Cyber Security Intelligence


November Newsletter #3 2014

Google’s secret NSA alliance: The terrifying deals between Silicon Valley and the security state

Cover detail of "@War" by Shane Harris

In mid-December 2009, engineers at Google’s headquarters in Mountain View, California, began to suspect that hackers in China had obtained access to private Gmail accounts, including those used by Chinese human rights activists opposed to the government in Beijing. But when the engineers looked more closely, they discovered that this was no ordinary hacking campaign.

In what Google would later describe as “a highly sophisticated and targeted attack on our corporate infrastructure originating from China,” the thieves were able to get access to the password system that allowed Google’s users to sign in to many Google applications at once. This was some of the company’s most important intellectual property, considered among the “crown jewels” of its source code by its engineers. Google wanted concrete evidence of the break-in that it could share with US law enforcement and intelligence authorities. So the company traced the intrusion back to what it believed was its source — a server in Taiwan where data was sent after it was siphoned off Google’s systems, and that was presumably under the control of hackers in mainland China.

“Google broke in to the server,” says a former senior intelligence official who is familiar with the company’s response. The decision wasn’t without legal risk, according to the official. Was this a case of hacking back? Just as there’s no law against a homeowner following a robber back to where he lives, Google didn’t violate any laws by tracing the source of the intrusion into its systems. It’s still unclear how the company’s investigators gained access to the server, but once inside, if they had removed or deleted data, that would cross a legal line. But Google didn’t destroy what it found. In fact, the company did something unexpected and unprecedented — it shared the information.

Google uncovered evidence of one of the most extensive and far-reaching campaigns of cyber espionage in US history. Evidence suggested that Chinese hackers had penetrated the systems of nearly three dozen other companies, including technology mainstays such as Symantec, Yahoo, and Adobe, the defense contractor Northrop Grumman, and the equipment maker Juniper Networks. The breadth of the campaign made it hard to discern a single motive. Was this industrial espionage? Spying on human rights activists? Was China trying to gain espionage footholds in key sectors of the U.S. economy or, worse, implant malware in equipment used to regulate critical infrastructure?

Google shared what it found with the other targeted companies, as well as U.S. law enforcement and intelligence agencies.

On January 12, 2010, Google’s chief legal officer, David Drummond, posted a lengthy statement to the company’s blog, accusing hackers in China of attacking Google’s infrastructure and criticizing the Chinese government for censoring Internet content and suppressing human rights activists.

Back at the State Department, officials saw a rare opportunity to put pressure on China for spying. That night Hillary Clinton issued her own statement. “We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” she said. “The ability to operate with confidence in cyberspace is critical in a modern society and economy.”

As diplomatic maneuvers go, this was pivotal. Google had just given the Obama administration an opening to accuse China of espionage without having to make the case itself. Officials could simply point to what Google had discovered as a result of its own investigation.

On the day that Google’s lawyer wrote the blog post, the NSA’s general counsel began drafting a “cooperative research and development agreement,” a legal pact that was originally devised under a 1980 law to speed up the commercial development of new technologies that are of mutual interest to companies and the government.

The cooperative agreement and reference to a “tailored solution” strongly suggest that Google and the NSA built a device or a technique for monitoring intrusions into the company’s networks. That would give the NSA valuable information for its so-called active defense system, which uses a combination of automated sensors and algorithms to detect malware or signs of an imminent attack and take action against them. One system, called Turmoil, detects traffic that might pose a threat. Then, another automated system called Turbine decides whether to allow the traffic to pass or to block it.

The government could command the company to turn over that information, and it does as part of the NSA’s Prism program, which Google had been participating in for a year by the time it signed the cooperative agreement with the NSA.

Google took a risk forming an alliance with the NSA. The company’s corporate motto, “Don’t be evil,” would seem at odds with the work of a covert surveillance and cyber warfare agency. But Google got useful information in return for its cooperation.

Silk Road 2.0 Seized and Shut: Opinion By Max Vetter

Silk Road 2.0 and 400 other sites believed to be selling illegal items including drugs and weapons have been shut down. The sites operated on the Tor network - a part of the Internet unreachable via traditional search engines. The joint operation between 16 European countries and the US saw 17 arrests, including Blake Benthall who is said to be behind Silk Road 2.0.

Only a year after its predecessor was closed, Silk Road 2.0 was recently shut down, along with 27 other Dark Web websites, in a coordinated transnational police operation called ‘Operation Onymous’. I spoke on the BBC World Service about how this will affect the Dark Web.
As with every closure of a Dark Web website, the main question is how authorities found the location of the server. Instead of hacking Silk Road 2.0 (as was done with Silk Road 1), court documents reveal that an FBI undercover officer was active within the Silk Road 2.0 community from its inception. This officer appears to have been given administrator rights to the server, allowing him to clone it and find where it was located. No doubt other technical capabilities were utilised in seizing so many websites, and those working on the Tor project are concerned for the security of the network and the ramifications it may have for the people it protects, like human rights activists.

The administrator of Silk Road 2.0 is allegedly 26-year-old Blake Benthall, a churchgoer and “computer genius” who reportedly never touched drugs; not the typical drugs kingpin. Like Ross Ulbricht before him, Benthall is a young, tech-savvy American male who made a number of simple errors that led to his arrest, including using his personal email address when registering the server. There is a theme appearing here: a class of neo-libertarian crypto-hackers who have become involved in developing the Dark Web. These neo-libertarians believe in freeing the world from the tyranny of rules and regulations imposed by big government. The cracks in this theory appear very quickly, as evidenced by Ross Ulbricht’s alleged attempt to have six people assassinated for various reasons during his administration of the site. When there are no regulations or laws to abide by, the only option left is to revert to animalism: kill or be killed.

Ironically, when it comes to narcotics, the free market is exactly the problem. The narcotics trade is a great example of what happens in a truly unregulated capitalist market: death and misery rained down by a powerful few. Those who understand the “drugs problem” also know that legalisation and regulation is the only option, as explained in my previous article. This is not because people should take drugs but because they will.

As for Silk Road 2.0, no doubt buyers and sellers alike will be shaken, scared and poorer after the latest swoop on their community. Some may give up altogether; others will already be trading on other sites, such as the even bigger Agora market. Interestingly, as of writing, Agora is only accepting new registrants with referrals; clearly the admins are nervous. No doubt law enforcement will eventually catch up with the administrators of Agora as well, but developments being made may soon make seizing the server and closing the website a thing of the past.

The technology being developed is called Open Bazaar (previously Dark Market). This market will replace the main point of failure, the centralised server, with a decentralised peer-to-peer style marketplace that exists on every user’s machine. It follows the same pattern as when the music industry attempted to stop music piracy: peer-to-peer BitTorrent software was developed, and it has proven impossible to close down. Once this market is completed and released onto the world there will be very little law enforcement will be able to do to stop it.

The fascinating thing about this area of technology development is the innovation shown and ramifications for other types of technology to branch off. Just like with Bitcoin, some people can use it for nefarious purposes, but it is also an incredible piece of software that may change the face of money transfers and global currencies the world over for the better. Will Open Bazaar do the same for trade or will it just be another market used for narcotics sales that cannot be shut down? Only time will tell.


MH370: 'shock' as plane will be declared 'lost'

Official rebuked for 'astounding' claim that MH370 will be officially recorded as lost by the end of 2014

Families of missing MH370 passengers were left "shocked and confused" after a Malaysia Airlines official suggested the plane could be declared "lost" by the end of this year, raising fears that search efforts in the Indian Ocean could be called off.

The airline's commercial director Hugh Dunleavy allegedly told the New Zealand Herald that the Australian and Malaysian governments were trying to set a date to formally announce the loss of MH370 and that this was likely to be set by the end of the year.

"We don't have a final date but once we've had an official loss recorded we can work with the next of kin on the full compensation payments for those families," he is quoted as saying. This raised fears that the huge undersea search for the missing plane would be terminated.

Voice 370, an association set up for families of those on board the aircraft, said relatives had been left "shocked and confused" by Dunleavy's "astounding" comments, especially since the second phase of the search had only just begun.

Malaysia Airlines has since issued a statement to say the comments were Dunleavy's "personal opinion". The only official updates would be coming from the Australia-based Joint Agency Coordination Centre (JACC), it said. Voice 370 said JACC has assured families that all possible efforts will be exhausted before the search is called off.

50 Celebrities Endorse Edward Snowden

An international coalition of more than fifty actors, musicians and intellectuals has announced its support for Edward Snowden, WikiLeaks, whistleblowers and publishers. Through tweets and social media posts, some are also encouraging donations to the Courage Foundation, which runs the official legal defense fund for Edward Snowden and other whistleblowers and fights for whistleblower protections worldwide.

The announcement coincides with the expanded theatrical release of Laura Poitras’ critically acclaimed documentary CitizenFour — providing a first-hand account of Edward Snowden’s disclosure of the NSA’s mass surveillance program.

The statement reads: ‘We stand in support of those fearless whistleblowers and publishers who risk their lives and careers to stand up for truth and justice. Thanks to the courage of sources like Daniel Ellsberg, Chelsea Manning, Jeremy Hammond, and Edward Snowden, the public can finally see for themselves the war crimes, corruption, mass surveillance, and abuses of power of the U.S. government and other governments around the world. WikiLeaks is essential for its fearless dedication in defending these sources and publishing their truths. These bold and courageous acts spark accountability, can transform governments, and ultimately make the world a better place’.

For the full list of signatories go to:

The State Spies on You – but is it up to the Job?

In the wake of the Snowden affair, finding a balance between national security and our right to privacy raises questions not only of trust but of competence and value for money.

First, what could we do to curb comprehensive surveillance of the net? The Internet engineering community seems determined to do something about it. In its current form, the network is wide open to snooping, because most of its operations are not encrypted. At the Vancouver 2013 meeting of the Internet Engineering Task Force there were discussions about ways of inserting so much cryptographic treacle into the network’s operations that the NSA would have to work much harder to survey it, thereby forcing snoopers to adopt more targeted approaches that would be amenable to credible legal oversight.

The most depressing thing about the political response to the revelations is how crass and simplistic it has been. First we had the yah-boo phase: Snowden was a traitor; the revelations dramatically undermined “national security”; anyone who applauds what he did is a naive idiot; if you have nothing to hide then you have nothing to fear, etc. These are the philosophical equivalent of the debates that go on in bars after Premier League matches.

Finally, there’s the question that is never discussed. Is this bulk surveillance actually effective? Is there credible evidence, as distinct from bland assurances by officials, that it actually works? Why, despite all the snooping, for example, did our intelligence services not pick up the Islamic State threat? And how cost-effective is it? The US currently spends over $100bn a year on counter-terrorism. How much the UK spends we are not told. Are we getting real value for all this taxpayers’ money? I’d like to know. Wouldn’t you?

Interpol's paedophile tracking system 'compromised by privacy concerns' following Snowden spying revelations

The global system designed to track paedophiles is failing as nations refuse to share information following the Edward Snowden spying revelations, child protection experts have warned. Suspicions of government “snooping” and potential privacy breaches have meant that countries have proved unwilling to hold and disseminate information on known and dangerous child abusers.

The main system to identify offenders, the Green Notice, run by Interpol, is out of date, and border authorities are failing to act even when known offenders are travelling to their countries, according to Ernie Allen, a senior US child protection expert who has worked with parliaments in 100 countries on designing new laws.

Of some 20 countries that have sex offenders’ registers, only a handful, including Britain, Australia, Ireland and the US, have any system of restricting the foreign travel of convicted paedophiles.

Allen said that senior politicians from undisclosed countries told him they were unwilling to set up registers, believing that the data should not be held, or expressed concern about a public backlash over the holding of private information in the wake of the National Security Agency controversy.

The continuing expansion of international tourism and the Internet has opened up the possibilities for offending abroad, but law enforcement has failed to keep up, he said. The failure of countries to alert others about the movements of paedophiles, or act on information, has resulted in a series of scandals that have left children alone with known offenders.

A convicted child abuser, Ian Bower, was able to molest children in Cambodia for five years after he fled from Britain in 2006 in breach of his release conditions. He went to work in South-east Asia as an English teacher but even after his arrest for the alleged abuse of children, British authorities failed to seek his extradition. He was finally jailed five years later in Cambodia.

International Police Cyber Stories

Europol and Norway Join to Combat Cyber-Crime

In mid-November, Europol’s European Cybercrime Centre (EC3) and the Norwegian Center for Cyber and Information Security (CCIS) signed a Memorandum of Understanding, initiating cooperation in the fight against cybercrime. Preventing and combating the increasing criminal activities in cyberspace demands a public-private partnership and enhanced cooperation across nations. The European Cybercrime Centre (EC3), hosted by Europol, is contributing significantly to these efforts.

No crime is as borderless as cybercrime, requiring law enforcement authorities to adopt a coordinated and collaborative approach across borders, together with public and private stakeholders alike. Operations of this magnitude cannot be successfully concluded by national police forces alone.

To facilitate close cooperation, EC3 operates so-called advisory groups in which Norway is represented via its Center for Cyber and Information Security (CCIS). Established as a public-private partnership, CCIS promotes new ways of collaboration across organisations and sectors. 25 partners joined the CCIS initiative in order to increase capacity, preparedness, and operational effectiveness in preventing and combating cybercrime.

US Sheriff’s Office pays ransom to cyber criminals

A US law enforcement agency’s data system is hacked by a cyber criminal who holds the sensitive information for ransom until certain demands are met.

Except in recent developments at the Dickson County Sheriff’s Office, that scenario is all too real. The alleged criminal, who used the name “Nimrod Gruber,” extorted $572 from the county by locking up sensitive data with “ransomware” known nationally as “CryptoWall.”
“Our computer system was attacked from an outside source,” said Sheriff Jeff Bledsoe to county commissioners last week.

In recent days, sheriff’s office staff was listening to Dickson radio station WDKN’s online radio stream, according to Bledsoe, when the “ransomware” infected the department’s report management system.

When “cryptowall” struck, staff were notified by on-screen messages that they had a certain amount of time to pay or the data would not be unlocked. The software company used by the department was contacted and verified the malicious software as “cryptowall.”

“Cryptowall works by encrypting files on any attached storage devices with a high-level encryption scheme,” Bledsoe said. “Typically backups are made with storage devices, so in many cases backup data is also vulnerable.

“Although a substantial portion of the data encrypted on the report management server was able to be restored from backups, there were still approximately 72,000 files affected on the host computer, which introduced the malware to the network and the report management system and the attached drives,” the sheriff added.

Bledsoe said the department contacted both the Tennessee Bureau of Investigation and the Federal Bureau of Investigation. He said those agencies advised that the cryptowall extortioners usually release the files when the money is paid.

“My first response is we are not going to be held hostage. We are not going to pay a fee to get our records back,” Bledsoe said. “But once it was determined which records were involved and that they were crucial to victims of crimes in this county, and to the operations of the sheriff’s office and the citizens of this county…I had no choice but to authorize to pay this.”

The sensitive data included “documents vital to our ongoing investigations, booking documents, records, records of issued equipment, documents related to current and past prosecutions and other non-replaceable documents,” Bledsoe said.

The money was paid by a sheriff’s office staff member through Western Union and was reimbursed personally by Bledsoe. The commission approved reimbursing the sheriff for the money last week.

A report published in February by the Dell SecureWorks Counter Threat Unit said cryptowall first became well known in the spring but was identified as early as November last year. The Dell researchers state that cryptowall is the “largest and most destructive ransomware threat on the Internet as of this publication,” and they expect this threat to continue growing.

The report further states: “The ransom has frequently fluctuated at the whim of the...operators, and no exact pattern has been established that determines which victims receive a particular ransom value. Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall's operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”

UK Gloucestershire Police hit by 500 cyber attacks this year

Gloucestershire Police’s Force Control Room has been hit by more than 500 cyber attacks this year. The Force Control Room, at the Constabulary's Waterwells HQ, is the central hub that deals with non-emergency 101 and emergency 999 calls.

Control room police constable Jon Wiffen said: “We are very aware of cyber attacks and physical attacks on the building. We have been hit more than 500 times this year by cyber attacks. When it happens you have to consider whether it is a state-led attack, whether it is terrorism. In one incident it was actually a 14-year-old boy in his bedroom.

“Our IT department is given a maximum of one hour to respond and that is 24 hours of the day, 365 days a year. Our system is state-of-the-art and we have contingency plans in place when there is an incident.”

PC Wiffen was speaking as members of the public were given a rare opportunity to take a look around Gloucestershire Constabulary’s busy control room. Gloucestershire Police is now inviting the public to the control room throughout November. To arrange a visit contact Inspector Simon Goodenough on 01452 754113.

Cyber Alert – Android Phones

Security firm Adaptivemobile has uncovered a new variant of the “Android.Koler.A” malware, which is being called Worm.Koler and is spread by SMS message.

The message received will typically read: “someone made a profile named -[the contact’s name]- and he/she uploaded some of your photos! Is that you?” This will then be followed by a ‘’ URL. On clicking the link the victim is redirected to a file hosting service. Once on that site the victim is encouraged to download an app called ‘Photoviewer’.

Once this app is installed a pop-up screen will appear stating that the device has been locked by the police, and that the user must pay a certain amount to unblock the device.

Whilst this is happening on the screen, in the background, an SMS message will be spammed out to all contacts on the victim’s phone. The message is only sent once to make it appear more authentic.

It appears that this variant is currently being aimed at the US, as the pop-up screens are US based, e.g. purporting to be from the FBI. It is likely that the UK has already been, or will be, affected, but to date the NFIB has not received any reports detailing this type of ransomware.
If you are unsure about any messages containing a link do not click on them, and think about contacting the sender for verification that they intended to send you the message.

For further information please contact the Lincolnshire Police Crime Deduction Unit at
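Defender-side detection of the lure-and-fan-out pattern described in the alert above: an inbound message matching the quoted lure text plus a link, followed by the infected phone sending the same lure once to each contact. This is an added example written for this newsletter, not code from AdaptiveMobile or the NFIB; the SMS log format, the example.invalid link and the burst thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lure text quoted in the alert; the contact's name sits between the dashes and
# the pronoun may be rendered as "he", "she" or "he/she".
LURE_RE = re.compile(
    r"someone made a profile named -.+?- and (?:he/she|he|she) uploaded some of your photos",
    re.IGNORECASE,
)
# A link with a scheme, or a bare short-link host with a path (e.g. host.tld/abc).
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S+", re.IGNORECASE)


def is_koler_lure(body: str) -> bool:
    """True when an SMS body carries the Worm.Koler lure text plus a link."""
    return bool(LURE_RE.search(body)) and bool(URL_RE.search(body))


def parse_records(raw):
    """Convert SMS records with string timestamps into records with datetime objects."""
    return [dict(r, ts=datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")) for r in raw]


def find_spam_bursts(records, window=timedelta(minutes=10), min_recipients=5):
    """Flag outbound fan-out of the lure: lure text sent to many distinct numbers
    inside `window`. Returns one dict per burst; `once_each` records the Koler
    trait that every contact receives the message exactly once."""
    out = sorted(
        (r for r in records if r["direction"] == "out" and is_koler_lure(r["body"])),
        key=lambda r: r["ts"],
    )
    bursts, i = [], 0
    while i < len(out):
        seen, j = {}, i
        while j < len(out) and out[j]["ts"] - out[i]["ts"] <= window:
            seen[out[j]["peer"]] = seen.get(out[j]["peer"], 0) + 1
            j += 1
        if len(seen) >= min_recipients:
            bursts.append({
                "start": out[i]["ts"],
                "recipients": sorted(seen),
                "once_each": all(n == 1 for n in seen.values()),
            })
            i = j  # skip past the burst just recorded
        else:
            i += 1
    return bursts


def analyse(records):
    """Summarise a device's SMS log: inbound lures seen and outbound bursts found."""
    inbound = [r for r in records if r["direction"] == "in" and is_koler_lure(r["body"])]
    return {"inbound_lures": len(inbound), "bursts": find_spam_bursts(records)}


def _lure(name):
    # Hypothetical link host; the campaign's real URL is not reproduced here.
    return (f"someone made a profile named -{name}- and he/she uploaded some of "
            f"your photos! Is that you? http://example.invalid/photoviewer")


# Constructed sample log: one inbound lure, then the infected phone fans the
# lure out to six contacts within half a minute, each exactly once.
SAMPLE_SMS = [
    {"ts": "2014-11-10 09:00:00", "direction": "in", "peer": "+15550000001", "body": _lure("Alice")},
    {"ts": "2014-11-10 09:03:00", "direction": "out", "peer": "+15550000001", "body": "who is this?"},
] + [
    {"ts": f"2014-11-10 09:05:{5 * k:02d}", "direction": "out",
     "peer": f"+1555000000{k + 2}", "body": _lure(f"Contact{k}")}
    for k in range(6)
] + [
    {"ts": "2014-11-10 09:30:00", "direction": "in", "peer": "+15550000002", "body": "is that a virus?"},
]

if __name__ == "__main__":
    print(analyse(parse_records(SAMPLE_SMS)))
```

On the sample log the analysis reports one inbound lure and one outbound burst of six distinct recipients, each messaged once.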

Self-healing computers will Fight Hackers!

Agency networks should be able to not only continuously detect hackers and throttle their destructive tactics, but also robotically bounce back.

“We’ve talked about the need to go from static defenses, such as firewalls, under so-called continuous monitoring, to active cyber defenses, doing automated hardening, automated defense of our networks,” Philip Quade, chief operating officer of NSA’s information assurance directorate, told DefenseOne. “But I think there is one more step that we’re not really talking about and that’s automated regeneration, automated resiliency.”

The pricey DHS-sponsored initiative now underway, known as continuous diagnostics and mitigation, or CDM, is expected to supply all agencies with sensors and specialists to move from traditional three-year vulnerability checks to real-time problem spotting. Agencies have until 2017 to achieve full implementation.

In between CDM and futuristic self-healing is active response, sometimes called “active defense,” which can include, for example, sharing threat intelligence with potential targets in real time.

Yet, “even with these automated defenses in place, bad things are still going to happen,” Quade said. Organizations need to be asking themselves: “What can you do to automatically regenerate to a minimally secure state, and be automatically resilient and get back to the operating position?”

According to Quade, automated resiliency is “the next big thing,” but he added, “I’m not optimistic that we’re getting anywhere close to that.”

Brazil, Germany in UN condemn Internet surveillance

Brazil and Germany are adding ‘metadata collection’ to an earlier UN resolution on digital spying, which condemns mass surveillance, digital communication interception and personal data collection as violations of human rights.

In a follow-up to the resolution adopted last November, the two countries, which are drafting the current resolution, have modified the text to include metadata collection.

Unlawful or arbitrary surveillance, interception of communications and collection of personal data, including metadata, are ‘highly intrusive acts,’ said the draft.

Metadata refer to details about communications such as telephone numbers involved in a call, time and duration of call, and Internet activities.

These acts violate the right to privacy and when operated on a mass scale contradict the tenets of a democratic society, said the draft.

It called upon the 193-member assembly to declare that it is “deeply concerned at human rights violations and abuses that may result from the conduct of any surveillance of communications.”
It sought an effective remedy from the states on mass surveillance and urged the Geneva-based UN Human Rights Council to appoint a rapporteur to identify and define privacy rights protection standards.

The 2013 resolution, also drafted by Germany and Brazil following Snowden’s exposure of NSA global spying program, was passed last year by consensus and was supported by the Five Eyes Surveillance Alliance (USA, Britain, Australia, Canada and New Zealand).

Germany and Brazil have both been angered by large-scale US surveillance allegations. German Chancellor Angela Merkel’s irritation was quite obvious at the EU summit last week when she said spying on friends is “really not on.” Brazilian President Dilma Rousseff was angry on learning that the computer network of Petrobras, the state-run oil company, was hacked by the NSA to collect email and telephone call data.

Cyber + War = Cyber-war: And the Red Button

Say the words ‘cyber-warfare’ to most security professionals and it’s likely they will respond with a withering look. Say ‘cyber 9/11’ or ‘cyber Pearl Harbour’ and you can get ready for a verbal pummeling, maybe worse.

Such faux pas get the disrespect they deserve. For ‘war’ should only be used where there’s destruction of property or lives, according to Peter Sommer, who drew up a document on cyber-warfare for the OECD in 2011, and who specializes in cybersecurity and digital evidence at Leicester de Montfort and the Open University.

“The word ‘war’ itself has gotten devalued,” he tells Infosecurity. “When you talk about war, you talk about levels of destruction you’re seeing in Iraq or Gaza. That isn’t to say there aren’t very powerful cyber-weapons.”

Indeed, there have been many examples of states flexing their muscles when it comes to cyber power. Two stand out: the Stuxnet malware that disrupted uranium enrichment at an Iranian plant, and the 2008 distributed denial of service (DDoS) attacks on Estonia, which prevented the country from contacting networks outside its borders. Russia has always been suspect number one in the latter case, while the US and Israel have been blamed for the former.

In an interview with Wired, the world’s most famous whistleblower raised concerns around an NSA-run program called MonsterMind, a tool designed to block malicious traffic from abroad entering the country. It could also automatically return fire, though few details were given on how it worked. A separate US attempt to tamper with Syrian infrastructure resulted in downtime for the country’s Internet in 2012, Snowden claimed. In its attempts to block and ward off cyber-espionage on its infrastructure, as well as spy on others, the NSA could start a real-world war, Snowden said.

Why has the big red button not yet been pushed? One reason could be that attacks on power plants or other critical infrastructure would be better done with real firepower. The most likely reason is that there simply isn’t the political will to cross the Rubicon yet. Amidst the steady global build-up of digital weaponry and the polarised rhetoric, there are some instructive elements to the story of cyber-warfare.


The full web site is currently under development and will be available during 2014