Turkey Hacks Library of Congress During Coup

Primer:

In part from Time: Kerry raised the question of Turkey’s NATO membership, suggesting that anti-democratic behavior by Erdogan could imperil the country’s place in the alliance. “NATO also has a requirement with respect to democracy,” Kerry said, and added that NATO would “measure” Turkey’s actions in days to come. “Obviously, a lot of people have been arrested and arrested very quickly,” Kerry said. “The level of vigilance and scrutiny is obviously going to be significant in the days ahead. Hopefully we can work in a constructive way that prevents a backsliding.”

Turkey’s membership in the NATO alliance is a matter of major strategic importance to the U.S., and talk of the country being ousted caught some experts by surprise in the U.S. Amb. Bryza of the Atlantic Council said Kerry’s comments were being taken as threats in Turkey, and that it was an “extreme misinterpretation that we would kick them out of NATO.” Much more detail here.

Turkish hackers claim credit for Library of Congress attack

FCW: A hacking group called the Turk Hack Team is taking credit for a shutdown of the Library of Congress website and hosted systems including Congress.gov, the Copyright Office, Congressional Research Service and other sites.

The group claimed credit on an online message board where users go for updates on the availability of websites.

The attack was launched July 17, in the midst of Turkey’s response to the military coup targeting the elected government of President Recep Tayyip Erdogan. Prominent Turkish officials have accused the U.S. of fomenting the coup; Secretary of State John Kerry issued a stern denial of such accusations.

The Turk Hack Team is not considered at the level of a nation-state sponsored group or an advanced persistent threat, former U.S. CERT director Ann Barron-DiCamillo told FCW. They’re more of a “middle-tier, hacktivist” type group, she said. They’ve gone after targets for perceived slights to Turkey’s honor in the past, including an April 2015 hack on the Vatican website made in response to comments from Pope Francis characterizing the 1915 massacres of Turkish Armenians as a genocide.

The group has not gone after U.S. targets in the past, but Barron-DiCamillo, currently partner and CTO at Strategic Cyber Ventures, said U.S. officials would likely be on the lookout for more hacktivist activity emanating from Turkey. “This is the first kind of visible activity generated post-coup, but it doesn’t mean it’s going to be the last,” she said.

Library of Congress CIO Bernard Barton said on July 20 that the attack had been successfully thwarted.

“This was a massive and sophisticated DNS assault, employing multiple forms of attack, adapting and changing on the fly,” he wrote in a blog post. “We’ve turned over key evidence to the appropriate authorities who will investigate and hopefully bring the instigators of this assault to justice.”

Congress is not covered by the Federal Information Security Management Act and is not required to report cyber incidents to the Department of Homeland Security.

Spokesperson Gayle Osterberg told FCW that the Library of Congress reports all cyber-related criminal activity to the FBI.

DHS is aware of the incident but is not involved in the investigation or mitigation of the attacks, according to an agency source.

DDoS attacks can be expensive to deal with, requiring network operators to obtain specialized routing services from their internet service providers. They can also potentially serve as a front for other attacks, or probe systems to see what kind of defenses are in place.

Mostly, Barron-DiCamillo said, they are “distracting, causing pain to both users and customers, but not impacting back-end systems and more critical data.”

It is possible the hackers imagined that the Congress.gov and LOC.gov domains represented a more critical target than they actually are. Congress.gov is mostly a public-facing information warehouse that is not integral to the legislative function of the House and Senate. Most of the complaints about the site being down came from librarians and researchers looking to execute catalog searches.

The outage also affected the Congressional Research Service, the in-house think tank for Congress. CRS reports, available only to members and staff, are not published elsewhere except on an ad hoc basis by legislators and public interest groups that obtain the odd document. A bill introduced by Rep. Mike Quigley (D-Ill.) just days before the hack would open up CRS reports to the public, and would have the effect of creating a backup site for the material on the Government Publishing Office website.

Obama/DoJ Allowing Foreigners to Serve Warrants

This sounds like selective investigations, prosecutions and collaborated witch hunts which all add up to an offshore shadow NSA and new type of Interpol. Is this something else that also will be under the purview of the United Nations? Hello Google?

