The New York Times by Charlie Savage August 21, 2013
The federal government is making progress on developing a surveillance system that would pair computers with video cameras to scan crowds and automatically identify people by their faces, according to newly disclosed documents and interviews with researchers working on the project.
The Department of Homeland Security tested a crowd-scanning project called the Biometric Optical Surveillance System — or BOSS — last fall after two years of government-financed development. Although the system is not ready for use, researchers say they are making significant advances. That alarms privacy advocates, who say that now is the time for the government to establish oversight rules and limits on how it will someday be used.
FBI spooks use MALWARE to spy on suspects’ Android mobes – report
Spear-phishing: It’s not just for the bad guys
The Register / UK by Bill Ray August 2, 2013
The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.
That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.
The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.
It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.
Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect’s hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.
Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.
Given the convergence of mobile and desktop, it’s no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.
The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as it would against any spear-phishing attempt. But then again, if you know that, they probably wouldn’t try using it against you.
Feds Are Suspects in New Malware That Attacks Tor Anonymity
WIRED / Threat Level by Kevin Poulsen August 5, 2013
Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.
The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.
“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.
Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.
The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.
The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on an U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”
Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.
Freedom Hosting is a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion — that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.
Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree – which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.
Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.
By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.
Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.
“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”
The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target.
But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.
The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.
In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.
But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?
Update 8.5.13 12:50:According to Domaintools, the malware’s command-and-control IP address in Virginia is allocated to Science Applications International Corporation. Based in McLean, Virginia, SAIC is a major technology contractor for defense and intelligence agencies, including the FBI. I have a call in to the firm.
13:50Tor Browser Bundle users who installed or manually updated after June 26 are safe from the exploit, according to the Tor Project’s new security advisory on the hack.
14:30:SAIC has no comment.
15:10:There are incorrect press reports circulating that the command-and-control IP address belongs to the NSA. Those reports are based on a misreading of domain name resolution records. The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area.
8.6.13 17:10:SAIC’s link to the IP addresses may be an error in Domaintools’ records. The official IP allocation records maintained by the American Registry for Internet Numbers show the two Magneto-related addresses are not part of SAIC’s publicly-listed allocation. They’re part of a ghost block of eight IP addresses that have no organization listed. Those addresses trace no further than the Verizon Business data center in Ashburn, Virginia, 20 miles northwest of the Capital Beltway. (Hat tip: Michael Tigas)
Direct Link: http://www.wired.com/threatlevel/2013/08/freedom-hosting/
NSA loophole allows warrantless search for US citizens’ emails and phone calls
Exclusive: Spy agency has secret backdoor permission to search databases for individual Americans’ communications
The Guardian / UK by James Ball & Spencer Ackerman August 9, 2013
The National Security Agency has a secret backdoor into its vast databases under a legal authority enabling it to search for US citizens’ email and phone calls without a warrant, according to a top-secret document passed to the Guardian by Edward Snowden.
The previously undisclosed rule change allows NSA operatives to hunt for individual Americans’ communications using their name or other identifying information. Senator Ron Wyden told the Guardian that the law provides the NSA with a loophole potentially allowing “warrantless searches for the phone calls or emails of law-abiding Americans”.
The authority, approved in 2011, appears to contrast with repeated assurances from Barack Obama and senior intelligence officials to both Congress and the American public that the privacy of US citizens is protected from the NSA’s dragnet surveillance programs.
The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.
But this is the first evidence that the NSA has permission to search those databases for specific US individuals’ communications.
A secret glossary document provided to operatives in the NSA’s Special Source Operations division – which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies – details an update to the “minimization” procedures that govern how the agency must handle the communications of US persons. That group is defined as both American citizens and foreigners located in the US.
“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”
The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.
The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.
Wyden, an Oregon Democrat on the Senate intelligence committee, has obliquely warned for months that the NSA’s retention of Americans’ communications incidentally collected and its ability to search through it has been far more extensive than intelligence officials have stated publicly. Speaking this week, Wyden told the Guardian it amounts to a “backdoor search” through Americans’ communications data.
“Section 702 was intended to give the government new authorities to collect the communications of individuals believed to be foreigners outside the US, but the intelligence community has been unable to tell Congress how many Americans have had their communications swept up in that collection,” he said.
“Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.”
Wyden, along with his intelligence committee colleague Mark Udall, have attempted repeatedly to warn publicly about the ability of the intelligence community to look at the communications of US citizens, but are limited by their obligation not to reveal highly classified information.
But in a letter they recently wrote to the NSA director, General Keith Alexander, the two senators warned that a fact sheet released by the NSA in the wake of the initial Prism revelations to reassure the American public about domestic surveillance was misleading.
In the letter, they warned that Americans’ communications might be inadvertently collected and stored under Section 702, despite rules stating only data on foreigners should be collected and retained.
“[W]e note that this same fact sheet states that under Section 702, ‘Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorised purpose nor evidence of a crime,'” they said.
“We believe that this statement is somewhat misleading, in that it implied the NSA has the ability to determine how many American communications it has collected under Section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”
The foreign intelligence surveillance (Fisa) court issues approvals annually authorizing such operations, with specific rules on who can be targeted and what measures must be taken to minimize any details “inadvertently” collected on US persons.
