Sunday 25 August 2013

After Snowden revelations U.S. spy agency edges into the light

There was a time when the U.S. National Security Agency was so secretive that government officials dared not speak its name in public. NSA, the joke went, stood for "No Such Agency."
That same agency this month held an on-the-record conference call with reporters, issued a lengthy press release to rebut a newspaper story, and posted documents on a newly launched open website - icontherecord.tumblr.com (which stands for intelligence community on the record).
The steps were taken under pressure as President Barack Obama's administration tries to calm a public storm over disclosures by former NSA contractor Edward Snowden that the surveillance agency and its British counterpart scoop up far more Internet and phone data than previously known.
The NSA's moves out of the shadows were meant to show that it operates lawfully and fixes mistakes when they are detected, but not everyone is convinced that it is a fundamental shift toward more openness at the intelligence agencies.
Some steps toward openness were unprecedented.
The government for the first time released opinions - previously labeled Top Secret - from the Foreign Intelligence Surveillance Court, which never publicly airs its decisions on the electronic eavesdropping and communications collection by the NSA.
The move came despite resistance from some Justice Department lawyers and some NSA and CIA officials concerned about the amount of unredacted material going public in the three FISA Court opinions released, U.S. sources told Reuters.
In the end, Director of National Intelligence James Clapper made the decision on how much material was released from the previously secret court opinions.
"There is no disagreement across the community with regard to whether or not we need to be more transparent and it is just a question of determining how far we can safely go," Shawn Turner, DNI spokesman, said.
Obama and other officials have said the NSA surveillance programs are lawful, have been approved by Congress and the FISA Court, and are aimed at detecting and disrupting terrorist plots.
The FISA court said the NSA may unintentionally have collected as many as 56,000 emails of Americans a year from 2008 to 2011 and may have violated the Constitution before adjustments were made.
Some analysts said intelligence agencies had not necessarily entered a brand new world of public displays of information.
"I wouldn't call it a seismic shift towards a greater transparency. The federal government put these documents out under duress," said Darrell West, director of governance studies at the Brookings Institution, a Washington think tank.
"The problem is they just keep releasing materials bit by bit and so the scandal never goes away."
Recent efforts by U.S. intelligence agencies to appear more open follow earlier comments by top-level officials that in hindsight raised questions of veracity.
Clapper was asked at a congressional hearing in March whether the NSA collected any type of data on millions of Americans, to which he responded: "No sir."
After the Snowden revelations were published in June, Clapper told NBC his response at the hearing had been given in the "most truthful, or least untruthful, manner."
General Keith Alexander, director of the NSA, told Reuters in May that the agency had no interest in reading the emails of U.S. citizens, and quipped: "The great irony is we're the only ones not spying on the American people."
Government officials are loath to say that Snowden's disclosures prompted greater openness, but analysts say it did have an effect.
"The amount of knowledge that people now have about what NSA does means that we can't simply pretend it doesn't exist. That's where Snowden changed things," said James Lewis, a senior fellow at the Center for Strategic and International Studies.
To make the disclosed NSA programs palatable to the public, more openness is required, he said. "There is a link between transparency and accountability and political acceptance."
Jameel Jaffer, deputy legal director at the American Civil Liberties Union, said the organization was pleased with the recent release of documents and hoped the government would release more in the coming weeks.
But it should not be viewed as a huge shift toward transparency by the administration, said Jaffer, whose group has also sued the federal government for more information on its use of unmanned drones.
"In fact, on the same day the president promised more transparency on surveillance issues, the CIA filed a brief in one of our 'targeted killing' cases arguing that it could not release legal memos about the drone program, could not release civilian casualty numbers, and for that matter could not even acknowledge that the agency had played any role in targeted killings," Jaffer said.

DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses

In need of a good reason to start using Craigslist’s ‘real email anonymization’ option? We’re about to give you a pretty good one. For years, the popular classified Web site has been under fire from spammers using DIY email collecting tools, allowing them to easily obtain fresh and valid emails to later be abused in fraudulent/malicious campaigns.
Let’s take a peek at some of the DIY Craigslist themed spamming tools currently in (commercial) circulation.
What makes an impression is not just the degree of customization of these tools, but also the fact that they have evolved to include the features now ubiquitous in DIY tools of this kind. Such features include, but are not limited to, proxy support, outsourcing of the CAPTCHA-solving process, QA in terms of avoiding the collection of anonymous Craigslist emails, as well as the ability to tailor the collection process to the needs of the spammer through the use of custom keywords or a specific period of time.
Sadly, Craigslist isn’t the only Web site that’s efficiently targeted by spammers. Despite raising awareness on the concept of harvesting fresh and valid emails from Twitter, in real-time, back in 2009, the practice is still taking place, empowering spammers with access to an endless pool of email addresses. And that’s just the tip of the iceberg.
Craigslist users are advised to take advantage of the site’s ‘email anonymization’ feature, in an attempt to prevent spammers from successfully collecting their emails.

ACLU Reveals FBI Hacking Contractors

James Bimen Associates of Virginia and Harris Corporation of Florida have contracts with the U.S. Federal Bureau of Investigation (FBI) to hack into computers and phones of surveillance targets, according to Chris Soghoian, principal technologist at the American Civil Liberties Union’s Speech, Privacy and Technology Project.
“Bimen and Harris employees actively hack into target computers for the FBI,” Soghoian told CorpWatch.
James Bimen Associates did not return phone calls asking for comment. Jaime O’Keefe, a spokesman for Harris, and Jennifer Shearer, an FBI spokeswoman, both declined to comment for this story.
However, the FBI has not denied these capabilities. The agency “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” a former official in the FBI’s cyber division told the Wall Street Journal recently. “When you do, it’s because you don’t have any other choice.”
Soghoian verified the information from other sources, after uncovering the information from Freedom of Information Act requests filed by the Electronic Freedom Foundation (EFF) and other publicly available information.
“The government doesn’t have the resources to directly monitor every American or let alone every foreigner but they want to read the communications of every foreigner and they want to collect information on every American,” explains Soghoian. “What do you do when you don’t have the manpower to collect everyone’s communications?”
The answer, he says, is spy software. This is not unprecedented among government agencies. For example, the U.S. Food and Drug Administration (FDA) bought commercial products from a company named SpectorSoft in Florida to track five staff whom they suspected of whistleblowing in 2009.
The software allowed them to capture “screen images from the government laptops of five scientists as they were being used at work or at home, tracked their keystrokes, intercepted their personal e-mails, copied the documents on their personal thumb drives and even followed their messages line by line as they were being drafted,” the New York Times reported last year.
Other companies like Gamma International from Germany and Hacking Team from Italy have also been aggressively marketing their products for purchase by local police officers. A number of national governments like Egypt and Mexico have also reportedly bought such systems that allow them to listen to regular phone and Skype conversations and read email.
But what agencies like the FBI are now worried about is that individuals are “going dark” by using freely available encryption software to prevent their email and phone conversations from being captured by law enforcement agencies.
In order to combat this, Soghoian says the FBI wanted custom designed products, so they turned to a little known internal team named the “Remote Operations Unit” inside the Operational Technology Division, which set up a project called “Going Dark”.
Eric Chuang, the head of the Remote Operations Unit in Quantico, Virginia, who has a doctorate in clinical psychology from Indiana University of Pennsylvania, and a law degree from Temple University in Philadelphia, was put in charge of this task.
Bimen Associates, which has its headquarters in McLean, Virginia, near the headquarters of the Central Intelligence Agency, provided custom designed software tools developed exclusively for the FBI to crack encrypted conversations, says Soghoian. Agency staff and contractors access computers of suspects remotely to install this software to allow them to watch everything that the target types or says.
In February 2008, Bimen Associates hired Amanda Hemmila, a former U.S. Air Force computer technician, who was working on an online undergraduate degree in computer science with Grantham University in Missouri, to help test their new software.