WSJ: The Obama administration is working on a series of agreements with foreign governments that would allow them for the first time to serve U.S. technology companies with warrants for email searches and wiretaps—a move that is already stirring debates over privacy, security, crime and terrorism.

Brad Wiegmann, a senior official at the Justice Department, discussed the administration’s efforts during a public forum on Friday at a congressional office building in Washington, D.C. The first such agreement is being assembled with the U.K., he said.

Word of the plans came one day after a federal appeals court ruled that federal warrants couldn’t be used to search data held overseas by Microsoft Corp., dealing the agency a major legal defeat.

The court’s decision in favor of Microsoft could prove to be a major barrier to the Obama administration’s proposed new rules to share data with other nations in criminal and terrorism probes, which would be sharply at odds with the ruling. It might lead some companies to reconfigure their networks to route customer data away from the U.S., putting it out of the reach of federal investigators if the administration’s plan fails.

The Justice Department has indicated it is considering appealing the Microsoft ruling to the Supreme Court.

Meanwhile, Justice Department officials are pressing ahead with their own plan for cross-border data searches.

Under the proposed agreements described by Mr. Wiegmann, foreign investigators would be able to serve a warrant directly on a U.S. firm to see a suspect’s stored emails or intercept their messages in real time, as long as the surveillance didn’t involve U.S. citizens or residents.

Such deals would also give U.S. investigators reciprocal authority to search data in other countries.

“They wouldn’t be going to the U.S. government, they’d be going directly to the providers,” said Mr. Wiegmann. Any such arrangement would require that Congress pass new legislation, and lawmakers have been slow to update electronic privacy laws.

That U.K. agreement, which must be approved by the legislatures of both countries, could become a template for similar deals with other countries, U.S. officials said.

Mr. Wiegmann said the U.S. would strike such deals only with nations that have clear civil liberties protections to ensure that the search orders aren’t abused.

“These agreements will not be for everyone. There will be countries that don’t meet the standards,” he said.

Greg Nojeim, a privacy advocate at the Center for Democracy and Technology, criticized the plan. He said it would be “swapping out the U.S. law for foreign law” and argued that U.K. search warrants have less stringent judicial protections than U.S. law.

British diplomat Kevin Adams disputed that, saying the proposal calls for careful judicial scrutiny of such warrants. Privacy concerns over creating new legal authorities are overblown, he added.

“What is really unprecedented is that law enforcement is not able to access the data they need,” Mr. Adams said. The ability to monitor a suspect’s communications in real time “is really an absolutely vital tool to protect the public.”

While Thursday’s court decision represented a victory for Microsoft, which strives to keep data physically near its customers, it may not be viewed as a positive development for all internet companies, said University of Kentucky law professor Andrew Woods. Yahoo Inc., Facebook Inc. and Alphabet Inc.’s Google operate more centralized systems. They didn’t file briefs in support of Microsoft’s position in the case, he noted.

Mr. Woods warned that increased localization of data could have the unintended consequence of encouraging governments to become more intrusive.

“If you erect barriers needlessly to states getting data in which they have a legitimate interest, you make this problem worse,” he said. “You increase the pressure that states feel to introduce backdoors into encryption.”

Microsoft President and Chief Legal Officer Brad Smith said the company shares concerns about the “unintended consequences” of excessive data localization requirements.

“But rather than worry about the problem, we should simply solve it” through legislation, Mr. Smith said. Microsoft supports the proposed International Communications Privacy Act. That legislation would, among other provisions, create a framework for law enforcement to obtain data from U.S. citizens, regardless of where the person or data was located.

Companies and governments generally agree that the current legal framework for cross-border data searches is far too slow and cumbersome. Though major tech firms don’t always agree on the particular changes they would like to see, the industry has long sought to get clearer rules from the U.S. and other governments about what their legal obligations are.

A coalition of the country’s largest tech companies, including Microsoft, Facebook and Google, created a group called Reform Government Surveillance that is pushing for updating data-protection laws. The group has said it was “encouraged by discussions between the U.S. and the U.K.”

