Sen. Feinstein’s NSA Alleged Reform Bill To Add Surveillance Authority

A bipartisan group of US senators is trying to ban the NSA’s blanket surveillance program in a radical bill proposed to the Senate Intelligence Committee. But a milder bill from chairwoman Diane Feinstein would sanction more snooping on US citizens.

Thursday’s Committee hearing on reforming the Foreign Intelligence Surveillance Act (FISA) reviewed the two rival bills in an effort to find a balance between security and privacy. The Committee is expected to have further lively debate on the proposed legislation next week, before the bill is sent for consideration by the full Senate.

 Feinstein’s bill would also seek to expand the US government’s spying capabilities by authorizing the monitoring of terror suspects the NSA is tracking overseas when they arrive in the US. 

Currently, when a suspected terrorist arrives in America, the NSA has to halt its surveillance, creating a legal loophole.

“I call it the terrorist lottery loophole,” said Republican Senator Mike Rogers, the chairman of the House Intelligence Committee. “If you can find your way from a foreign country where we have reasonable suspicion that you are … a terrorist … and get to the United States, under a current rule, they need to turn it off and do a complicated handoff to   the FBI,” Rogers said.

The new bill would allow the NSA to legally continue eavesdropping on a person for seven days after arriving to the US without asking for authorization from a court.

Democratic Senator Wyden, who has been for years working with classified data as a member of the Senate Intelligence Committee, also derided the NSA’s complaints about the damage to US national security caused by the recent leaks.

“You talk about the damage that has been done by disclosures, but any government official who thought this would never be disclosed was ignoring history. The truth always manages to come out,” he said.

http://rt.com/usa/nsa-snooping-senators-feinstein-439/

Advertisements

How Safe is Your Web Use? What You Need to Know About Email and IP Headers

After a few decades of being in existence among average, everyday human beings, the internet has become quite ubiquitous and pervasive in our lives. Most of us take it for granted like we do electricity and water. But when we send emails, do we really understand how it is delivered to the final destination, and what computers are involved in taking our emails and routing it to our friends and families? And when we visit a website, do we really understand how those clicks and personal data we entered is packaged and delivered to the ultimate website?

With what we now know about the major weaknesses the National Security Agency (NSA) and other intelligence agencies have injected into our common communication paths (telephone (traditional, mobile and Voice over IP, or VOIP), television, desktop and mobile internet), it’s probably time we at least have a basic idea of how the internet works. I will avoid getting too bogged down in technical detail and keep the conversation as short and simple as possible (though at times I may have to touch on some fairly technical terms if it can’t be avoided).

Let’s go over some common ways you communicate with friends and family first, and then go into details about how the communication happens. We’ll cover text messaging, email, and voice calls.

Text Messaging Basics

When you send a text, you probably think only you and your friend’s mobile devices are involved. Yeah, you probably know that AT&T, Verizon, Sprint, T Mobile, or other provider has a network that sends your message to your friend, but there’s a bit more to it. When you turn on your phone, it automatically connects to your provider’s network. This means that every so often, your phone says “Hi, I’m still here” to make sure your texts and voice calls are able to either be sent by you to a friend, or from a friend to you.  So let’s say you decide to say “hello” as a text to a friend. When you click Send, your mobile phone packages your message in a way very similar to what the postman or Fedex shipper does with a regular mailing. A physical mail needs a From address and a To address in order to get it to its destination.  Similarly, your phone puts the From and To info into the text message. In order to keep your provider’s network from confusing the From and To info with the actual body of your text message, the From and To info, along with date and time, is put into a “Header.” A header is like your envelope that you put your letter in. The letter and envelope are two separate things, and the letter is inserted into the envelope. Similarly, your text message is put into an electronic envelope that contains the header info (the From and To info – your phone number plus the number of your friend). Once the electronic envelope is ready, your phone sends it to your provider’s network.

