Gadget Gurus
  
Wikileaks Unveils 'Vault 7': "The Largest Ever Publication Of Confidential CIA Documents"; Another Snowden Emerges | Zero Hedge


WikiLeaks has published what it claims is the "largest ever publication of confidential documents on the CIA." It includes more than 8,000 documents as part of ‘Vault 7’, a series of leaks on the agency which expose the agency's massive hacking arsenal.


#Privacy #CIA #Spying #Hacking #Snooping #Surveillance #WikiLeaks #Leaks #Vault 7 #Vault7 #Weeping Angel #HIVE @LibertyPod+
... "Surprise"!

Gadget Gurus
  
Technology | The Guardian wrote the following post Fri, 13 Jan 2017 05:00:16 -0600

WhatsApp backdoor allows snooping on encrypted messages

Exclusive: Privacy campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.


#WhatsApp #Signal #Encryption #Social Networking #Communications #Surveillance #Snooping #Privacy
Apple Logs Your iMessage Contacts — and May Share Them with Police

Gadget Gurus
  
The Intercept wrote the following post Wed, 28 Sep 2016 09:00:52 -0500


Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “tap and trace devices,” orders that are not particularly onerous to obtain, requiring only that a government lawyer represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

The Intercept received the document about Apple’s Messages logs as part of a larger cache originating from within the Florida Department of Law Enforcement’s Electronic Surveillance Support Team, a state police agency that facilitates police data collection using controversial tools like the Stingray, along with conventional techniques like pen registers. The document, titled “iMessage FAQ for Law Enforcement,” is designated for “Law Enforcement Sources” and “For Official Use Only,” though it’s unclear who wrote it or for what specific audience — metadata embedded in the PDF cites an author only named “mrrodriguez.” (The term “iMessages” refers to an old name for the Messages app, a name still commonly used to refer to it.)

Phone companies routinely hand over metadata about calls to law enforcement in response to pen register warrants. But it’s noteworthy that Apple is able to provide information on iMessage contacts under such warrants given that Apple and others have positioned the messaging platform as a particularly secure alternative to regular texting.

The document reads like a fairly standard overview that one might forward to a clueless parent (questions include “How does it work?” and “Does iMessage use my cellular data plan?”), until the final section, “What will I get if I serve Apple with a [Pen Register/Tap and Trace] court order for an iMessage account?”:

Image/photo

This is a lot of bullet points to say one thing: Apple maintains a log of phone numbers you’ve entered into Messages, and potentially elsewhere on an Apple device, like the Contacts app, even if you never end up communicating with those people. The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often—an Apple spokesperson confirmed only that the logging information in the iMessage FAQ is “generally accurate,” but declined to elaborate on the record.

Image/photo

Illustration: Selman Design for The Intercept

Apple provided the following statement:
“When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.”

And it’s true, based on the sample information provided in the FAQ, that Apple doesn’t appear to provide any indication whatsoever that an iMessage conversation took place. But a list of the people you choose to associate with can be just as sensitive as your messages with those people. It requires little stretching of the imagination to come up with a scenario in which the fact that you swapped numbers with someone at some point in the past could be construed as incriminating or compromising.

Andrew Crocker, an attorney with the Electronic Frontier Foundation, said the document prompted further questions:
“How often are lookups performed? Does opening [an iMessage] thread cause a lookup? Why is Apple retaining this information?”

The Florida Department of Law Enforcement did not return a request for comment.

The fact that Apple is able and willing to help the government map the communications networks of its users doesn’t necessarily undermine the company’s posturing (and record) as a guardian of privacy, though this leaked document provides more detail about how the iMessages system can be monitored than has been volunteered in the past. Ideally, customers wouldn’t need to read documents marked “For Official Use Only” in order to know what information Apple may or may not disclose to the police. In a section of its website devoted to touting the privacy safeguards in its products, Apple claims that “your iMessages and FaceTime calls are your business, not ours… Unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”

In 2013, after Apple was revealed to be among the tech companies caught up in an NSA surveillance program known as PRISM, which tapped into customer information on the central servers of nine leading internet companies, the company released a rare statement regarding its “commitment to customer privacy,” insisting that it would be unable to share sensitive customer data even if it wanted to:
For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

Questions of how much Apple could or would aid police if asked vaulted back into headlines following the mass shooting in San Bernardino last year, which left the FBI in possession of the shooter’s iPhone, which it was unable initially to decrypt. Apple balked at demands that it help crack the phone, allowing it to enjoy a reputation as not just a maker of expensive electronics, but a determined privacy advocate. We need more technology companies that are willing to take public, principled stands in defense of our private lives, but these same companies should follow through with technical transparency, not just statements.


The post Apple Logs Your iMessage Contacts — and May Share Them with Police appeared first on The Intercept.


#Privacy #Surveillance #Tracking @LibertyPod+
Long-Secret Stingray Manuals Detail How Police Can Spy on Phones

Gadget Gurus
  
The Intercept wrote the following post Mon, 12 Sep 2016 13:33:47 -0500


Harris Corp.’s Stingray surveillance device has been one of the most closely-guarded secrets in law enforcement for more than 15 years. The company and its police clients across the United States have fought to keep information about the mobile-phone-monitoring boxes from the public against which they are used. The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet.