Thursday’s ruling could lead some Microsoft rivals that offer email, document storage, and other data storage services, but which haven’t designed systems to store data locally, to alter their networks, said Michael Overly, a technology lawyer at Foley & Lardner in Los Angeles.

Google, for example, stores user data across data centers around the world, with attention on efficiency and security rather than where the data is physically stored. A given email message, for instance, may be stored in several data centers far from the user’s location, and an attachment to the message could be stored in several other data centers. The locations of the message, the attachment and copies of the files may change from day to day.

“[Internet companies] themselves can’t tell where the data is minute from minute because it’s moving dynamically,” Mr. Overly said.

The ruling could encourage tech companies to redesign their systems so that the data, as it courses through networks, never hits American servers.

A person familiar with Google’s networks said that such a move wouldn’t be easy for the company.

John Kerry, Iran is Cheating on JPOA, Germany Report

Paging Mr. Kerry, paging Mr. Obama, paging Ben Rhodes... paging anyone, pick up on line 4.

Do we have to rely on Angela Merkel of Germany to get the truth?

In 2015: The number two man at the CIA said today he has a “high degree of confidence” that if Iran cheats on the newly-signed, controversial nuclear deal, the U.S. intelligence community would catch them in the act.

“Our assessment of the provisions that are in the JCPOA (Joint Comprehensive Plan of Action) that provide the real-time, persistent access to the cleared sites, as well as a mechanism for getting scheduled access to suspicious sites, combined with other capabilities and information that we have available to us, gives us a reasonably high degree of confidence that we would be able to detect Iran if it were trying to deviate from the requirements that they’ve signed up to in the JCPOA,” David Cohen, Deputy Director of the Central Intelligence Agency said at the Aspen Security Forum today. “So I think our assessment is that the JCPOA gives us a good ability to detect Iranian deviation from the limitations on enrichment and the other specific elements in the JCPOA.”

When referring to access to Iranian sites, Cohen was presumably referring to the access provided to International Atomic Energy Agency inspectors, as stipulated in the agreement, not access by the CIA. More here from ABC.

*****

So... under Obama and Kerry, is the CIA allowed to track Iranian actions and report cheating and violations?

*****

Iran cheats on nuclear deal

Elliott Abrams is a senior fellow for Middle East Studies at the Council on Foreign Relations. This piece is reprinted with permission and can be found on Abrams’ blog “Pressure Points.”

Hayom: The greatest imminent danger in last year’s nuclear deal, the Joint Comprehensive Plan of Action, was always that Iran would cheat — taking all the advantages of the deal, but then seeking to move forward more quickly toward a nuclear weapon — and that the Obama administration would be silent in the face of that cheating.

This was always a reasonable prospect, given the history of arms control agreements. Those who negotiate such agreements wish to defend them. They do not wish to say, six or 12 months and even years later, that they were duped and that the deals must be considered null and void.

Last week, Germany’s intelligence agency produced a report detailing Iranian cheating. Here is an excerpt from the news story:

“Germany’s domestic intelligence agency said in its annual report that Iran has a ‘clandestine’ effort to seek illicit nuclear technology and equipment from German companies ‘at what is, even by international standards, a quantitatively high level.’ The findings by the Federal Office for the Protection of the Constitution, Germany’s equivalent of the FBI, were issued in a 317-page report last week.

“German Chancellor Angela Merkel underscored the findings in a statement to parliament, saying Iran violated the United Nations Security Council’s anti-missile development regulations. ‘Iran continued unabated to develop its rocket program in conflict with the relevant provisions of the U.N. Security Council,’ Merkel told the Bundestag. … The German report also stated, ‘It is safe to expect that Iran will continue its intensive procurement activities in Germany using clandestine methods to achieve its objectives.’

“According to an Institute for Science and International Security July 7 report by David Albright and Andrea Stricker, Iran is required to get permission from a UN Security Council panel for ‘purchases of nuclear direct-use goods.’

“While the German intelligence report did not say what specifically Iran had obtained or attempted to obtain, the more recent report said dual use goods such as carbon fiber must be reported. Iran did not seek permission from the U.N.-affiliated panel for its proliferation attempts and purchases in Germany, officials said.”

