Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide. When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept. We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team.
Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.” A Niche for Commercial Spyware How It Works. Adobe’s e-book reader sends your reading logs back to Adobe—in plain text. Adobe’s Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries—actively logs and reports every document readers add to their local “library” along with what users do with those files.
Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers’ shoulders. Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply. Update, 6:23 PM ET: An Adobe spokesperson now says the company is working on an update. An Adobe spokesperson provided the following statement: Here's what Adobe says they collect: NSA/GCHQ/CES Infecting Innocent Computers Worldwide. There's a new story on the c't magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks.
These are not target computers; these are innocent third parties. The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they've completed port scans of 27 different countries and are prepared to do more. The point of this is to create ORBs, or Operational Relay Boxes.
Slides from the UK's GCHQ also talk about ORB detection, as part of a program called MUGSHOT. The slides never say how many of the "potential ORBs" CESG discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected, but they're all stored in a database for future use. The story contains formerly TOP SECRET documents from the US, UK, and Canada. Tags: GCHQ, malware, NSA, scanners, UK. NSA/GCHQ: The HACIENDA Program for Internet Colonization - c't Magazin. Translations of this article are available in German, French, Italian and Spanish. Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems.
In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations (Figure 1, see the picture gallery). Twenty-seven countries are listed as targets of the HACIENDA program in the presentation (Figure 2), which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail (Figure 3). Bild 1 von 26 The HACIENDA Programm The documents do not spell out details for a review process or the need to justify such an action. Background: The TCP Three-Way Handshake The most commonly-used protocol on the Internet is TCP | the Transmission Control Protocol. The Authors The Enemy Online Every device a target Internet Colonization TCP Stealth 1. 2. 3. Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level.
Getty Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes. Now the technique is being adopted by a different kind of a hacker—the kind with a badge.
For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants.
Microsoft Ireland Case: Can a US Warrant Compel A US Provider to Disclose Data Stored Abroad? The animating question in this case is whether a U.S. law enforcement agency can compel a U.S. provider of communications service to disclose the content of digital information the provider stores outside the U.S. The Stored Communications Act (SCA), part of the Electronic Communications Privacy Act (ECPA) of 1986, does not explicitly address the issue.
The SCA authorizes the Government to seek the contents of stored communications that are more than 180 days old, using a subpoena, a court order issued under 18 USC 2703(d), or a warrant. The Government takes the position that a subpoena can also compel disclosure of opened email no matter its age. However, Microsoft and most other large providers apply U.S. v. Warshak, 631 F.3d 266 (6th Cir. 2010) on a nationwide basis, and require warrants for all content. The parties have briefed the case, and Microsoft enjoys amicus support from AT&T, Verizon, Cisco/Apple and the Electronic Frontier Foundation. I. A. B. C. D. E. II. A. B. C. III. Supreme Court to Cops Who Want to Search Your Cellphone: Get a Warrant. On Wednesday, the Supreme Court unanimously ruled that police generally may not search the cellphones of Americans who have been arrested without a search warrant.
(You can read the decision here; it's also posted below.) In a sweeping win for digital privacy rights, the justices recognized that cellphones contain "vast quantities of personal information" and are fundamentally different than other items that a person might have on his or her body when arrested. "Before cellphones, a search of a person was limited by physical realities and generally constituted only a narrow intrusion on privacy. But cellphones can store millions of pages of text, thousands of pictures or hundreds of videos. This has several interrelated privacy consequences," reads the opinion, which reverses the decision of the California appellate court in Riley v. California. The Supreme court was asked to consider two cases—United States v. So, why are police allowed to search my cellphone without a warrant?
Forbes. Data-Sharing Agreements. PRISM - Where do we go from here? | www.alexanderhanff.com. In light of the shocking revelations regarding the United States surveillance machine (the National Security Agency) and their PRISM initiative - one has to ask how do we move forward? As you can see from my previous blog post, I have personally written to President Barroso of the European Commission asking that the Commission immediately revoke the Safe Harbour status of the United States, ban all US companies from EU markets until such time as the US Government acknowledge and uphold the fundamental and constitutional rights of European citizens and begin a formal investigation into the allegations that the UK Government's signals analysis agency GCHQ used PRISM to circumvent the legal processes in place governing the acquisition and interception of citizens' communications.
