Sen. Feinstein’s NSA Alleged Reform Bill To Add Surveillance Authority

A bipartisan group of US senators is trying to ban the NSA’s blanket surveillance program in a radical bill proposed to the Senate Intelligence Committee. But a milder bill from chairwoman Dianne Feinstein would sanction more snooping on US citizens.

Thursday’s Committee hearing on reforming the Foreign Intelligence Surveillance Act (FISA) reviewed the two rival bills in an effort to find a balance between security and privacy. The Committee is expected to have further lively debate on the proposed legislation next week, before the bill is sent for consideration by the full Senate.

Feinstein’s bill would also seek to expand the US government’s spying capabilities by authorizing the monitoring of terror suspects the NSA is tracking overseas when they arrive in the US.

Currently, when a suspected terrorist arrives in America, the NSA has to halt its surveillance, creating a legal loophole.

“I call it the terrorist lottery loophole,” said Republican Representative Mike Rogers, the chairman of the House Intelligence Committee. “If you can find your way from a foreign country where we have reasonable suspicion that you are … a terrorist … and get to the United States, under a current rule, they need to turn it off and do a complicated handoff to the FBI,” Rogers said.

The new bill would allow the NSA to legally continue eavesdropping on a person for seven days after they arrive in the US without asking for authorization from a court.

Democratic Senator Ron Wyden, who has worked with classified data for years as a member of the Senate Intelligence Committee, also derided the NSA’s complaints about the damage to US national security caused by the recent leaks.

“You talk about the damage that has been done by disclosures, but any government official who thought this would never be disclosed was ignoring history. The truth always manages to come out,” he said.

http://rt.com/usa/nsa-snooping-senators-feinstein-439/


Senate Intelligence Committee Hearing: The NSA Wants Unlimited Citizen and Business Data in National Database

[NSA Director Keith] Alexander acknowledged that the NSA is interested in compiling the largest national database possible, and that there is no limit to the number of records that can be gathered. The storehouse holds billions of records, former officials have told The Washington Post.

“Is it the goal of the NSA to collect the phone records of all Americans?” Udall asked.

“I believe it is in the nation’s best interests to put all the phone records into a lockbox that we could search when the nation needs to do it, yes,” Alexander said.


The government has claimed the authority to gather the data under Section 215 of the USA Patriot Act, also known as the “business records” provision of the Foreign Intelligence Surveillance Act. The FISA court in 2006 agreed that the government could use that statute to order phone companies to hand over “all call detail records” daily to the NSA.


Asked by Udall if that statute gave NSA the authority to collect other data — such as utility bills — Deputy Attorney General James M. Cole offered a qualified answer. “It’s given them the authority to collect other bulk records if they can show that it is necessary to find something relevant to a foreign intelligence investigation of particular types. . . . It’s not just all bulk records. But it’s also not no business records. It’s all dependent on the purpose.”


[Sen. Ron Wyden (D-Oregon)], Udall and other lawmakers have introduced reform legislation that would, among other things, end the phone records collection, while allowing for a more limited program.

On Thursday, Wyden accused U.S. officials of not being more forthcoming about intelligence-collection programs.

“The leadership of your agencies built an intelligence-collection system that repeatedly deceived the American people,” he said. “Time and time again, the American people were told one thing about domestic surveillance in public forums while government agencies did something else in private.”


http://www.washingtonpost.com/world/national-security/nsa-leaks-extremely-damaging-national-intelligence-director-tells-senate-hearing/2013/09/26/a01b4e08-26d3-11e3-b75d-5b7f66349852_story.html


Wyden famously faced off with Clapper earlier this year when he asked the intelligence chief if the intelligence community collects information on millions of Americans. Clapper responded “not wittingly,” then later apologized to Committee Chairwoman Dianne Feinstein (D-California) for his “clearly erroneous” remark after Snowden’s leaks suggested otherwise only weeks later.

“So that he would be prepared to answer, I sent the question to Director Clapper’s office a day in advance. After the hearing was over, my staff and I gave his office a chance to amend his answer,” Wyden told the Washington Post after the March meeting. “Now public hearings are needed to address the recent disclosures, and the American people have the right to expect straight answers from the intelligence leadership to the questions asked by their representatives.”

On Thursday, Wyden directed questioning at Gen. Alexander in an attempt to determine if the NSA collected information from cell phone towers that could be used to locate customers. Alexander declined to provide a straight answer during an unclassified hearing.


“If you’re responding to my question by not answering it because you think that’s a classified matter, that is certainly your right,” said Wyden. “We will continue to explore that because I believe that is something the American people deserve to know.”


http://rt.com/usa/fisa-hearing-nsa-surveillance-410/

Alert: NSA Buys Zero-Day Exploits from French security firm Vupen

A contract that’s come to light with the recent release of documents from a successful Freedom of Information Act request shows that the NSA bought software exploits from a French hacking firm called Vupen, headquartered in Montpellier.

The NSA contracted with Vupen for a year-long “subscription” to zero-day exploits: working attack code for vulnerabilities in software and hardware that the vendor does not yet know about and therefore has not patched. Knowledge of zero-day vulnerabilities allows for both defense against their use and offensive use for the purposes of surveillance and data theft.

In 2011, according to leaked documents, the U.S. launched 231 offensive cyber-operations. Other leaks, reported last week, indicated that the country spends $4.3 billion on such operations.

Vupen CEO Chaouki Bekrar told Slate’s Ryan Gallagher that his company’s services include “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.”

The amount paid for this subscription was redacted on the document, and Bekrar did not divulge it, but the company pulled in $1.2 million in 2011—86 percent from non-French clients.

The French investigative hacker publication Reflets.info has had its eye on Vupen for some time, the publication’s Fabrice Epelboin told the Daily Dot. Hacker and Reflets journalist Kitetoa wrote about the group yesterday.

Among his discoveries: Vupen has close ties with the French Army and is deeply involved in the French Army cyber-command’s offensive online initiatives.

Read more at http://www.dailydot.com/politics/nsa-malware-vupen/

One of the latest reports claims that the NSA is able to access data from Apple iPhones, BlackBerry devices, and phones that use Google’s Android operating system. In addition, following document leaks which suggested the NSA was accessing email records, a number of companies offering secure email shut down, and in their place, encrypted mobile phone communication applications have risen.

A fresh report, brought on by a Freedom of Information (FOI) request by government transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities and the software to use them from French security company Vupen.

According to the documents, the NSA signed up to a one-year “binary analysis and exploits service” contract offered by Vupen last September.

Vupen describes itself as “the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.” In other words, the security firm finds flaws in software and systems and then sells this data on to governments.

In addition, Vupen offers offensive security solutions, including “extremely sophisticated and government grade zero-day exploits specifically designed for critical and offensive cyber operations.”

Zero-day vulnerabilities are security flaws in systems, discovered by researchers or cyberattackers, that the vendor has not yet found or patched.

Read more at http://www.zdnet.com/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen-7000020825/


Slate.com: Should the secretive hacker zero-day exploit market be regulated?

Behind computer screens from France to Fort Worth, Texas, elite hackers hunt for security vulnerabilities worth thousands of dollars on a secretive unregulated marketplace.

Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits”—complex code custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.

Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control—spurring calls for new laws to rein in the murky trade.

Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. [Blog Editor’s Note: Clearly this article was written long before the June 2013 NSA leaks by Edward Snowden showed how pervasive a threat has been posed by NSA extra-judicial surveillance tactics]. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors—often for criminal purposes.

http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html


RT: NSA Accessed Private networks of Businesses Petrobras, Google Inc.

Despite earlier US assurances that its Department of Defense does not “engage in economic espionage in any domain,” a new report suggests that the intelligence agency NSA spied on Brazilian state-run oil giant Petrobras.

Brazil’s biggest television network Globo TV reported that the information about the NSA spying on Petroleo Brasileiro SA came from Glenn Greenwald, the American journalist who first published secrets leaked by whistleblower Edward Snowden.

Globo TV aired slides from an NSA presentation from 2012 that revealed the agency’s ability to gain access to private networks of companies such as Petrobras and Google Inc.

One slide specified an ‘economic’ motive for spying, along with diplomatic and political reasons.

This seems to contradict a statement made by an NSA spokesman to the Washington Post on August 30, which said that the US Department of Defense “does not engage in economic espionage in any domain, including cyber.”

An official from the NSA told Globo that the agency gathers economic information not to steal secrets, but to watch for financial instability.

http://rt.com/news/us-spied-brazil-oil-588/

RT: NSA can tap into BlackBerry, iOS, and Android systems

The US National Security Agency (NSA) can access data on smartphones using the world’s most popular systems including iOS, Android, and even BlackBerry – which markets itself as highly secure – according to a new report.

The NSA has tapped into all the leading mobile operating systems to gain access to contact lists, SMS traffic, notes, and users’ current and past locations, Der Spiegel reported, citing internal NSA documents.

The leaked information also revealed that the NSA has organized a working group for each operating system. The groups are responsible for clandestine operations to gather data saved on the phones. 

The NSA has reportedly been most successful in accessing iPhone user data, and at times has been able to hack into the computer used to sync with the mobile device. This allows the agency to run a mini-program dubbed “scripts,” which enables additional access to at least 38 more iPhone features.

The documents noted that similar successes took place using BlackBerry mobile devices. According to the report, 2009 was the only year that the NSA had a problem accessing BlackBerry data. That lack of access was due to changes in the way the company compressed data. But in March 2010, the NSA was able to hack back in, celebrating with the word “champagne!”

http://rt.com/news/nsa-smart-phones-spying-563/

RT: NSA spying ‘weakens US security’, Encryption

A cryptographer at Johns Hopkins University, Professor Matthew Green, had his blog post about NSA spying techniques taken down by the university a short while ago.

RT: Professor, before we talk about what happened to your blog, your brief reaction to this revelation of data-sharing with Israel. What do you think Americans will make of the fact that information about them is going to Israel?

Matthew Green: I think what we’re learning is that no matter what we think about the story, we cannot get a fix on it, and the story keeps changing. This is probably the most upsetting part: we don’t know with whom our data is being shared, and who is spying on whom at this point.

RT: You are a cryptographer, what exactly do you do and what was it about your post that prompted Johns Hopkins University to react? What did you write?

MG: I wrote a post about these new revelations that came out last week about the NSA breaking encryption, breaking cryptography. That’s my research area, so one of the things I do is write a blog for technical people, but also for journalists and people who are not cryptographers themselves. I try to explain these complicated terms and try to explain what it all means.

So I tried to take a pass at this story and explain what it meant that the NSA was breaking this technology, and I put it on a blog post that a lot of people read.

MG: I think what we learnt is that the NSA has a hard time breaking encryptions, so what they’ve done is they actually tried to take the products that perform encryptions and make them worse, make it weaker so it is easier for them to break that encryption.

MG: What we learnt is that the NSA is willing to make US security a little bit weaker. Because remember, it is not just non-US citizens using these products, it’s Americans, too.

http://rt.com/op-edge/nsa-spying-weakens-us-security-768/
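The point Green makes above, that a product deliberately weakened so one agency can break it is weaker for everyone who uses it, can be shown with a toy. The code below is an added illustration, not part of the RT interview, Green's work, or any real product the leaks describe: it is a hypothetical stream-cipher "product" with an honest key generator beside a sabotaged one that derives the key from a 16-bit seed, and a brute-force routine showing that anybody who knows about the sabotage, not only its designer, recovers the key in a few thousand tries. The cipher, the seed size and the key-derivation label are all constructed for the example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy stream cipher (constructed for this example, not a real product):
# keystream block i = SHA-256(key || i), XORed over the plaintext.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def strong_keygen() -> bytes:
    """Honest product: 256 bits from the OS CSPRNG, 2**256 possible keys."""
    return secrets.token_bytes(32)


SEED_BITS = 16  # hypothetical weakness; only 65,536 keys can ever be produced


def weakened_keygen(seed: int) -> bytes:
    """Sabotaged product: the user still sees 32 random-looking bytes, but the
    whole key is determined by a tiny seed (the hypothetical 'weak-kdf' label is
    part of this example's construction)."""
    if not 0 <= seed < 2 ** SEED_BITS:
        raise ValueError("seed out of range")
    return hashlib.sha256(b"weak-kdf" + seed.to_bytes(4, "big")).digest()


def break_weakened(ciphertext: bytes, known_prefix: bytes) -> Optional[Tuple[int, bytes]]:
    """Recover seed and plaintext by trying every seed and checking that the
    start of the message decrypts to a known prefix (e.g. a mail header).
    Nothing here is secret to the saboteur: anyone who learns of the weakness
    can run exactly this loop."""
    for seed in range(2 ** SEED_BITS):
        candidate = weakened_keygen(seed)
        if decrypt(candidate, ciphertext[: len(known_prefix)]) == known_prefix:
            return seed, decrypt(candidate, ciphertext)
    return None


if __name__ == "__main__":
    # Constructed sample message; the "From: " header is the known prefix.
    message = b"From: alice@example.com\nSubject: meeting at noon"
    ct = encrypt(weakened_keygen(4242), message)
    print("weakened product broken:", break_weakened(ct, b"From: "))
    k = strong_keygen()
    print("strong product round trip ok:", decrypt(k, encrypt(k, message)) == message)
```

The loop succeeds against the weakened generator regardless of who encrypted the message; the strong generator is left with nothing to enumerate. Real sabotage of a cryptographic product would be far less obvious than a 16-bit seed, but the consequence is the same: the reduction in work factor is available to every party who discovers it, not only the one who introduced it.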