Here is a summary of that report by the Institute for Science and International Security:

“The Institute for Science and International Security has learned that Iran’s Atomic Energy Organization recently made an attempt to purchase tons of controlled carbon fiber from a country. This attempt occurred after Implementation Day of the Joint Comprehensive Plan of Action. The attempt to acquire carbon fiber was denied by the supplier and its government. Nonetheless, the AEOI had enough carbon fiber to replace existing advanced centrifuge rotors and had no need for additional quantities over the next several years, let alone for tons of carbon fiber. This attempt thus raises concerns over whether Iran intends to abide by its JCPOA commitments. In particular, Iran may seek to stockpile the carbon fiber so as to be able to build advanced centrifuge rotors far beyond its current needs under the JCPOA, providing an advantage that would allow it to quickly build an advanced centrifuge enrichment plant if it chose to leave or disregard the JCPOA during the next few years. The carbon fiber procurement attempt is also another example of efforts by the P5+1 to keep secret problematic Iranian actions.”

So Iran isn’t only being more aggressive since the signing of the JCPOA — in Iraq and Syria, for example, or in cyber attacks on the United States — but is also cheating on the deal. And what is the reaction from the Obama administration, and other cheerleaders for the JCPOA? Nothing.

John Kerry famously said, “Iran deserves the benefits of the agreement they struck.” They do not deserve to be allowed to cheat. Kerry said in April when asked if Iran would “stick to the key terms of this deal for the next 20 years” that “I have faith and confidence that we will know exactly what they’re doing during that period of time. And if they decide to try to cheat, we will know it, and there are plenty of options available to us. That I have complete faith and confidence in.”

That’s nice. But now we know they are cheating, and the option the administration appears to have chosen is silence: just ignore the problem. When asked about the German intel report and the Institute for Science and International Security report, the State Department spokesman replied, “We have absolutely no indication that Iran has procured any materials in violation of the JCPOA.”

Needless to say this kind of response will only encourage Iran to cheat more, secure in the knowledge that Obama administration officials will not call them out on it, nor choose any serious one of the “plenty of options” it says it has. This means that Iran’s breakout time will diminish, and the danger to its neighbors and to the United States will grow and grow.

From “Pressure Points” by Elliott Abrams. Reprinted with permission from the Council on Foreign Relations.

Grid Hacking Tool Found, Have a Generator Yet?

Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web

Motherboard: A sophisticated piece of government-made malware, designed to do reconnaissance on an energy grid’s systems ahead of an eventual cyberattack on critical infrastructure, was found on a dark web hacking forum.

Cybersecurity researchers usually catch samples of malicious software like spyware or viruses when a victim who is using their software, such as an antivirus, gets infected. But at times, they find those samples somewhere else. Such was the case for Furtim, a newly discovered malware, caught recently by researchers from the security firm SentinelOne.

SentinelOne’s researchers believe the malware was created by a team of hackers working for a government, likely from eastern Europe, according to a report published on Tuesday.

Hacking forums, of course, are home to a lot of malicious data and software. But they are usually not places where sophisticated government-made hacking tools get exchanged.

Udi Shamir, chief security officer at SentinelOne, said that it’s normal to find reused code and malware on forums because “nobody tries to reinvent the wheel again and again and again.” But in this case, “it was very surprising to see such a sophisticated sample” appear in hacking forums, he told Motherboard in a phone interview.

Shamir said that the malware, dubbed Furtim, was “clearly not” made by cybercriminals to make some money but for government spying operations.

Furtim is a “dropper tool,” a platform that infects a machine and then serves as a first step to launch further attacks. It was designed specifically to target European energy companies using Windows, was released in May, and is still active, according to SentinelOne.

Another interesting characteristic is that Furtim actively tries to avoid dozens of common antivirus products, as well as sandboxes and virtual machines, in an attempt to evade detection and stay hidden as long as possible. The goal is “to remove any antivirus software that is installed on the system and drop its final payload,” SentinelOne’s report reads.

Security experts believe that critical infrastructure, such as the energy grid, is highly vulnerable to cyberattacks, and believe a future conflict might start with taking down the power using malware. While it might sound far-fetched, at the end of last year, hackers believed to be working for the Russian government caused a blackout in parts of Ukraine after gaining access to the power grid using malware.