Hemmila’s LinkedIn resume says that she was responsible for “building, testing, deploying, maintaining and tracking software kits and hardware deployed from the Remote Operations Unit Deployment Operations Center” as well as training them in “processing and viewing software and providing End User phone support.” She also helped write policies, guidance and training material to keep the software secret.
After spending a little over a year at Bimen Associates, Hemmila returned to her studies and graduated in 2012. A few months after she left, Mark Muller, who had an undergraduate degree in information technology from George Mason University, went to work for Bimen Associates in Quantico.
Muller says he wrote up the standard operating procedures for the FBI to use proprietary company software “we use to gain access to criminal subject machines in the field.”
He also conducted “pre-deployment meetings with the FBI agents and management to coordinate details of a case and implement an operational plan to track a subject(s).” After the agents completed monitoring of a target, Muller says he archived information on “previous implant(s) installed on subject’s machine, if any, as a knowledge base for the field agents.”
Bimen Associates does not appear to be a big or well known intelligence contractor – the only public contract that the company has been awarded lists zero income – but it is well connected.
Jerry Menchhoff, president of Bimen Associates, has been with the company since it was founded in 1998, after working for Booz Allen Hamilton, a company famous for two other employees – James Clapper and Michael McConnell, both of whom have worked as U.S. director of national intelligence, the top spy job in the country.
(Booz also made the news more recently when Edward Snowden, another former employee, blew the whistle on the surveillance activities of the U.S. National Security Agency).
The other company that supplies tracking software to the FBI is Melbourne, Florida-based Harris Corporation, which has been awarded almost seven million dollars in contracts by the agency since 2001, mostly for radio communication equipment. In 1999 Harris designed the software for the agency’s National Crime Information Centre database that keeps track of criminal histories, fugitives, missing persons, and stolen property.
Harris made it into the news a couple of years ago when the Wall Street Journal revealed that the company was selling a gadget called a “Stingray” to the FBI that allows the agency to track cellphone locations of users without their knowledge.
At the time Sherry Sabol, chief of the Science & Technology Office for the FBI’s Office of General Counsel, refused to provide any background on the subject because she said that information about Stingrays and related technology was “considered Law Enforcement Sensitive, since its public release could harm law enforcement efforts by compromising future use of the equipment.”
However, legal depositions by FBI agents, together with contract data dating back to 2002, confirmed the existence of the Stingray.
The big question is whether or not the FBI obtains warrants before using tracking software. In the case of the Stingray, the agency claimed that it was okay to use such devices without obtaining a warrant, on the grounds that it was like tracking down phone numbers, which the U.S. Supreme Court has ruled is permissible.
But privacy advocates say that tracking the “metadata” of phone and computer communications and the information on it involves a far greater invasion of privacy, and should require a warrant from a judge. (This discussion is still ongoing in the courts, notably after a U.S. court ruled it was okay for the government to track cell phone location data without a warrant).
Soghoian believes there needs to be a public debate on the use and potential misuse of these tools.
“There hasn’t been a (Congressional) debate about the FBI getting into the hacking business,” Soghoian told attendees at DEFCON, an annual hacker convention that took place earlier this month in Las Vegas. “People should understand that local cops are going to be hacking into surveillance targets. Particularly for dragnet searches where they want to do a keyword search or a social network analysis, you need everyone’s communications.”

Anonymous Attack New Zealand Spy Site

Worldwide activist group Anonymous is believed to be behind a hack attack on the Government Communications Security Bureau website on Friday.
On Thursday, Anonymous posted a threatening video on YouTube, claiming that Prime Minister John Key, the Act Party and veteran politician Peter Dunne were to be held responsible for the destruction of internet freedom and basic human rights of New Zealand citizens by passing the GCSB bill, "which allows your government to spy on you".
It is understood the GCSB website suffered a saturation of external communication requests, to the point where it could not respond to legitimate traffic.
The communications interception agency confirmed the attack slowed its gateway for about 30 minutes.
In the warning video, a man wearing a black hooded outfit and Guy Fawkes mask said: "We, as Anonymous have decided to take action. To the Government of New Zealand, you now have our full attention and we will be watching your every move ... this is your final warning."
A spokesman for GCSB said there could have been some temporary degradation of service.