Tag Archives: surveillance of citizens

Private Espionage for Free

SHODANHackAlerts-Webcam, image from wikipedia

…With so many cheap or free tools out there, it is easy for anyone to set up their own NSA-esque operations and collect data. Though breaching systems and taking data without authorisation is against the law, it is possible to do a decent amount of surveillance entirely legally using open-source intelligence (OSINT) tools…. Daniel Cuthbert, chief operating officer of security consultancy Sensepost, has been happily using OSINT tool Maltego (its open-source version is charmingly called Poortego) [pdf] to track a number of people online.

Over a few days this summer, he was “stalking” a Twitter user who appeared to be working at the Central Intelligence Agency. Maltego allowed him to collect all social media messages sent out into the internet ether in the area around the CIA’s base in Langley, Virginia. He then picked up on the location of further tweets from the same user, which appeared to show her travelling between her own home and a friend or partner’s house. Not long after Cuthbert started mapping her influence, her account disappeared.

But Cuthbert has been retrieving far more illuminating data by running social network accounts related to Islamic State through Maltego. By simply adding names to the OSINT software and asking it to find links between accounts using commands known as “transforms”, Maltego draws up real-time maps showing how users are related to each other and then uncovers links between their followers. It is possible to gauge their level of influence and which accounts are bots rather than real people. Where GPS data is available, location can be ascertained too, though it is rare to find accounts leaking this – only about 2% of tweets have the feature enabled, says Cuthbert.

He has been trying, with mixed results thanks to Twitter’s deletion of accounts spreading Isis propaganda, to determine how tech savvy its members are and how they operate online. Over the past month, Cuthbert has looked at links between a number of pro-Isis users, including one with the handle @AbuHussain104, who has only tweeted 28 times, yet has more than 1,300 followers already. The prominent pro-sharia law Islamic activist Anjem Choudary has been a keen retweeter of Hussain’s words.  The London-based professional hacker has noted the group’s ability to attract followers online; his research shows how a handful of Isis-affiliated accounts have myriad links and wide influence.

…, Cuthbert is now on the lookout for slipups that reveal the true identity or location of the tweeter. “This is a concern for high-ranking Isis leaders, so much so, they issued a guide on using social media,” he notes, referring to reports of an as-yet unconfirmed document.,,,

Metagoofil, which runs on Linux or Mac machines, is an ideal software for uncovering data businesses have mistakenly leaked onto the internet. Running this free tool in a Linux distribution, hackers can command it to hunt for files related to a particular domain, specifying how many Google searches to look through and how many documents to download. It will then extract whatever metadata the user is looking for and store it all in a file for perusal later on.

For those who want instant visual results, the Shodan search tool is a remarkable piece of work. Simple searches can reveal miraculous details. For instance, type “IP camera” into the search bar and more than 1.3m internet-connected IP cameras show up from across the world. Add “country:gb” and you’ll be shown more than 54,000 based in Great Britain. You could specify a manufacturer too, such as Samsung. That provides just 13 results. From there, it’s a matter of clicking on the IP addresses to see which ones allow you to view live footage either with or without a password (if you guess the password, even if it’s a default one such as “admin”, it will mean you are likely to have broken the Computer Misuse Act).  Either way, it is very easy to find poorly secured cameras – many have a username of “admin” and no password whatsoever, according to previous research. It is that straightforward: no coding skills required….

“The tools are mostly for reconnaissance,” says Christian Martorella, creator of Metagoofil and theHarvester, another OSINT software that pentesters – or “ethical hackers” – use to map their clients’ internet footprint. “This helps the pentester to have as much information as possible about the targets and plan the attacks. This phase is very important but … pentesters usually overlook this phase or dedicate little time, while attackers seem to spend more time in this phase.”