People have already started to ask me to recommend some alternatives to the popular services we use online, to be honest there aren't very many. For the above reasons, I once again turn my old friends at Ixquick. File Sharing. EPIC Online Guide to Practical Privacy Tools. Disclaimer: EPIC does not lobby for, consult, or advise companies, nor do we endorse specific products or services. This list merely serves as a sampling of available privacy-enhancing tools. If you have a suggestion for a tool that you believe should be included, or if you have comments to share regarding one or more of the tools that are already listed, send e-mail to epic-info@epic.org.
If you have questions about a tool on this page, visit the affiliated company or individual's Web site for more information. CD/USB Based Operating Systems Tails: live operating system that can run from removable media without leaving tracks. Internet Anonymizers, Virtual Private Networks (VPNs) and Proxy Servers Web Browser Ad-ons HTTPS Everywhere (Firefox, Chrome): forces HTTPS versions of websites were they are available.
Search Engines DuckDuckGo: anonymous, encrypted web searches. ixquick: anonymous, encrypted web searches. Email/Communication Encryption Alternative Email Accounts Anonymous Remailers. Lavabit Files Opening Brief in Landmark Privacy Case | Threat Level. Edward Snowden. Courtesy of the Guardian Secure email provider Lavabit just filed the opening brief in its appeal of a court order demanding it turn over the private SSL keys that protected all web traffic to the site. The government proposed to examine and copy Lavabit’s most sensitive, closely guarded records–its private keys–despite the fact that those keys were not contraband, were not the fruits of any crime, were not used to commit any crime, and were not evidence of any crime.
Rather, the government obtained a warrant to search and seize Lavabit’s property simply because it believed that the information would be helpful to know as it conducted its investigation of someone else. The name of the target is redacted from the brief, and from unsealed records in the case. The appeal brief correctly notes that the SSL keys would have allowed the government to eavesdrop on any or all of Lavabit’s 400,000 users as they used the site, though the government promised it wouldn’t do that.
Judges Poised to Hand U.S. Spies the Keys to the Internet | Threat Level. How does the NSA get the private crypto keys that allow it to bulk eavesdrop on some email providers and social networking sites? It’s one of the mysteries yet unanswered by the Edward Snowden leaks. But we know that so-called SSL keys are prized by the NSA – understandably, since one tiny 256 byte key can expose millions of people to intelligence collection. And we know that the agency has a specialized group that collects such keys by hook or by crook.
That’s about it. Which is why the appellate court challenge pitting encrypted email provider Lavabit against the Justice Department is so important: It’s the only publicly documented case where a district judge has ordered an internet company to hand over its SSL key to the U.S. government — in this case, the FBI. Oral arguments in the Lavabit appeal were heard by a three-judge panel in Richmond, Virginia last week. The audio (.mp3) is available online (and PC World covered it from the courtroom). Lavabit founder Ladar Levison. The New Yorker | Strongbox. Our privacy promise The New Yorker's Strongbox is designed to let you communicate with our writers and editors with greater anonymity and security than afforded by conventional e-mail.
When you visit or use our public Strongbox server, The New Yorker and our parent company, Condé Nast, will not record your I.P. address or information about your browser, computer, or operating system, nor will we embed third-party content or deliver cookies to your browser. Strongbox servers are under the physical control of The New Yorker and Condé Nast in a physically and logically segregated area at a secure data center. Strongbox servers and network share no elements in common with The New Yorker or Condé Nast infrastructure.
