Tag Archives: BigSurveillance

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data, the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is intact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any particular attack against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing, this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

“All uR devICE r belong 2 US”, Vault 7, Weeping Angel, the CIA & Your Samsung TV

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS.

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is its most emblematic realization.

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.

In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

ENDS

Extracted entirely from Vault 7: CIA Hacking Tools Revealed

Official Government Response to “Repeal the new Surveillance Laws (Investigatory Powers Act)” Petition

Dear Graham Penrose,

The Government has responded to the petition you signed – “Repeal the new Surveillance laws (Investigatory Powers Act)”.

Government responded:

The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers. It protects both privacy and security and underwent unprecedented scrutiny before becoming law.

The Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its passage.

The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others. The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human rights and the particular sensitivity of certain information. The powers can only be exercised when it is necessary and proportionate to do so, and the Act includes tough sanctions – including the creation of new criminal offences – for those misusing the powers.

The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both privacy and security.

Home Office

Click this link to view the response online:

https://petition.parliament.uk/petitions/173199?reveal_response=yes

This petition has over 100,000 signatures. The Petitions Committee will consider it for a debate. They can also gather further evidence and press the government for action.

The Committee is made up of 11 MPs, from political parties in government and in opposition. It is entirely independent of the Government. Find out more about the Committee: https://petition.parliament.uk/help#petitions-committee

Thanks,
The Petitions Team
UK Government and Parliament

State Surveillance in Ireland Part 2: Establishing Credibility & Demonstrating A Culture of Silence

In Part 2, I simply briefly describe my attempts to acquire information from the various entities – organisations, government departments and individuals – responsible for oversight with respect to the 1993 Interception of Postal Packets and Telecommunications Messages Act and the 2009 Criminal Justice (Surveillance) Act.

I sought their opinions on certain matters in order to inform my findings on the subject of accountability and the chain of command and oversight with respect to state sponsored surveillance programmes in the Republic of Ireland.

In July 2014, after issuing multiple unanswered requests under the Freedom of Information Act 1997 (FOI), as amended by the Freedom of Information (Amendment) Act 2003, I then proceeded to send information packets by registered post to multiple organisations, government departments and individuals.

The packets contained detailed background information on the reasons for my questions and a detailed articulation of each of the questions I was seeking answers to / opinions on (including their views on why they thought that I had not received the requested information via the FOI process):

  1. Mr. Michael Noonan TD, Minister for Finance, Department of Finance, Government Buildings, Upper Merrion Street, Dublin 2
  2. Ms. Frances Fitzgerald TD, Minister for Justice & Equality, Department of Justice, Government Buildings, Upper Merrion Street, Dublin 2
  3. Ms. Claire Loftus, Director of Public Prosecutions, The Office of the Director of Public Prosecutions, Infirmary Road, Dublin 2
  4. Ms. Nóirín O’Sullivan, Garda Commissioner, Office of the Garda Commissioner, Garda HQ, Phoenix Park, Dublin 8
  5. Citizens Information Board, Ground Floor, George’s Quay House, 43 Townsend St, Dublin 2
  6. Blanchardstown / D15 Citizens Information Centre, Westend House, Snugborough Rd, Blanchardstown, Co. Dublin
  7. Office of the Revenue Commissioners, The Revenue Solicitors Office, Ship Street Gate, Dublin Castle, Dublin 2
  8. Ms. Marie-Claire Maney, Revenue Solicitor, The Revenue Solicitors Office, Ship Street Gate, Dublin Castle, Dublin 2
  9. Ms. Josephine Feehily, Chairman, Office of the Revenue Commissioners, Castle Yard, Dublin Castle, Dublin 2
  10. Mr. Michael Gladney, Collector General, Sarsfield House, Francis Street, Limerick
  11. Principal Officer, Office of the Revenue Commissioners, Dublin Region, Investigations District, Block D, Ashtowngate, Navan Road, Dublin 15
  12. Principal Officer, Office of the Revenue Commissioners, Dublin Region, South County District, Plaza Complex, Belgard Road, Tallaght, Dublin 24
  13. Principal Officer, Office of the Revenue Commissioners, Investigations & Prosecutions Unit, Castle View, 52-57 South Great George’s St, Dublin 2
  14. Principal Officer, Office of the Revenue Commissioners, Customs Criminal Investigations, 5th Floor, Block D, Ashtowngate, Navan Road, Dublin 15
  15. Principal Officer, Office of the Revenue Commissioners, Customs Enforcement Unit, M:TEKII Building, Armagh Road, Monaghan, Co. Monaghan
  16. The Hon. Mrs. Justice Ms. Susan Denham, Chief Justice of the Supreme Court of Ireland, Four Courts, Inns Quay, Dublin 7
  17. The Hon. Mr. Justice Mr. Nicholas Kearns, President of the High Court, Four Courts, Inns Quay, Dublin 7
  18. Simon O’Brien, Commissioner, Garda Siochana Ombudsman Commission, 150 Upper Abbey Street, Dublin 1
  19. The Office of the Ombudsman
  20. The Office of Garda Siochana Ombudsman Commission

I received one response – from the secretary to Mr. Michael Noonan TD, Minister for Finance, Department of Finance – acknowledging receipt of my correspondence.

