The Wikipedia Lawsuit against the National Security Agency


Excerpts from the Lawsuit of Wikipedia against the NSA


Case 1:15-cv-00662-RDB

Filed 03/10/15

Plaintiff Wikimedia Foundation communicates with the hundreds of millions of individuals who visit Wikipedia webpages to read or contribute to the vast repository of human knowledge that Wikimedia maintains online. The ability to exchange information in confidence, free from warrantless government monitoring, is essential to each of the Plaintiffs’ work. The challenged surveillance violates Plaintiffs’ privacy and undermines their ability to carry out activities crucial to their missions. Plaintiffs respectfully request that the Court declare the government’s Upstream surveillance to be unlawful; enjoin the government from continuing to conduct Upstream surveillance of Plaintiffs’ communications; and require the government to purge from its databases all of Plaintiffs’ communications that Upstream surveillance has already allowed the government to obtain….

The government conducts at least two kinds of surveillance under the Foreign Intelligence Surveillance Amendments Act of 2008 (FAA). Under a program called “PRISM,” the government obtains stored and real-time communications directly from U.S. companies—such as Google, Yahoo, Facebook, and Microsoft—that provide communications services to targeted accounts.

This case concerns a second form of surveillance, called Upstream. Upstream surveillance involves the NSA’s seizing and searching the internet communications of U.S. citizens and residents en masse as those communications travel across the internet “backbone” in the United States. The internet backbone is the network of high-capacity cables, switches, and routers that facilitates both domestic and international communication via the internet. The NSA conducts Upstream surveillance by connecting surveillance devices to multiple major internet cables, switches, and routers inside the United States. These access points are controlled by the country’s largest telecommunications providers, including Verizon Communications, Inc. and AT&T, Inc. ….

With the assistance of telecommunications providers, the NSA intercepts a wide variety of internet communications, including emails, instant messages, webpages, voice calls, and video chats. It copies and reviews substantially all international emails and other “text-based” communications—i.e., those whose content includes searchable text.

More specifically, Upstream surveillance encompasses the following processes, some of which are implemented by telecommunications providers acting at the NSA’s direction:

• Copying. Using surveillance devices installed at key access points, the NSA makes a copy of substantially all international text-based communications—and many domestic ones—flowing across certain high-capacity cables, switches, and routers. The copied traffic includes email, internet-messaging communications, web-browsing content, and search-engine queries.

• Filtering. The NSA attempts to filter out and discard some wholly domestic communications from the stream of internet data, while preserving international communications. The NSA’s filtering out of domestic communications is incomplete, however, for multiple reasons. Among them, the NSA does not eliminate bundles of domestic and international communications that transit the internet backbone together. Nor does it eliminate domestic communications that happen to be routed abroad.

• Content Review. The NSA reviews the copied communications—including their full content—for instances of its search terms. The search terms, called “selectors,” include email addresses, phone numbers, internet protocol (“IP”) addresses, and other identifiers that NSA analysts believe to be associated with foreign intelligence targets. Again, the NSA’s targets are not limited to suspected foreign agents and terrorists, nor are its selectors limited to individual email addresses. The NSA may monitor or “task” selectors used by large groups of people who are not suspected of any wrongdoing—such as the IP addresses of computer servers used by hundreds of different people.

• Retention and Use. The NSA retains all communications that contain selectors associated with its targets, as well as those that happened to be bundled with them in transit….

…, NSA analysts may read, query, data-mine, and analyze these communications with few restrictions, and they may share the results of those efforts with the FBI, including in aid of criminal investigations…. In other words, the NSA copies and reviews the communications of millions of innocent people to determine whether they are discussing or reading anything containing the NSA’s search terms. The NSA’s practice of reviewing the content of communications for selectors is sometimes called “about” surveillance. This is because its purpose is to identify not just communications that are to or from the NSA’s targets but also those that are merely “about” its targets. Although it could do so, the government makes no meaningful effort to avoid the interception of communications that are merely “about” its targets; nor does it later purge those communications.

PDF document of Lawsuit

Private Espionage for Free

…With so many cheap or free tools out there, it is easy for anyone to set up their own NSA-esque operations and collect data. Though breaching systems and taking data without authorisation is against the law, it is possible to do a decent amount of surveillance entirely legally using open-source intelligence (OSINT) tools…. Daniel Cuthbert, chief operating officer of security consultancy Sensepost, has been happily using OSINT tool Maltego (its open-source version is charmingly called Poortego) to track a number of people online.

Over a few days this summer, he was “stalking” a Twitter user who appeared to be working at the Central Intelligence Agency. Maltego allowed him to collect all social media messages sent out into the internet ether in the area around the CIA’s base in Langley, Virginia. He then picked up on the location of further tweets from the same user, which appeared to show her travelling between her own home and a friend or partner’s house. Not long after Cuthbert started mapping her influence, her account disappeared.

But Cuthbert has been retrieving far more illuminating data by running social network accounts related to Islamic State through Maltego. By simply adding names to the OSINT software and asking it to find links between accounts using commands known as “transforms”, Maltego draws up real-time maps showing how users are related to each other and then uncovers links between their followers. It is possible to gauge their level of influence and which accounts are bots rather than real people. Where GPS data is available, location can be ascertained too, though it is rare to find accounts leaking this – only about 2% of tweets have the feature enabled, says Cuthbert.

