Tag Archives: Alphabet Agencies

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

CouchPotato enabled CIA agents to remotely use the tool to stealthily collect RTSP/H.264 video streams (RTSP/H.264: Real Time Streaming Protocol is a network control protocol designed for use in entertainment and communication systems and is a control mechanism for streaming media servers).

The tool provided CIA operatives with a number of options:

  • Collect the media stream as a video file (AVI);
  • Capture still images (JPG) of frames from the media stream;
    • This function was capable of being triggered only when there was change (threshold setting) in the pixel count from the previous capture;

The tool uses FFmpeg to encode and decode video and images and Real Time Streaming Protocol connectivity. The CouchPotato tool works stealthily without leaving any evidence on the attacked systems facilitated by ICE v3 “Fire and Collect” loader.

This is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.

Neither Wikileaks, nor the leaked user guide explains how the agency penetrates the attacked systems, but as many CIA malware, exploits and hacking tools have already leaked in the Vault 7 publications, the agency has probably used CouchPotato in combination with other tools.” – TAD Group

The 10th August 2017 WikiLeaks release overview:

“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”

One document was published alongside this release:

CouchPotato v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

In Chamberlain-esque Pose EU Declares “Privacy in our Time”

The notional purpose of the EU-US Privacy Shield is to establish a framework that allows personal data for commercial purposes to be transferred between the European Union and the United States.

Personal data that is received by US companies operating in Europe is ostensibly governed by EU privacy laws. Pick any notable US organization and they have an office in Europe, typically serving the EMEA region.

But for the purposes of this rant suffice to say that we need only consider Google, Apple, Microsoft, Twitter, and Facebook (a.k.a “Farcebook”).

Do not buy into the high profile privacy battles that these organizations now raise high as examples of their commitment to their customers’ privacy. These are PR tactics.

All of these organizations were more than happy to be secretly willing accomplices to US intelligence agency antics and law-breaking before their activities were exposed and they suffered a backlash. They have been vigourously back-pedalling and papering over the cracks ever since. It is all meaningless posturing.

They are inherently compromised, every day, and in every way.

The EU-US Privacy Shield replaces what was called the International Safe Harbor Privacy Principles (ISHPP). Lofty names for a veneer that actually contains no verifiable substance or oversight when you examine the vast amount of exceptions and undermining laws that in fact render them all moot.

In late 2015 , the ISHPP was declared invalid in its entirety by the EU at a hearing in the European Court of Justice.

But like a smarmy salesperson, the US simply flicked the pages on the sales brochure asking “well, what about this?” – “no?” – “this?” – “no?” – “this?” – until some browbeaten Brussels technocrat bought the bullshit and agreed a new name for the same abuses.

In the usual garbled and meaningless language of the European Commission it was declared on 2nd February 2016 that the EU and the US had found new common ground on the privacy issue and an “Adequacy Decision” was published. (What exactly is an “Adequacy Decision” when it is at home eating chips and eavesdropping on its neighbours?)

In a Chamberlain-esque pose the EU held up this new agreement and declared that it was “…. equivalent to the protections offered by EU law.”

It is not.

ENDS

For more scholarly and considered thinking, read Joint letter to European Commission on EU-US Privacy Shield (July 26, 2017) from Human Rights Watch and Amnesty International to the European Commission to urge a re-evaluation of its Implementing Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield on the basis that the United States of America (United States) does not ensure a level of fundamental rights protection regarding the processing of personal data that is essentially equivalent to that guaranteed within the European Union (EU).

So, So Reasonable, The Politics of Fear – Retrofitting Abnormality

I have read many, many reasonable articles about the need for law enforcement and intelligence agencies to have the ability to access the communications of person’s of interest.

Patrick Gray recently wrote in “No encryption was harmed in the making of this intercept” that:

“Over the last few days people have been losing their minds over an announcement by the Australian government that it will soon introduce laws to compel technology companies to hand over the communications of their users. This has largely been portrayed as some sort of anti-encryption push, but that’s not my take. At all. Before we look at the government’s proposed “solution,” it might make sense to define some problems, as far as law enforcement and intelligence agencies are concerned. The first problem has very little to do with end-to-end encryption and a lot more to do with access to messaging metadata.”

he continues …

“Thanks to our pal Phineas Fisher, we’ve had a glimpse into the sausage factory that is the law enforcement trojanware industry. Gamma Group and Hacking Team, two companies that make surveillance software for mobile phones, were both hacked by Mr. Fisher and the gory details of their operations laid bare. What we learned is that law enforcement organisations already have perfectly functional trojans that they can install on a target’s phone. These trojans canalready intercept communications from encrypted apps.”

and then …

“Do we believe that law enforcement bodies should have the authority to monitor the communications of people suspected of serious criminal offences? If so, what should the legal process for provisioning that access look like? I mentioned auditing access under this scheme a couple of paragraphs ago. If we’re going to have a regime like this, can we have a decent access auditing scheme please? These are the sorts of things I would prefer to be talking about.”

