Courtesy Dan Goodin, Ars Technica
Underscoring the insecurity of many online dating, job, and e-mail services, security researchers said that they have tracked almost 360 million compromised login credentials for sale in underground crime forums over the past three weeks.
The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches, according to a statement posted Tuesday by Hold Security. The biggest single list contained 105 million details, making it among the bigger online finds, the firm told Reuters. The cache included e-mail addresses that most likely served as user names and corresponding passwords. It remains unclear what service the account credentials unlock.
Or, how to go from "123456" to "XBapfSDS3EJz4r42vDUt."
Hold Security is the same firm that in October discovered the circulation of 153 million user names and passwords stolen during a massive breach of Adobe’s corporate network. A month later, the security firm uncovered 42 million plaintext passwords taken during a hack on niche dating service Cupid Media.
At 360 million, Hold Security’s latest find is big enough that it likely also came from hacks on poorly secured Web service servers that store large caches of user credentials. The risk of these types of attacks is biggest for users who choose the same password for multiple services. Once an attacker has someone’s e-mail address and password for one site, the credentials can be used to compromise every other site account that uses the same user name and password. Ars has long advised readers to use a long, randomly generated password that’s unique for each online account. You can find a much more detailed how-to here.
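As an added illustration (not code from the Ars article or from Hold Security), the following estimates the guessing space behind the two passwords in the subtitle and generates an independent random password per account, the practice the paragraph recommends. The 96-bit target and the example site names are my assumptions.

```python
import math
import secrets
import string

# Character classes used to infer the alphabet a password was drawn from.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def alphabet_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming each character was chosen uniformly
    from the inferred alphabet. Human-chosen passwords like "123456" are far
    weaker than this bound because they sit in every cracking dictionary."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def generate_password(min_bits: float = 96,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random password with at least `min_bits` of entropy, drawn with the OS
    CSPRNG via `secrets` (never the `random` module, which is predictable)."""
    length = math.ceil(min_bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_per_site(sites, min_bits: float = 96) -> dict:
    """One independent password per account, so a credential list leaked from
    one service cannot be replayed against the others."""
    return {site: generate_password(min_bits) for site in sites}


if __name__ == "__main__":
    for pw in ("123456", "XBapfSDS3EJz4r42vDUt"):
        print(f"{pw!r}: at most ~{entropy_bits(pw):.1f} bits")
    # Constructed, hypothetical account names.
    vault = unique_per_site(["mail.example", "dating.example", "jobs.example"])
    for site, pw in vault.items():
        print(f"{site}: {pw}")
```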
Courtesy Ryan Gallagher, ArsTechnica
The National Security Agency’s spying tactics are being intensely scrutinized following the recent leaks of secret documents. However, the NSA isn’t the only US government agency using controversial surveillance methods.
Monitoring citizens’ cell phones without their knowledge is a booming business. From Arizona to California, Florida to Texas, state and federal authorities have been quietly investing millions of dollars acquiring clandestine mobile phone surveillance equipment in the past decade.
Earlier this year, a covert tool called the “Stingray” that can gather data from hundreds of phones over targeted areas attracted international attention. Rights groups alleged that its use could be unlawful. But the same company that exclusively manufactures the Stingray—Florida-based Harris Corporation—has for years been selling government agencies an entire range of secretive mobile phone surveillance technologies from a catalogue that it conceals from the public on national security grounds.
Details about the devices are not disclosed on the Harris website, and marketing materials come with a warning that anyone distributing them outside law enforcement agencies or telecom firms could be committing a crime punishable by up to five years in jail.
These little-known cousins of the Stingray can not only track movements—they can also perform denial-of-service attacks on phones and intercept conversations. Since 2004, Harris has earned more than $40 million from spy technology contracts with city, state, and federal authorities in the US, according to procurement records.
In an effort to inform the debate around controversial covert government tactics, Ars has compiled a list of this equipment by scrutinizing publicly available purchasing contracts published on government websites and marketing materials obtained through equipment resellers. Disclosed, in some cases for the first time, are photographs of the Harris spy tools, their cost, names, capabilities, and the agencies known to have purchased them.
What follows is the most comprehensive picture to date of the mobile phone surveillance technology that has been deployed in the US over the past decade.
Courtesy Gregory Ferenstein, TechCrunch
While the world parses the ramifications of the National Security Agency’s massive snooping operation, it’s important to remember an earlier government attempt at data collection and, more important, how a group of hackers and activists banded together to stop it.
In the early 1990s, the military was petrified that encryption technologies would leave it blind to the growing use of mobile and digital communications, so it hatched a plan to place a hardware patch in devices that gave the NSA backdoor wiretap access: the so-called “Clipper Chip”.
After hearing about the plan, a grassroots cabal of hackers, engineers, and academics erupted in protest, sparking a nationwide campaign to discredit the security and business implications of the Clipper chip, ultimately bringing the NSA’s plans to a screeching halt.
Now, the anti-authority community of programmers and tech execs is gearing up for another fight against the NSA’s top-secret Internet snooping apparatus, PRISM, and there are some important lessons they could learn from their victorious predecessors.
A Clash Of Tech And Culture
The MYK-78, a.k.a “Clipper Chip”
Intelligence agencies were as eager to monitor the digital schemings of terrorists during the days of Full House as they are today. Worried that the U.S.’ brilliant academic minds would inadvertently arm its enemies with cutting-edge encryption, the government banned the export of any technologies that could conceal communication.
“If you simply took this technology and released it widely, you were also potentially creating an opportunity for very small terrorist groups, criminals and the like to use this technology to get a kind of perfect information security,” recalls former NSA Attorney General, Stewart Baker.
So, encryption programs in the early Internet browsers were officially treated like a munition, like a missile or a sniper scope. This is why you often saw mentions of nuclear weaponry in the terms of service for programs using cryptography.
The ban wasn’t sustainable because a quickly growing segment of shopaholics wanted the ability to safely buy Captain Planet t-shirts through the World Wide Web, so the NSA knew it couldn’t hold back the entirety of secure e-commerce for national security purposes. As a first step in allowing technology exports, the Clinton White House lobbied for a pencil-eraser-size hardware patch that would, at the very least, allow intelligence agencies the ability to extend their cherished practice of wiretapping to Zack Morris-style cellular telephones.
Ultimately, the plan was defeated by the very same contingent of technologists and businesses that are fighting the NSA’s PRISM program. “Every technology has with it a predominant ideology part of the culture,” says Baker. “There is a predominant ideology that is handed down from professor to student that says, you know, ‘we have to lean against abuses of this technology to make the state stronger’…people will write code that maximizes individual autonomy and reduces the authority of the government.”
Baker recalls how a coordinated ideological effort, with alternative encryption software, academic attacks on Clipper’s vulnerabilities, and big business lobbying, took down the NSA’s plan.
“A subculture clash became a battle between Microsoft at the height of its powers and a national security establishment,” recalls Baker, who argues that the need to export products, especially for e-commerce, compelled the business community to win over members of Congress.
Ray Ozzie, Microsoft’s former Chief Software Architect, testified before Congress and let vulnerable members know that encryption regulations could have cost them between $6 billion and $9 billion in lost annual revenue. It worked.
“The Government should not be in the business of mandating particular technologies,” said career Senator Patrick Leahy (still in office).
“They go to the White House, they go to congress, and they explain how it’s going to hurt their business,” adds Steven Levy, who wrote the book on the Clipper Chip wars, Crypto.
Even more than in the ’90s, the technology industry has close friends in government. The Bay Area fundraised more for Obama than either Hollywood (LA) or Wall Street (New York). Silicon Valley’s massive DC presence is paying off: Google’s intensive lobbying over the Federal Trade Commission’s monopoly charges got its potential multi-million dollar fine reduced to a stern warning.
Already we’re seeing Google’s request to disclose more data on NSA spying practices pay off: the Obama administration has indicated that it may loosen the gag order over which details it can publicize. The industry is just beginning to fight, but Silicon Valley paid big bucks during the campaigns and they have favors waiting to be called in.
The First Amendment Is Your Friend
Lobbying alone didn’t topple the Clipper Chip and export controls. Three months before the White House caved in to the tech industry, the Ninth Circuit Court of Appeals struck down export controls on First Amendment grounds.
“Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption bounty,” explained the landmark Bernstein vs. US Department of Justice decision.
Though the government officially appealed the ruling, it knew it had a weakened position. “Then the government came to us and said, ‘We want to settle the case,’” says John Gilmore, founder of the Electronic Frontier Foundation.
Today, the issue of government phone and internet snooping is largely a First Amendment issue. The NSA has gagged both senators and tech companies alike from talking about the program.
There is fierce disagreement over whether email spying has produced results. While the NSA claims that it helped stop the 2009 New York City subway bombing plot, public documents indicate that law enforcement got its best tip from documents on a hard drive recovered by police in the course of normal investigations.
Google has filed a First Amendment complaint with the Attorney General, and Senator Leahy has proposed legislation to disclose more info to members of Congress (yes, intelligence info is even hidden from Congress).
So, when tech companies and civil liberty groups sue the government, know that they have a history of winning.
Build Tools Like the Dickens
The nail in the coffin for Clipper was the discovery of its inescapable vulnerabilities. Renowned hacker and Bell Labs engineer Matt Blaze “uncovered a flaw in Clipper that would allow a user to bypass the security function of the chip,” wrote Levy back in 1994. Clipper wasn’t just a backdoor for the government, but for any hacker who got past its weak security wall.
On the offense, super-programmers were building free, open source encryption tools, such as Philip Zimmerman’s “Pretty Good Privacy,” which allowed better public oversight of their vulnerabilities and weren’t subject to export regulations. In other words, the government couldn’t stop the grassroots hacker community from spreading the very technology that it aimed to stop.
Today, tools for subverting the NSA have had limited appeal. There’s TOR for secure Internet browsing, and Redphone for secure calling, but they either require everyone to be using the same software or have complex implementations.
“Cryptography isn’t easy and the concepts behind it are not easy to understand. Generally, hiding the complexity of the problem only puts the user at greater risk,” says the TOR project’s Andrew Lewman.
So, while citizens have tech companies and civil rights organizations on their side, the 4th Amendment needs a good user-interface designer.
A Winnable Fight
If history tells us anything, the fight against NSA secrecy is winnable. Intelligence leaders are ruled by elected officials, military practices are still susceptible to the courts, and hackers can create tools to mask users from broad Internet snooping. Every citizen, whether they vote, support a civil liberties organization, or build encryption tools, has a role to play.
As John Gilmore reminds me, “the one advantage we have over the NSA is that there are a lot more of us than there are of them.”
Courtesy Edward Wong, NY Times
BEIJING — Name a target anywhere in China, an official at a state-owned company boasted recently, and his crack staff will break into that person’s computer, download the contents of the hard drive, record the keystrokes and monitor cellphone communications, too.
Pitches like that, from a salesman for Nanjing Xhunter Software, were not uncommon at a crowded trade show this month that brought together Chinese law enforcement officials and entrepreneurs eager to win government contracts for police equipment and services.
“We can physically locate anyone who spreads a rumor on the Internet,” said the salesman, whose company’s services include monitoring online postings and pinpointing who has been saying what about whom.
The culture of hacking in China is not confined to top-secret military compounds where hackers carry out orders to pilfer data from foreign governments and corporations. Hacking thrives across official, corporate and criminal worlds. Whether it is used to break into private networks, track online dissent back to its source or steal trade secrets, hacking is openly discussed and even promoted at trade shows, inside university classrooms and on Internet forums.
Courtesy Mother Jones
If you’re a hacker living in your mom’s basement causing trouble for a world power, can NATO call in an air strike to put a stop to your cybermischief?
That was one question raised this month with the release of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a NATO-commissioned handbook that could be the first step toward codifying the rules under which NATO members will wage cyberwarfare in future conflicts. The project had the input of the International Committee of the Red Cross and US Cyber Command.
The Tallinn Manual is not NATO doctrine; it is the result of a three-year project funded by the NATO Cooperative Cyber Defence Centre of Excellence and conducted by 20 legal experts working in a private capacity. The document could very well influence future rules of engagement for NATO and governments around the world. But for now, it’s a scholarly endeavor; a follow-up three-year project, which digs even deeper into questions pertaining to cyberoperations and state responses, is in the works.
When details of the manual were first reported in the Guardian last week, the rule was widely interpreted as NATO declaring war on hackers and civilian hacktivists. But in terms of wartime precedent, there’s nothing unique about NATO’s "Rule 29"; civilians who directly participate in hostilities have long been deemed legitimate battlefield targets. So of course the same principle would apply to a hacker in an armed conflict, if the hacker’s actions rose to the level of violence. "If someone is causing planes to crash [in a war] using a computer, it’s not really all that different if they’re using a computer rather than some other tool," Julian Sanchez, a Cato Institute research fellow specializing in technology and civil liberties issues, says. "So, sure; go after Alan Cumming," referring to the actor’s character Boris Grishenko, a backstabbing and chauvinist computer programmer targeted by James Bond and the CIA in Goldeneye.
Despite the fairly mundane nature of the rule, Michael Schmitt, chairman of the international law department at the US Naval War College and director of the project that produced the Tallinn Manual, has been flooded with questions about whether NATO is now allowed to send drones to take out Anonymous hackers who they find annoying. "Frankly, I was surprised that part even caught anyone’s attention," Schmitt tells me. "It’s been generating a lot of blowback. But I can assure you NATO is not going to launch jets to hunt down Anonymous members tomorrow. An unexceptional statement has been taken out of context in rather dramatic ways."
The main reason your average hacker doesn’t need to worry about getting blown up by NATO anytime soon is because the Tallinn Manual (which, again, is not official NATO doctrine) is relevant only to (a) an armed conflict or declared war between two states or (b) a civil war within a state. Rule 29 from the 282-page manual (which you can read here for free) addresses a scenario in which a civilian hacker starts working with one side of a conflict to, for instance, execute operations via cyberspace that would hack into enemy intelligence networks, disable command and control electronics, hinder combat capabilities, or harm or kill civilians. This establishes a high bar for what a hacker has to do to trigger an armed response from NATO commanders. And despite much recent hype about cyberwarfare from state actors (China, North Korea, Iran, Israel, etc.) and the growing costs of cybercrime, much of this NATO-commissioned handbook focuses on the abstract, simply because the realm of modern cyberwarfare is relatively new and has yet to be deeply explored. Many of these rules would come in handy in a wartime scenario in which Live Free or Die Hard is happening in real life.
"Cyberwarfare in the future will become a prominent part of the battlefield when prominent countries come to blows," says Martin Libicki, an expert in cyberwar and senior management scientist at the RAND Corporation. "But for now, at least, you don’t just automatically send your drone in after hackers. That’s not the way it works. The worst people like Anonymous are doing nowadays is weapons of mass annoyance."
There’s a real-world test case for this. In the summer of 2011, individuals identifying themselves as Anonymous claimed to have hacked NATO’s website, perhaps as indirect reprisal for the FBI’s arrest of over a dozen alleged hackers. Under current NATO structure, as well as recommendations made in the Tallinn Manual, such a breach would absolutely not warrant violent retribution. "Can you imagine Luxembourg, Estonia, the United States, France, and Spain, getting together and agreeing through the process that NATO demands, and going to the North Atlantic Council, and deciding to drop a bomb on some ordinary hacker?" Schmitt says, with a hint of irritation. "Are you kidding me?"
However, this is where the hypotheticals get a bit muddled. Suppose a civilian hacker who has taken sides in an armed conflict is waging cyberwar remotely from a neutral country. Suppose a terrorist used his or her MacBook Pro to sabotage a major city’s traffic lights in a time of peace, resulting in mass carnage? When discussing such hypotheticals, experts often point to analogous situations such as the bin Laden raid or modern drone warfare. But this is still all uncharted territory. "The real problem here is not whether the basic rules of war should apply when cyberspace is involved; the real problem here is that the rules of war have, for the most part, a long tradition of being defined through kinetic warfare and physical conflict," Sanchez says. "But we’ve found that in some cases when we’ve tried to apply the laws and rules of war to cyberspace, that translation is not always so obvious."
But as for the conspiracy theories sprouting up regarding the recently published Tallinn Manual, the situation isn’t murky. "If somebody defaces my or NATO’s desktop, that’s hardly direct participation in armed conflict, and NATO would not be allowed to resort to armed force," Schmitt says. "It would make great TV, though—pure Hollywood."
NATO did not respond to requests for comment, which I can only assume indicates they have already sent a drone to vaporize my laptop.