He has been trying, with mixed results thanks to Twitter’s deletion of accounts spreading Isis propaganda, to determine how tech savvy its members are and how they operate online. Over the past month, Cuthbert has looked at links between a number of pro-Isis users, including one with the handle @AbuHussain104, who has only tweeted 28 times, yet has more than 1,300 followers already. The prominent pro-sharia law Islamic activist Anjem Choudary has been a keen retweeter of Hussain’s words.  The London-based professional hacker has noted the group’s ability to attract followers online; his research shows how a handful of Isis-affiliated accounts have myriad links and wide influence.

…, Cuthbert is now on the lookout for slipups that reveal the true identity or location of the tweeter. “This is a concern for high-ranking Isis leaders, so much so, they issued a guide on using social media,” he notes, referring to reports of an as-yet unconfirmed document. …

Metagoofil, which runs on Linux or Mac machines, is an ideal software for uncovering data businesses have mistakenly leaked onto the internet. Running this free tool in a Linux distribution, hackers can command it to hunt for files related to a particular domain, specifying how many Google searches to look through and how many documents to download. It will then extract whatever metadata the user is looking for and store it all in a file for perusal later on.

For those who want instant visual results, the Shodan search tool is a remarkable piece of work. Simple searches can reveal miraculous details. For instance, type “IP camera” into the search bar and more than 1.3m internet-connected IP cameras show up from across the world. Add “country:gb” and you’ll be shown more than 54,000 based in Great Britain. You could specify a manufacturer too, such as Samsung. That provides just 13 results. From there, it’s a matter of clicking on the IP addresses to see which ones allow you to view live footage either with or without a password (if you guess the password, even if it’s a default one such as “admin”, it will mean you are likely to have broken the Computer Misuse Act).  Either way, it is very easy to find poorly secured cameras – many have a username of “admin” and no password whatsoever, according to previous research. It is that straightforward: no coding skills required….

“The tools are mostly for reconnaissance,” says Christian Martorella, creator of Metagoofil and theHarvester, another OSINT software that pentesters – or “ethical hackers” – use to map their clients’ internet footprint. “This helps the pentester to have as much information as possible about the targets and plan the attacks. This phase is very important but … pentesters usually overlook this phase or dedicate little time, while attackers seem to spend more time in this phase.”

Privacy-conscious folk can also benefit from OSINT. While looking into how his internet service provider [ISP] was interfering with his internet connection, in a method similar to that used by Verizon for its controversial “permacookie” tracking software, researcher Lee Brotherston last month used Shodan to find servers that intercepted his traffic. The wide range of Perftech servers he found were based across the world, and though his ISP was simply using a “man-in-the-middle” technique to add a warning banner to a website he visited, … But what if the ISP was coerced by a government and dropped malware onto people’s machines as they tried to access websites? The much-maligned surveillance tool FinSpy is used for just that purpose: it is placed into the data centres of ISPs and intercepts traffic to force surreptitious downloads of surveillance software. Instead of dropping banners, as Brotherston’s ISP did, it injects malicious JavaScript. “When you hear about repressive governments that start installing malware on activists’ machines and then arresting them… it’s the same technique. They’re injecting data into a webpage,” says Brotherston, a Canada-based Brit. “If you’re injecting this, you may have a valid business case for doing it, but someone could break in and start dropping malware on people’s machines.”

A number of developers, inspired by the success of Shodan creator John Matherly, have drawn up search sites for hackable systems. Perhaps the most useful for security professionals, whether of the blackhat or whitehat variety, is the Kickstarter-funded PunkSPIDER, a web app vulnerability search engine, which issues an alert as soon as the visitor arrives: “Please do not use this site for malicious purposes … use it wisely or we’ll have to take it away”. It’s remarkably simple. Type or paste in a URL and it will reveal what vulnerabilities have been documented for the related site.

Such is the openness of the web, and such is the carelessness of so many web denizens, any determined citizen can gather up reams of sensitive information on others and collect enough data to create a decent picture of who they are, where they are and what they are doing. The tools are now accessible for the typical web user.

Excerpts from Tom Fox-Brewster, Tracking Isis, stalking the CIA: how anyone can be big brother online, Guardian, Nov. 12, 2014

The Equinet: decentralization v. enclosure of internet

“The Internet governance should be multilateral, transparent, democratic, and representative, with the participation of governments, private sector, civil society, and international organizations, in their respective roles. This should be one of the foundational principles of Internet governance,” the external affairs ministry says in its initial submission to the April 23-24 Global Multistakeholder Meeting on the Future of Internet Governance, also referred to as NETmundial, in Sao Paulo, Brazil. The proposal for a decentralised Internet is significant in view of Edward Snowden’s Wikileaks revelations of mass surveillance in recent months.

