Saturday, May 31, 2014

Cyber security and government surveillance updates May 31, 2014 -- “TrueCrypt is not secure,” official SourceForge page abruptly warns. Support for decade-old crypto program pulled, touching off Internet firestorm......... Cisco purchase of CIA-funded company may fuel distrust abroad. Few are talking about In-Q-Tel investment in ThreatGRID......... EFF Accuses the Government of Spoliation of Evidence......... Snowden interview: discussion/query of a classified Executive Order??? US cybercrime laws being used to target security researchers. Security researchers say they have been threatened with indictment for their work investigating internet vulnerabilities.........

Cyber security items.....

“TrueCrypt is not secure,” official SourceForge page abruptly warns

Support for decade-old crypto program pulled, touching off Internet firestorm.

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.
Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more details.
The SourceForge page, which was being served to people trying to view the project's pages, contained a new version of the program that, according to this "diff" analysis, appears to contain changes warning that the program isn't safe to use. Curiously, the new release also appeared to let users decrypt existing encrypted data but not create new volumes.
Significantly, TrueCrypt version 7.2 was signed with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that access on a prank. Alternatively, the post could mean that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers. A valid signature proves only that the key was used; it does not say who used it.
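One way to do the kind of triage the "diff" analysis above performed, as an added example (not code from Ars Technica, the TrueCrypt project or the linked analysis): hash every file in the last known-good tree and in the surprise release, list what was added, removed or modified, then pull out added lines that introduce warning text and removed lines that delete a capability. The two trees, their paths and function names are constructed stand-ins, not TrueCrypt sources, and the two regexes are assumptions about what to look for. The script gives you the change list; it does not tell you who made the change, which is the open question a valid signature leaves.

```python
"""Triage of an unexpected signed release by diffing it against the last known-good tree.

Added example, not code from Ars Technica, the TrueCrypt project or the linked
'diff' analysis. OLD_RELEASE and NEW_RELEASE are constructed stand-ins with made-up
paths and function names; no TrueCrypt sources are embedded.
"""
import difflib
import hashlib
import json
import re
from typing import Dict, List, Tuple

# Assumed patterns for what to look for; adjust per project.
WARNING_RE = re.compile(r"not secure|unfixed", re.I)       # newly added scare text
CAPABILITY_RE = re.compile(r"\bcreate_volume\b", re.I)      # an entry point the old build had


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_trees(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path across two {path: content} trees by content hash."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if sha256(old[p]) != sha256(new[p])),
    }


def changed_lines(old_text: str, new_text: str) -> Tuple[List[str], List[str]]:
    """Return (removed_lines, added_lines) for one file from a zero-context unified diff."""
    removed, added = [], []
    diff = list(difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                     lineterm="", n=0))
    for line in diff[2:]:            # diff[0:2] are the '---'/'+++' file headers
        if line.startswith("@@"):     # hunk marker, carries no content
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


def triage(old: Dict[str, bytes], new: Dict[str, bytes]) -> dict:
    """Summarise a surprise release: file-level changes, new warnings, dropped capabilities."""
    summary: dict = diff_trees(old, new)
    new_warnings: Dict[str, List[str]] = {}
    dropped: Dict[str, List[str]] = {}
    for path in summary["added"] + summary["modified"]:
        old_text = old.get(path, b"").decode("utf-8", "replace")
        removed, added = changed_lines(old_text, new[path].decode("utf-8", "replace"))
        hits = [ln for ln in added if WARNING_RE.search(ln)]
        if hits:
            new_warnings[path] = hits
        gone = [ln for ln in removed if CAPABILITY_RE.search(ln)]
        if gone:
            dropped[path] = gone
    for path in summary["removed"]:   # a deleted file drops everything it defined
        gone = [ln for ln in old[path].decode("utf-8", "replace").splitlines()
                if CAPABILITY_RE.search(ln)]
        if gone:
            dropped[path] = gone
    summary["new_warnings"] = new_warnings
    summary["dropped_capabilities"] = dropped
    return summary


# Constructed sample trees (not real TrueCrypt files).
OLD_RELEASE = {
    "README": b"Example disk encryption tool, version 1.0\n",
    "src/volume.c": b"int create_volume(const char *path) { return format(path); }\n"
                    b"int mount_volume(const char *path) { return attach(path); }\n",
    "src/crypto.c": b"int encrypt_block(void *buf) { return aes_xts(buf); }\n",
}
NEW_RELEASE = {
    "README": b"WARNING: Using this tool is not secure as it may contain unfixed security issues\n",
    "src/volume.c": b"int mount_volume(const char *path) { return attach(path); }\n",
    "src/crypto.c": b"int encrypt_block(void *buf) { return aes_xts(buf); }\n",
    "src/migrate.c": b"int migrate_volume(const char *path) { return copy_out(path); }\n",
}

if __name__ == "__main__":
    print(json.dumps(triage(OLD_RELEASE, NEW_RELEASE), indent=2))
```

Run it and the JSON summary shows the added migration file, the warning line in README and the dropped create_volume entry point. Before trusting any such release, verify the detached signature against the key fingerprint you recorded from an earlier release rather than a key fetched alongside the new one, and compare the archive hash against a copy obtained through an independent channel; the diff tells you what changed, the pinned key and second hash tell you whether to believe the changes came from the developers.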
In either case, it's a good idea for TrueCrypt users to pay attention and realize that it may be necessary to move to a new crypto app. Ars will continue to cover this unfolding story as more information becomes available.

Cisco purchase of CIA-funded company may fuel distrust abroad

Few are talking about In-Q-Tel investment in ThreatGRID

By Paul McNamara on Fri, 05/30/14 - 1:26pm.
The CIA's non-profit venture capital arm, In-Q-Tel, has been pumping millions of dollars into technology startups since its launch in 2000, meaning it's not the least bit unusual for major vendors to have acquired and assimilated one of these CIA-nurtured seedlings.
So what would make Cisco's recent acquisition of In-Q-Tel-backed security company ThreatGRID any more noteworthy than all the others?
You've probably seen the pictures of NSA employees apparently intercepting and bugging Cisco equipment, and read of the letter sent by Cisco CEO John Chambers to President Obama suggesting the obvious: that this kind of thing is bad for business.
In short, Cisco's acquisition of ThreatGRID is different because Cisco is today scrambling to counter the impression - especially abroad - that it is in league with the U.S. intelligence community, a charge it has always denied. And in this atmosphere of growing distrust, little distinction will be appreciated between our domestic and foreign spy agencies. Moreover, the connections between Cisco's new acquisition and U.S. intelligence are more than financial, they are familial, too, as we'll get to below.
As first noted by blogger Brad Reese, no mention was made of the CIA funding of ThreatGRID by those involved in announcing the deal last week. I was unable to find any mention of ThreatGRID on the In-Q-Tel website, though dozens of current and former funding recipients are listed.
So might real-world buyers even care about such a link?
"I think it's a reasonable proposition," says Zeus Kerravala, founder and principal analyst with ZK Research, and a contributor to Network World. "The fact remains, there's so much uncertainty today about who's watching what that it scares some customers. The uncertainty though should drive U.S. customers back to Cisco but give cause for concern for overseas ones. Either way, it doesn't help security sales for Cisco or really any company."
There's an element of bad timing at play here, too, as the deal was clearly in the works before those damaging pictures emerged and ThreatGRID received its CIA funding before the world had even heard of Edward Snowden.
From a May 28, 2013 story in CRN:
Dov Yoran, co-founder and CEO of ThreatGrid, an antimalware analysis platform that recently received In-Q-Tel funding, said the investment firm required a certain influence on the product road map. The funding ensures that the intelligence community not only gets the technology, but gets a product that is more refined for their needs, he said. ...
"In-Q-Tel helps you break that government veil of being an outsider looking in," Yoran said. "It benefits the company with not only larger exposure to potential clients, but real clients that are actually going to buy."
Also quoted in that CRN story was Yoran's brother, Amit Yoran, a senior vice president at RSA who in 2003 was appointed director of the Department of Homeland Security's National Cyber Security Division, a post he held for a year. In 2006, Amit Yoran served a four-month stint as CEO of In-Q-Tel.
A third brother, Elad Yoran, in addition to having 20 years of experience in the cyber security industry, has served as an advisor to the Department of Homeland Security and currently serves the FBI in that capacity.
The brothers did a televised interview with Fox News on Aug. 14, 2013 where they were introduced as "the self-proclaimed first family of cyber-security."
None of which should have anything to do with Cisco and its products.
Unless you're looking for a reason to suspect Cisco and its products.

EFF Accuses the Government of Spoliation of Evidence

I’ve written about these accusations in the past. EFF got a preservation order in its NSA lawsuits back in 2008. Only after the government asked for permission to destroy phone dragnet data earlier this year did they learn the government has been destroying data relevant to their various suits for years.
But now they’ve written an aggressive motion asking for sanctions.
There is now no doubt that the government defendants have destroyed evidence relevant to plaintiffs’ claims. This case concerns the government’s mass seizure of three kinds of information: Internet and telephone content, telephone records and Internet records. The government’s own declarations make clear that the government has destroyed three years of the telephone records it seized between 2006 and 2009; five years of the content it seized between 2007 and 2012; and seven years of the Internet records it seized between 2004 and 2011, when it claims to have ended those seizures.
By destroying this evidence, the government has hindered plaintiffs’ ability to prove with governmental evidence that their individual communications and records were collected as part of the mass surveillance, something the government has vigorously insisted that they must do, even as a threshold matter. Although plaintiffs dispute that the showing the government seeks is required, the government’s destruction of the best evidence that plaintiffs could use to make such a showing is particularly outrageous.
This is spoliation of evidence. A litigant has a clear legal duty to preserve evidence relevant to the facts of a case pending consideration by the court, and that duty requires preservation of all relevant evidence, defined as anything that is likely to lead to the discovery of admissible evidence. This duty is subject only to practical considerations, none of which the government has ever raised. Any private litigant who engaged in this behavior would be rightly sanctioned by the court; indeed many have been severely sanctioned for failure to preserve evidence in far less egregious circumstances.
This court has the power to order a broad range of remedies for spoliation, up to and including terminating sanctions. Plaintiffs here seek more modest relief: that the government be subject to an adverse inference that the destroyed evidence would have shown that the government has collected plaintiffs’ communications and communications records. Plaintiffs also request that the Court set a prompt hearing date on this matter in order to halt any ongoing destruction.
My favorite part — being a bit of a timeline wonk — is the timeline showing all the broad claims the government made to ensure state secrets would cover even activities authorized by FISA, interspersed with what data the NSA was destroying when.
Then there’s this lesson in warrantless wiretapping.
The government overreaches in trying to limit plaintiffs’ complaint. For example, the government tries to use the fact that plaintiffs often characterize the surveillance as “warrantless” as indicating that the complaint doesn’t reach surveillance conducted under the FISC. But this characterization is absolutely true even as to the FISC-authorized surveillance. Whatever the legal import of the FISC orders, they are unequivocally not full Fourth Amendment warrants, and the surveillance conducted under them is “warrantless.” Thus, this court was exactly correct in July 2013 when it stated that Plaintiffs’ claim is “that the federal government . . . conducted widespread warrantless dragnet communications surveillance of United States citizens following the attacks of September 11, 2001.”
Given all the things the government destroyed here — such as the US person phone data collected without the requisite First Amendment review, the Internet metadata that included content, the US person communications collected under upstream collection, and the EO 12333-collected metadata mingled with the PATRIOT-authorized data — they might well rather give EFF standing than produce all that data.

Snowden: “A Classified Executive Order”

NSA Authorities Timeline (image)
Yesterday, I noted that the subject of Edward Snowden's emailed question to NSA's Office of General Counsel pertained to one of the under-reported themes of his leaks: the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.
I'd like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA's Compliance folks).
Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. 
I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.
But note: Snowden says he asked about a “classified” EO.
EO 12333 is unclassified.
So there are two possibilities. First, that there's a classified EO, one that remains classified, that we don't know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).
That’s possible. But EO 12333 is the only EO referenced in USSID 18′s list of references.
USSID 18 References (image)
The other possibility is far more interesting.
As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).
Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.
The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.
But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date). And among other things, that now declassified annex permits the collection of US person data for 90 days so long as the Attorney General certifies that person is a foreign agent.
with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.
That is, NSA/CSS Policy 1-23, and the 25 year old classified annex to EO 12333 that was still classified and in place in April of last year (and for all we know, still today), permits wiretapping Americans on the very same terms the government used under the illegal wiretap program: AG approval for 90-day periods.
It also includes authority to do precisely what NSA tried to legalize in Dianne Feinstein's FakeFISAFix last year: wiretapping non-resident aliens who enter the US for 72 hours.
It permits the interception and dissemination of “Illicit Communications,” which I suspect would include encrypted communications.
It lays out a very broad definition of “significant foreign intelligence,” which as applied would mean the NSA could keep everything that might feasibly be helpful for foreign intelligence purposes (which is the standard we understand them to use).
[A]ny deliberate interception, selection or use of a selection term shall be deemed to constitute electronic surveillance; and “significant foreign intelligence” shall mean not only those items of information that are in themselves significant, but also items that are reasonably believed, based on the experience of the United States Signals Intelligence System, when analyzed together with other items, to make a contribution to the discovery of “significant foreign intelligence.”
It also includes language on dissemination that would seem to permit the government to disseminate communications it obtained from NatSec journalists.
the communication or information indicates that the United States person is engaged in the unauthorized disclosure of classified national security information;
In short, the now declassified classified annex to EO 12333 seems to permit a number of things — including wiretapping of Americans without a warrant — that FISA would seem to prohibit.
If this is the classified (annex to an) Executive Order that Snowden referred to, it would mean even NSA's compliance people were suggesting this language took precedence over FISA as recently as April of last year.
As I noted, both PCLOB and HPSCI were pushing, as recently as late March, to force the agencies to update their decades-old implementation procedures for EO 12333, which would seem to include this classified annex.
This document was declassified and released on November 18 of last year, less than a week after DiFi’s FakeFISAFix passed through the Senate Intelligence Committee. It was released along with some far more interesting documents (including several pertaining to the Internet Dragnet). Given that only one or two other people have even read the other documents associated with this release, I suspect almost no one read this annex. But it seems to have made quite clear that in implementing EO 12333, NSA created loopholes in the laws passed by Congress.
The same loopholes that almost led half of DOJ to quit in 2004.

US cybercrime laws being used to target security researchers

Security researchers say they have been threatened with indictment for their work investigating internet vulnerabilities
Industry experts are concerned that America's anti-hacking laws are being applied without proper discretion, leaving security researchers vulnerable to prosecution. Photograph: Epoxydude/fstop/Corbis
Some of the world’s best-known security researchers claim to have been threatened with indictment over their efforts to find vulnerabilities in internet infrastructure, amid fears American computer hacking laws are perversely making the web less safe to surf.
Many in the security industry have expressed grave concerns around the application of the US Computer Fraud and Abuse Act (CFAA), complaining law enforcement and lawyers have wielded it aggressively at anyone looking for vulnerabilities in the internet, criminalising work that’s largely benign.
They have also argued the law carries overly severe punishments, is too vague and does not consider context, only the action.
HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by US law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet.

'Law enforcement are killing careers'

Jeremiah Grossman, CEO of cyber research firm Whitehat Security, believes that the aggressive application of the law will lead to researchers quitting before they’ve found serious problems on the internet, leading to a degradation of its overall security.
“Right now they are probably killing careers, because they're not accounting for intent,” said Grossman.
“The chilling effect is on the problems we don't know about yet. The canaries in the coalmine? They just killed them all. So now we're going to suffer the consequences.”
The project that landed Moore in trouble, Critical.IO, uncovered some serious, widespread vulnerabilities, including one case where between 40 and 50 million network machines could have been compromised due to weaknesses in a network protocol, known as Universal Plug and Play (UPnP).
Yet US law enforcement continued to pursue Moore, even though he was transparent with his role and the reasons for his scanning, he claimed, without naming the government body that was responsible.
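For a sense of what an internet-wide UPnP survey like the one described actually collects, here is an added example (not Critical.IO's, Rapid7's or the Guardian's code): it builds the SSDP M-SEARCH datagram such a scanner sends to UDP port 1900 and parses the HTTP-style replies, tallying the SERVER header that identifies the UPnP stack on each responder, which is how a survey turns millions of replies into "N devices running stack X". The reply texts are constructed samples, the banner versions and addresses are illustrative, and the block opens no sockets; sending this probe to hosts you are not authorised to test is the sort of activity the researchers quoted here say has drawn legal threats.

```python
"""SSDP (UPnP discovery) probe builder and reply parser.

Added example; not the scanning project's own code. Builds the M-SEARCH datagram
a scanner sends to UDP/1900 and parses replies offline. No sockets are opened
here. SAMPLE_REPLIES are constructed, not captured scan data.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

SSDP_HOST = "239.255.255.250"   # UPnP multicast group; a survey unicasts the same probe per target
SSDP_PORT = 1900


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Return the M-SEARCH request; ST=ssdp:all asks a host to describe every service."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_ssdp_reply(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP/1.1 200 OK reply into upper-cased header names; None for anything else.

    NOTIFY announcements and malformed datagrams are rejected rather than guessed at,
    because a tally over scan output must not count noise as a responder.
    """
    text = datagram.decode("utf-8", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only: USN values contain colons
        if sep and name.strip():
            headers[name.strip().upper()] = value.strip()
    return headers


def tally_servers(replies: Iterable[bytes]) -> Counter:
    """Count responders per SERVER banner; this is how a survey groups exposed stacks."""
    counts: Counter = Counter()
    for datagram in replies:
        headers = parse_ssdp_reply(datagram)
        if headers is not None:
            counts[headers.get("SERVER", "<no SERVER header>")] += 1
    return counts


# Constructed sample replies. The first banner follows the format of a common
# open-source UPnP stack; version numbers are illustrative and the addresses are
# from the RFC 5737 documentation range.
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000001::upnp:rootdevice\r\n"
    b"\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.0.2.11:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000002::upnp:rootdevice\r\n"
    b"\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.0.2.12:5000/igd.xml\r\n"
    b"SERVER: Custom/1.0 UPnP/1.0 Proc/Ver\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n",
    # An unsolicited NOTIFY announcement: not a reply, must not be counted.
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n",
    b"garbage",
]

if __name__ == "__main__":
    print(build_msearch().decode())
    for banner, n in tally_servers(SAMPLE_REPLIES).most_common():
        print(f"{n:>4}  {banner}")
```

The SERVER banner is self-reported and trivially forged, so a count by banner is an upper bound on exposure, not a list of vulnerable hosts; confirming a weakness on any one responder needs the LOCATION description document and a test the owner has agreed to.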

'The law doesn't encourage experts with the skill to investigate threats'

Moore said the actions by law enforcement were partly responsible for him taking a break from the industry, from which he has just returned. But his biggest fears surround the overall effect on internet security.
“You need people who can get into the detail with these systems, people who know how to manipulate the technology to their advantage as a criminal would,” he added.
“You need these people to help users understand the threats, and to work with vendors to help them fix them. At the moment, the law doesn’t encourage this. It doesn’t make any distinction between bona fide research and criminal activity. It doesn’t help consumers understand their risk.”
Many other researchers are believed to have had similar issues. Zach Lanier, senior security researcher at Duo Security, said many of his team had “run into possible CFAA issues before in the course of research over the last decade”.

'We warned of a vulnerability - but they claimed we were hacking their systems'

Lanier said that after finding severe vulnerabilities in an unnamed “embedded device marketed towards children” and reporting them to the manufacturer, he received calls from lawyers threatening him with action.
"We had tried to work with them and sent them all the details," said Lanier. "When it finally got to the point that we were going to talk [publicly] about this... a lawyer called us. As is often the case with CFAA things when they go to court, the lawyers and even sometimes the technical people or business people don't understand what it is you actually did. There were claims that we were 'hacking into their systems'."
The threat of a CFAA prosecution forced Lanier and his team to walk away from the research.
"The looming threat of CFAA as ammunition for anyone to use willy-nilly was enough … and had a chilling effect on our research," Lanier added.
The people running organisations who wield CFAA aggressively when vulnerabilities are reported to them "probably don't really think about anything other than dollar signs", he said.
Current attempts at CFAA reform appear to be foundering. Researchers had hoped the case of Andrew “weev” Auernheimer would be useful in fighting for reform. Auernheimer was convicted under the CFAA for his part in publicising data belonging to iPad owners that had been obtained through a flaw in an AT&T website. But when Auernheimer succeeded in having his conviction overturned, it was because the court agreed the case should not have been heard in New Jersey, rather than because of any underlying problem with the nature of the CFAA.
Many are still hopeful Aaron’s Law, named after the late internet activist Aaron Swartz, who killed himself in 2013, will pass. Swartz’s family said the attempts to prosecute him under the CFAA, after he downloaded documents from the online resource JSTOR via a server at the Massachusetts Institute of Technology without proper authorisation, were partly to blame for his death. He was potentially facing 50 years in prison for what many considered a minor act.

Lawmakers want more severe penalties for hacking

The US Congresswoman Zoe Lofgren had not offered any comment at the time of publication on claims that Aaron’s Law would not be passing through the House or the Senate.
The digital rights lawyer Marcia Hoffman says Congress remains divided on the issue. After high-profile breaches, such as the hack of US retailing giant Target and alleged Chinese state-sponsored espionage of various American organisations, many want to see CFAA punishments made more severe.
“On one side of things there are members of Congress who say hacking is a big problem and what we ought to be doing is making penalties tougher. Then on the other side there are people saying the CFAA is not written in a way that is very clear, it's not entirely apparent what behaviour is legal under it and the last thing we should be doing is making penalties tougher.”
According to Hoffman, the wording of the CFAA makes it difficult to understand what is illegal. In particular, an internet user who “intentionally accesses a computer without authorisation or exceeds authorised access” is breaking the law, even though the statute never explains what authorisation actually is, Hoffman added. “Judges have been forced to figure out how one expresses authorisation.”
There are also worries that if CFAA were to be weakened in favour of the security industry, criminal hackers would simply claim in their defence they were carrying out research. Moore said there should be better ways to “define or prove what bona fide research is”.
“For example, is it the way you disclose the findings? Is it the type of information you access? This isn’t easy to solve, but it’s important and worth doing if we want to protect ourselves.”

This Won't Get Abused -- Right?
My Ghod, the stupid burns!
As many as 227 million Americans may be compelled to disclose intimate details of their families and financial lives -- including their Social Security numbers -- in a new national database being assembled by two federal agencies.
The Federal Housing Finance Agency and the Consumer Financial Protection Bureau posted an April 16 Federal Register notice of an expansion of their joint National Mortgage Database Program to include personally identifiable information that reveals actual users, a reversal of previously stated policy.
There's never going to be a federal agency that abuses this data, right?  Like, oh, the IRS?
Or the FBI?
Or...... any other politically-motivated agency?
Oh, and guess what -- since this is part of FHFA and CFPB, if you have a mortgage there will be no way out of being listed in it either.
Wanna finance a house?  Why sign right here Mr. and Mrs. American, disclosing your credit details, including what you spend and where, to the Federal Government on an ongoing and permanent basis, with your name and social security number attached.
Oh, and for good measure we know that this database will never, ever be hacked into either -- right?