The first point your electronic envelope goes to is your provider’s closest tower. This is similar to your mail going to the nearest post office to get entered into the system. From there, your regular mail goes to a major area postal hub, where it is then routed to the next logical postal hub closest to your final destination: the intended mail recipient. Similarly, the local phone tower sends your text to the nearest satellite, which then sends your text message to the next logical satellite en route to your friend. The process is reversed once your friend’s nearest phone tower is found: the final satellite in the route sends the text to your friend’s nearest phone tower, which then sends it to your friend’s mobile phone. The phone then unpacks the text and displays it on your friend’s phone.

Keep in mind that though this is a simplified example, notice that there are multiple devices involved: towers, satellites, and your provider’s computer servers for coordinating the sending of messages from one satellite to another and for archiving. I will explain why this is important to remember shortly.

Email

Email works pretty much the same way that text messaging does. Assuming you’re at your laptop typing an email up while logged in to your internet provider’s system, you will ultimately include the email address of a friend or team member from work. You click Send or Submit, and off your email goes. But it’s not quite that simple. Your email software (presumably Outlook or some free online email provider like Yahoo or Gmail) has to package your email just like with text messaging. But there’s far more info that gets added to the electronic envelope (aka “email header”) than just email addresses; Wikipedia has a good listing that I’ll provide a snippet of here (please forgive the technical jargon):

Common header items for email include:

  • To: The email address(es), and optionally name(s) of the message’s recipient(s). Indicates primary recipients (multiple allowed), for secondary recipients see Cc: and Bcc: below.
  • Subject: A brief summary of the topic of the message. Certain abbreviations are commonly used in the subject, including “RE:” and “FW:”.
  • Bcc: Blind Carbon Copy; addresses added to the SMTP delivery list but not (usually) listed in the message data, remaining invisible to other recipients.
  • Cc: Carbon Copy; Many email clients will mark email in your inbox differently depending on whether you are in the To: or Cc: list.
  • Content-Type: Information about how the message is to be displayed, usually a MIME type.
  • Precedence: commonly with values “bulk”, “junk”, or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, e.g. to prevent vacation notices from being sent to all other subscribers of a mailinglist. Sendmail uses this header to affect prioritization of queued email, with “Precedence: special-delivery” messages delivered sooner. With modern high-bandwidth networks delivery priority is less of an issue than it once was. Microsoft Exchange respects a fine-grained automatic response suppression mechanism, the X-Auto-Response-Suppress header.[57]
  • References: Message-ID of the message that this is a reply to, and the message-id of the message the previous reply was a reply to, etc.
  • Reply-To: Address that should be used to reply to the message.
  • Sender: Address of the actual sender acting on behalf of the author listed in the From: field (secretary, list manager, etc.).
  • Archived-At: A direct link to the archived form of an individual email message.[58]

Note that the To: field is not necessarily related to the addresses to which the message is delivered. The actual delivery list is supplied separately to the transport protocol, SMTP, which may or may not originally have been extracted from the header content. The “To:” field is similar to the addressing at the top of a conventional letter which is delivered according to the address on the outer envelope. In the same way, the “From:” field does not have to be the real sender of the email message. Some mail servers apply email authentication systems to messages being relayed. Data pertaining to server’s activity is also part of the header, as defined below.

SMTP defines the trace information of a message, which is also saved in the header using the following two fields:[59]

  • Received: when an SMTP server accepts a message it inserts this trace record at the top of the header (last to first).
  • Return-Path: when the delivery SMTP server makes the final delivery of a message, it inserts this field at the top of the header.

Other header fields that are added on top of the header by the receiving server may be called trace fields, in a broader sense.[60]

  • Authentication-Results: when a server carries out authentication checks, it can save the results in this field for consumption by downstream agents.[61]
  • Received-SPF: stores the results of SPF checks.[62]
  • Auto-Submitted: is used to mark automatically generated messages.[63]
  • VBR-Info: claims VBR whitelisting[64]

Source: http://en.wikipedia.org/wiki/Email#Message_header

 

I know that was a lot of information. All you need to really understand is that email messaging has more header info than text messaging, but is quite similar in concept. An email can have messages that contain more than just text. It can contain pictures, songs, video, voice recordings and other data as determined by what’s called a MIME type. I won’t go into details about MIME types, but just know that in order for the email server to know how to handle your email, it must know what kind of content it has inside your electronic envelope. Just like when you send a DVD or CD along with a letter, it is good to let the post office know if your envelope contains fragile content for special handling.