Privacy-conscious folk can also benefit from OSINT. While looking into how his internet service provider [ISP] was interfering with his internet connection, in a method similar to that used by Verizon for its controversial “permacookie” tracking software, researcher Lee Brotherston last month used Shodan to find servers that intercepted his traffic. The wide range of Perftech servers he found were based across the world, and though his ISP was simply using a “man-in-the-middle” technique to add a warning banner to a website he visited, … But what if the ISP was coerced by a government and dropped malware onto people’s machines as they tried to access websites? The much-maligned surveillance tool FinSpy is used for just for that purpose: it is placed into the data centres of ISPs and intercepts traffic to force surreptitious downloads of surveillance software. Instead of dropping banners, as Brotherston’s ISP did, it injects malicious JavaScript.  “When you hear about repressive governments that start installing malware on activists’ machines and then arresting them… it’s the same technique. They’re injecting data into a webpage,” says Brotherston, a Canada-based Brit. “If you’re injecting this, you may have a valid business case for doing, it but someone could break in and start dropping malware on people’s machines.”

A number of developers, inspired by the success of Shodan creator John Matherly, have drawn up search sites for hackable systems. Perhaps the most useful for security professionals, whether of the blackhat or whitehat variety, is the Kickstarter-funded PunkSPIDER, a web app vulnerability search engine, which issues an alert as soon as the visitor arrives: “Please do not use this site for malicious purposes … use it wisely or we’ll have to take it away”. It’s remarkably simple. Type or paste in a URL and it will reveal what vulnerabilities have been documented for the related site.

Such is the openness of the web, and such is the carelessness of so many web denizens, any determined citizen can gather up reams of sensitive information on others and collect enough data to create a decent picture of who they are, where they are and what they are doing. The tools are now accessible for the typical web user.

Excerpts fromTom, Fox-Brewster, Tracking Isis, stalking the CIA: how anyone can be big brother online, Guardian, Nov. 12, 2014

The Equinet: decentralization v. enclosure of internet

Internet, image from wikipedia

“The Internet governance should be multilateral, transparent, democratic,and representative, with the participation of governments, private sector, civil society, and international organizations, in their respective roles. This should be one of the foundational principles of Internet governance,” the external affairs ministry says in its initial submission to the April 23-24 Global Multistakeholder Meeting on the Future of Internet Governance, also referred as NETmundial, in Sao Paulo, Brazil.  The proposal for a decentralised Internet is significant in view of Edward Snowden’s Wikileaks revelations of mass surveillance in recent months.

“The structures that manage and regulate the core Internet resources need to be internationalized, and made representative and democratic. The governance of the Internet should also be sensitive to the cultures and national interests of all nations.”The mechanism for governance of the Internet should therefore be transparent and should address all related issues. The Internet must be owned by the global community for mutual benefit and be rendered impervious to possible manipulation or misuse by any particular stake holder, whether state or non-state,” the ministry note says.  NETmundial will see representatives from nearly 180 countries participating to debate the future of Internet…

The US announced last month of its intent to relinquish control of a vital part of Internet Corporation for Assigned Names and Numbers (ICANN) – the Internet Assigned Numbers Authority (IANA).  “Many nations still think that a multilateral role might be more suitable than a multistakeholder approach and two years back India had proposed a 50-nation ‘Committee of Internet Related Policies’ (CIRP) for global internet governance,” Bhattacharjee added.

The concept of Equinet was first floated by Communications Minister Kapil Sibal in 2012 at the Internet Governance Forum in Baku, Azerbaijan.  Dr. Govind, chief executive officer, National Internet Exchange of India, is hopeful that Equinet is achievable. “Equinet is a concept of the Internet as a powerful medium benefiting people across the spectrum. It is all the more significant for India as we have 220 million Internet users, standing third globally after China and the US.”  “Moreover, by the year-end India’s number of Internet users are expected to surpass that of the US. The word Equinet means an equitable Internet which plays the role of an equaliser in the society and not limited only to the privileged people.”