Think about everything that is happening at the moment in terms of the erosion of your privacy, free speech, and civil liberties. And then ask yourself the following:

  1. Do I think that politicians are concerned with striking an appropriate balance between the right to privacyfreedom of speech, and the preservation of civil liberties with the need to maintain the rule of law;
  2. Do I think that the current wave of proposed surveillance legislation is an attempt to normalise abnormal and illegal  practices by our governments and intelligence agencies, now that they have been exposed;
  3. Do I think that all of this proposed legislation is engineered to save our governments and intelligence agencies the bother of the endless crisis room PR;
  4. Do I think that our governments and intelligence agencies are tired of having to react to the publication of their illegal practices by whistleblowers;
  5. Do I think instead that they wish to fob off all objections to Mass Surveillance with a dismissive “we’ve heard it all before” hand wave, the benefit of a statute, while mumbling “imminent threat”, “terrorists”, “pedophiles”, “dark markets”;

ENDS

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon

BothanSpy is Microsoft Windows implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. Gyrfalcon is a CentOS, Debian, RHEL, SUSE, and Ubuntu Linux Platform implant that targets the OpenSSH client not only steals user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic. Both implants save the collected information in an encrypted file for later exfiltration while the BothanSpy implant also implements exfiltration in real time to a CIA server thus leaving no footprint on the target system storage disk(s).

The 6th July 2017 WikiLeaks release overview:

“Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted [sic] file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Three documents were also published alongside this release BothanSpy V1.0 Tool Documentation, Gyrfalcon V2.0 User’s Guide, and Gyrfalcon 1.0 User Manual.

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #14 and #16 synopses are available on WikiLeaks and analysis of BothanSpy & Gyrfalcon at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews – Original Image edited to add extract from BothanSpy Tool Documentation Page 8 Screenshot 07/16/2017.

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise

HighRise is an android (V4.0 to V4.3) implant for SMS redirect to listening posts.

The 13th July 2017 WikiLeaks release overview:

“Today, July 13th 2017, WikiLeaks publishes documents from the HighRise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. HighRise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.”

A HighRise User’s Guide was also published.

Previous Vault 7 WikiLeaks dumps #1 – #15 synopses are available on WikiLeaks and analysis of HighRise at The Hacker News.

ENDS

Image courtesy of The Hacker News – Twitter @TheHackersNews

Related Posts: #WikiLeaks #Vault7 Leak #16: #HighRise, #android implant for #SMS redirect #LP @TheHackersNews

https://airgapanonymitycollective.com/2017/07/15/wikileaks-cia-vault7-leak-16-highrise/

Silencing the Canary & The Key Powers & Reach of The IPA

Please Note: This post is not an advertisement for or an endorsement of ProtonMail 

The Investigatory Powers Bill (IPB) was approved by the UK Parliament and after receiving Royal Assent this week will become The Investigatory Powers Act (IPA) coming into force in 2017. The law gives broad new powers to the UK’s intelligence agencies (GCHQ, MI5, MI6) and law enforcement.

In theory, companies offering encryption services, that are not based in the UK, do not fall under the jurisdiction of the IPA – but that is not actually the reality. Strong encryption isn’t just important for privacy, but also key to providing security in the digital age.

Laws like the IPA pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states but there are tools today that can help protect your digital rights.

Below is a short summary of the most relevant points of the IPA which was written by ProtonMail, a Swiss based firm that offers encrypted email services. The key powers of the Investigatory Powers Act are:

(Start of ProtonMail Summary – Paraphrased)

Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more. All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under the IPA, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPA are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

Impact of the IPA outside of the UK

In theory, the IPA only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK.

Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPA. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPA will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Encrypted email accounts can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, using VPN services that don’t have a physical presence in the UK, and also using apps like Signal for text messaging, or Tresorit for file sharing.

Most importantly, everyone needs to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

(End of ProtonMail Summary)

Silencing the Canary 

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. The canary is a reference to the canaries used to provide warnings in coal mines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period.

A company might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period. NSLs under the Patriot Act come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gags are unconstitutional, that order is currently stayed pending the government’s appeal). When the company who is in receipt of an NSL issues a subsequent transparency report without that statement, the reader may infer from the silence that the company has now received an NSL.

The IPA has a different approach to this Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR .

END