That is all.

END

What’s the French word for PRISM?

In December 2014, the French government published a decree enacting an internet surveillance law that was passed a year before. The measure allowed authorities ‘administrative access to connection data,’ and came into force on 1 January 2015.

The decree provided French officials with access to data including phone calls, text messages and internet access by both private users and operators. The enactment of the law came as a surprise, as less than two months previously François Hollande had expressed his “deep disapproval” to Barack Obama at revelations that the NSA had been intercepting millions of phone calls in France. He described it as an “unacceptable practice.”

The new powers created an “interdepartmental group” in charge of security interceptions and administrative access, gathering requests for certain data and obtaining it from operators. Several branches within the French Interior Ministry, the Ministry of Defense and a directorate at the Ministry of Finance are now entitled to “order” intercepts.

These powers have been granted under the flag of protection from the terrorist threat. An oversight body called the National Control Commission for Security Interceptions (CNCIS) was also set up to supervise these new governmental data control powers.

Conveniently (for the French authorities) it is allowed to oversee documents and information asked to be disclosed to the authorities but it has no power to sanction anyone, or alert any third party of abuse of the new powers.

A snapshot of the “bag of tricks” now available to the participating departments includes:

  • Monitor emails and phone calls of suspects and their contacts without seeking authorization from a judge;
  • Obligation on telecommunications and internet companies to automatically filter vast amounts of metadata to flag suspicious patterns;
  • Make all of this data freely available to intelligence services;
  • The intelligence services are also now permitted to plant cameras and bugs in the homes of suspects without court orders;
  • And the use of keystroke-loggers to track their online behavior is also sanctioned at the discretion of the French departments and intelligence agencies.

Privacy International, Amnesty International, human rights organizations, the French National Digital Council and several French web hosting companies have expressed alarm over the laws. The commercial outfits though are more concerned that the threat of constant government intrusion would undermine their business/profits rather than result in illegal and unwarranted surveillance of citizens.

Under the law, internet service providers would have to install monitoring mechanisms — referred to by the French media as “black boxes” — that would use algorithms to detect, in real time, suspicious behaviors in internet metadata.

Supporters stress that this metadata would remain anonymous and that content of communications would not be automatically swept up, but the behaviors that would constitute a “terrorist-like” pattern are still unclear.

Critics say it is mass surveillance on a disproportionately large scale. Under the bill, recordings could be stored for up to one month, and metadata for up to five years.

The often quoted East German Stasi method of using a network of 2,000,000 HUMINT assets as the largest government sanctioned breach of privacy rights in history now seems like amateur day when compared to the 66,000,000 SIGINT black boxes now monitoring the French population.

END.

The “FVEY” SIGINT Espionage Alliance

The French, Belgian, Egyptian and Yemeni authorities have all in the last 12 months failed to connect the dots on available data that might have prevented or lessened the Hebdo, Bataclan, Zaventem & Maalbeek atrocities.

Some of their foreign counterparts however are part of an exclusive alliance that shares intelligence that does in many cases provide insights that the individual portions do not.

The Five Eyes intelligence alliance is led by the USA. Often abbreviated as “FVEY” the alliance comprises Australia, Canada, New Zealand, the United Kingdom, and the United States. They are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

FVEY’s origins can be traced back to the Atlantic Charter issued by the Allies to lay out their goals for a post-war world in 1945. During the Cold War, the ECHELON surveillance system was initially developed by the FVEY to monitor the communications of the former Soviet Union and the Eastern Bloc. Later, it was alleged that it was also used to monitor billions of private communications worldwide.

ECHELON’s existence was disclosed in the late 1990s and it triggered a major debate in the European Parliament. As part of efforts in the so-called War on Terror, the FVEY further expanded their surveillance capabilities, with much emphasis placed on monitoring internet communications.

Snowden describes the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The leaked documents also revealed the existence of numerous surveillance programs jointly operated by the Five Eyes including:

  • PRISM – Operated by the NSA together with the GCHQ and the ASD;
  • XKeyscore – Operated by the NSA with contributions from the ASD and the GCSB;
  • Tempora – Operated by the GCHQ with contributions from the NSA;
  • MUSCULAR – Operated by the GCHQ and the NSA;
  • STATEROOM – Operated by the ASD, CIA, CSEC, GCHQ, and NSA.

Despite the disclosures, no amount of outrage will affect the Five Eyes, which remains the most extensive known espionage alliance in history.

END.