Secret minimization procedures dating from 2009, published in June by the Guardian, revealed that the NSA could make use of any “inadvertently acquired” information on US persons under a defined range of circumstances, including if they held usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted or are believed to contain any information relevant to cybersecurity.
At that stage, however, the rules did not appear to allow for searches of collected data relating to specific US persons.
Assurances from Obama and senior administration officials to the American public about the privacy of their communications have relied on the strict definition of what constitutes “targeting” while making no mention of the permission to search for US data within material that has already been collected.
The day after the Guardian revealed details of the NSA’s Prism program, President Obama said: “Now, with respect to the internet and emails, this doesn’t apply to US citizens and it doesn’t apply to people living in the United States.”
Speaking at a House hearing on 18 June this year, deputy attorney general James Cole told legislators “[T]here’s a great deal of minimization procedures that are involved here, particularly concerning any of the acquisition of information that deals or comes from US persons.
“As I said, only targeting people outside the United States who are not US persons. But if we do acquire any information that relates to a US person, under limited criteria only can we keep it.”
Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, said in June 2012 that she believed the intelligence agencies and the Justice Department were sufficiently mindful of Americans’ privacy.
“The intelligence community is strictly prohibited from using Section 702 to target a US person, which must at all times be carried out pursuant to an individualized court order based upon probable cause,” Feinstein stated in a report provided to the Senate record.
While there are several congressional proposals to constrain the NSA’s bulk collection of Americans’ phone records, there has to date been much less legislative appetite to abridge its powers under Section 702 – as lawmakers are satisfied it doesn’t sufficiently violate Americans’ privacy.
“702 is focused outside the United States at non-citizens,” said Adam Schiff, a member of the House intelligence committee. “The evidence of the effectiveness of 702 is much more substantial than 215 [the bulk phone records collection]. So I think there are fewer fourth amendment concerns and more evidence of the saliency of the program.”
Wyden and Udall – both of whom say foreign surveillance conducted under Section 702 has legitimate value for US national security – have tried and failed to restrict the NSA’s ability to collect and store Americans’ communications that it accidentally acquires.
Wyden told the Guardian that he raised concerns about the loophole with President Obama during an August 1 meeting with legislators about the NSA’s surveillance powers.
“I believe that Congress should reform Section 702 to provide better protections for Americans’ privacy, and that this could be done without losing the value that this collection provides,” he said.
The Guardian put the latest revelations to the NSA and the Office of the Director of National Intelligence but no response had been received by the time of publication.
Top secret documents submitted to the court that oversees surveillance by US intelligence agencies show the judges have signed off on broad orders which allow the NSA to make use of information “inadvertently” collected from domestic US communications without a warrant.
The Guardian is publishing in full two documents submitted to the secret Foreign Intelligence Surveillance Court (known as the Fisa court), signed by Attorney General Eric Holder and stamped 29 July 2009. They detail the procedures the NSA is required to follow to target “non-US persons” under its foreign intelligence powers and what the agency does to minimize data collected on US citizens and residents in the course of that surveillance.
The documents show that even under authorities governing the collection of foreign intelligence from foreign targets, US communications can still be collected, retained and used.
The procedures cover only part of the NSA’s surveillance of domestic US communications. The bulk collection of domestic call records, as first revealed by the Guardian earlier this month, takes place under rolling court orders issued on the basis of a legal interpretation of a different authority, section 215 of the Patriot Act.
The Fisa court’s oversight rolehas been referenced many times by Barack Obama and senior intelligence officials as they have sought to reassure the public about surveillance, but the procedures approved by the court have never before been publicly disclosed.
The top secret documents published today detail the circumstances in which data collected on US persons under the foreign intelligence authority must be destroyed, extensive steps analysts must take to try to check targets are outside the US, and reveals how US call records are used to help remove US citizens and residents from data collection.
However, alongside those provisions, the Fisa court-approved policies allow the NSA to:
• Keep data that could potentially contain details of US persons for up to five years;
• Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
• Preserve “foreign intelligence information” contained within attorney-client communications;
• Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.
The broad scope of the court orders, and the nature of the procedures set out in the documents, appear to clash with assurances from President Obama and senior intelligence officials that the NSA could not access Americans’ call or email information without warrants.
The documents also show that discretion as to who is actually targeted under the NSA’s foreign surveillance powers lies directly with its own analysts, without recourse to courts or superiors – though a percentage of targeting decisions are reviewed by internal audit teams on a regular basis.
Since the Guardian first revealed the extent of the NSA’s collection of US communications, there have been repeated calls for the legal basis of the programs to be released. On Thursday, two US congressmen introduced a bill compelling the Obama administration to declassify the secret legal justifications for NSA surveillance.
The disclosure bill, sponsored by Adam Schiff, a California Democrat, and Todd Rokita, an Indiana Republican, is a complement to one proposed in the Senate last week. It would “increase the transparency of the Fisa Court and the state of the law in this area,” Schiff told the Guardian. “It would give the public a better understanding of the safeguards, as well as the scope of these programs.”