He said the role of government in Internet management is important as far as policy, security and privacy of the cyber space is concerned, but the roles of the private sector, civil society and other stakeholders are no less. “Internet needs to be managed in a more collaborative, cooperative, consultative and consensual manner.”  Talking about the global strategy of renaming Internet as Equinet, he said: “Globally the US has the largest control over the management of the Internet, which is understandable since everything about Internet started there. Developing countries have still not much say over the global management of the Internet. But it is important that the Internet management be more decentralised and globalised so that the developing countries have more participation, have a say in the management where their consent be taken as well.”  The ministry note said: “A mechanism for accountability should be put in place in respect of crimes committed in cyberspace, such that the Internet is a free and secure space for universal benefaction. A ‘new cyber jurisprudence’ needs to be evolved to deal with cyber crime, without being limited by political boundaries and cyber-justice can be delivered in near real time.”

But other experts doubt the possibility of an Equinet or equalising the Internet globally.  Sivasubramanian Muthusamy, president, Internet Society India, Chennai, who is also a participant in the NETmundial, told IANS that the idea of Equinet is not achievable.  “Totally wrong idea. Internet provides a level playing field already. It is designed and operated to be universally accessible, free and open. Internet as it is operated today offers the greatest hope for developing countries to access global markets and prosper.”  “The idea of proposing to rename the Internet as Equinet has a political motive, that would pave way for telecom companies to have a bigger role to bring in harmful commercial models that would destabilize the open architecture of the Internet. If India is considering such a proposal, it would be severely criticized. The proposal does not make any sense. It is wrong advice or misplaced input that must have prompted the government of India to think of such a strange idea,” he said.

Excerpt from India wants Internet to become Equinet, Business Standard, Apr. 20, 2014

State Surveillance of Internet Protests

image from wikipedia

Enthusiasts called protesters in Egypt, Iran, Moldova and Tunisia “Twitter revolutionaries”. That was premature: much of the social-media content supporting the pro-democracy cause came from supporters abroad. But protests in Turkey and Brazil, where digital media are especially popular, do show how technology can muster, manage and amplify demonstrations. Zeynep Tufekci of Princeton University interviewed scores of Turkish protesters. Most cited social media as a spur.

Social media mean that pictures and video spread rapidly; supporters arrive more quickly than police can cart them away, so governments can no longer rely on quelling minor protests by force. A video circulating in Brazil advises citizen journalists to work in packs, adopting military formations to catch government wrongdoing from every available angle.

Highlighting outrageous police behaviour can prompt people to get involved. It also can show more innocuous scenes than the punch-ups and arrests that attract news photographers. These may encourage the hesitant or timid, showing that “protesters are not hooligans or terrorists but people just like you,” says Ethan Zuckerman of MIT.   Social media also counter inflammatory or complacent official channels. When a Turkish television station broadcast a documentary about penguins instead of the street protests, wags photoshopped the bedraggled birds into images of police soaking youths with water cannon, and circulated them in disgust.

Swelling the number of protesters is one thing. Co-ordinating them is another. Several hundred social-media pages advertised demonstrations across Brazil, offering tips on dodging water cannon; some sought volunteers to care for demonstrators’ children. They also helped to direct people who wished to protest in cities abroad. Brazilian hackers used denial of service attacks to briefly disable government websites, including one for next year’s costly football World Cup. All this can help give startling momentum in the real world and online. But it does not necessarily make the protests effective. An amorphous digital crowd can find it hard to agree on demands, accept compromises, or discipline provocateurs. Online voting and other clever e-democracy tools may solve this problem. But not yet.

In the meantime technology can serve the powerful, too. Protesters in Turkey and Brazil say their mobile internet access was throttled, though congestion, not censorship, may be the real culprit. Instructions issued over social networks are easily monitored by police. Amateur footage provides authorities with visual records of those who attend. Witness, an American charity which trains citizen journalists, says that where official snooping is a danger, protesters should be filmed only from behind; last July YouTube, an online video site, introduced a face-blurring tool.

Most protesters are not so careful, and police are getting better at capturing this information themselves. Since 2011 cops in Brazil have tried head-mounted face-detection cameras, which authorities claim can capture up to 400 faces a second. Hoisting them on cheap drones would offer an even better view. Police forces can also recognise demonstrators without actually seeing them: some officers in America have kit capable of recording the identifying code of all the mobile phones within a given area, and officials can also beg or seize the data from mobile operators.