Voice Calls

By now, you probably get the pattern. Voice calls are very similar to text messages and emails. You dial a friend’s number and click Send or Talk. A connection is established from your phone to the nearest phone tower (wireless calls) or landline home office for landline phone calls. The call is routed to the next satellite or server along a path that is the shortest distance to your friend. Once your friend clicks Send or Talk (or whatever graphical icon on your smart phone represents picking up the call), your provider establishes and monitors the quality of the call until one of you hangs up – or the network drops your call for whatever reason. Voice over IP (VOIP) uses your internet connection instead of the plain old telephone network and is very similar to text messaging, except the message content is your voice being sent in a continuous stream of electronic envelopes (called packets. Refer to http://en.wikipedia.org/wiki/VoIP for more info). Digital television transmission works very similarly, but is broadcast by TV stations and content providers in a way that is closer to what Twitter does with each tweet.

Websites

You have a few common ways we discover websites to visit. You do a search through Google, Bing or other service. You need to pay a bill or buy stuff online. A TV program we’re watching mentions a website. You get the idea. So what do You do to display that site on your computer or mobile phone/device? You either click on it or type it in to the part of your internet web browser called the Address box near the top. It starts off with http:// or similar.  But what is happening to make that web page display on your browser? It’s not magic, but several hardware and software components at work:

1)      Your web browser, which has to package your request for a web page into an electronic envelope similar to text messaging described earlier

2)      Your internet provider’s set of big computer servers (called the Provider Network)

3)      The website owner’s website, which is software that is inside a computer that either the website owner directly owns, or rents from its internet hosting provider if it is too expensive to own a dedicated computer server

When you click on a link (or enter it in manually in the Address bar at the top of the browser and click a button to send it), your web browser puts your request for the page in an electronic envelope and places a header on it that, among other things, has your computer or mobile device’s IP address (mobile phones have IP address, too, for internet purposes). Your browser sends the request to your internet provider’s computer server, which in turn passes it on to the nearest computer server that can forward it on to another one until it gets to the website computer server you asked for. The website server has the equivalent of a “bodyguard” who’s job is to make sure the request won’t cause trouble in paradise. This bodyguard snoops through your electronic envelope, makes sure there’s nothing bad in it, and passes it along to the web application of the website you requested. Every website has some kind of application software that offers the features that you come to expect in a modern website. So when you go to pay a bill online and click “Checkout” or “Pay Now,” the logic for making that happen is within the website application software that is housed on the website. A website can have one or more web applications, which is why it is important to keep the two separate in your mind. When the web application needs to send a confirmation back to you, it also puts that confirmation inside an electronic envelope and sends it back to you as a response to your request.

 

What Can Go Wrong?

Now that we’ve gotten that out of the way, have you noticed any potential problem areas with the various ways you communicate? Earlier I asked you to keep some things in mind regarding the multiple devices involved in establishing and maintaining your communications. It’s the fact that it takes several devices (called routing points) between you and your friends, family members and co-workers that is something to consider. Similar to wire-tapping of traditional phones, tapping of text messages, emails, digital voice calls and website visits can occur on any device. Each computer server and each satellite between you and your friend or the website you request has a unique address assigned to it that can be tapped into and compromised without your even knowing it. A server administrator working on any of the computer servers your communications rely on can compromise the system and secretly allow access to it at a price to the highest bidder. There are technology companies that specialize in IP tracing and recording that are already gathering tons of information on your communications and have been for many years. The Eric Snowden NSA leak scandal has become a wakeup call for the entire world, not for just governments, but businesses and individuals as well. The NSA has intentionally created weaknesses (called back doors) in every online security encryption method you use every day. So when you buy stuff online at a site that has an HTTPS in the beginning, that “s” (which stands for “secure”) should now become “I” for “insecure” because it has been very compromised. IP tracing is one of the key areas of compromise that you have to deal with.