“The structures that manage and regulate the core Internet resources need to be internationalized, and made representative and democratic. The governance of the Internet should also be sensitive to the cultures and national interests of all nations.” “The mechanism for governance of the Internet should therefore be transparent and should address all related issues. The Internet must be owned by the global community for mutual benefit and be rendered impervious to possible manipulation or misuse by any particular stake holder, whether state or non-state,” the ministry note says. NETmundial will see representatives from nearly 180 countries participating to debate the future of Internet…

The US announced last month its intent to relinquish control of a vital part of Internet Corporation for Assigned Names and Numbers (ICANN) – the Internet Assigned Numbers Authority (IANA). “Many nations still think that a multilateral role might be more suitable than a multistakeholder approach and two years back India had proposed a 50-nation ‘Committee of Internet Related Policies’ (CIRP) for global internet governance,” Bhattacharjee added.

The concept of Equinet was first floated by Communications Minister Kapil Sibal in 2012 at the Internet Governance Forum in Baku, Azerbaijan.  Dr. Govind, chief executive officer, National Internet Exchange of India, is hopeful that Equinet is achievable. “Equinet is a concept of the Internet as a powerful medium benefiting people across the spectrum. It is all the more significant for India as we have 220 million Internet users, standing third globally after China and the US.”  “Moreover, by the year-end India’s number of Internet users are expected to surpass that of the US. The word Equinet means an equitable Internet which plays the role of an equaliser in the society and not limited only to the privileged people.”

He said the role of government in Internet management is important as far as policy, security and privacy of the cyber space is concerned, but the roles of the private sector, civil society and other stakeholders are no less. “Internet needs to be managed in a more collaborative, cooperative, consultative and consensual manner.”  Talking about the global strategy of renaming Internet as Equinet, he said: “Globally the US has the largest control over the management of the Internet, which is understandable since everything about Internet started there. Developing countries have still not much say over the global management of the Internet. But it is important that the Internet management be more decentralised and globalised so that the developing countries have more participation, have a say in the management where their consent be taken as well.”  The ministry note said: “A mechanism for accountability should be put in place in respect of crimes committed in cyberspace, such that the Internet is a free and secure space for universal benefaction. A ‘new cyber jurisprudence’ needs to be evolved to deal with cyber crime, without being limited by political boundaries and cyber-justice can be delivered in near real time.”

But other experts doubt the possibility of an Equinet or equalising the Internet globally.  Sivasubramanian Muthusamy, president, Internet Society India, Chennai, who is also a participant in the NETmundial, told IANS that the idea of Equinet is not achievable.  “Totally wrong idea. Internet provides a level playing field already. It is designed and operated to be universally accessible, free and open. Internet as it is operated today offers the greatest hope for developing countries to access global markets and prosper.”  “The idea of proposing to rename the Internet as Equinet has a political motive, that would pave way for telecom companies to have a bigger role to bring in harmful commercial models that would destabilize the open architecture of the Internet. If India is considering such a proposal, it would be severely criticized. The proposal does not make any sense. It is wrong advice or misplaced input that must have prompted the government of India to think of such a strange idea,” he said.

Excerpt from India wants Internet to become Equinet, Business Standard, Apr. 20, 2014

Man-in-the-Middle Attack: UK against Belgium

According to Spiegel, documents from the archive of whistleblower Edward Snowden indicate that Britain’s GCHQ intelligence service was behind a cyber attack against Belgacom, a partly state-owned Belgian telecoms company. A “top secret” Government Communications Headquarters (GCHQ) presentation seen by SPIEGEL indicates that the goal of the project, conducted under the codename “Operation Socialist,” was “to enable better exploitation of Belgacom” and to improve understanding of the provider’s infrastructure.

The presentation is undated, but another document indicates that access has been possible since 2010. The document shows that the Belgacom subsidiary Bics, a joint venture between Swisscom and South Africa’s MTN, was on the radar of the British spies.  Belgacom, whose major customers include institutions like the European Commission, the European Council and the European Parliament, ordered an internal investigation following the recent revelations about spying by the United States’ National Security Agency (NSA) and determined it had been the subject of an attack. The company then referred the incident to Belgian prosecutors. Last week, Belgian Prime Minister Elio di Rupo spoke of a “violation of the public firm’s integrity.”

When news first emerged of the cyber attack, suspicions in Belgium were initially directed at the NSA. But the presentation suggests that it was Belgium’s own European Union partner Britain that is behind “Operation Socialist,” even though the presentation indicates that the British used spying technology for the operation that the NSA had developed.  According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a “Quantum Insert” (“QI”). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had “good access” to important parts of Belgacom’s infrastructure, and this seemed to please the British spies, according to the slides.

The documents also suggest that GCHQ continued to probe the areas of infrastructure to which the targeted employees had access. The undated presentation states that they were on the verge of accessing the Belgians’ central roaming router. The router is used to process international traffic. According to the presentation, the British wanted to use this access for complex attacks (“Man in the Middle” attacks)* on smartphone users. The head of GCHQ’s Network Analysis Centre (NAC) described Operation Socialist in the presentation as a “success.”

* From Wikipedia: The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Belgacom Attack: Britain’s GCHQ Hacked Belgian Telecoms Firm, Der Spiegel, Sept. 20, 2013