed on the NSA documents as providers have denied all knowledge of the program and insisted that the intelligence agencies do not have back doors into their systems.

Microsoft's latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: "Your privacy is our priority."

Similarly, Skype's privacy policy states: "Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content."

But internal NSA newsletters, marked top secret, suggest the co-operation between the intelligence community and the companies is deep and ongoing.

The latest documents come from the NSA's Special Source Operations (SSO) division, described by Snowden as the "crown jewel" of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.

The files show that the NSA became concerned about the interception of encrypted chats on Microsoft's portal from the moment the company began testing the service in July last year.

Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats.

A newsletter entry dated 26 December 2012 states: "MS [Microsoft], working with the FBI, developed a surveillance capability to deal" with the issue. "These solutions were successfully tested and went live 12 Dec 2012."

Two months later, in February this year, Microsoft officially launched the portal.

Another newsletter entry stated that the NSA already had pre-encryption access to Outlook email. "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."

Microsoft's co-operation was not limited to Outlook.com. An entry dated 8 April 2013 describes how the company worked "for many months" with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism – to allow Prism access without separate authorization to its cloud storage service SkyDrive.

The document describes how this access "means that analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about".

The NSA explained that "this new capability will result in a much more complete and timely collection response". It continued: "This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established."

A separate entry identified another area for collaboration. "The FBI Data Intercept Technology Unit (DITU) team is working with Microsoft to understand an additional feature in Outlook.com which allows users to create email aliases, which may affect our tasking processes."

The NSA has devoted substantial efforts in the last two years to work with Microsoft to ensure increased access to Skype, which has an estimated 663 million global users.

One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture'," it says.

Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.

According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.

The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. "Feedback indicated that a collected Skype call was very clear and the metadata looked complete," the document stated, praising the co-operation between NSA teams and the FBI. "Collaborative teamwork was the key to the successful addition of another provider to the Prism system."

ACLU technology expert Chris Soghoian said the revelations would surprise many Skype users. "In the past, Skype made affirmative promises to users about their inability to perform wiretaps," he said. "It's hard to square Microsoft's secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google."

The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.

The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that "enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism".

The document continues: "The FBI and CIA then can request a copy of Prism collection of any selector…" As a result, the author notes: "these two activities underscore the point that Prism is a team sport!"

In its statement to the Guardian, Microsoft said:

    We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes.

    Second, our compliance team examines all demands very closely, and we reject them if we believe they aren't valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate.

    Finally, when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues.

In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, said:

    The articles describe court-ordered surveillance – and a US company's efforts to comply with these legally mandated requirements. The US operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy.

They added: "In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate."

• This article was amended on 11 July 2013 to reflect information from Microsoft that it did not make any changes to Skype to allow Prism collection on or around July 2012.

Encryption, Capitalism, and the Law

Article originally posted here



June has been a pretty surreal month. As the Guardian and the Washington Post continue to publish internal NSA documents in what has become a torrential TOP SECRET/NOFORN early Christmas bonanza, many of us in hacker and activist communities have now seen what we long suspected confirmed: that the government is indiscriminately collecting and storing massive quantities of data, and that the distinction between the “law enforcement” and foreign intelligence use of this data has become increasingly blurred. For people who have family ties in Pakistan or regularly attend mosque, for those who were a part of Occupy Wall Street, or have participated in the blockade of the KXL Pipeline, the fact that the national security apparatus conducts domestic operations on a racial and political basis is no surprise; it has often been a daily fact of life for years.

Yet, being right is obviously not reassuring, and how to turn these revelations into substantive change is far from clear. Unlike in 1976, when the Church Committee was formed to address the abuses of the Nixon era, there is now a broad spectrum of established legal precedent and business practices which make widespread surveillance both legal and profitable. The courts have consistently ruled that when we turn our data over to a third party, we have no reasonable expectation of privacy. Never mind that it is pretty much impossible to communicate online today without handing your information to a third party, whether that is Apple, Facebook, Google, Dropbox, or any email server, for that matter. At the same time, the dominant business model for online services has come to be based on user data exploitation and targeted advertisements. Companies that can’t access their users’ data because it is encrypted deny themselves revenue from targeted ads. Users who have become accustomed to not having to pay to access online services are less likely to buy into a fee-for-service business model that might offer them greater privacy. These two aspects of the world we now find ourselves in, the legal architecture supporting surveillance and the profit motive driving private data exploitation, together compose a mutually reinforcing bulwark defending the state’s panopticon from both passive individual resistance and organized direct attack. All of this is happening in a world where the real-time location tracking of millions of people has become trivial, where commercial facial recognition is becoming ubiquitous, and in which the president reserves the right to murder anyone, at any time, with a flying killer robot. If there are prophets of our time, they are Kafka, Alan Moore, and Philip K. Dick.

The Failed Cypherpunk Insurgency

That to defy the surveillance state should be harder today than it was twenty years ago is tragically ironic, since today there are publicly available cryptographic tools that can effectively shield individuals’ communications from interception. Free software such as LUKS, GnuPG, and OTR theoretically allow anyone to secure their hard drive, their email, and their conversations online. For much of the 1990s, there was a fight to make these tools publicly available. Many of the most secure crypto algorithms, such as RSA, were patented and couldn’t be used without first paying a hefty license fee. Cryptography was legally considered to be a type of “munition” by the US government, and anyone who developed software that employed crypto risked being prosecuted in the US for unlawfully trafficking in ordnance. The cypherpunks of the 1990s were committed to spreading cryptography through any means necessary. Phil Zimmermann, who wrote PGP, the free software for encrypting email, successfully circumvented the legal blockade on the export of cryptography by publishing his source code as a book, “PGP Source Code and Internals.” The text was written in a machine-readable format, so that anyone who purchased a copy of the book would be able to scan in the software, then use it or distribute it themselves. Although he was charged with violating the ban on munitions exports, Zimmermann was able to successfully argue that his book was not software, but First Amendment-protected speech. The 90s are littered with similar cypherpunk battles; some hackers set off to countries with laws favorable to exporting cryptography, so that they could safely write code and share it with the world. They believed that if encryption was widely available, government surveillance would be impossible, censorship would become a historical relic, and untraceable digital currency would become ubiquitous. Without the ability to monitor citizens or collect tax revenue, governments would fall and the people of the world would build a new society on the ashes of the old. If this sounds grandiose or naive, that’s because it was.

The cypherpunks believed that with cryptography, the internet could exist as a platonic space, free from the coercive influence of organized violence. Since no amount of force can solve a math problem, and since individuals online become place-less avatars of their physical selves, then theoretically a cryptographic net could become the ultimate state-proof reality. They failed, though, to anticipate that the hegemonic forces of organized capital would exert the same disproportionate influence over people online as in the physical world, and that these new internet capitalists would be just as welcoming to the coercive influence of the state as their predecessors had been.

Today, the cypherpunk mindset lives on among technically inclined people who have fallen in love with cryptography. I know because I’m one of them. I think the way the Diffie-Hellman exchange appears to defy logic is utterly fascinating. I make one time pads for fun, I occasionally tune into shortwave number stations based out of Russia, and if you get me drunk I will explain public key cryptography in detail to anyone present regardless of their expressed level of interest in the subject. That people would freely choose to use cryptography and become enthralled with its mathematical simplicity seems natural to me. However, if I’m honest, I have to admit that I go well out of my way to use crypto tools on a daily basis. The online spaces most of us frequent aren’t designed to protect our data from the people who built them, because if they were, those same people would very quickly be out of business.

Free Choice Isn’t Free

All of us express our agency within a given set of restrictions. If I live in a neighborhood without stores that sell fresh fruits and vegetables, then my “choice” to eat healthy food comes with higher costs in travel time and money that I may not have. When all of my friends use cell phones to make plans and meet up, then my choice not to carry an insecure tracking device expands to include the choice not to spend as much time with my friends. If almost all of my friends are planning parties on Facebook, then my choice not to use Facebook expands to include the choice not to go to most parties. These are choices that aren’t really free choices; they are all weighted by the influence of dominant players who define the shape of the terrain in which I make my choice.

The terrain of online communication is similarly shaped and defined by hegemonic players: companies that profit off of user data exploitation and seek to keep users within their internally coherent fiefdoms. Once a company achieves a certain critical mass of users, it is no longer in its interest to be compatible with other platforms and technologies; since its users have already become dependent upon it, it is now in that company’s interest to force a choice away from its competitors, rather than offer users more choice. Google, for example, recently decided to stop supporting XMPP, an open chat protocol that allows GTalk users to chat with a wide variety of other platforms, including Facebook, Outlook, and free software applications such as Pidgin that support true end-to-end encryption. Since GTalk is tied to GMail, Hangouts, and Google+, users who are upset at losing the freedom of XMPP will have to decide if they are mad enough to forgo the benefits of those other Google products. Even if a user were to leave Google, in order for them to be able to chat with all of their friends, they would have to convince them all to use Jabber instead of GTalk. Their choice, then, is not really a free choice.

This effect of choices that aren’t choices applies to anyone trying to secure their online communications with cryptography as well. Since any end-to-end crypto tool requires that both people are using the tool to communicate, an individual who wants to use crypto has to convince other members of her social network to adopt the same tool she is using. This means that anyone designing a crypto tool today, no matter how easy to use, is swimming upstream against the closed networks of the established players.

This network effect inherent to successful platform adoption means that secure communication is a social phenomenon as much as a technical one; whenever there is a large community of people using a particular technology, that network is healthy and there is an incentive for other people to join it. A technology with a small network faces large barriers to widespread use. Generally, we can say that successful technologies are (a) easy to use and (b) have large networks. It’s clear that these two qualities are mutually reinforcing and together encourage widespread adoption of a platform. What’s not clear is whether an easy-to-use tool naturally leads to widespread adoption.

Some cryptographers are attempting to address the user adoption friction caused by difficult-to-use software like PGP by making elegant, easy crypto tools that work where users already are: their phone and the browser. Moxie Marlinspike and Nadim Kobeissi are two of the most prominent developers doing this kind of work. Moxie founded Whisper Systems, and brought encrypted VoIP and texts to smartphones with RedPhone and TextSecure. Nadim built Cryptocat, the first in-browser encrypted chat platform. (Note: Cryptocat has apparently just been hit with the discovery of another major security flaw.) Both have simple interfaces that are pleasant to use. Whether they will be widely adopted largely depends on the hope that good design leads to a larger user base, which by way of the network effect will accelerate user adoption.

There is some reason to believe that this may not be the case. A software tool’s ease of use is not just a function of design, but of interoperability with other existing stuff that people are already using. RedPhone and TextSecure are deliberately grafted into existing users’ habits by seamlessly replacing the default phone and texting applications in Android. However, because Google defines the state of play by controlling the platform on which both of these programs run, RedPhone and TextSecure function more or less at the mercy of Google. What happens to RedPhone if Google tries to force out competitors and make Hangouts, its video chat and VoIP client, the replacement for standard calls on Android? That might be back to the drawing board for Whisper Systems. Cryptocat, on the other hand, runs as a Chrome and Firefox plugin, so while it seems unlikely that it would be swept off of either of those platforms, people still have to go out of their way to use Cryptocat; people go there for secure communication, but it isn’t built into any of the increasingly closed online worlds they inhabit. Companies that are able to generate mass revenue through user data exploitation are able to construct a constellation of interdependent services whose convenience is primarily derived not from their user design in and of itself, but from the fact that they are part of a large, internally coherent ecosystem. This is the “sandbox effect” of monopolistic design. Without the ability to derive revenue from user data, most user-friendly encryption applications are either run out of pocket, like Whisper Systems and Cryptocat, or are fee-for-service, like Silent Circle.

User choice isn’t just restricted by the coercive effect of the rent-seeking and anti-competitive behavior of hegemonic companies like Google; their entire business model is based on undermining privacy. No major internet company is interested in offering true end-to-end encryption, because this would mean that they would no longer have access to the user’s plaintext data: the lifeblood of their ad-based business model. These companies effectively offer what Bruce Schneier has dubbed “feudal security.” Google promises to keep your inbox free of competitors’ spam in exchange for discreetly offering you some of its own. Data-exploiting companies effectively secure their users against their competitors and against malicious exploitation, but they hoard users’ plaintext data for themselves. Since almost all of these companies are US based and subject to US law (whatever that may happen to be these days), this means that Google, Facebook, Skype, etc. also hoard users’ data for the NSA.

Cyberspace Isn’t Space: Trouble With The Law

Quite obviously, when the fourth amendment was written, there was no internet. Personal papers were largely kept at home or at an office, and the protection against “unreasonable searches and seizures” referred to trespass by government officials. This has created problems when the deterritorializing effect of technology confuses the nature of private space. However, much of this apparent confusion in the courts is fairly recent, and there is a strong historical precedent of US courts adapting to new technologies while upholding the intent of the fourth amendment.

In a 1928 case before the Supreme Court, Olmstead v. United States, the defendant argued that the evidence gathered against him by a phone wiretap should not be admissible in court, since the government hadn’t bothered to obtain a warrant to do so. The federal government argued that no such warrant was necessary, since no “search or seizure” of the defendant’s home had taken place. The court ruled with the defendant, arguing that:

Applying to the Fourth and Fifth Amendments the established rule of construction, the defendants’ objections to the evidence obtained by wiretapping must, in my opinion, be sustained. It is, of course, immaterial where the physical connection with the telephone wires leading into the defendants’ premises was made. And it is also immaterial that the intrusion was in aid of law enforcement. Experience should teach us to be most on our guard to protect liberty when the Government’s purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding.

The court went on to conclude that:

By the laws of Washington, wiretapping is a crime. Pierce’s Code, 1921, § 8976(18). To prove its case, the Government was obliged to lay bare the crimes committed by its officers on its behalf. A federal court should not permit such a prosecution to continue.

You would think that such an astounding instance of common sense would equally apply to the protection of email from warrantless seizure, but you’d be wrong. In United States v. Miller (1976) and other similar recent cases, the court has repeatedly bought the argument that since sending an email involves “voluntarily disclosing information to a third party,” the person sending that email therefore has no valid expectation of privacy in their communications. If there were no precedent analogous to email upon which to base their decision, it might make sense that the court was just confused, but that’s not the case. As far back as 1876, in Ex parte Jackson, 96 U.S. 727, the government had argued that the fourth amendment does not protect against the interception of mail, since the sender has entrusted it to a third party, the US Postal Service. The court rejected that line of argument, declaring that:

Letters and sealed packages of this kind in the mail are as fully guarded from examination and inspection, except as to their outward form and weight, as if they were retained by the parties forwarding them in their own domiciles. The constitutional guaranty of the right of the people to be secure in their papers against unreasonable searches and seizures extends to their papers, thus closed against inspection, wherever they may be. Whilst in the mail, they can only be opened and examined under like warrant, issued upon similar oath or affirmation, particularly describing the thing to be seized, as is required when papers are subjected to search in one’s own household.

Unfortunately, the effect of recent decisions in line with United States v. Miller, which perpetuate the notion that privacy is obviated if a third party is involved, has not just undermined our online privacy, it has also produced a myriad of insidious structural changes in how the judicial review of executive power operates, often in ways which are not immediately apparent.

One of the virtues of the post-feudal common law legal tradition is the principle of equality before the law. Individuals are all theoretically subject to the same set of laws via the same legal process, whether they are a part of the state power structure, are wealthy “private” parties, or are ordinary persons. Of course, people with more access to societal privilege or with connections to people of influence almost always fare far better than those who don’t have such access, but this sort of corruption of the judicial process is quite different from its structural abrogation, which is what we are seeing now between the state and internet companies, a relationship which has come to resemble more a series of feudal fiefdoms negotiating their position with a ruling state than it does the functioning of a healthy judicial system in a democratic society.

In the physical world, if the government wants to search my house, then they (theoretically) get a warrant to do so. I would have the opportunity to fight over the legitimacy of that warrant in court. Today, my data is stored with a few very large companies, and so the government instead goes straight to them, via an administrative subpoena or similar rubber-stamp instrument, to get my data. While a warrant to search my house might be issued on an ex parte basis, meaning that I am not notified of the warrant hearing and do not have the opportunity to object beforehand, I would nonetheless be able to argue afterwards that the warrant was issued illegitimately, and get any evidence associated with the improper warrant tossed out of court as well. This isn’t the case with National Security Letters, which are served on ISPs and internet companies and include a gag order, effectively banning the company that receives them from ever notifying the customer being targeted that it has received such an order. ISPs and companies like Google and Twitter which receive these orders can fight them in court, but unlike the actual defendants, they lack a strong incentive to do so; resisting these types of requests is a civic service that private companies have little reason to pursue. Beyond maintaining their reputation with their customers, Google or Facebook have a weak incentive to spend thousands of dollars in legal fees just to stick up for any individual user.

As a result of the courts’ ongoing habit of upholding the notion that we somehow forfeit our expectation of privacy when storing information with a third party, the conversation in the court system has contracted from a very broad-based series of diffuse opinions, written in many courts by judges hearing objections from many defendants’ attorneys, to a very narrowly based series of secret conflicts between large internet companies and the government, most often before the secret and unaccountable FISA court. Effectively this has bypassed any thoroughgoing legal examination of the legitimacy of the government’s broad surveillance practices by transforming common law judicial review into a series of negotiations between internet companies and the government over how much information they are willing to share about their users. This isn’t equality before the law, since individuals are powerless to question the legitimacy of the surveillance directed at them. Instead, the companies that “own” the data choose whether they want to resist government requests at their own expense.

All of this is to say that the situation we now find ourselves in is quite complex; a series of interdependent and mutually reinforcing edifices which support mass state surveillance have metastasized over the past decade: in the legal sphere, through the ad-based services we use, and due to a deficit of viable, easy-to-use online tools that incorporate true end-to-end crypto. Without a business model that can support end-to-end crypto and a robust court challenge to the current widespread (mis)interpretation of the fourth amendment by the judiciary, the future looks very bleak. Think Blade Runner meets Minority Report.

Please Note: This piece is highly indebted to the ideas of Moxie Marlinspike, Jacob Appelbaum, and to a lesser extent Bruce Schneier. The stuff on the history of the cypherpunk movement in particular, and the bit on the false nature of liberal choice theory is ripped almost directly from a talk Moxie gave at Defcon 18. Hopefully people who haven’t come across these ideas elsewhere will feel curious to look those fine people up on the interwebs.

U.S. Emergency Alert System open to false messages

It's fair to say that should you see one of these warnings on your television as you're drinking your wake-up coffee, you're probably not going to have the best of days. Though, when you're told that the "bodies of the dead are rising from their graves and attacking the living," one might meet such reports — despite the official standing of such interruptions — with some skepticism.

That's exactly what happened in Montana in February, when hackers broke into the U.S. Emergency Alert System (EAS), which interrupts television and radio broadcasts in times of local and national warnings. The default password hadn't been changed, allowing the hackers to walk into the Internet-connected appliance.

But a new security advisory warns that the EAS system is wide open to remote attacks by hackers, who can broadcast fake reports and materials.

The "critical" rating from IOActive [PDF] warns that DASDEC-I and DASDEC-II application servers, made by Digital Alert Systems, are left wide open to attackers, following a recent firmware update that also disseminated the secure-shell (SSH) key.

The key allows anyone with limited knowledge to log in at the root level of the server and "manipulate any system function," including browsing key directories and accessing its peering arrangements.

According to the advisory, an attacker who gains control of one or more DASDEC systems "can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," which in some cases could be "forwarded to and mirrored" by other systems, spreading false information over a wider area.

The key is now in the public domain, and "cannot be easily removed except by a root privileged user on the server." The security advisory warns the maker of these appliances to "re-evaluate their firmware and push updates to all appliances."

Other advisories were published, including one by US-CERT, which notes that firmware version 2.0-2 resolves this vulnerability.
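A defender-side check for the problem described above, added here as an example (not code from IOActive, US-CERT or Digital Alert Systems): it parses a root authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags entries matching a blocklist of advisory-published fingerprints as well as keys carrying no from= or command= restriction. The key blobs, the blocklist fingerprint and the file contents are constructed placeholders, not real keys.

```python
import base64
import hashlib
import shlex

# Key types accepted in authorized_keys (a subset is enough for the example).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def fingerprint(key_blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line: str):
    """Return (options, key_type, blob, comment) for a key line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # unquotes options such as command="/usr/bin/x y"
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return ",".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def audit(text: str, blocked_fingerprints: set) -> list:
    """Flag keys published in an advisory, and keys usable from anywhere for any command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        options, _ktype, blob, _comment = entry
        fp = fingerprint(blob)
        if fp in blocked_fingerprints:
            findings.append((lineno, "KNOWN_SHIPPED_KEY", fp))
        if not any(o.startswith(("from=", "command=")) for o in options.split(",")):
            findings.append((lineno, "UNRESTRICTED_KEY", fp))
    return findings

# Constructed sample data: arbitrary bytes, not real keys; the vendor fingerprint stands in for one an advisory would publish.
VENDOR_BLOB = base64.b64encode(b"constructed vendor blob, not a real key").decode()
OPS_BLOB = base64.b64encode(b"constructed ops blob, not a real key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed root authorized_keys on a hypothetical appliance
ssh-rsa {VENDOR_BLOB} vendor-firmware-default
from="10.0.0.0/24",command="/usr/local/bin/backup run" ssh-ed25519 {OPS_BLOB} ops-backup
"""
BLOCKED = {fingerprint(VENDOR_BLOB)}

if __name__ == "__main__":
    for lineno, reason, fp in audit(SAMPLE_AUTHORIZED_KEYS, BLOCKED):
        print(f"line {lineno}: {reason} {fp}")
```

On a real appliance the blocklist would hold the fingerprint of the key the vendor shipped, and any match means that line must be removed by a root user before the host can be trusted again.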

Attack on South Korean targets part of a larger cyber-espionage campaign

The March 20 cyber-attack on South Korean financial services and media firms, known as Dark Seoul, was thought to be significant not only for the high-profile nature of the targets but also for the use of a Master Boot Record (MBR) wiping functionality that erased the hard drives of infected PCs.

According to McAfee Labs, however, Dark Seoul is notable for another reason: it can be linked back to an ongoing, persistent operation against South Korea known as Operation Troy, which has been targeting the world’s most wired nation since at least 2009. And, the threat appears to come from within.

“McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities,” the security firm noted in a white paper dissecting the issue.

“The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets. We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible.”

Aside from the obvious reference to trojan viruses, the term “Operation Troy” has been given to the campaign because of a liberal sprinkling of Roman and Trojan terms throughout the attack code, which McAfee said most likely points to a group called the NewRomanic Cyber Army Team as the perpetrators.

The latest attacks managed to create a significant disruption of ATM networks in South Korea, while denying access to funds. But in addition to wiping the MBR to render systems unusable, creating an instant slowdown to operations within the target, Operation Troy is also focused on stealing and holding data hostage and announcing the theft in an Anonymous-style hacktivist approach.

“Public news media have reported only that tens of thousands of computers had their MBRs wiped by the malware,” McAfee said. “But there is more to this story: The main group behind the attack claims that a vast amount of personal information has been stolen. This type of tactic is consistent with Anonymous operations and others that fall within the hacktivist category, in which they announce and leak portions of confidential information.”

McAfee uncovered that in 2011, one of the same financial institutions was hit with destructive malware that caused a denial of service. “The attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies,” the firm said, noting that they also referenced destroying the data on a large number of machines (i.e., MBR wiping).

The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools. While analyzing malware components from before the March 20 incident, McAfee found both similar and identical attributes of the files involved that link them to the 3Rat remote administration tool client used on March 20, as well as to samples dating to 2010. The firm said that it’s also possible that the campaign known as 10 Days of Rain is a byproduct of Operation Troy; some of the analysis suggests that the malware Concealment Troy was present in these attacks.

“This spying operation had remained hidden and only now has been discovered through diligent research and collaboration,” McAfee noted. “We also suspect the attackers had knowledge of the security software running within the environment before they wiped the systems, given that some of the variants used in the attack were made to look as if they were antimalware update files from before March 20.”

In all, McAfee’s investigation found a long-term domestic spying operation underway since at least 2009, all based on the same code, attempting to infiltrate specific South Korean targets.

“Typically this sort of advanced persistent threat (APT) campaign has targeted a number of sectors in various countries, but Operation Troy, as these attacks are now called, targets solely South Korea,” it noted. “From our analysis of unique attributes within the malware samples we have determined that…the malware used in these attacks were compiled to specifically target South Korea and used Korean-language resources in the binaries. The malware connected to legitimate Korean domains that were running a bulletin board and sent a specific command to a PHP page to establish an IRC channel and receive commands.”

Top Five IT Security Cyber Threats

As cybercrime expands and evolves, a new study categorizes and describes the top five threats: data breaches, malware, DDoS, mobile threats and the industrialization of fraud – and they're all interrelated.

  1. Data Breach
  2. Malware
  3. DDoS
  4. Mobile Threats
  5. Industrialization of Fraud

Security firm 41st Parameter describes each threat in turn. The data breach threat is illustrated by the LivingSocial breach earlier this year. 50 million records were compromised in April. Although no financial records were stolen, they probably weren’t the direct target: “consumers don’t realize that the real concern behind the theft of personal data (such as email addresses, birthdates and encrypted passwords) is potential exposure to various forms of identity theft.”

The real problem with large data heists comes in the following months, when the attackers use the data they have stolen to engineer compelling phishing attacks “to dupe unsuspecting victims into revealing sensitive data that can be used to open new accounts or take over existing ones.” In this instance there were two difficulties: firstly, consumers still tend to reuse passwords across multiple accounts, and secondly, LivingSocial’s business model sends out ‘daily deals’ emails to its subscribers. A forged email could look like a genuine LivingSocial mail but actually contain a disguised link to a malicious site.

That malicious site would contain the second of the major threats: malware. Malware delivery from a malicious URL, otherwise known as drive-by downloading, is one of the three top delivery mechanisms of 2012. The others are app repackaging for mobile devices, and smishing. App repackaging takes a genuine app, alters it for bad intent, and then redistributes it via a different channel. Smishing is the use of “unsolicited text messages that prompt users to provide credentials.”

There is no single solution to malware, but the threat can be mitigated by the use of up-to-date anti-malware software, and improved visibility into the devices – especially mobile devices – that connect to the corporate network.

The third threat is DDoS. DDoS attacks are disruptive, driving costs up and reputations down; and there are more than 7000 DDoS attacks every day. But there is a growing issue, “more prevalent now than it’s ever been,” when the target site is a bank. Possibly using account credentials stolen by the malware distributed after a data breach, it’s now “common for fraudsters to access a group of accounts, perform reconnaissance and money movement activities and then immediately launch a DDoS attack in order to create a diversion.”

The fourth threat is that posed by and to the mobile market – 700 million smartphones were sold in 2012 alone. “Since fraudsters typically attack the weakest point of ingress,” warns 41st Parameter, “and without the proper device recognition and detection systems in place, the mobile channel may soon emerge as their channel of choice.” Overall, 2012 saw a 163% increase in mobile threats, with 95% of mobile threats attacking the Android platform. In all, 32.8 million mobile devices were infected with malware.

Finally, the report discusses the industrialization of fraud. Since online transactions are by their nature ‘machine-to-machine’ they lend themselves to automation. But just as the banks automate their own processes, so too are criminals automating fraud. “Recently, 41st Parameter has seen the standardization of fraud software building blocks and data formats, which make it easier to collaborate and exchange information between fraud rings.” And there are more than 10,000 of these fraud rings in the US alone.

One of the problems that comes from this automation is that criminals can just as easily perpetrate hundreds or thousands of small frauds to gain the same financial return as a few large ones – and by staying small they are more likely to slip under the banks’ fraud detection systems.

All of these threats could stem from that initial data breach: stolen personal data leading to phishing and the installation of malware that steals account data (although the mobile arena is increasingly used to do the same), in turn leading to financial fraud which is increasingly industrialized and disguised by DDoS attacks. In fact, “The increase in large-scale data breaches and high-volume, coordinated fraud attacks are byproducts of the industrialization of fraud driven by the movement of services online,” says Eli Katz, vice president of financial industry solutions at 41st Parameter. “Financial institutions and consumers must each take steps to adjust to this evolving threat landscape.”

Malware Infections Are Usually From "Legitimate" Websites

You're more likely to encounter malware through reputable, hacked services than seedy, illicit websites.

If you've spent even a small amount of time on the internet, you're probably aware of a simple fact: Malware is everywhere. Everywhere. Hiding in your computer, tracking your private data, and generally being a pain in everyone's digital rear end. Thankfully, there's lots of advice on avoiding malware infections, the most common being to show discretion with the pages you visit. Just avoid obscure and untrusted "phishing" websites asking for personal information, and you'll bypass 90-95% of the bad stuff, right? According to Google, no, not really. The web giant has updated its Transparency Report with breakdowns on common infection sources, revealing the biggest malware culprits to be compromised "legitimate" pages that unwittingly take advantage of visitors.

Let's make one thing clear: It is still a horrible idea to just visit some illicit porn site and start downloading everything you see. That will turn out badly. What Google's saying is that the vast majority of malware infections come from perfectly legal services which most users assume are safe. Some are small Mom-and-Pop operations, others could be significantly larger, but all have vulnerabilities that hackers took advantage of. Google blocks approximately 10,000 of these websites per day to stem the tide, but with up to 90,000 infections detected during especially infectious weeks, the company is clearly involved in a long-term struggle.

That said, it's not all bad news. As webmasters become more aware of online security, the response time between detecting an infection and repairing it has dropped dramatically in recent years. Google's Safe Browsing, for example, informs users and webmasters when websites have been compromised, discouraging traffic until the problem is fixed. We'll probably never fully get rid of malware, considering that approximately 100 million browsers see warnings each week. Still, while the number seems daunting, the fact that we know about it at all is a step in the right direction.

Source: Google Transparency Report, via Ars Technica