What is IP tracing?

Ip-address.org has this to say:

Tracking down an IP address will give you a general idea of what city, state and other geographical information pertains to the original sender. You can also determine what ISP a computer user is networked with through an IP address lookup tool…Tracing an email gives other information, such as how many times an email was sent to various servers and is an important method used for determining the original source of an email. By tracing an email you can determine the original sender’s IP address, therefore giving you a geographical location of the email sender…Email tracer tools take out the confusion of searching and tracing headers and are an easy and convenient way to track down an email. By copying and pasting the header information into the form the tool will return results showing you the IP address of the original email sender…You can determine the sender’s IP address manually but it takes more time. Though you won’t be able to determine an exact name of the original sender, the received information is valuable and will offer you many clues as to the original sender.

In and of itself, IP tracing is not bad. But in the wrong hands, it can be damaging. There are already technology companies that are proudly selling advanced tracking and recording technology to intelligence and military organizations around the world, chiefly the NSA, FBI, CIA, and others. There’s a company in France that sells web browser vulnerability information to the highest bidder, thus it has no incentive to privately inform the browser maker (Internet Explorer, Chrome, Safari, etc) of weaknesses it is exploiting. So not only can you communications be tapped into, your keystrokes at your computer can be recorded to go along with the IP tracing profile that snoopers can summarize about you.

The game of internet and telecommunications security is a cat and mouse game that both the honest and dishonest are working at every day. And we have seen that sometimes, our government can fail us (they’re human) and so we need to ask our representatives to strengthen laws regarding surveillance and recording as the risk of a major terrorist attack do not rise to the level of damaging digital security and privacy rights violations. As we see with the Navy Shooter massacre in September 2013, acts of terror are not always preventable even with all of the NSA/CIA/FBI surveillance going on now. So why compromise our security online and push us several steps closer to widespread paranoia?

Alert: NSA Buys Zero-Day Exploits from French security firm Vupen

A contract that’s come to light with the recent release of documents from a successful Freedom of Information Act request shows that the NSA bought software exploits from a French hacking firm called Vupen, headquartered in Montpelier. 

The NSA contracted with Vupen for a year-long “subscription” to zero day exploits, previously unknown vulnerabilities in software and hardware. Knowledge of zero day exploits allows for both defense against their use and offensive use for the purposes of surveillance and data theft. 

In 2011, according to leaked documents, the U.S. launched 231 offensive cyber-operations.  Other leaks, reported last week, indicated that the country spends $4.3 billion on such operations.

Vupen CEO Chaouki Bekrar told Slate’s Ryan Gallagher that his company’s services include highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.” 

The amount paid for this subscription was redacted on the document, and Bekrar did not divulge it, but the company pulled in $1.2 million in 2011—86 percent from non-French clients. 

French investigative hackers Reflets.info has had their eye on Vupen for some time, the publication’s Fabrice Epelboin told the Daily Dot. Hacker and Reflets journalist Kitetoa wrote about the group yesterday

Among his discoveries: Vupen has close ties with the French Army and is deeply involved in the French Army cyber-command’s offensive online initiatives

Read more at http://www.dailydot.com/politics/nsa-malware-vupen/

One of the latest reports claims that the NSA is able to access data from Apple iPhones, BlackBerry devices, and phones that use Google’s Android operating system. In addition, following document leaks which suggested the NSA was accessing email records, a number of companies offering secure email shut down, and in their place, encrypted mobile phone communication applications have risen.

A fresh report, brought on by a Freedom of Information (FOI) request by government transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities and the software to use them from French security company Vupen.

According to the documents, the NSA signed up to a one-year “binary analysis and exploits service” contract offered by Vupen last September.

Vupen describes itself as “the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.” In other words, the security firm finds flaws in software and systems and then sells this data on to governments.

In addition, Vupen offers offensive security solutions, including “extremely sophisticated and government grade zero-day exploits specifically designed for critical and offensive cyber operations.”

