Kim Zetter
The Crisis of Election Security
How did our election system get so vulnerable, and why haven’t officials tried harder to fix it? The answer, ultimately, comes down to politics and money: The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry. The valuable work of testing system security has been taken up voluntarily by security researchers.
Malware Attacks Used by US Government Retain Potency for Many Years
A new report from Rand Corp may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices. The report also provides evidence that such vulnerabilities are long lasting.
The findings are of particular interest because not much is known about the US government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes. Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole. Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.
Internet Archive Successfully Fends Off Secret FBI Order
Ten years ago, the FBI sent Brewster Kahle, founder of the Internet Archive, a now-infamous type of subpoena known as a National Security Letter, demanding the name, address and activity record of a registered Internet Archive user. The letter came with an everlasting gag order, barring Kahle from discussing the order with anyone but his attorney — not even his wife could know. But Kahle did eventually talk about it, calling the order “horrendous,” after challenging its constitutionality in a joint legal effort with the Electronic Frontier Foundation and the American Civil Liberties Union. As a result of their fight, the FBI folded, rescinding the NSL and unsealing associated court records rather than risk a ruling that their surveillance orders were illegal.
Now, Kahle and the archive are notching another victory, one that underlines the progress their original fight helped set in motion. The archive, a nonprofit online library, has disclosed that it received another NSL in August, its first since the one it received and fought in 2007. Once again it pushed back, but this time events unfolded differently: The archive was able to challenge the NSL and gag order directly in a letter to the FBI, rather than through a secretive lawsuit. In November, the bureau again backed down and, without a protracted battle, has now allowed the archive to publish the NSL in redacted form.
iPhone Secretly Send Call History To Apple, Security Firm Says
Apple emerged as a guardian of user privacy this year after fighting FBI demands to help crack into San Bernardino (CA) shooter Syed Rizwan Farook’s iPhone. The company has gone to great lengths to secure customer data in recent years, by implementing better encryption for all phones and refusing to undermine that encryption. But private information still escapes from Apple products under some circumstances.
The latest involves the company’s online syncing service iCloud. Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification. “You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft. The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement, who may not be able to obtain the data either from the user’s carrier, who may retain the data for only a short period, or from the user’s device, if it’s encrypted with an unbreakable passcode.
Researchers Find and Decode the Spy Tools Governments Use to Hijack Phones
Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.
The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab at the University of Toronto’s Munk School of Global Affairs in Canada, who say the findings provide great insight into the trade craft behind Hacking Team’s tools.
The new components target Android, iOS, Windows Mobile, and BlackBerry users and are part of Hacking Team’s larger suite of tools used for targeting desktop computers and laptops. But the iOS and Android modules provide cops and spooks with a robust menu of features to give them complete dominion over targeted phones.
This is the first time that the modules used to spy on mobile phone users have been uncovered in the wild and reverse-engineered. Kaspersky has tracked more than 350 command-and-control servers created for this purpose in more than 40 countries. While Kaspersky found only one or two servers in most of these countries, the researchers found 64 in the United States -- by far the most. Kazakhstan followed with 49, Ecuador with 35 and the United Kingdom with 32.
As Kaspersky notes, it makes little sense for governments to maintain their command servers in foreign countries where they run the risk of losing control over the servers.
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?
When ex-government contractor Edward Snowden exposed the National Security Agency’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort.
Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said in June 2013. “Properly implemented strong crypto systems are one of the few things that you can rely on.”
But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery. Now that caveat has hit home -- in a big way -- when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic.
“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania says. “It’s certainly something that the NSA would find extremely useful in their arsenal.” So far, though, there’s no evidence to suggest this is the case. For one thing, the bug did not affect every website.
How a Chinese Tech Firm Became the NSA’s Surveillance Nightmare
The National Security Agency’s global spy operation may seem unstoppable, but there’s at least one target that has proven to be a formidable obstacle: the Chinese communications technology firm Huawei, whose growth could threaten the agency’s much-publicized digital spying powers.
An unfamiliar name to American consumers, Huawei produces products that are swiftly being installed in the Internet backbone in many regions of the world, displacing some of the western-built equipment that the NSA knows -- and presumably knows how to exploit -- so well. That obstacle is growing bigger each year as routers and other networking equipment made by Huawei Technologies and its offshoot, Huawei Marine Networks, become more ubiquitous. The NSA and other US agencies have long been concerned that the Chinese government or military -- Huawei’s founder is a former officer in the People’s Liberation Army -- may have installed backdoors in Huawei equipment, enabling it for surveillance. But an even bigger concern is that with the growing ubiquity of Huawei products, the NSA’s own surveillance network could grow dark in areas where the equipment is used. For that reason, as the latest Snowden revelations showed, the spy agency reportedly hacked Huawei as part of an operation launched in 2007. The plan involved stealing source code for some of Huawei’s products in the hope of finding vulnerabilities. Such security holes could allow the NSA to exploit the products and spy on traffic in countries where Huawei equipment is used -- such as Iran, Afghanistan, Pakistan, Kenya, and Cuba. “Many of our targets communicate over Huawei-produced products,” an internal NSA document obtained by Snowden noted in 2010, according to the New York Times. “We want to make sure that we know how to exploit these products … to gain access to networks of interest” around the world.