More sought-after is technology that can help forestall protests. Digital marketers have long analysed social-media messages to gauge opinions about products and brands. Brazil’s security services are said to be increasing online monitoring: this can alert police to impending unrest, and spot the main troublemakers. Such tools are experimental. Technology still gives protesters the upper hand, though what they do with it is another question.

Internet protests: The digital demo, Economist, June 29, 2013, at 56

Web Mining and Beyond: FBI against Internet Freedom

Google-Says-the-FBI-Is-Secretly-Spying-on-Some-of-Its-Customers

National Security Letters [NSLs] are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more.  NSLs are a powerful tool because they do not require court approval, and they come with a built-in gag order, preventing recipients from disclosing to anyone that they have even received an NSL. An FBI agent looking into a possible anti-terrorism case can self-issue an NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation into international terrorism or clandestine intelligence activities.

The lack of court oversight raises the possibility for extensive abuse of NSLs under the cover of secrecy, which the gag order only exacerbates. In 2007 a Justice Department Inspector General audit found that the FBI had indeed abused its authority and misused NSLs on many occasions. After 9/11, for example, the FBI paid multimillion-dollar contracts to AT&T and Verizon requiring the companies to station employees inside the FBI and to give these employees access to the telecom databases so they could immediately service FBI requests for telephone records. The IG found that the employees let FBI agents illegally look at customer records without paperwork and even wrote NSLs for the FBI.

The first challenge to NSLs occurred around an NSL that was sent in 2005 to Library Connection, a consolidated back office system for several libraries in Connecticut. The gag order was challenged and found to be unconstitutional because it was a blanket order and was automatic. As a result of that case, the government revised the statute to allow recipients to challenge the gag order. .  Now companies can simply notify the FBI in writing that they oppose the gag order, leaving the burden on the FBI to prove in court that disclosure of an NSL would harm a national security case. The case also led to changes in Justice Department procedures. Since Feb. 2009, NSLs must include express notification to recipients that they have a right to challenge the built-in gag order that prevents them from disclosing to anyone that the government is seeking customer records.

Few recipients, however, have ever used this right to challenge the letters or gag orders.

When recipients have challenged NSLs, the proceedings have occurred mostly in secret, with court documents either sealed or redacted heavily to cover the name of the recipient and other identifying details about the case.

On March 2013  U.S. District Judge Susan Illston (California) ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration’s surveillance practices. She also ordered the government to cease enforcing the gag provision in any other cases. However, she stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.

“We are very pleased that the Court recognized the fatal constitutional shortcomings of the NSL statute,” said Matt Zimmerman, senior staff attorney for the Electronic Frontier Foundation, which filed a challenge to NSLs on behalf of an unknown telecom that received an NSL in 2011. “The government’s gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience.”  The telecommunications company received the ultra-secret demand letter in 2011 from the FBI seeking information about a customer or customers. The company took the extraordinary and rare step of challenging the underlying authority of the National Security Letter, as well as the legitimacy of the gag order that came with it.

After the telecom challenged the NSL, the Justice Department took its own extraordinary measure and sued the company, arguing in court documents that the company was violating the law by challenging its authority.

In her ruling, Judge Illston agreed with EFF, saying that the NSL nondisclosure provisions “significantly infringe on speech regarding controversial government powers.”  She noted that the telecom had been “adamant about its desire to speak publicly about the fact that it received the NSL at issue to further inform the ongoing public debate” on the government’s use of the letters.  She also said that the review process for challenging an order violated the separation of powers. Because the gag order provisions cannot be separated from the rest of the statute, Illston ruled that the entire statute was unconstitutional.

Illston found that although the government made a strong argument for prohibiting the recipients of NSLs from disclosing to the target of an investigation or the public the specific information being sought by an NSL, the government did not provide compelling argument that the mere fact of disclosing that an NSL was received harmed national security interests.  A blanket prohibition on disclosure, she found, was overly broad and “creates too large a danger that speech is being unnecessarily restricted.” She noted that 97 percent of the more than 200,000 NSLs that have been issued by the government were issued with nondisclosure orders.