Zero-day vulnerabilities are security flaws in systems discovered by researchers and cyberattackers which have not been found or patched by the vendor.

Read more at http://www.zdnet.com/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen-7000020825/

 

Slate.com: Should the secretive hacker zero-day exploit market be regulated?

Behind computer screens from France to Fort Worth, Texas, elite hackers hunt for security vulnerabilities worth thousands of dollars on a secretive unregulated marketplace.

Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits”—complex codes custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.

Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control—spurring calls for new laws to rein in the murky trade.

Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. [Blog Editor’s Note: Clearly this article was written long before the June 2013 NSA leaks by Edward Snowden showed how pervasive a threat has been posed by NSA extra-judicial surveillance tactics]. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors—often for criminal purposes.

http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html

 

Jim Bird, SWReflections Blog: What is Important in Secure Software Design?

There are many basic architectural and design mistakes that can compromise the security of a system:

  1. Missing something important in security features like access control or auditing, privacy and compliance requirements;
  2. Technical mistakes in understanding and implementing defence-against-the-dark-arts security stuff like crypto, managing secrets and session management (you didn’t know enough to do something or to do it right);
  3. Misunderstanding architectural responsibilities and trust zones, like relying on client-side validation, or “I thought that the data was already sanitized”;
  4. Leaving the attack surface bigger than it has to be – because most developers don’t understand what a system’s attack surface is, or know that they need to watch out when they change it;
  5. Allowing access by default, so when an error happens or somebody forgets to add the right check in the right place, the doors and windows are left open and the bad guys can walk right in;
  6. Choosing an insecure development platform or technology stack or framework or API and inheriting somebody else’s design and coding mistakes;
  7. Making stupid mistakes in business workflows that allow attackers to bypass checks and limits and steal money or steal information.

 

Learning about Secure Software Design

If you want to build a secure system, you need to understand secure design.

Read more at http://swreflections.blogspot.com/2013/06/what-is-important-in-secure-software.html

InformationWeek: 5 Most-Ignored IT Security Best Practices

 More than half of IT departments are failing at basic security measures, with 82% falling short on key practices, a new survey shows. Are you on top of these five issues?

1. Rotate SSH Keys Annually: 82% of IT departments fail to rotate SSH keys every 12 months

2. Train Users In Best Practices

3. Encrypt Cloud Data: 64% of IT organizations don’t encrypt all of their cloud data and cloud transactions.

4. Use Appropriately Strong Encryption Keys: According to a February 2011 report from the National Institute of Standards and Technology, 1024-bit encryption keys have depreciated in effectiveness, and 2048-bit encryption should be used for all symmetric keys. Only 44% of IT departments use recommended key strengths.

5. Have A Plan For Replacing Breached Certificate Authorities: a majority of IT departments–55%–have no management processes in place to ensure business continuity by quickly replacing a compromised certificate and its accompanying encryption keys.

Read more details at http://www.informationweek.com/security/management/5-most-ignored-it-security-best-practice/231500128 

RT: NSA Accessed Private networks of Businesses Petrobras, Google Inc.

Despite earlier US assurances that its Department of Defense does not “engage in economic espionage in any domain,” a new report suggests that the intelligence agency NSA spied on Brazilian state-run oil giant Petrobras.

Brazil‘s biggest television network Globo TV reported that the information about the NSA spying on Petroleo Brasileiro SA came from Glenn Greenwald, the American journalist who first published secrets leaked by whistleblower Edward Snowden.

Globo TV aired slides from an NSA presentation from 2012 that revealed the agency’s ability to gain access to private networks of companies such as Petrobras and Google Inc.

One slide specified an ‘economic’ motive for spying, along with diplomatic and political reasons.

This seems to contradict a statement made by an NSA spokesman to the Washington Post on August 30, which said that the US Department of Defense “does not engage in economic espionage in any domain, including cyber.”

An official from the NSA told Globo that the agency gathers economic information not to steal secrets, but to watch for financial instability.

http://rt.com/news/us-spied-brazil-oil-588/