
Justice Department charges Russian spies and criminal hackers in Yahoo intrusion
FBI arrests alleged attacker who tweeted seizure-inducing strobe at Kurt Eichenwald
How wiretaps actually work and what's really going on here
Digital Privacy at the U.S. Border: A New How-To Guide from EFF
Facebook says police can't use its data for surveillance
That CIA exploit list in full: The good, the bad, and the very ugly
What the CIA WikiLeaks dump tells us: Encryption works
MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
Google's reCAPTCHA turns invisible, will separate bots from people without challenges
Ransomware for Dummies: Anyone Can Do It
A U.S. ally fired a $3 million Patriot missile at a $200 drone.
1. Justice Department charges Russian spies and criminal hackers in Yahoo intrusion
The Justice Department announced Wednesday the indictments of two Russian spies and two
criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014,
marking the first U.S. criminal cyber charges ever against Russian government officials.
The indictments target two members of the Russian intelligence agency FSB, and two hackers
hired by the Russians.
The charges include hacking, wire fraud, trade secret theft and economic espionage, according
to officials. The indictments are part of the largest hacking case brought by the United States.
The charges are unrelated to the hacking of the Democratic National Committee and the FBI's
investigation of Russian interference in the 2016 presidential campaign. But the move reflects
the U.S. government's increasing desire to hold foreign governments accountable for malicious
acts in cyberspace.
The United States does not have an extradition treaty with Russia, but officials have said that
taking steps such as charges and imposing sanctions can be a deterrent. People also
sometimes slip up and travel to a country that is able and willing to transfer them to the United
States for prosecution.
Yahoo reported the 2014 hack last fall in what was then considered the largest data breach
in history. The company later disclosed another intrusion affecting more than 1 billion user
accounts in 2013, far surpassing the 2014 event. Officials have not determined whether there is
a link between the two.
The twin hacks clouded the prospects for the sale of Yahoo's core business to
telecommunications giant Verizon. The deal is proceeding after Verizon negotiated the price
down in the wake of the breaches.
The compromised accounts may have affected more than just email. Breaking into a Yahoo
account would give the hackers access to users' activity on Flickr, Tumblr, fantasy sports and
other Yahoo applications.
In the 2014 hack, the FSB (Russia's Federal Security Service, and a successor to the KGB)
allegedly sought the information for intelligence purposes, targeting journalists, dissidents and
U.S. government officials, but allowed the criminal hackers to use the email cache for the
officials' and the hackers' financial gain, through spamming and other operations.
"The charges illustrate the murky world of Russian intel services using criminal hackers in a
wide variety of ways," said Milan Patel, a former FBI Cyber Division supervisory special agent
who is now a managing director at K2 Intelligence, a cyber firm.
Although FBI agents have long suspected that the Russians have used cyber mercenaries to do
their work, this case is among the first in which evidence is offered to show that.
The indicted FSB officers are Dmitry Dokuchaev and Igor Sushchin, his superior. Particularly
galling to U.S. officials is that the men worked for the cyber investigative arm of the FSB, a
rough equivalent of the FBI's Cyber Division. "That the agency that is supposed to investigate
computer intrusions in Russia is itself engaged in hacking is pretty sad," one official said.
Dokuchaev, whose hacker alias was Forb, was arrested in December in Moscow, according to
the news agency Interfax, on charges of state treason for passing information to the CIA. He
had reportedly agreed to work for the FSB to avoid prosecution for bank card fraud.
Another man indicted in the case is Alexsey Belan, who is on the list of most-wanted cyber
criminals and has been charged twice before, in connection with intrusions into three major tech
firms in Nevada and California in 2012 and 2013. He was in custody in Greece for a time but
made his way back to Russia, where he is being protected by authorities, officials said.
The other hacker-for-hire is Karim Baratov, who was born in Kazakhstan but has Canadian
citizenship. He was arrested in Canada on Tuesday.
The indictments grew out of a nearly two-year investigation by the FBI's San Francisco office
with the aid of international law enforcement, officials said. Sanctions and criminal charges are
two tools that the Obama administration began using to punish and deter nation-state hackers.
"They have the effect of galvanizing other countries that are watching what's happening," said
Luke Dembosky, a former deputy assistant attorney general for national security. "They show
that we have the resources and capabilities to identify the people at the keyboard, even in the
most sophisticated cases."
Three years ago, the United States charged five Chinese military hackers with economic
espionage, marking the first time cyber-related charges were levied against foreign government
officials.
After the Chinese military hackers were indicted, officials said their activity seemed to dwindle.
And the indictments, Dembosky said, helped wrest a pledge in 2015 from the Chinese to stop
economic cyberespionage against U.S. firms.
In early 2015, the Obama administration imposed economic sanctions on North Korea for its
cyberattack on Sony Pictures systems.
And in late December, the Obama administration levied economic sanctions on Moscow for its
election-year meddling. At the same time, the government sanctioned two Russian criminal
hackers with no apparent connection to the Kremlin's interference campaign. They included
Belan, who is one of the four indicted in the Yahoo case.

2. FBI arrests alleged attacker who tweeted seizure-inducing strobe at Kurt Eichenwald
An arrest has been made three months after someone tweeted a seizure-inducing strobe at
writer and Vanity Fair contributing editor Kurt Eichenwald. The Dallas FBI confirmed the arrest
to The Verge today and issued a press release with additional details. Eichenwald, who has
epilepsy, tweeted details of the arrest and said that more than 40 other people also sent him
strobes after he publicized the first attack. Their information is now with the FBI, he says.

The suspect, John Rayne Rivello, 29, of Salisbury, Maryland, allegedly sent a message to
Eichenwald saying, "You deserve a seizure for your post." That message included the strobe.
After pursuing a search warrant, police say they found Twitter direct messages in which Rivello
discussed Eichenwald and said he hoped his message would send him into a seizure and that
he was waiting to see if the writer dies. He additionally had a screenshot of a Wikipedia page for
Eichenwald that he had altered to say that the victim died on December 16, 2016 (the day
after he sent the strobe).
It isn't clear whether these different charges relate to similar online harassment incidents or
something else entirely. We've reached out to Eichenwald's lawyer for comment and will update
when we hear back. The
This wasnt the first time Eichenwald was allegedly targeted with a strobe. He claims to have
been attacked two other times last year. Eichenwald says that in October, a Trump supporter
attempted to induce a seizure by sending him an epileptogenic cartoon. In that case, he says he
dropped his iPad before a seizure was triggered.
The most recent attack on Eichenwald followed a spat between his employer, Vanity Fair, and
President Trump. After the magazine eviscerated Trump Grill in a review, the president tweeted
that the magazine was dead.

Eichenwald extensively covered Trump both during the election season and prior to his political
rise.

3. How wiretaps actually work and what's really going on here
David Kris was assistant attorney general for national security from 2009 to 2011. He served as
a national security adviser to the Clinton campaign in 2016.
The president's wiretap tweetstorm on Saturday produced the expected reactions, some of
them inaccurate. Here are three points about the legal questions in play and three broader
questions about what is really going on.
First, the U.S. government needs probable cause, signatures from government officials
and advance approval from a federal court before engaging in wiretapping in the United
States. There are some narrow exceptions, for things such as short-term emergencies, which
are then reviewed by a judge promptly after the fact. This is not something that the president
simply orders.
Under the law governing foreign intelligence wiretaps, the government has to show probable
cause that a facility is being used or about to be used by a foreign power (e.g., a foreign
government or an international terrorist group) or by an agent of a foreign power. A facility is
something like a telephone number or an email address.
A U.S. citizen or permanent resident alien can't be an agent of a foreign power unless he or
she, for example, "knowingly engages in clandestine intelligence gathering activities for or on
behalf of a foreign power, which activities involve or may involve a violation of the criminal
statutes of the United States." There are other ways that Americans can be agents of a foreign
power, but all of them require criminal conduct. For a visiting foreigner such as the Russian
ambassador, the standards are different: He can be an agent of a foreign power simply because
he is acting as the officer of a foreign government.
Second, there is no requirement that the facility being wiretapped be owned, leased or
listed in the name of the person who is committing the offense or is the agent of a foreign
power. In other words, a wiretap of Trump Tower does not require probable cause that
President Trump was committing a crime. If I am a spy, and I use a phone in some building to
call my handler at the Russian Embassy, then the government can wiretap that phone even
though its owner may be entirely innocent and unaware of my clandestine intelligence activities.
Third, government officials, including the president, don't normally speak publicly about
wiretaps. Indeed, it is in some cases a federal crime to disclose a wiretap without authorization,
including not only the information obtained from the wiretap, but also the mere existence of a
wiretap with an intent to obstruct it. With respect to intelligence wiretaps, there is an additional
issue: They are always classified, and disclosure of classified information is also generally a
crime. The president enjoys authority over classified information, of course, but at a minimum it
would be highly irregular to disclose an intelligence wiretap via Twitter.
Beyond those three legal points, what is really going on here? As usual, Trump's motives are
hard to discern. Maybe he was trying to seize a news cycle and shift attention away from
Attorney General Jeff Sessions's recusal from any investigation into Russian attempts to
influence the election and related issues. Maybe Trump concluded that a congressional
investigation into his Russia connections is inevitable and wanted to enlarge its scope to
address something, anything, about the Obama administration. I have even heard the theory
that he wanted to promote the investigation to give his team an excuse to defer public comment
pending its outcome, although that is certainly not his M.O. so far. Maybe he was just venting.
Whatever his motives, the effects of the president's tweetstorm are coming into focus. First, he
has increased congressional, media and public demand for information. It seems more likely
than ever that there will be some form of independent investigation into the Russia connection,
even if it also embraces the question of whether President Barack Obama ordered a tap on
Trump Tower (which should not take long to resolve).
Second, Trump also may be understood by the Justice Department and the FBI as signaling a
policy shift toward disclosure rather than secrecy in ongoing investigations. This is not
unprecedented, and perhaps FBI Director James B. Comey will take him at his tweet and
provide the desired information, at least to Congress, whether it involves wiretaps of Trump
Tower or other wiretaps and investigative measures.
Third, Trump is spending at a terrific rate the accumulated credibility capital of the office he
occupies. There may come a day when he needs to speak seriously, and to be taken seriously,
at home or abroad. On his present course and speed, that will be a hard day. If this were
House of Cards, it would all be very entertaining. As it is, existing institutions, both domestic
and international, are going to have to adapt to this new feature of our world.
4. Digital Privacy at the U.S. Border: A New How-To Guide from EFF
Increasingly frequent and invasive searches at the U.S. border have raised questions for those
of us who want to protect the private data on our computers, phones, and other digital devices.
A new guide released today by the Electronic Frontier Foundation (EFF) gives travelers the
facts they need in order to prepare for border crossings while protecting their digital information.
"Digital Privacy at the U.S. Border" helps everyone do a risk assessment, evaluating personal
factors like immigration status, travel history, and the sensitivity of the data you are carrying.
Depending on which devices come with you on your trip, your gadgets can include information
like your client files for work, your political leanings and those of your friends, and even your tax
return. Assessing your risk factors helps you choose a path to proactively protect yourself, which
might mean leaving some devices at home, moving some information off of your devices and
into the cloud, and using encryption. EFF's guide also explains why some protections, like
fingerprint locking of a phone, are less secure than other methods.
"Border agents have more power than police officers normally do, and people crossing the
border have less privacy than they usually expect," said EFF Staff Attorney Sophia Cope.
"Border agents may demand that you unlock your phone, provide your laptop password, or
disclose your social media handles. Yet this is where many of us store our most sensitive
personal information. We hope this guide makes preparing for your trip and protecting your
devices easier and more effective."
Many travelers are confused about what is legal at the border, and the consequences for
running afoul of a border agent can run the gamut from indefinite seizure of your phone and
computer, to denial of entry for foreign visitors, although American citizens always have the right
to re-enter the country. EFF's new guide hopes to clear up misinformation while recognizing that
there is no one-size-fits-all approach to crossing into the United States. In addition to the full
report, EFF has also created a pocket guide for helping people concerned with data protection.
"The border is not a Constitution-free zone, but sometimes the rules are less protective of
travelers and some border agents can be aggressive," said EFF Senior Staff Attorney Adam
Schwartz. "That can put unprepared travelers in a no-win dilemma at the U.S. border. We need
clearer legal protections for everyone, but in the meantime, our report and pocket guides aim to
put more power back into the hands of travelers."
5. Facebook says police can't use its data for surveillance
Facebook is cutting police departments off from a vast trove of data that has been increasingly
used to monitor protesters and activists.
The move, which the social network announced Monday, comes in the wake of concerns over
law enforcement's tracking of protesters' social media accounts in places such as Ferguson,
Mo., and Baltimore. It also comes at a time when chief executive Mark Zuckerberg says he is
expanding the company's mission from merely connecting the world into friend networks to
promoting safety and community.
Although the social networks core business is advertising, Facebook, along with Twitter and
Facebook-owned Instagram, also provides developers access to users' public feeds. The
developers use the data to monitor trends and public events. For example, advertisers have
tracked how and which consumers are discussing their products, while the Red Cross has used
social data to get real-time information during disasters such as Hurricane Sandy.

But the social networks have come under fire for working with third parties who market the data
to law enforcement. Last year, Facebook, Instagram and Twitter cut off access to Geofeedia, a
start-up that shared data with law enforcement, in response to an investigation by the American
Civil Liberties Union. The ACLU published documents that made references to tracking activists
at protests in Baltimore in 2015 after the death of a black man, Freddie Gray, while in police
custody and also to protests in Ferguson, Mo., in 2014 after the police shooting of Michael
Brown, an unarmed black 18-year-old.
On Monday, Facebook updated its instructions for developers to say that they cannot "use data
obtained from us to provide tools that are used for surveillance."
The company also said, in an accompanying blog post, that it had kicked other developers off
the platform since it had cut ties with Geofeedia.
Until now, Facebook hasn't been explicit about who can use information that users post publicly.
This can include a person's friend list, location, birthday, profile picture, education history,
relationship status and political affiliation if they make their profile or certain posts public.
Some departments have praised the tools, which they say help them fight crime, for
example if gang leaders publicly post references to their crimes.
In a statement about the changes, which were the results of several months of conversations
with activists, the ACLU and other groups lauded Facebooks move as a first step.

"We depend on social networks to connect and communicate about the most important issues in
our lives and the core political and social issues in our country," Nicole Ozer, technology and
civil liberties director at the ACLU of California, said in the statement. "Now more than ever, we
expect companies to slam shut any surveillance side doors and make sure nobody can use their
platforms to target people of color and activists."
Some said Facebook hadn't gone far enough. "When technology companies allow their
platforms and devices to be used to conduct mass surveillance of activists and other targeted
communities, it chills democratic dissent and gives authoritarianism a license to thrive," Malkia
Cyril, executive director and founder of the Center for Media Justice, said in the statement. "It's
clear there is more work to be done to protect communities of color from social media spying,
censorship and harassment."
The new policy language does not kick law enforcement off the platform. For one, the company
cooperates with law enforcement on a case-by-case basis for help in solving crimes.

Police and federal agencies may still siphon people's feeds in cases of national disasters and
emergencies, Facebook officials said. It was unclear how Facebook would decide which
emergencies and public events would warrant monitoring citizens' data and which would
constitute unreasonable surveillance. "Surveillance" was also not defined in the blog post, a
potential gray area that outsiders can exploit. Facebook said it would continue to audit third
parties for policy violations and require that developers disclose what they plan to do with data
they are requesting access to.
Local police departments across the United States have spent roughly $5 million on social
media monitoring over the past several years, according to the Brennan Center for Justice. The
relatively small amount shows how it is inexpensive to track and monitor the behavior of large
numbers of people.

6. That CIA exploit list in full: The good, the bad, and the very ugly
We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for
political mischief, although here are some of the highlights.
First, though, a few general points: one, there's very little here that should shock you. The CIA is
a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn't mad keen on blanket surveillance: it targets particular people,
and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of
interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As
we previously mentioned, that involves breaking into someone's house and physically
reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or
another, smart telly or no smart telly. You'll probably be tricked into opening a dodgy attachment
or download.
That's actually a silver lining to all this: end-to-end encrypted apps, such as Signal and
WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read
your messages and snoop on your webcam and microphones, if you're unlucky enough to be a
target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will
be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in
our pockets, laptop bags, and living rooms.
Thirdly, if you've been following US politics and WikiLeaks' mischievous role in the rise of
Donald Trump, you may have clocked that Tuesday's dump was engineered to help the
President pin the hacking of his political opponents' email server on the CIA. The leaked
documents suggest the agency can disguise its operations as the work of a foreign government.
Thus, it wasn't the Russians who broke into the Democrats' computers and, by leaking the
emails, helped swing Donald the election; it was the CIA all along, Trump can now claim.
That'll shut the intelligence community up. The President's pet news outlet Breitbart is already
running that line.
Back to the leaked files. One amusing page gives details of discussions within the CIA on how
to avoid having its secrets leak in the wake of the theft of the NSA Equation Group's hacking
tools. Along with a detailed report [PDF] on the Equation Group hack, there are suggestions on
how to protect resources.
The CIA and the White House have yet to comment on the veracity of the leaked material and
are unlikely to do so. But at least one former intelligence worker with knowledge of such matters
seems convinced they are real.
So here's a rundown of the highlights so far. With so much material to go through, some
important things will have been missed. Feel free to add your own insights in the comments
section. We note that a good number of these cyber-weapons were obtained from the NSA,
GCHQ or private computer security researchers, and hoarded without warning vendors in case
the vulnerabilities were patched; we've covered this subject over and over.
Windows: The CIA's UMBRAGE team has a modest collection of attack tools for
systems powered by Microsoft's widely used operating system, all listed here. These
tools include keystroke loggers, sandbox escape ropes, and antivirus avoidance
mechanisms. The CIA analysts found flaws in Control Panel, and the ability to add data
streams to NTFS without detection to smuggle data onto storage drives. Windows library
files are useful stepping stones to malicious code execution, as are Windows Theme
files.
DLL files [PDF] are a popular attack vector for the CIA. They are also handy for
concealing malware in applications, and the documents show that common apps have
been used for spying by exploiting DLL weaknesses.
One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell
fan. The RickyBobby program, named after the character in the film Talladega Nights,
uses several .NET DLLs and a Windows PowerShell script to implant a "listening post"
on a target Windows PC.
A version has been used in the field on USB drives, according to this document. The
software, with attack tools dubbed Fight Club, was put onto six thumb drives and
"inserted into the supply chain of a target network/group."
If you're using Microsoft Exchange 2010, the CIA has a tool for that, dubbed
ShoulderSurfer. This performs a code injection attack against the Exchange Datastore
manager process that would allow an agent to collect emails and contacts at will and
without the need for an individual's credentials.
Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on
Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers
looking to fix the problems.
OS X: Users of Apple's OS X shouldn't look too smug, however. The CIA has tools for
you too, pages of them.
A lot of hacking tools cover OS X El Capitan, but presumably these have been updated
to subvert new versions of the operating system. That said, it does seem through
reading these files that Apple poses a significantly more difficult challenge for the CIA
than Redmond's code.
Analysts note that the operating system can be resilient to applications that try to slip
malware onto a Mac. But it's still possible to whitelist spying software; subvert NetInstall
images, creating zombie programs; and surreptitiously get at the kernel.
One interesting project the files touch on is dubbed QuarkMatter. This is a technique for
hiding spying software persistently on an OS X system by using an EFI driver stored on
the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH
client to potentially pull off remote monitoring of a target system.
The documents also show a project called HarpyEagle that analyzed Apple's Airport
Extreme firmware for private keys, and also Time Capsule systems.
iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed
in-house, some obtained from the NSA or Britain's GCHQ, and others were purchased
from private vendors. It looks as though at least some of the security bugs were fixed by
Apple in recent iOS updates (versions 8 and later) or are otherwise no longer
exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit
were both used to hack "iPhone 4S and later, iPod touch (5th generation) and later, iPad
2 and later," but both flaws were fixed after being publicized by the Chinese jailbreaker
Pangu.
While it's likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to
have killed off a few, but most of the exploits don't have death dates listed.
The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices,
while the CIA's homegrown Persistence tool allows "a symbolic link [to] be created (on
iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper,
giving [users] initial execution on every boot."
While full root is a goal, the documents also detail an attack known as Captive Portal.
This sets up the browser to route all web use through a server run by the CIA.
Android: There's a much longer list for Android exploits than that for its Cupertino
cousin's operating system.
There are exploits such as Chronos and Creatine that attack specific flaws in Qualcomm
Adreno GPU drivers, and others like Starmie and Snubble only work against specific
Samsung handsets. There are also a lot of Chrome-based attacks for Android that will
only work on older versions of the browser. There's a full list of version histories here.
There are also three implants listed: Bowtie, SuckerPunch, and RoidRage. The release
notes for RoidRage show it can monitor all radio functions and allows SMS stealing.
While the bulk of the exploits listed allow for escalation of privileges, allowing malicious
apps to gain more or total control of the infected device, there are some like
BaronSamedi, Dugtrio, and Salazar that allow for remote access. Many of these have
been shut down on phones running Android version 4.4 and higher, but bear in mind this
list is three years old and the revised grab bag of exploits currently in use could be more
effective against more modern Android builds.
Antivirus: The CIA stash contains rundowns on most of the popular antivirus systems
and how to defeat them. Much of the information has been redacted but there are a few
snippets left.
The documents note that evading F-Secure's detection mechanisms is possible, but that
the software has a pretty good heuristics engine that can pick up Trojan software. The
agency has devised two ways around this: using RAR file string tables or cloning a RAR
file manifest file.
Avira has similarly good heuristics, the files note, but two similar attacks appear to work.
Avira is a high-value target, since the documentation notes that it is popular among
counter-terrorism targets.
Bitdefender's heuristic engine has also caused the CIA some problems when it comes to
detecting the agency's malware. However, one file notes: "cleartext resources or simple
RXOR-ed resources don't seem to cause Bitdefender to trip."
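As an added illustration of that Bitdefender note (example code written for this digest, not anything from the leaked documents): the snippet below takes "RXOR" to mean a rolling XOR in which the first byte is XORed with a one-byte seed and every later byte with the preceding plaintext byte, which is an assumption, and runs it over a constructed PE-header stub rather than a real binary. It shows why an entropy heuristic sees nothing unusual in either a cleartext or a rolling-XOR'ed embedded executable, and the cheap structural check a scanner can run instead: try all 256 seeds and look for a decoded MZ/PE layout rather than a fixed byte signature.

```python
"""Rolling-XOR ("RXOR") resource encoding and a scanner check that still trips on it.

Added example for this digest; not code from the leaked documents. The encoding
scheme is an assumption (one-byte seed, then each byte XORed with the previous
plaintext byte) and the PE header below is a constructed stub, not a real binary.
"""
import math
import struct
from typing import Optional, Tuple

# Constructed stub with the shape of a PE file: "MZ" magic, zero padding,
# e_lfanew at offset 0x3C pointing at the "PE\0\0" signature, a machine
# field, then more padding. Enough structure to test on, nothing executable.
FAKE_PE = (
    b"MZ"
    + b"\x00" * 58
    + struct.pack("<I", 0x40)   # e_lfanew -> offset 0x40
    + b"PE\0\0"
    + b"\x4c\x01"               # IMAGE_FILE_MACHINE_I386
    + b"\x00" * 100
)


def rxor_encode(data: bytes, seed: int) -> bytes:
    """Rolling XOR (assumed scheme): byte 0 is XORed with the seed, every later
    byte with the previous *plaintext* byte. One byte of key material in total."""
    out = bytearray(len(data))
    key = seed & 0xFF
    for i, p in enumerate(data):
        out[i] = p ^ key
        key = p
    return bytes(out)


def rxor_decode(data: bytes, seed: int) -> bytes:
    """Inverse of rxor_encode: recover each plaintext byte, then use it as the
    key for the next one. Decoding is sequential, so a prefix decodes alone."""
    out = bytearray(len(data))
    key = seed & 0xFF
    for i, c in enumerate(data):
        p = c ^ key
        out[i] = p
        key = p
    return bytes(out)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte. Packed or properly encrypted payloads sit near 8.0; a
    mostly-zero header stays far below that whether XORed or not, which is
    why an entropy-only heuristic is blind to this kind of resource."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(blob: bytes) -> bool:
    """Structural test instead of a byte signature: MZ magic plus an e_lfanew
    that actually lands on the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_resource(blob: bytes) -> Optional[Tuple[str, Optional[int]]]:
    """Return ("cleartext", None) for an embedded PE, ("rxor", seed) for a
    rolling-XOR'ed one, or None. 256 trial decodes of the header is all it
    costs, so a single-byte XOR buys the author nothing against this check."""
    if looks_like_pe(blob):
        return ("cleartext", None)
    head = blob[:0x200]   # the header is all the structural check needs
    for seed in range(256):
        if looks_like_pe(rxor_decode(head, seed)):
            return ("rxor", seed)
    return None


if __name__ == "__main__":
    encoded = rxor_encode(FAKE_PE, 0xA5)
    print("entropy cleartext:", round(shannon_entropy(FAKE_PE), 2))
    print("entropy rxor     :", round(shannon_entropy(encoded), 2))
    print("cleartext ->", classify_resource(FAKE_PE))
    print("rxor      ->", classify_resource(encoded))
```

The same idea is what YARA's `xor` string modifier does for single-byte keys; the structural MZ/PE check is used here instead of a byte signature so that the test does not depend on any particular malware family.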
Comodo's code is described as a "giant PITA" for its malware detection capabilities.
However, it has a weak spot and doesn't scan the contents of the Recycle Bin. The
notes say malware can be stored safely here, but may be detected if run.
Ever since version six of Comodo's code, things have become a lot easier and the CIA
has an exploit dubbed the Gaping Hole of DOOM. That version ignores malware that it
thinks is part of the Windows core operating system.
"Anything running as SYSTEM is automatically legit under 6.X. ANYTHING," the
document states. "Let that sink in. Got a kernel-level exploit? Good, because you can
drop the kitchen sink and the contents of your garage and as long as you continue to run
as SYSTEM you are golden. Yeah."
Details on AVG are sketchy, but the CIA trove indicates at least two ways to defeat the
security software. These include a fake installer and malware that can be dropped onto a
system and activated by a specific web link.
Antivirus code and other programs can also be targeted by a series of tools developed
under the moniker WreckingCrew. The vast majority of these were under development,
but two were finished and could be used to shut down security software and to "troll
people."
Signal/WhatsApp: In some good news for privacy advocates, it appears that the CIA has
had no luck in cracking the popular encrypted chat protocol created by Open Whisper
Systems, which is used in Signal and WhatsApp.
CD/DVD attacks: There are still plenty of people in the world using CDs and DVDs, so
the CIA has developed code called HammerDrill to exploit the storage medium.
Version two of the software allows an infected computer to log what CDs and DVDs are
being read by the user, for how long, and the data they contain. The CIA also added a
function in the second build that allows it to install a hidden Trojan in new discs being
burned, if the target is using the popular Nero burning software.
The developer notes state that a 279-byte shellcode can be burned onto the storage
medium that will run on 32-bit Windows systems. The documents note that Kaspersky
antivirus (a top choice in Russia and elsewhere) can be bypassed in this way.
Smart TVs: The CIA and the British spies at MI5 have developed an attack known as
Weeping Angel. This can put smart TVs (Samsung's is mentioned) into a "Fake-Off
mode," which makes the device look like it's powered down, with its LEDs off. However,
it's still on and can now be used as a bugging device. The Wi-Fi keys the TV uses are
also slurpable.
Beyond the exploit itself, the documents show areas of interest that CIA hackers
wanted to research: leaving Wi-Fi on and enabling video capture, getting into
caches of stored audio recordings, and setting up a man-in-the-middle attack against the
television's browser.
The TV is compromised via a USB stick inserted into the device, but the documents
show that if the user has updated their operating system to firmware version 1118 and
above then the hack won't work. The documents also note that only 700MB of 1.6GB of
onboard storage is available for spying uses.
IoT devices: It's clear the CIA is looking actively at subverting Internet of Things devices
with its Embedded Development Branch.
The documents here are somewhat scant, but from meeting notes in 2014 it's clear that
the analysts are looking at self-driving cars, customized consumer hardware,
Linux-based embedded systems, and whatever else they can get their hands on.
Those Amazon Echo or Google Home devices are looking less and less attractive every
day.
Other interesting snippets are that some of the documents contain the licence keys of software
the CIA uses. These include keys for OmniGraffle graphic design software and the Sublime text
editor, but in the latter case the 10-user licence key was listed as belonging to Affinity Computer
Technology, a small computer repair shop in Sterling, Virginia.
We spoke to Affinity's manager, Bill Collins, who checked out the page and pronounced himself
baffled. They're a small computer repair shop, he said, with no links to the CIA.
There are also some amusing touches. One analyst has included his favorite ASCII characters
for conversing online with Japanese people, along with games he likes to play and some music
suggestions. He or she also appears to be a Monty Python fan.
There is no way to read the entire archive in a day. If you are a developer or a technology
vendor, it's worth going through the archive. We suspect a lot of companies have been doing
little else all day.
7. What the CIA WikiLeaks dump tells us: Encryption works
If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that
data-scrambling encryption works, and the industry should use more of it.
Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents
must go to great lengths to circumvent encryption they can't break. In many cases, physical
presence is required to carry off these targeted attacks.
"We are in a world where if the U.S. government wants to get your data, they can't hope to
break the encryption," said Nicholas Weaver, who teaches networking and security at the
University of California, Berkeley. "They have to resort to targeted attacks, and that is costly,
risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do
stuff like this should reassure civil libertarians that the situation is better now than it was four
years ago."
MORE ENCRYPTION
Four years ago is when former NSA contractor Edward Snowden revealed details of huge and
secret U.S. eavesdropping programs. To help thwart spies and snoops, the tech industry began
to protectively encrypt email and messaging apps, a process that turns their contents into
indecipherable gibberish without the coded "keys" that can unscramble them.
The NSA revelations shattered earlier assumptions that internet data was nearly impossible to
intercept for meaningful surveillance, said Joseph Lorenzo Hall, chief technologist at the
Washington-based civil-liberties group Center for Democracy & Technology. That was because
any given internet message gets split into a multitude of tiny "packets," each of which traces its
own unpredictable route across the network to its destination.
The realization that spy agencies had figured out that problem spurred efforts to better shield
data as it transits the internet. A few services such as Facebook's WhatsApp followed the earlier
example of Apple's iMessage and took the extra step of encrypting data in ways even the
companies couldn't unscramble, a method called end-to-end encryption.
CHALLENGES FOR AUTHORITIES
In the past, spy agencies like the CIA could have hacked servers at WhatsApp or similar
services to see what people were saying. End-to-end encryption, though, makes that
prohibitively difficult. So the CIA has to resort to tapping individual phones and intercepting data
before it is encrypted or after it's decoded.
It's much like the old days when "they would have broken into a house to plant a microphone,"
said Steven Bellovin, a Columbia University professor who has long studied cybersecurity
issues.
Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online
privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a
driftnet."
Encryption has grown so strong that even the FBI had to seek Apple's help last year in cracking
the locked iPhone used by one of the San Bernardino attackers. Apple resisted what it
considered an intrusive request, and the FBI ultimately broke into the phone by turning to an
unidentified party for a hacking tool, presumably one similar to those the CIA allegedly had at
its disposal.
On Wednesday, FBI Director James Comey acknowledged the challenges posed by encryption.
He said there should be a balance between privacy and the FBI's ability to lawfully access
information. He also said the FBI needs to recruit talented computer personnel who might
otherwise go to work for Apple or Google.
Government officials have long wanted to force tech companies to build "back doors" into
encrypted devices, so that the companies can help law enforcement descramble messages with
a warrant. But security experts warn that doing so would undermine security and privacy for
everyone. As Apple CEO Tim Cook pointed out last year, a back door for good guys can also
be a back door for bad guys. So far, efforts to pass such a mandate have stalled.
STILL A PATCHWORK
At the moment, though, end-to-end encrypted services such as iMessage and WhatsApp are
still the exception. While encryption is far more widely used than it was in 2013, many
messaging companies encode user data in ways that let them read or scan it. Authorities can
force these companies to divulge message contents with warrants or other legal orders. With
end-to-end encryption, the companies wouldn't even have the keys to do so.
Further expanding the use of end-to-end encryption presents some challenges. That's partly
because encryption will make it more difficult to perform popular tasks such as searching years
of emails for mentions of a specific keyword. Google announced in mid-2014 that it was working
on end-to-end encryption for email, but the tools have yet to materialize beyond research
environments.
Instead, Google's Gmail encrypts messages in transit. But even that isn't possible unless it's
adopted by the recipient's mail system as well.
And encryption isn't a panacea, as the WikiLeaks disclosures suggest.
According to the purported CIA documents, spies have found ways to exploit holes in phone
and computer software to grab messages when they haven't been encrypted yet. Although
Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the
CIA documents, it's not known how many holes remain open.
"There are different levels where attacks take place," said Daniel Castro, vice president with the
Information Technology and Innovation Foundation. "We may have secured one level (with
encryption), but there are other weaknesses out there we should be focused on as well."
Cohn said people should still use encryption, even with these bypass techniques.
"It's better than nothing," she said. "The answer to the fact that your front door might be cracked
open isn't to open all your windows and walk around naked, too."
___
Liedtke reported from San Francisco.
8. MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
Analysis: To protect mobile devices from being tracked as they move through Wi-Fi-rich
environments, there's a technique known as MAC address randomization. This replaces the
number that uniquely identifies a device's wireless hardware with randomly generated values.
In theory, this prevents scumbags from tracking devices from network to network, and by
extension the individuals using them, because the devices in question call out to these nearby
networks using different hardware identifiers.
It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC
addresses, so that shoppers are recognized by their handheld when they next walk in, or walk
into an affiliate shop with the same creepy system present. This could be used to alert assistants,
or to follow people from department to department, store to store, and then sell that data to
marketers and ad companies.
Public wireless hotspots can do the same. Transport for London in the UK, for instance, used
these techniques to study Tube passengers.
Regularly changing a device's MAC address is supposed to defeat this tracking.
But it turns out to be completely worthless, due to a combination of implementation flaws and
vulnerabilities. That and the fact that MAC address randomization is not enabled on the majority
of Android phones.
In a paper published on Wednesday, US Naval Academy researchers report that they were able
to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting
a previously unknown flaw in the way existing wireless chipsets handle low-level control
frames."
Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also
identify several alternative deanonymization techniques that work against certain types of
devices.
Cellular radio hardware has its own set of security and privacy issues; these are not considered
in the Naval Academy study, which focuses on Android and iOS devices.
Each 802.11 network interface in a mobile phone has a 48-bit MAC address, a layer-2 hardware
identifier that's supposed to be persistent and globally unique.
Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to
buy a block of MAC addresses for their networking products: the manufacturer is assigned a
three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional
three-byte identifier that can be set to any value. Put those six bytes together, and you've got a
48-bit MAC address that should be globally unique for each device.
The IEEE's registration system makes it easy to identify the maker of a particular piece of
network hardware. The IEEE also provides the ability to purchase a private OUI that's not
associated with a company name, but according to the researchers "this additional privacy
feature is not currently used by any major manufacturers that we are aware of."
Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix
that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses
can be used in situations where global uniqueness is not required. These CID numbers tend to
be used for MAC address randomization and are usually transmitted when a device
unassociated with a specific access point broadcasts 802.11 probe requests, the paper
explains.
The researchers focused on devices unassociated with a network access point (as might
happen when walking down the street through various Wi-Fi networks) rather than those
associated and authenticated with a specific access point, where the privacy concerns differ and
unique global MAC addresses come into play.

Unmasking
Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol
can be used to reverse engineer a device's globally unique MAC address through a technique
called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study
builds upon that work by focusing on randomized MAC address implementations.
The researchers found that "the overwhelming majority of Android devices are not implementing
the available randomization capabilities built into the Android OS," which makes such Android
devices trivial to track. It's not clear why this is the case, but the researchers speculate that
802.11 chipset and firmware incompatibilities might be part of it.

Samsung v Apple
Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android
data set, show no evidence of implementing MAC address randomization.
Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10.
While the researchers were evaluating devices last year, Apple launched iOS 10 and changed
its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi
management frames to extend the Wi-Fi protocol.
"Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe
requests," the paper explains. "This made identification of iOS 10 Apple devices trivial
regardless of the use of MAC address randomization."
This shortcoming aside, Apple handles randomization correctly, in the sense that it properly
randomizes the full 48 bits available for MAC addresses (with the exception of the
Universal/Local bit, set to distinguish between global MAC addresses and the local ones used
for randomization, and the Unicast/Multicast Bit).
The researchers find this interesting because the IEEE charges a fee for using the first three
bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space
that other companies have paid for."
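The address layout described above (an OUI or CID prefix plus three device-specific bytes, with the Universal/Local and Unicast/Multicast flag bits in the first octet) is straightforward to check in code. The following Python is an added example written for this page, not code from the Naval Academy paper, The Register, or any manufacturer; the vendor-prefix table and the probe-request log lines are constructed samples, not the IEEE registry or real captures. It classifies each probing source as global, locally administered (randomized) or multicast, and shows how a randomizer that uses all 46 free bits sets those two flag bits, which is the behaviour the paper credits Apple with.

```python
"""Classify 802.11 source MAC addresses as globally unique (OUI/CID prefix)
or locally administered (randomized), using the two flag bits in the first
octet.  Added example for this page; the OUI table and the probe log below
are constructed samples, not the IEEE registry or real captures.
"""
import re
import secrets

# Flag bits in the first octet of a 48-bit MAC address (IEEE 802).
IG_BIT = 0x01  # Individual/Group: 0 = unicast, 1 = multicast
UL_BIT = 0x02  # Universal/Local: 0 = globally unique, 1 = locally administered

# Constructed vendor-prefix table (the real IEEE registry is far larger).
SAMPLE_OUI_TABLE = {
    "00:11:22": "Example Phone Maker (constructed)",
    "A8:BB:CC": "Example Chipset Vendor (constructed)",
}

_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six bytes."""
    match = _MAC_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(group, 16) for group in match.groups())


def classify(text: str, oui_table=SAMPLE_OUI_TABLE) -> dict:
    """Describe one source address: which flag bits are set, its 3-byte
    prefix, and (for global addresses) the registered vendor, if known."""
    mac = parse_mac(text)
    local = bool(mac[0] & UL_BIT)
    multicast = bool(mac[0] & IG_BIT)
    prefix = ":".join(f"{b:02X}" for b in mac[:3])
    if multicast:
        kind = "multicast"
    elif local:
        kind = "randomized/local"
    else:
        kind = "global"
    return {
        "mac": ":".join(f"{b:02X}" for b in mac),
        "locally_administered": local,
        "multicast": multicast,
        "prefix": prefix,
        # A locally administered prefix says nothing about the maker.
        "vendor": None if local else oui_table.get(prefix),
        "kind": kind,
    }


def random_local_mac() -> str:
    """Generate a randomized address the way the paper credits Apple with:
    all 46 free bits random, U/L set, I/G cleared (unicast)."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | UL_BIT) & ~IG_BIT & 0xFF
    return ":".join(f"{b:02X}" for b in raw)


# Constructed probe-request log, one 'src=<mac> ssid=<name>' entry per line
# ('*' stands for a broadcast/wildcard probe).  Not a real capture.
SAMPLE_PROBE_LOG = """\
src=00:11:22:33:44:55 ssid=CoffeeShop
src=DA:A1:19:7F:3C:02 ssid=*
src=00:11:22:33:44:55 ssid=Home-WiFi
src=A8:BB:CC:01:02:03 ssid=*
src=01:00:5E:00:00:FB ssid=*
"""


def summarize_probe_log(log: str) -> dict:
    """Count distinct probing sources by address kind.  A large 'global'
    share means devices in range are trackable from network to network."""
    counts = {"global": 0, "randomized/local": 0, "multicast": 0}
    seen = set()
    for line in log.splitlines():
        match = re.search(r"src=(\S+)", line)
        if not match:
            continue
        info = classify(match.group(1))
        if info["mac"] in seen:
            continue
        seen.add(info["mac"])
        counts[info["kind"]] += 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_PROBE_LOG.splitlines():
        print(classify(entry.split()[0][4:]))
    print(summarize_probe_log(SAMPLE_PROBE_LOG))
    print("fresh randomized address:", random_local_mac())
```

Run over a real probe-request capture from your own devices, the summary tells you what share of your fleet still announces a global address while unassociated, which is the passive exposure the paper measures; it says nothing about the chipset-level RTS behaviour the researchers describe, which this check cannot see.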
In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval
Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent
of Android phones tested did not implement MAC address randomization.
"It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was
supposed to do."

'Closest to being pretty good'

Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to
being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of
hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS
frames to an Apple phone forces the device to reveal its global unique MAC address, rather
than the randomized one normally presented to the hotspot.
"No matter how hard you try, you can't defend against that because it's a property of the
wireless chip itself," said Mayberry.
There was a single Android phone that fared well. "The one Android phone that was resistant to
our passive attacks was the CAT S60 which is some kind of 'tough' phone used on construction
sites and the like," Mayberry explained in an email. "It did not have a recognizable fingerprint
and did not ever transmit its global MAC except when associating. It was still vulnerable to our
active RTS attack though, since like I said, that is a problem with the actual chips and affects
every phone."
Mayberry was at a loss to explain why Apple shot itself in the foot by adding a trackable
identifier to a system that previously worked well.
"I initially thought it might be to support some of the 'continuity' features where multiple Apple
devices can discover and exchange stuff like open browser tabs and clipboard contents but that
came out in earlier versions of iOS," he said. "It also might be linked to the HomeKit features
that they added in iOS to control IoT devices. Basically it would have to be to purposefully
identify and discover other Apple devices that are not associated, otherwise we wouldn't see it
in probe requests. All of this is pure speculation though and we really don't have a strong reason
for it."
Mayberry said he hoped the research would help the industry understand the consequences of
everyone doing things differently. There's no generally accepted way to handle MAC address
randomization. "There are so many phones not using it," he said. "There should be a standard."

9. Google's reCAPTCHA turns invisible, will separate bots from people without challenges
Google says it can separate man from machine without any tricky tests or checkboxes.
Google's reCAPTCHA is the leading CAPTCHA service (that's "Completely Automated Public
Turing test to tell Computers and Humans Apart") on the Web. You've probably seen
CAPTCHAs a million times on sign-up pages across the Web; to separate humans from spam
bots, a challenge will pop up asking you to decipher a picture of words or numbers, pick out
objects in a grid of pictures, or just click a checkbox. Now, though, you're going to be seeing
CAPTCHAs less and less, not because Google is getting rid of them but because Google is
making them invisible.
The old reCAPTCHA system was pretty easy: just a simple "I'm not a robot" checkbox would
get people through your sign-up page. The new version is even simpler, and it doesn't use a
challenge or checkbox. It works invisibly in the background, somehow, to identify bots from
humans. Google doesn't go into much detail on how it works, only saying that the system uses
"a combination of machine learning and advanced risk analysis that adapts to new and
emerging threats." More detailed information on how the system works would probably also help
bot-makers crack it, so don't expect details to pop up any time soon.
reCAPTCHA was bought by Google in 2009 and was used to put unsuspecting website users to
work for Google. Some CAPTCHA systems create arbitrary problems for users to solve, but
older reCAPTCHA challenges actually used problems Google's computers needed to solve but
couldn't. Google digitizes millions of books, but sometimes the OCR (optical character
recognition) software can't recognize a word, so that word is sent into the reCAPTCHA system
for solving by humans. If you've ever solved a reCAPTCHA that looks like a set of numbers,
those were from Google's camera-covered Street View cars, which whizz down the streets and
identify house numbers. If the OCR software couldn't figure out a house number, that number
was made into a CAPTCHA for solving by humans. The grid of pictures that would ask you to
"select all the cats" was used to train computer image recognition algorithms.
When sites switch over to the invisible CAPTCHA system, most users won't see CAPTCHAs at
all, not even the "I'm not a robot" checkbox. If you are flagged as "suspicious" by the system,
then it will display the usual challenges.

10. Ransomware for Dummies: Anyone Can Do It
Among today's fastest-growing cybercrime epidemics is ransomware, malicious software that
encrypts your computer files, photos, music and documents and then demands payment in
Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks
in recent years comes from the proliferation of point-and-click tools sold in the cybercrime
underground that make it stupid simple for anyone to begin extorting others for money.
Recently, I came across an extremely slick and professionally produced video advertisement
promoting the features and usability of Philadelphia, a ransomware-as-a-service crimeware
package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their
own ransomware empires.
This stunning advertisement does a thorough job of showcasing Philadelphia's many features,
including the ability to generate PDF reports and charts of victims to track your malware
campaigns as well as the ability to plot victims around the world using Google Maps.
"Everything just works," claim the proprietors of Philadelphia. "Get your lifetime copy. One
payment. Free updates. No monthly fees."
One interesting feature of this ransomware package is the ability to grant what the program's
architects call "mercy." This refers to the desperate and heartbreaking pleas that ransomware
purveyors often hear from impecunious victims whose infections have jeopardized some
priceless and irreplaceable data such as photos of long lost loved ones.
I'll revisit the authors of this ransomware package in a future post. For now, just check out their
ad. It's fairly chilling.

11. A U.S. ally fired a $3 million Patriot missile at a $200 drone. Spoiler: The missile won
With a price tag of about $3 million, the U.S. Army's Patriot missile is among the most
sophisticated, not to mention costliest, surface-to-air defense weapons in the world. Capable of
flying five times the speed of sound, the 700-pound, five-meter-long Patriot's main purpose is to
intercept other missiles.
But according to an Army general, a U.S. ally recently used one to shoot down a different target:
a $200 drone aircraft.
Gen. David Perkins, commander of the U.S. Army Training and Doctrine Command, gave a brief
account of the incident at an Army symposium on March 13 in Huntsville, Ala., available on
YouTube.
"We have a very close ally of ours that was dealing with an adversary using small quadcopters,"
Perkins said, indicating the situation was not a drill. "They shot it down with a Patriot missile."
"The Patriot won," he added with a grin. "That quadcopter that cost 200 bucks from
Amazon.com did not stand a chance against the Patriot."
A disproportionate response? No doubt. But that's exactly why Perkins brought up the anecdote
in his talk, which focused on how military commanders should deal with new threats.
Though the Patriot easily took out the encroaching drone, he said, it wasn't a very cost-effective
way of dealing with the problem.
"I'm not sure that's a good economic-exchange ratio," Perkins said. "In fact, if I'm the enemy, I'm
thinking, 'Hey, I'm just going to get on eBay and buy as many of these $300 quadcopters as I
can and expend all the Patriot missiles out there.'"
Developed and manufactured by Lockheed Martin and Raytheon, Patriot missiles have been
purchased by 13 countries, including the United States, Saudi Arabia, Kuwait, Qatar and Israel,
since they came into service in the 1980s. The missiles are guided by radar, making them ideal
for locking onto other projectiles, as well as fast-moving aircraft. Drones, for what it's worth,
would seem to fall into that category.
The research firm Forecast International has a handy (albeit jargon-laden) description of how
the Patriot works in practice:

When launched, the PAC-3 missile flies to an intercept point specified prior to launch by its
ground-based fire solution computer. Target trajectory data can be updated during flyout by the
means of a radio frequency uplink/downlink. Shortly before arrival at the intercept point, the
missile's on-board Ka-band seeker acquires the target, selects the optimal aim point and
initiates terminal guidance. The attitude control motors, located in the missile forebody, fire
explosively to refine the PAC-3 missile's course to assure direct body-to-body impact.

While there's something laughably absurd about a retail quadcopter taking on a surface-to-air
missile designed for full-scale war, the threat of weaponized drones is no joke. In recent
months, Islamic State fighters have used consumer-grade drones loaded with explosives to
attack Iraqi security forces and Western troops in Iraq.
One of the first strikes came in October, when a drone carrying munitions detonated at a
Kurdish and French position in northern Iraq, killing two soldiers and injuring two others. Dozens
of similar attacks have been carried out since the beginning of the year when the Islamic State
announced a new "Unmanned Aircraft of the Mujahideen" unit, as The Washington Post's Joby
Warrick has reported.
Still, the incident related by Perkins seemed to invite a degree of mockery.
"It is clearly enormous overkill," Justin Bronk, a researcher at the British defense think tank
Royal United Services Institute, told the BBC. But, he added, "it certainly exposes in very stark
terms the challenge which militaries face in attempting to deal with the adaptation of cheap and
readily available civilian technology with extremely expensive, high-end hardware designed for
state-on-state warfare."
Andrew Liptak of the Verge explained the drone-versus-Patriot problem by way of analogy.
"While a fly buzzing around is a nuisance," he wrote, "a fly swatter is a better solution than a
shotgun."