Harris has fought to keep its surveillance equipment, which carries price tags in the low six figures, hidden from both privacy activists and the general public, arguing that information about the gear could help criminals. Accordingly, an older Stingray manual released under the Freedom of Information Act to news website TheBlot.com last year was almost completely redacted. So too have law enforcement agencies at every level, across the country, evaded almost all attempts to learn how and why these extremely powerful tools are being used—though court battles have made it clear Stingrays are often deployed without any warrant. The San Bernardino Sheriff’s Department alone has snooped via Stingray, sans warrant, over 300 times.

Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up to date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.

“There really isn’t any place for innocent people to hide from a device such as this,” he wrote in an email message.

“As more of our infrastructure, homes, environment, and transportation are connected wirelessly to the internet, such technologies really do pose a massive risk to public safety and security.”

And the Harris software isn’t just extremely powerful, Tynan adds, but relatively simple, providing any law enforcement agent with a modicum of computer literacy the ability to spy on large groups of people:
The ease with which the StingRay II can be used is quite striking and there do not seem to be any technical safeguards against misuse… It also allows the operator to configure virtually every aspect of the operation of the fake cell tower… The Gemini platform also allows for the logging and analysis of data to and from the network and “Once a message to/from any active subscriber in the Subscriber list is detected, Gemini will notify the user.” How many innocent communications of the public are analyzed during this process?

Tynan also raised questions about the extent to which Stingrays may be disrupting the communications infrastructure, including existing cellular towers.

Harris declined to comment. In a 2014 letter to the FCC, the company argued that if the owner’s manuals were released under the Freedom of Information Act this would “harm Harris’ competitive interests” and that “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.” But Stingrays are known for spying on low-level marijuana dealers and other domestic targets, not al Qaeda; as the Electronic Frontier Foundation’s Jennifer Lynch said in December, “I am not aware of any case in which a police agency has used a cell-site simulator to find a terrorist.” Meanwhile, it is already publicly known that the NSA uses Stingray-like devices to locate suspected terrorists as part of a system known as Gilgamesh. Nathan Wessler, an attorney with the ACLU, told The Intercept that “when the most likely ‘countermeasure’ is someone turning their phone off or leaving it at home, it is hard to understand how public release of a manual like this could cause harm.” And furthermore, says Wessler, “it is in the public interest to understand the general capabilities of this technology, so that lawmakers and judges can exercise appropriate oversight and protect people’s privacy rights.”

The documents described and linked below, instruction manuals for the software used by Stingray operators, were provided to The Intercept as part of a larger cache believed to have originated with the Florida Department of Law Enforcement. Two of them contain a “distribution warning” saying they contain “Proprietary Information and the release of this document and the information contained herein is prohibited to the fullest extent allowable by law.”

Although “Stingray” has become a catch-all name for devices of its kind, often referred to as “IMSI catchers,” the manuals include instructions for a range of other Harris surveillance boxes, including the Hailstorm, ArrowHead, AmberJack, and KingFish. They make clear the capability of those devices and the Stingray II to spy on cell phones by, at minimum, tracking their connection to the simulated tower, information about their location, and certain “over the air” electronic messages sent to and from them. Wessler added that parts of the manuals make specific reference to permanently storing this data, something that American law enforcement has denied doing in the past.


One piece of Windows software used to control Harris’ spy boxes, software that appears to be sold under the name “Gemini,” allows police to track phones across 2G, 3G, and LTE networks. Another Harris app, “iDen Controller,” provides a litany of fine-grained options for tracking phones. A law enforcement agent using these pieces of software along with Harris hardware could not only track a large number of phones as they moved throughout a city but could also apply nicknames to certain phones to keep track of them in the future. The manual describing how to operate iDEN, the lengthiest document of the four at 156 pages, uses an example of a target (called a “subscriber”) tagged alternately as Green Boy and Green Ben:

Image/photo

The documents also make clear just how easy it is to execute a bulk surveillance regime from the trunk of a car: a Gemini “Quick Start Guide”, which runs to 54 pages, contains an entire chapter on logging, which “enables the user to listen and log over the air messages that are being transmitted between the Base Transceiver Station (BTS) and the Mobile Subscriber (MS).” It’s not clear exactly what sort of metadata or content would be captured in such logging. The “user” here, of course, is a police officer.


In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example knocking a connection from LTE to 2G:

Image/photo

A video of the Gemini software installed on a personal computer, obtained by The Intercept and embedded below, provides not only an extensive demonstration of the app but also underlines how accessible the mass surveillance code can be: Installing a complete warrantless surveillance suite is no more complicated than installing Skype. Indeed, software such as Photoshop or Microsoft Office, which require a registration key or some other proof of ownership, are more strictly controlled by their makers than software designed for cellular interception.

“While this device is being discussed in the context of US law enforcement,” said Tynan, “this could be used by foreign agents against the US public and administration. It is no longer acceptable for our phones and mobile networks to be exploited in such an invasive and indiscriminate way.”


The post Long-Secret Stingray Manuals Detail How Police Can Spy on Phones appeared first on The Intercept.


#Privacy #Surveillance #Stingray #Snooping #Communications #Freedom #Liberty #Policing @LibertyPod+
Researchers Discover Tor Nodes Designed to Spy on Hidden Services

Seth Martin
  last edited: Sat, 21 Jan 2017 11:49:04 -0600  
Suspicion Confirmed.

Schneier on Security wrote the following post Fri, 08 Jul 2016 07:01:18 -0500


Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow explains:
These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of "infowar" weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

The Tor project is working on redesigning its system to block this attack.

Vice Motherboard article. Defcon talk announcement.


#Tor #Security #Cybersecurity #Spying #Surveillance @LibertyPod+  @Gadget Guru+