Strongbox is designed to be accessed only through a “hidden service” on the Tor anonymity network, which is set up to conceal both your online and physical location from us and to offer full end-to-end encryption for your communications with us. Mobile Surveillance - A Primer. Share This Mobiles can be useful tools for collecting, planning, coordinating and recording activities of NGO staff and activists. But did you know that whenever your phone is on, your location is known to the network operator? Or that each phone and SIM card transmits a unique identifying code, which, unless you are very careful about how you acquire the phone and SIM, can be traced uniquely to you? With cameras, GPS, mobile Internet come ever more dangerous surveillance possibilities, allowing an observer, once they have succeeded in gaining control of the phone, to turn it into a sophisticated recording device.
However, even a simple phone can be tracked whenever it is on the network, and calls and text messages are far from private. This is understandably disquieting to activists involved in sensitive work. Obviously, the most secure way to use a phone is not to use one at all. The IMEI number – a number that uniquely identifies the phone hardware SMS you have sent or received Author: Anonymized Phone Location Data Not So Anonymous, Researchers Find | Threat Level. Anonymized mobile phone location data produces a GPS fingerprint that can be easily used to identify a user based on little more than tracking the pings a phone makes to cell towers, a new study shows. Analyzing 15 months of anonymized mobile phone data for about 1.5 million users, researchers at MIT and the Universite Catholique de Louvain in Belgium found that it took very few pieces of data to uniquely identify 95 percent of the users — that is, trace the activity to a specific anonymous individual.
Based on hourly updates of a user’s location, tracked by pings from their mobile phone to nearby cell towers as they moved about or made and received calls and text messages, the researchers could identify the individual from just four “data points.” With just two data points, they could identify about 50 percent of users. “Mobility data is among the most sensitive data currently being collected,” the researchers write in their study, published in Scientific Reports. Sen. Franken Wants Apps To Get Explicit Permission Before Selling Your Whereabouts To Random Third Parties. Last week, I spotted Neil Patrick Harris at a ramen restaurant in D.C. and tweeted about it. I immediately felt a little twinge of guilt about ratting out the star’s location to my Twitter followers… especially after he looked at his phone and started peering around the tiny restaurant, as if he’d spotted my tweet and was looking for the responsible party.
This is one of the downsides of being a public figure in the age of instant public communication; their recognizability makes it harder for them to maintain location privacy. But it’s not just the Neil Patrick Harrises of the world who have to worry about their whereabouts being disclosed to third parties by fans; your smartphone is your biggest fan and it’s constantly telling apps where you are.
“Location information is extremely sensitive information,” Franken said during a Senate Judiciary Committee hearing Thursday. “If a company wants to give your location to third parties, they need your permission,” said Franken. Also on Forbes: OVERNIGHT TECH: Senate Judiciary to consider location privacy bill. Mobile Carriers Lobby Against Cell Phone Location Privacy Bill | Threat Level.
Senators strip reporting requirement from location privacy bill | Tech Chronicles. Spy tech secretly embeds itself in phones, monitors and operates them from afar. Getting the Message? Police Track Phones with Silent SMS. Cellphones Track Your Every Move, and You May Not Even Know. Android phones keep location cache, too, but it's harder to access. Cell Phone Location Tracking Public Records Request.
Your Privacy Online - What They Know.
Anonymity. Social networks: privacy/security. Google: privacy. Microsoft: privacy. Still trust DuckDuckGo? | www.alexanderhanff.com. This Internet provider pledges to put your privacy first. Always. | Privacy Inc. Who is Neustar? UltraViolet shines light on locker in the cloud. There is no such thing as anonymous online tracking.
Privacy Study: Top U.S. Websites Share Visitor Personal Data - Digits. Security, Censorship, & Internet. La Quadrature du Net | Internet & Libertés. Internet4.org - internet4.org. To whom it may concern I took the red pill I took it when I joined some IR. Free Dropbox Forensics Tool. 2010 Report on Distributed Denial of Service (DDoS) Attacks. 5 data breaches: From embarrassing to deadly - Netflix accidentally reveals rental histories (1) - CNNMoney.com. Hackers 'steal US data in Christmas-inspired assault' Long Live the Web.