Section 702 of the Fisa Amendments Act (FAA), which was renewed for five years last December, is the authority under which the NSA is allowed to collect large-scale data, including foreign communications and also communications between the US and other countries, provided the target is overseas.
FAA warrants are issued by the Fisa court for up to 12 months at a time, and authorise the collection of bulk information – some of which can include communications of US citizens, or people inside the US. To intentionally target either of those groups requires an individual warrant.
One such warrant seen by the Guardian shows that they do not contain detailed legal rulings or explanation. Instead, the one-paragraph order, signed by a Fisa court judge in 2010, declares that the procedures submitted by the attorney general on behalf of the NSA are consistent with US law and the fourth amendment.
Those procedures state that the “NSA determines whether a person is a non-United States person reasonably believed to be outside the United States in light of the totality of the circumstances based on the information available with respect to that person, including information concerning the communications facility or facilities used by that person”.
It includes information that the NSA analyst uses to make this determination – including IP addresses, statements made by the potential target, and other information in the NSA databases, which can include public information and data collected by other agencies.
Where the NSA has no specific information on a person’s location, analysts are free to presume they are overseas, the document continues.
“In the absence of specific information regarding whether a target is a United States person,” it states “a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person.”
If it later appears that a target is in fact located in the US, analysts are permitted to look at the content of messages, or listen to phone calls, to establish if this is indeed the case.
Referring to steps taken to prevent intentional collection of telephone content of those inside the US, the document states: “NSA analysts may analyze content for indications that a foreign target has entered or intends to enter the United States. Such content analysis will be conducted according to analytic and intelligence requirements and priorities.”
Details set out in the “minimization procedures”, regularly referred to in House and Senate hearings, as well as public statements in recent weeks, also raise questions as to the extent of monitoring of US citizens and residents.
NSA minimization procedures signed by Holder in 2009 set out that once a target is confirmed to be within the US, interception must stop immediately. However, these circumstances do not apply to large-scale data where the NSA claims it is unable to filter US communications from non-US ones.
The NSA is empowered to retain data for up to five years and the policy states “communications which may be retained include electronic communications acquired because of limitations on the NSA’s ability to filter communications”.
Even if upon examination a communication is found to be domestic – entirely within the US – the NSA can appeal to its director to keep what it has found if it contains “significant foreign intelligence information”, “evidence of a crime”, “technical data base information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”.
Domestic communications containing none of the above must be destroyed. Communications in which one party was outside the US, but the other is a US-person, are permitted for retention under FAA rules.
The minimization procedure adds that these can be disseminated to other agencies or friendly governments if the US person is anonymised, or including the US person’s identity under certain criteria.
A separate section of the same document notes that as soon as any intercepted communications are determined to have been between someone under US criminal indictment and their attorney, surveillance must stop. However, the material collected can be retained, if it is useful, though in a segregated database:
“The relevant portion of the communication containing that conversation will be segregated and the National Security Division of the Department of Justice will be notified so that appropriate procedures may be established to protect such communications from review or use in any criminal prosecution, while preserving foreign intelligence information contained therein,” the document states.
In practice, much of the decision-making appears to lie with NSA analysts, rather than the Fisa court or senior officials.
A transcript of a 2008 briefing on FAA from the NSA’s general counsel sets out how much discretion NSA analysts possess when it comes to the specifics of targeting, and making decisions on who they believe is a non-US person. Referring to a situation where there has been a suggestion a target is within the US.
“Once again, the standard here is a reasonable belief that your target is outside the United States. What does that mean when you get information that might lead you to believe the contrary? It means you can’t ignore it. You can’t turn a blind eye to somebody saying: ‘Hey, I think so and so is in the United States.’ You can’t ignore that. Does it mean you have to completely turn off collection the minute you hear that? No, it means you have to do some sort of investigation: ‘Is that guy right? Is my target here?” he says.
“But, if everything else you have says ‘no’ (he talked yesterday, I saw him on TV yesterday, even, depending on the target, he was in Baghdad) you can still continue targeting but you have to keep that in mind. You can’t put it aside. You have to investigate it and, once again, with that new information in mind, what is your reasonable belief about your target’s location?”
The broad nature of the court’s oversight role, and the discretion given to NSA analysts, sheds light on responses from the administration and internet companies to the Guardian’s disclosure of the PRISM program. They have stated that the content of online communications is turned over to the NSA only pursuant to a court order. But except when a US citizen is specifically targeted, the court orders used by the NSA to obtain that information as part of Prism are these general FAA orders, not individualized warrants specific to any individual.
Once armed with these general orders, the NSA is empowered to compel telephone and internet companies to turn over to it the communications of any individual identified by the NSA. The Fisa court plays no role in the selection of those individuals, nor does it monitor who is selected by the NSA.
The NSA’s ability to collect and retain the communications of people in the US, even without a warrant, has fuelled congressional demands for an estimate of how many Americans have been caught up in surveillance.
Two US senators, Ron Wyden and Mark Udall – both members of the Senate intelligence committee – have been seeking this information since 2011, but senior White House and intelligence officials have repeatedly insisted that the agency is unable to gather such statistics.