It’s unclear who’s behind this cyberespionage operation, but Shamir said it’s likely a government from Eastern Europe, with a lot of resources and skills. The malware’s developers were very familiar with Windows; they knew it “to the bone,” according to him.

“This was not the work of a kid,” he said. “It was cyberespionage at its best.”

****

The dropper’s principal mission is to avoid detection; it will not execute if it senses it’s being run in a virtualized environment such as a sandbox, and it also can bypass antivirus protection running on compromised machines.

The sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.

“It escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,” SentinelOne senior security researcher Joseph Landry said. “It will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.” More from ThreatPost

Facebook Faces $1 Billion Lawsuit, Aids Terror

Privacy is one thing, but offering encrypted platforms with no oversight for terror communications is quite another. Since at least 2014, Islamic State, al Qaeda and al Nusra have all used Facebook and other social media platforms, and Twitter has been especially uncooperative with security and investigation officials fighting against terrorist exploitation. Is it really a 1st Amendment protection when communications are generated by declared enemy combatants? Then there are the New Black Panthers and Black Lives Matter. The debate continues.

Due mostly to Edward Snowden revealing abilities of the United States to capture intelligence of terror networks, global terrorists have successfully sought other platforms.

Some popular social media platforms are seeing a drop in use by terror groups, yet there are countless others replacing them including apps like Telegram and WhatsApp. Islamic State has a robust program on these apps for their sex trade.

Facebook began rolling out a new end-to-end encryption feature on Friday called “secret conversations” with the goal of making users feel more comfortable chatting about sensitive subjects in the app.

“We’ve heard from you that there are times when you want additional safeguards — perhaps when discussing private information like an illness or a health issue with trusted friends and family, or sending financial information to an accountant,” the company said in a release announcing the new feature.

With the new feature, Facebook Messenger’s 900 million users can choose to encrypt specific conversations so that the messages can only be read on one specific device. Facebook is also giving users the option to determine how long each message can be read for. More from CNN

Families of Victims of Hamas Terror Sue Facebook for $1 Billion

PJMedia: Facebook is being hit with a $1 billion lawsuit after allegedly allowing the Palestinian terrorist group Hamas to use its platform to plot attacks in Israel and the West Bank that killed and wounded Americans. According to Bloomberg News: “Plaintiffs include the families of Yaakov Naftali Fraenkel, a 16-year-old abducted and murdered in June 2014 after hitching a ride in the West Bank, and 3-year-old Chaya Braun, whose stroller was struck intentionally by a Palestinian driver in October 2014 at a train station in Jerusalem.”

“Facebook has knowingly provided material support and resources to Hamas in the form of Facebook’s online social network platform and communication services,” making it liable for the violence against the five Americans, according to the lawsuit sent to Bloomberg by the office of the Israeli lawyer on the case, Nitsana Darshan-Leitner. “Simply put, Hamas uses Facebook as a tool for engaging in terrorism,” it said.

Hamas is considered a terrorist organization by the U.S., European Union and Israel. The suit said the group used Facebook to share operational and tactical information with members and followers, posting notices of upcoming demonstrations, road closures, Israeli military actions and instructions to operatives to carry out the attacks.

Mushir al-Masri, a senior Hamas leader, said by phone that “suing Facebook clearly shows the American policy of fighting freedom of the press and expression” and is evidence of U.S. prejudice against the group and “its just cause.”

It’s not at all clear that Facebook CEO Mark Zuckerberg — an influential Obama ally — would disagree with al-Masri. It’s not clear that the president would either.

While Hamas has been designated a foreign terrorist organization by the U.S. Department of State since 1997, President Obama and his national security team seem to have a far more favorable view of them. Rather than reject the Hamas and Palestinian Authority unity government that was formed in 2014, the Obama administration continued to fund it to the tune of $500 million a year.

This alarmed American lawmakers so much that 88 senators from across party lines sent a message of “grave concern” to the White House, warning that the new PA unity effort might jeopardize direct negotiations with Israel. “Any assistance should only be provided when we have confidence that this new government is in full compliance with the restrictions contained in current law,” the letter read. More here.