The NSA is Hacking Your Games

nsa

That sounds crazy right? Even given how unscrupulous the NSA has been revealed of late, surely they aren’t using app stores to track us? Wrong. That’s exactly what they are doing.

In the latest of docs leaked by Edward Snowden, it is revealed that the NSA and the spy organizations of the UK, New Zealand, Canada and Australia (yes folks, the good guys) were working together to exploit the kinds of weaknesses in mobile apps which criminal hackers usually use to steal identities for their own espionage purposes. The technical details are super boring, so I won’t waste your time with them. But essentially, they were combing through popular apps to find their own exploits, then planning to use those exploits to collect data and track individuals. Mobile devices are ideally equipped to let spies track us; all they have to do is match the SIM to the individual and it’s game on.

The project was called ‘Irritant Horn’ (who comes up with these names?) and it’s not 100% clear to what extent it was fully deployed. Of course, if it was done well enough, we wouldn’t be able to tell. The agencies were particularly interested in African countries and Asia. Almost hilariously, the most popular mobile browser in China was characterized as leaking like a sieve. Leaving users open to a wide range of tracking and interception, they were even able to send fake messages from one identified user to another once those users had been infected by the spyware the actual spies were using.

Naturally, the responsible agencies are claiming ‘appropriate oversight’ and self-defense. Google, Apple and Samsung have no comment and I’m sure that this story will be buried as quickly as possible. But next time you are noodling on Candy Crush, just remember that Big Brother is watching you.

The NSA May Have Been Hiding in Your Computer for 14 Years

FILE PHOTO  NSA Compiles Massive Database Of Private Phone Calls

Security researchers at Kaspersky Lab have unearthed a suite of surveillance platforms that can hide within the firmware of hard drives from more than a dozen manufacturers. The attackers, which Kaspersky is calling the Equation Group due to their complex skill set, are the most advanced that the researchers have encountered to date.

The programs, some of which date back to 2001, appear to have been developed in succession with each new program being more sophisticated than the last. Personal computers in more than 30 different countries have been discovered to carry the infection.

One of the worms uncovered has direct connections with Stuxnet and may have even been used as a test to help figure out the best route for the malware to reach systems involved in Iran’s nuclear program. Researchers didn’t name who they believe might be behind the attacks although there’s a good bit of circumstantial evidence that points to the NSA.

One component of the suite, GrayFish, is able to re-flash the firmware on hard drives. Because it resides in the firmware, reformatting the drive doesn’t get rid of the infection. Key to being able to rewrite the firmware is having access to source code. If the NSA is indeed behind the attacks, getting source code wouldn’t present too much of an issue.

In addition to physically intercepting shipments (in this case, hard drives) and loading them with malware before repackaging and sending to targets, the NSA could have simply asked manufacturers for their source code (directly or indirectly) or posed as software developers.

Google is joining Apple in the fight for NSA privacy

metadata-nsa-cell-phone-spying

Google is releasing the next generation of the Android operating system next month, and it will encrypt data by default for the first time. This raises yet another barrier to police gaining access to the troves of personal data typically kept on smartphones.

Android has offered optional encryption on some devices since 2011, but few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically; only somebody who enters a device’s password will be able to see the pictures, videos and communications stored on those smartphones.

The move offers Android, the world’s most popular operating system for smartphones, a degree of protection that resembles what Apple has done for the new iPhone operating system. Both companies have now embraced a form of encryption that in most cases will make it impossible for law enforcement officials to collect evidence from smartphones even when authorities get legally binding search warrants.

This move is part of a broad shift by American technology companies to make their products more resistant to government snooping in the aftermath of revelations of National Security Agency spying by former contractor Edward Snowden.

Expanded deployment of encryption by Google and Apple, however, will have the most direct impact on law enforcement officials, who have long warned that restrictions on their access to electronic devices make it much harder for them to prevent and solve crimes. Last June, the Supreme Court ruled that police needed search warrants to gain access to data stored on phones in most circumstances. But that standard is quickly being rendered moot; eventually no form of legal compulsion will suffice to force the unlocking of most smartphones.

Privacy advocates are ecstatic about the changes by Apple and Google, and especially about their shift toward making encryption automatic, through default settings, so that users get privacy protections without taking any action on their own.

There remain significant differences between how Apple and Google are handling encryption. Apple, which controls both the hardware and software on its devices, will be able to deliver the updated encryption on both new iPhones and iPads, as users update their operating systems with the latest release, iOS 8.

That is likely to happen over the next several weeks, and for those with iOS 8, the encryption will be so secure that the company says it will lack the technical ability to unlock the phones or recover data for anyone — whether it be for police or even users themselves if they forget their device passcodes.

Big Brother is Searching You

nsa-Tor

I have an American bulldog called Hedwig (named after Hedwig and the Angry Inch not the owl from Harry Potter). She is a sweetheart and a lughead at the same time. She has a weak spot for pillows…if she is left with unattended access  there is a good chance we will return to find a thick down of feathers covering everything. She just lies on the floor cowering in abject misery as we yell at her….again. Her argument is “what can I do…I cant stop myself… have a problem!”  The NSA is a lot like Hedwig when it comes to our personal data.

The problem with data is that just as data it’s not that useful. You have to be able to use that data to answer questions. The obvious model to follow is a search engine. So God bless ’em our good friends at the NSA built themselves a “Google like” search engine for all their data. The troubling thing isn’t that they built a search engine….the troubling thing is that according to the law of the land they aren’t allowed to store data on US citizens on a “just incase” basis. Individual US citizens are supposed to be terror suspects or similar before being subject to this kind of scrutiny. In their enthusiasm to collect data on all kinds of potential foreign threats they are also scooping up tons of data on perfectly innocent US citizens and that data is then made searchable through their snappily named Google clone  ICREACH search program.

What our government is doing is circumventing regulations designed to protect our privacy by wrapping a search engine around all of the data stored separately (and perhaps legitimately in some cases) by various government entities and making it searchable by all the agencies irrespective of who gathered it and under what level of legal approval.

This isn’t a new problem. Search technology companies have been solving these problems for large companies for years. Imagine you are Home Depot. You have data in many different databases such as sales, stock inventory, HR records, delivery schedules etc. To manage your business you need to be able to normalize that data so that your people can see the entire picture not just the data limited to the area they specialize in. A search engine can wrap around those different data sources giving insights into the bigger picture.  It also makes sense to present the data in a way already understood by the people working on it. In the same way that the military models their vehicle and weapons control units around XBox controllers so the NSA copied Google. Data perhaps obtained legitimately by agency A is being made completely available to agencies B through Z a lot of data from completely innocent citizens is being collected then made available to any agency employee with access to ICREACH.

The good news is that our leaders who are incapable of launching a website to give access to medical services under the Affordable Care Act have apparently proved able to build and launch a super powerful search platform…an altogether tougher problem. I have a suggestion for that team.  The VA has thousands of veterans who are unable to get services because the government simply can’t find their records. Maybe the ICREACH team could be brought in to index and make searchable the chaos of data collected legitimately by the VA and get those service people the services they need….it’s not as much fun as constantly breaking the fourth amendment…but a good idea none the less.