——

Number of NSLs Issued by FBI

2003——-39,346

2004——56,507

2005—–47,221

2006—-49,425

2007—-16,804

2008—-24,744

2009—14,788

2010—24,287

2011—16,511

(Source: DoJ reports)

She also noted that since the gag order on NSL’s is indefinite — unless a recipient files a petition with the court asking it to modify or set aside the nondisclosure order — it amount to a “permanent ban on speech absent the rare recipient who has the resources and motivation to hire counsel and affirmatively seek review by a district court.”

This case is remarkable for a number of reasons, among them the fact that a telecom challenged the NSL in the first place, and that EFF got the government to agree to release some of the documents to the public, though the telecom was not identified in them. The Wall Street Journal, however, used details left in the court records, and narrowed the likely plaintiffs down to one, a small San-Francisco-based telecom named Credo. The company’s CEO, Michael Kieschnick, didn’t confirm or deny that his company is the unidentified recipient of the NSL, but did release a statement following Illston’s ruling.

“This ruling is the most significant court victory for our constitutional rights since the dark day when George W. Bush signed the Patriot Act,” Kieschnick said. “This decision is notable for its clarity and depth. From this day forward, the U.S. government’s unconstitutional practice of using National Security Letters to obtain private information without court oversight and its denial of the First Amendment rights of National Security Letter recipients have finally been stopped by our courts.”

The case began sometime in 2011, when Credo or another telecom received the NSL from the FBI.EFF filed a challenge on behalf of the telecom.   In May that year on First Amendment grounds, asserting first that the gag order amounted to unconstitutional prior restraint and, second, that the NSL statute itself “violates the anonymous speech and associational rights of Americans” by forcing companies to hand over data about their customers.

The redacted documents don’t indicate the exact information the government was seeking from the telecom, and EFF won’t disclose the details. But by way of general explanation, Zimmerman said that the NSL statute allows the government to compel an ISP or web site to hand over information about someone who posted anonymously to a message board or to compel a phone company to hand over “calling circle” information, that is, information about who has communicated with someone by phone.

An FBI agent could give a telecom a name or a phone number, for example, and ask for the numbers and identities of anyone who has communicated with that person. “They’re asking for association information – who do you hang out with, who do you communicate with, [in order] to get information about previously unknown people.

“That’s the fatal flaw with this [law],” Zimmerman told Wired last year. “Once the FBI is able to do this snooping, to find out who Americans are communicating with and associating with, there’s no remedy that makes them whole after the fact. So there needs to be some process in place so the court has the ability ahead of time to step in on behalf of Americans

Excerpts, Kim Zetter, Federal Judge Finds National Security Letters: Unconstitutional, Bans Them, Wired,  Mar. 15, 2013

Who is Trapwire? CIA’s surveillance machinery

Trapwire is the name of a program revealed in the latest Wikileaks bonanza—it is the mother of all leaks, by the way….. “Former senior intelligence officials have created a detailed surveillance system more accurate than modern facial recognition technology—and have installed it across the U.S. under the radar of most Americans, according to emails hacked by Anonymous.  Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It’s part of a program called TrapWire and it’s the brainchild of the Abraxas, a Northern Virginia company (has been acquired by Cubic corporation) staffed with elite from America’s intelligence community.  The employee roster at Arbaxas reads like a who’s who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation’s ties are assumed to go deeper than even documented. The details on Abraxas and, to an even greater extent TrapWire, are scarce, however, and not without reason. For a program touted as a tool to thwart terrorism and monitor activity meant to be under wraps, its understandable that Abraxas would want the program’s public presence to be relatively limited. But thanks to last year’s hack of the Strategic Forecasting intelligence agency, or Stratfor, all of that is quickly changing.”  So: those spooky new “circular” dark globe cameras installed in your neighborhood park, town, or city—they aren’t just passively monitoring. They’re plugged into Trapwire and they are potentially monitoring every single person via facial recognition.

Excerpts, David Seaman, WIKILEAKS: Surveillance Cameras Around The Country Are Being Used In A Huge Spy Network, Businessinsider.com, Aug. 10, 2012

See also Top Secret America

wikileaks page