EO 12333 Sharing Will Likely Expose Security Researchers Even More Via Back Door Searches

At Motherboard, I have a piece arguing that the best way to try to understand the Marcus Hutchins (MalwareTech) case is not from what we see in his indictment for authoring code that appears in a piece of Kronos malware sold in 2015. Instead, we should consider why Hutchins would look different to the FBI in 2016 (when the government didn’t arrest him while he was in Las Vegas) and 2017 (when they did). In 2016, he’d look like a bit player in a minor dark market purchase made in 2015. In 2017, he might look like a guy who had his finger on the WannaCry malware, but also whose purported product, Kronos, had been incorporated into a really powerful bot he had long closely tracked, Kelihos.

Hutchins’ name shows up in chats obtained in an investigation in some other district. Just one alias for Hutchins—his widely known “MalwareTech”—is mentioned in the indictment. None of the four or more aliases Hutchins may have used, mostly while still a minor, was included in the indictment, as those aliases likely would have been if the case in chief relied upon evidence gathered under them.

Presuming the government’s collection of both sets of chat logs predates the WannaCry outbreak, a search on Hutchins run after he sinkholed the ransomware would return both sets. So would anything else the FBI held on him at the time, such as other chat logs or email communications collected under Section 702 from providers like Yahoo, Google, and Apple; business records from those three providers are included in the discovery to be provided in Hutchins’ case. And such data would come up even if it showed no evidence of guilt on Hutchins’ part, so long as it might interest or alarm FBI investigators.

There is another known investigation that might elicit real concern (or interest) at the FBI if Hutchins’s name showed up in its internal Google search: the investigation into the Kelihos botnet, for which the government obtained a Rule 41 hacking warrant in Alaska on April 10 and announced the indictment of Russian Pyotr Levashov in Connecticut on April 21. Eleven lines describing the investigation in the affidavit for the hacking warrant remain redacted. In both its announcement of his arrest and in the complaint against Levashov for operating the Kelihos botnet, the government describes the Kelihos botnet loading “a malicious Word document designed to infect the computer with the Kronos banking Trojan.”

Hutchins has tracked the Kelihos botnet for years; he even attributes his job to that effort. He ran a Kelihos tracker for a period that extended past Levashov’s arrest, though it has gone dead since his own arrest. In other words, the government believes a later version of the malware it accuses Hutchins of having a hand in writing was, up until the months before the WannaCry outbreak, being deployed by a botnet he closely tracked.

There are a number of other online discussions Hutchins might have participated in that would come up in an FBI search (again, even putting aside more dated activity from when he was a teenager). Notably, the attack on two separate fundraisers for his legal defense by credit card fraudsters suggests that corner of the criminal world doesn’t want Hutchins to mount an aggressive defense.

All of which is to say that the FBI is seeing a picture of Hutchins that is vastly different from the one the public is seeing, whether from just the indictment and known facts about Kronos, or even from open source investigations into Hutchins’ past activity online.

To understand why Hutchins was arrested in 2017 but not in 2016, I argue, you need to understand what a back door search conducted on him in May would look like in connection with the WannaCry malware, not what the Kronos malware looks like as a risk to the US (it’s not a big one).

I also note, however, that in addition to the things FBI admitted they searched on during their FBI Google searches — Customs and Border Protection data, foreign intelligence reports, FBI’s own case files, and FISA data (both traditional and 702) — there’s something new in that pot: data collected under EO 12333 shared under January’s new sharing procedures.

That data is likely to expose a lot more security researchers for behavior that looks incriminating. That’s because FBI is almost certainly prioritizing asking NSA to share criminal hacker forums — where security researchers may interact with people they’re trying to defend against in ways that can look suspicious if reviewed out of context. That’s true, first of all, because many of those forums (and other dark web sites) are overseas, and so are more accessible to NSA collection. The crimes those forums facilitate definitely impact US victims. But criminal hacking data — as distinct from hacking data tied to a group that the government has argued is sponsored by a nation-state — is also less available via Section 702 collection, which as far as we know still limits cybersecurity collection to the Foreign Government certificate.

If I were the FBI I would have used the new rules to obtain vast swaths of data sitting in NSA’s coffers to facilitate cybersecurity investigations.

So among the NSA-collected data we should expect the FBI to have newly obtained in raw form in January is data from criminal hacking forums. Indeed, new dark web collection may have facilitated FBI’s rather impressive global bust of several dark web marketplaces this year. (The sharing also means FBI will no longer have to go to the same lengths to launder such data when it targets child pornography sites, as it appears to have done in the PlayPen case.)

As I think is clear, such data will be invaluable for FBI as it continues to fight online crime that operates internationally. But because back door searches happen out of context, at a time when the FBI may not really understand what it is looking at, it also risks exposing security researchers in new ways to FBI’s scrutiny.


The UK’s New Revolving Door Hacker Prosecution

Given that I talk a lot about Lauri Love and Marcus Hutchins’ treatment vis-à-vis the UK’s willingness to ship them to the US to be tried for hacking charges that could be tried at home, I wanted to flag what happened to Daniel Kaye, who got extradited back to his native UK to face charges of launching attacks with the Mirai botnet.

His extradition to the UK is actually a return trip, after having been arrested in the UK in February and shipped to Germany in March to face charges there.

Kaye, meanwhile, was arrested on February 22 at London-area Luton Airport by the NCA at the request of Germany’s BKA (see British Cops Bust Suspected German ISP Mirai Botnet Hacker). In March, he was extradited to Germany.

Appearing last month at a court in Cologne, Kaye pleaded guilty to infecting 1.25 million Deutsche Telekom routers with Mirai malware. He also pleaded guilty to launching attacks designed to infect devices with Mirai malware for the purpose of selling stresser/booter services – aka distributed denial-of-service attacks.

[snip]

Last month, Kaye was given a suspended sentence – of one year and eight months – by the German court after he pleaded guilty to related charges, characterizing what he’d done as being “the worst mistake of my life,” Agence France Presse reported.

Now Kaye is being extradited back home to face charges that he attacked Lloyds, too.

Kaye is due to appear Thursday in Westminster Magistrates’ Court in London to face nine charges against him under the U.K. Computer Misuse Act, as well as two charges of blackmail and one relating to possession of criminal property, an NCA spokesman tells Information Security Media Group.

Kaye has also been charged with having allegedly “endangered human welfare with an alleged cyberattack against Lonestar MTN,” which is the biggest internet provider in the West African coastal republic of Liberia, which has a population of nearly 5 million, NCA says (see Liberia Latest Target for Mirai Botnet).

The NCA says it filed charges against Kaye following a complex investigation that involved assistance from Germany’s BKA, the Federal Criminal Police Office of Germany.

So … arrest in the UK, sent to Germany to receive a suspended sentence there, now shipped back home to face even more charges.

Here’s why that’s interesting, though:

[S]ecurity experts say Kaye has also been tied to attacks launched by a hacker who has used the handles “Peter Parker,” “Spiderman,” “BestBuy,” “Popopret” and “Spidr,” and that he also appears to be the author of the remote-access Trojan and keylogger called GovRAT.

Security firm InfoArmor says GovRAT has been sold on darknet forums since 2014.

It’s an obvious question why Germany was willing to let this guy go back to the UK to face another set of charges that don’t, however, reach his alleged extensive involvement in creating the tools other hackers use.

In his July post reporting on Kaye’s suspended sentence, Brian Krebs noted that no one has gone after the authors of the Mirai botnets yet.

In January 2017, this blog published the results of a four-month investigation into who was likely responsible not only for writing Mirai, but for leaking the source code for the malware — spawning dozens of competing Mirai botnets like the one that Kaye built. To my knowledge, no charges have yet been filed against any of the individuals named in that story.

Shortly after that, though, Krebs wrote a post successfully IDing Kaye, noting many of the things alluded to in the ISMG article on Kaye, as well as Spider’s ties to the Israelis who attacked his own site.

Interestingly, both of these email addresses — [email protected] and [email protected] — were connected to similarly-named user accounts at vDOS, for years the largest DDoS-for-hire service (that is, until KrebsOnSecurity last fall outed its proprietors as two 18-year-old Israeli men).

He also included the curious detail that Spider (Kaye) had been accused of sharing his vDOS account when he traveled overseas.

The technical support logs from vDOS indicate that the reason the vDOS database shows two different accounts named “bestbuy” is the vDOS administrators banned the original “bestbuy” account after it was seen logged into the account from both the UK and Hong Kong. Bestbuy’s pleas to the vDOS administrators that he was not sharing the account and that the odd activity could be explained by his recent trip to Hong Kong did not move them to refund his money or reactivate his original account.

All of which is to say that Kaye appears to have been deep in a number of other key networks, on top of using Mirai against an ISP in Germany, a bank in the UK, and an ISP in Liberia. Which probably explains why Kaye has been on such an interesting revolving door trip through two of Europe’s legal systems, all for charges that don’t get at a fraction of the stuff he is alleged to have been involved with.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner Claims NSA’s Collection on Russians Had Already Been Compromised

I guess today is Reality Winner day.

As Trevor Timm describes, Winner is trying to get comments she made in an interview with the FBI thrown out, arguing she was for legal purposes in custody yet did not receive a Miranda warning. In support of that argument, she submitted a declaration describing what happened to her that day — basically how 10 male FBI agents showed up to search her house, with two taking her to a back room to interrogate her.

In addition to all the details about how many male FBI agents there were and how they had her stand in the fenced yard when they were done interrogating her, she describes how she answered when they asked whether she believed she had compromised sources and methods.

16. Law enforcement specifically asked me whether I believed the disclosure of the document compromised the “sources and methods” contained in the document, to which I advised that it was likely those “sources and methods” had already been compromised.

17. I specifically told law enforcement that, “whatever we were using had already been compromised, and that this report was just going to be like a one drop in the bucket.”

Critics will argue that this wasn’t Winner’s operational judgment to make, though it does reveal that even in this interview, she attested that she didn’t think her leak would damage intelligence.

But I’m interested in her claim that these collection points were already burned.

While many people complain that the IC has withheld too much information about the Russian hack, there are some details that have been released that are downright surprising. Sure, we don’t know who leaked the Steele dossier, but it may have led to the exposure (and possible execution) of his sources. We do know, however, that DOJ itself revealed (in the Yahoo indictment) that it collected email conversations of FSB officers among themselves. We’ve heard vague reporting, too, that Russians figured out they were tapped and went silent accordingly. One early report I got about Russia’s involvement in the DNC hack explained that the suspected hackers rolled up a good deal of their infrastructure after it was exposed.

But Winner (who’s an analyst, remember, not a technical person) claims with apparent confidence that “whatever we were using had already been compromised.”

Which raises the question whether that claim is based on actual knowledge of how the Russians were responding to our spying.


NYT’s Churlish Vote Hacking Story Should Name Reality Winner

NYT has a story reporting that there has been almost no forensic analysis to find out whether Russian attempts to tamper with localized voting infrastructure had any effect on the election.

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

It’s a worthwhile story that advances the current knowledge about these hacks in several ways. It reveals that several other election services companies got breached.

Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

It reveals that a local investigation (which had already been reported) into one county that used VR Systems, Durham, North Carolina, did not conduct the forensic analysis necessary to rule out a successful hack.

In Durham, a local firm with limited digital forensics or software engineering expertise produced a confidential report, much of it involving interviews with poll workers, on the county’s election problems. The report was obtained by The Times, and election technology specialists who reviewed it at the Times’ request said the firm had not conducted any malware analysis or checked to see if any of the e-poll book software was altered, adding that the report produced more questions than answers.

And it describes other counties that experienced the same kind of poll book irregularities that Durham had.

In North Carolina, e-poll book incidents occurred in the counties that are home to the state’s largest cities, including Raleigh, Winston-Salem, Fayetteville and Charlotte. Three of Virginia’s most populous counties — Prince William, Loudoun, and Henrico — as well as Fulton County, Georgia, which includes Atlanta, and Maricopa County, Arizona, which includes Phoenix, also reported difficulties. All were attributed to software glitches.

That said, the headline and the second framing paragraph (following the “After a presidential campaign scarred by Russian meddling” one above) suggest no one else has been looking at this question.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found.

That’s particularly churlish given that NYT’s story so closely resembles a superb NPR story published on August 10.

Both stories focus on Durham County, NC. Both stories start with an extended description of how things went haywire as people showed up to vote. Both rely heavily on someone who worked Election Protection’s help lines on election day, Susan Greenhalgh.

It’s not just NPR. One of NYT’s other premises, that no one knew how many states were affected, was reported back in June by Bloomberg (which gave an even higher number for the total of states affected). Another detail — that local officials still don’t know whether they’ve been hacked because they don’t have clearance — has been reported by Motherboard and NPR, among others.

And, like both the NPR Durham story and the Bloomberg one, NYT also invokes the Intercept’s report on this from June.

Details of the breach did not emerge until June, in a classified National Security Agency report leaked to The Intercept, a national security news site.

But unlike Bloomberg (and like NPR) NYT doesn’t mention that Reality Winner is in jail awaiting trial, accused of having leaked that document (as I noted about the Bloomberg article, it’s highly likely the multiple “current and former government officials” who served as sources for this story won’t face the same plight Winner is).

I get that outlets may have a policy against naming someone in a case like this. But if you’re going to claim people aren’t paying attention to this issue, it’s the least you can do to actually inform readers that someone risked her freedom to bring attention to the matter, and the government has successfully convinced a judge to prohibit her from even discussing why leaking the document was important.

By all means, let’s have more analysis of whether votes were affected. But let’s make sure the people who are actually trying to generate more attention get the credit they deserve.


MalwareTech’s Case Gets Complex

Today, prosecutor Michael Chmelar and Marcus Hutchins’ lawyers, Marcia Hofmann and Brian Klein, had a phone meeting with judge Nancy Johnson.

Hutchins’ lawyers got the judge to agree to further loosen his bail terms (putting him on a curfew rather than house arrest, it appears). But, after agreeing willingly to most requests last week, the government is now objecting to the change, asking for a stay and reconsideration. Recall, too, that AUSA Michael Chmelar had tacitly agreed to have Hutchins taken off GPS monitoring. We will likely see the substance of their complaint in a motion in the coming days.

The other thing that happened — again, as I reported would happen here — the case got deemed complex, meaning the trial can be delayed without a violation of the Speedy Trial Act. The minutes describe the judge’s approval of the motion for these reasons.

Based on the information presented here, the nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter COMPLEX.

The most interesting detail here is that independent testing may be required. Probably — especially given researchers are already raising doubts — Hutchins’ lawyers are going to get outside experts to check the government claims that the code sold in Kronos came from Hutchins.

Another detail from the minutes is that Hutchins’ lawyers object to the redaction of the indictment.

The Government gives background of this case and notes that defendant Hutchins is the only party to appear thus far.

[snip]

The defense notes that it objects to the redaction of the Indictment.

The WI courthouse already accidentally revealed the name of Hutchins’ co-defendant, Tran.

In spite of some effort, no one I’ve seen has identified a likely (and sufficiently interesting) co-defendant whose last name is Tran — or a connection between that name and VinnyK, the name currently associated with selling the malware. Presumably, if the co-defendant’s aliases were unsealed, it would be easier for researchers to understand what Hutchins has been accused of, and who he has been accused of conspiring with.

As for the discovery, some of that was provided in the minutes. As I noted, the government turned over Hutchins’ custodial interview (curiously, the minutes don’t specify that they were with the FBI) and the recordings of two calls.

 The government will be following its open file policy. To date, the defendant has provided the defense with the following:

– 1 CD with post arrest statements

– CD with 2 audio recordings from the county jail in Nevada. (The government is awaiting a written transcript from the FBI.)

Here’s what’s left to discovery, with my comments interspersed.

In addition, there are:

– 150 pages of Jabber chats between the defendant and an individual (somewhat redacted).

Were these encrypted or group chats? If the former, via what means did FBI decrypt them? Did someone hand them over to the FBI?

– Business records from Apple, Google and Yahoo.

These would be accessible via Section 702 (though, given the lack of a FISA notice, would likely have been backstopped via subpoena if they were collected via 702).

– Statements (350 pages) to the defendant from another internet forum which were seized by the government in another District.

The government provides no details on what the location (US or overseas) of this forum is — and they describe it as statements to Hutchins rather than statements by him. But their existence shows that another District had enough interest in some conversations Hutchins happened to be involved in that they collected — via whatever means — this forum.

– 3-4 samples of malware

At a minimum, the government needs 3 pieces of malware: Kronos before Hutchins allegedly updated it, Kronos after he did, and the version of Kronos that got sold. Apparently, the government hasn’t decided how many versions they’ll give the defense. And all that still leaves the question of victims; to prove that anything Hutchins did affected any Americans they might need more malware.

In part for that reason, I suspect independent researchers will continue to look for their own publicly available samples.

– A search warrant executed on a third party which may contain some privileged information.

As with the other forum, this suggests the FBI or some other agency was interested enough in another case — or a corporation — such that some kind of privilege might apply. This could, in fact, be a victim.
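On the independent-testing point raised above: one check an outside expert could run on the three samples the government needs (Kronos before the alleged update, after it, and as sold) is whether the binaries share byte-identical code regions, and whether any shared region also turns up in publicly available code, since a region that also appears in public code shows reuse, not authorship. The following is an added example, not code from this post, from the defense, or from the case file; the window length, the two sample blobs and the “public library” blob are constructed stand-ins, not Kronos.

```python
# Added example, not code from the original post or from the Hutchins
# case file. It shows a minimal shared-code check between two binaries:
# find byte-identical runs, then ask whether each run also appears in a
# corpus of public code. All sample bytes and the "public library" blob
# below are constructed stand-ins.
from typing import Dict, List, Tuple

K = 16  # window length in bytes; an assumption, chosen for these toy blobs


def shared_regions(a: bytes, b: bytes, k: int = K) -> List[Tuple[int, int, int]]:
    """Return maximal byte-identical runs shared by a and b.

    Each run is (offset_in_a, offset_in_b, length). Every k-byte window of
    b is indexed; each window of a is looked up; adjacent matching windows
    are merged into one run, so a 33-byte shared chunk reports once rather
    than once per window.
    """
    index: Dict[bytes, List[int]] = {}
    for j in range(len(b) - k + 1):
        index.setdefault(b[j:j + k], []).append(j)

    pairs = set()
    for i in range(len(a) - k + 1):
        for j in index.get(a[i:i + k], ()):
            pairs.add((i, j))

    runs = []
    for i, j in sorted(pairs):
        if (i - 1, j - 1) in pairs:
            continue  # inside a run that started one byte earlier
        n = 1
        while (i + n, j + n) in pairs:
            n += 1
        runs.append((i, j, k + n - 1))
    return runs


def classify_regions(a: bytes, b: bytes, public: List[bytes], k: int = K):
    """Tag each shared run with whether it also appears in public code.

    A run found in the public corpus shows reuse, not authorship. Only runs
    absent from it are candidates for a "this code came from X" claim, and
    even those only show that the two samples share code.
    Returns (offset_in_a, offset_in_b, length, in_public).
    """
    out = []
    for i, j, length in shared_regions(a, b, k):
        chunk = a[i:i + length]
        out.append((i, j, length, any(chunk in blob for blob in public)))
    return out


# Constructed stand-ins: a widely reused routine and a distinctive chunk,
# placed in different positions with different padding in each sample.
PUBLIC_LIB = b"LIB:memcpy-unrolled-fedcba9876543210"   # 36 bytes
AUTHOR_CHUNK = b"HOOK:detour-stub-0123456789abcdef"     # 33 bytes
SAMPLE_EARLY = b"EARLYHDR" + AUTHOR_CHUNK + b"\x00" * 8 + PUBLIC_LIB + b"tail-one"
SAMPLE_SOLD = b"SOLDHDR!" + PUBLIC_LIB + b"\x90" * 12 + AUTHOR_CHUNK + b"tail-two"

if __name__ == "__main__":
    for i, j, length, in_public in classify_regions(SAMPLE_EARLY, SAMPLE_SOLD, [PUBLIC_LIB]):
        tag = "also in public code (reuse, not attribution)" if in_public else "not in public corpus"
        print(f"early+{i:<4} sold+{j:<4} {length:>3} bytes  {tag}")
```

Run stand-alone, it reports two shared runs: the distinctive chunk, which is absent from the constructed public corpus, and the library routine, which is in it. On real samples the window would be longer, matching would be done on disassembled functions rather than raw bytes (to survive relinking and compiler differences), and the corpus would be whatever published code is actually in question; a run absent from public code is still only evidence that the samples share code, not evidence of who wrote it.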

All of that is what led the defense to request (after the government already said it would do the same, having initially said this wouldn’t be a complex case) that this should be deemed complex, in part so Hutchins’ team can have a couple of months to review what they’re looking at.

The parties agree that the case should be designated as complex. Information is still being obtained from multiple sources. The issues are complex[.] The defendant requests 45-60 days in which to review the discovery. The government notes that it is in agreement with the request.

So it’s a complex case and it’ll drag on until such time as the government gets more coercive to get whatever it is they’re after or they drop the case.


A Tale of Two Malware Researchers: DOJ Presented Evidence Yu Pingan Knew His Malware Was Used as Such

The government revealed the arrest in California of a Chinese national, Yu Pingan, who is reportedly associated with the malware involved in the OPM hack.

The complaint that got him arrested, however, has nothing to do with the OPM hack. Rather, it involves four US companies (none of which are in the DC area), at least some of which are probably defense contractors.

Company A was headquartered in San Diego, California, Company B was headquartered in Massachusetts, Company C was headquartered in Los Angeles, California, and Company D was headquartered in Arizona.

Yu is introduced as a “malware broker.” But deep in the affidavit, the FBI describes Yu as running a site selling malware as a penetration testing tool.

UCC #1 repeatedly obtained malware from YU. For example, on or about March 3, 2013, YU emailed UCC #1 samples of two types of malware: “adjesus” and “hkdoor.” The FBI had difficulty deciphering adjesus, but open source records show that it was previously sold as a penetration testing tool (which is what legitimate security researchers call their hacking tools) on the website penelab.com. Part of the coding for the second piece of malware, hkdoor, indicated that “Penelab” had created it for a customer named “Fangshou.” Seized communications and open source records show that YU ran the penelab.com website (e.g., he used his email address and real name to register it) and that UCC #1 used the nickname “Fangshou.”

For that reason — and because Yu was arrested as he arrived in the US for a conference — a few people have questioned whether a fair comparison can be made between Yu and Marcus Hutchins, AKA MalwareTech.

It’s an apples to oranges comparison, as DOJ rather pointedly hasn’t shared the affidavit behind Hutchins’ arrest warrant, so we don’t have as much detail on Hutchins. That said, Hutchins’ indictment doesn’t even allege any American victims, whereas Yu’s complaint makes it clear he (or his malware) was involved in hacking four different American companies (and yet, thus far, Yu has been charged with fewer crimes than Hutchins has).

In any case, at least what we’ve been given shows a clear difference. Over a year before providing Unindicted Co-Conspirator 1 two more pieces of malware, the complaint shows, UCC #1 told Yu he had compromised Microsoft Korea’s domain.

YU and UCC #1 ‘s communications include evidence tying them to the Sakula malware. On or about November 10, 2011, UCC #1 told YU that he had compromised the legitimate Korean Microsoft domain used to download software updates for Microsoft products. UCC #1 provided the site http://update.microsoft.kr/hacked.asp so YU could confirm his claim. UCC #1 explained that he could not use the URL to distribute fraudulent updates, but the compromised site could be used for hacking attacks known as phishing.

So unlike in Hutchins’ case, DOJ has provided evidence (and there’s more in the affidavit) that Yu knew he was providing malware to hack companies.

Indeed, unless the government has a lot more evidence against Hutchins (more on that in a second), it’s hard to see why they’ve been charged with the same two crimes, Conspiracy to violate CFAA and CFAA.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Within 90 days of enactment (and within 30 days of any substantive change in policy), it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in timely fashion, so disclosing them may not make end users any safer.

The annual report would carry an unclassified appendix giving aggregate numbers on disclosed vulnerabilities, both government-wide and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?


SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

(a) Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).
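As an added illustration, not part of the bill or of this post, here is what the unclassified appendix in sec. 604(b)(2)(C) amounts to as a computation: classify each disclosed vulnerability as patched, unpatched-and-overdue (more than 180 days), or still pending; compute the average time to patch; and bucket each vendor's patched disclosures into 30-day increments. The record layout, vendor names, dates and function names are this example's own assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical disclosure record: one vulnerability the IC disclosed to a
# vendor under the VEP. Field names are this example's own, not the bill's.
@dataclass(frozen=True)
class Disclosure:
    vuln_id: str              # internal tracking id (hypothetical)
    vendor: str
    disclosed: date           # sec. 604(b)(2)(A): date disclosed to the vendor
    patched: Optional[date]   # sec. 604(b)(2)(B): date the fix shipped, or None

UNPATCHED_THRESHOLD_DAYS = 180   # sec. 604(b)(1)(C)(ii)
BUCKET_DAYS = 30                 # sec. 604(b)(2)(C)(ii)


def days_to_patch(d: Disclosure, as_of: date) -> int:
    """Days from disclosure to patch, or days elapsed so far if still unpatched."""
    end = d.patched if d.patched is not None else as_of
    return (end - d.disclosed).days


def classify(d: Disclosure, as_of: date) -> str:
    """Map a disclosure onto the categories of sec. 604(b)(1)(C).

    'patched' -> (C)(i); 'overdue' -> (C)(ii) (unpatched, more than 180 days);
    'pending' -> unpatched but within 180 days, so not yet reportable under (C).
    """
    if d.patched is not None:
        return "patched"
    if days_to_patch(d, as_of) > UNPATCHED_THRESHOLD_DAYS:
        return "overdue"
    return "pending"


def bucket_label(days: int) -> str:
    """30-day increment containing `days`: '0-30', '31-60', '61-90', ..."""
    idx = max(0, (days - 1) // BUCKET_DAYS)   # day 0..30 -> 0, day 31..60 -> 1
    low = idx * BUCKET_DAYS + 1 if idx else 0
    return f"{low}-{(idx + 1) * BUCKET_DAYS}"


def unclassified_appendix(records: List[Disclosure], as_of: date) -> dict:
    """Aggregate numbers sec. 604(b)(2)(C) asks for, with no per-vuln detail."""
    patched = [r for r in records if classify(r, as_of) == "patched"]
    overdue = [r for r in records if classify(r, as_of) == "overdue"]
    avg = (sum(days_to_patch(r, as_of) for r in patched) / len(patched)) if patched else None
    by_vendor: Dict[str, Dict[str, int]] = {}
    for r in records:
        hist = by_vendor.setdefault(r.vendor, {"disclosed": 0, "overdue": 0})
        hist["disclosed"] += 1
        cat = classify(r, as_of)
        if cat == "patched":
            label = bucket_label(days_to_patch(r, as_of))
            hist[label] = hist.get(label, 0) + 1
        elif cat == "overdue":
            hist["overdue"] += 1
        # 'pending' records count as disclosed but land in no bucket yet
    return {
        "disclosed": len(records),
        "patched": len(patched),
        "overdue_unpatched": len(overdue),
        "avg_days_to_patch": avg,
        "by_vendor": by_vendor,
    }


# Constructed sample data (hypothetical vendors and dates).
AS_OF = date(2017, 12, 31)
SAMPLE = [
    Disclosure("V-1", "VendorA", date(2017, 1, 10), date(2017, 2, 1)),   # 22 days
    Disclosure("V-2", "VendorA", date(2017, 3, 1), date(2017, 5, 15)),   # 75 days
    Disclosure("V-3", "VendorB", date(2017, 2, 1), None),                # 333 days, overdue
    Disclosure("V-4", "VendorB", date(2017, 9, 1), None),                # 121 days, pending
    Disclosure("V-5", "VendorB", date(2017, 4, 1), date(2017, 4, 1)),    # same-day fix
]


def sample_report() -> dict:
    """The appendix computed over the constructed sample, for a quick check."""
    return unclassified_appendix(SAMPLE, AS_OF)


if __name__ == "__main__":
    print(sample_report())
```

The one edge the bill's text leaves implicit is the third state: a vulnerability disclosed within the last 180 days and not yet patched is neither (C)(i) nor (C)(ii), so it inflates the "disclosed" total without appearing in any vendor's 30-day histogram. A reader of the appendix who wants to judge a vendor's responsiveness needs the per-vendor "disclosed" count alongside the buckets for exactly that reason.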


Senate Intelligence Bill Aims to Label WikiLeaks — and Maybe the Journalists Who Look Like Them — Spooks

I’m reading the draft Senate Intelligence Authorization for 2018; in a follow-up, I will lay out why it is a remarkably useful bill, particularly in the way it addresses vulnerabilities identified in the wake of the Russian efforts to tamper with our election.

But there is a major point of concern, one which led Senator Ron Wyden to vote against the bill in committee. Attached to a must-pass bill, it holds that it is the sense of Congress that WikiLeaks resembles a non-state hostile intelligence service.

SEC. 623. SENSE OF CONGRESS ON WIKILEAKS.

It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States.

In explaining his opposition to the provision, Wyden laid out all the unintended consequences that might come from labeling WikiLeaks a hostile intelligence service. “My concern is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, constitutional, and policy implications, particularly should it be applied to journalists inquiring about secrets,” stated Senator Wyden. “The language in the bill suggesting that the U.S. government has some unstated course of action against ‘non-state hostile intelligence services’ is equally troubling. The damage done by WikiLeaks to the United States is clear. But with any new challenge to our country, Congress ought not react in a manner that could have negative consequences, unforeseen or not, for our constitutional principles. The introduction of vague, undefined new categories of enemies constitutes such an ill-considered reaction.”

Wyden has a point. If WikiLeaks is treated as an intelligence service, for example, then anyone having extensive conversations with them can be targeted for surveillance. Any assistance someone gives — like donations — can be deemed a potential criminal violation. And a lot of people who access and support WikiLeaks because of the content it publishes may be deemed suspect.

Wyden did find other things in the bill to praise, including three things he sponsored, two of them explicitly tied to the Russian threat:

  1. A report on the threat to the United States from Russian money laundering. The amendment calls on intelligence agencies to work with elements of the Treasury Department’s Office of Terrorism and Financial Intelligence, such as the Financial Crimes Enforcement Network (FinCEN), to assess the scope and threat of Russian money laundering to the United States.
  2. Requires Congressional notification before the establishment of any U.S.-Russia cybersecurity unit, including a report on what intelligence will be shared with the Russians, any counterintelligence concerns, and how those concerns would be mitigated.
  3. A report from the Intelligence Community on whether cyber security vulnerabilities in the U.S. cell network, including known vulnerabilities to SS7, are resulting in foreign government surveillance of Americans. The report follows on a study by the Department of Homeland Security that found major, widespread weaknesses in U.S. mobile networks.

But he nevertheless voted against the bill to register his concerns about the new label for WikiLeaks.

The WikiLeaks language would sure make it harder for Trump to exchange information with Julian Assange in exchange for a pardon. But tacking this onto such an otherwise useful bill seems like a bad idea.


Government Aims to Protect Other Ongoing Investigations in MalwareTech Case

In its request for a protection order governing discovery materials turned over to the defense in the Marcus Hutchins/MalwareTech case, the government provided this explanation of things it needed to keep secret.

The discovery in this matter may include information related to other ongoing investigations, malware, and investigative techniques employed by the United States during its investigation of Mr. Hutchins and others.

The government will always aim to protect investigative techniques — though in an international case investigating hackers, those techniques might well be rather interesting. Of particular interest, the government wants to hide techniques it may have used against Hutchins … and against others.

The government’s claim it needs to hide information on malware will disadvantage researchers who are analyzing the Kronos malware in an attempt to understand whether any code Hutchins created could be deemed to be original and necessary to the tool. For example, Polish researcher hasherezade showed that the hooking code Hutchins complained had been misappropriated from him in 2015, when the government claims he was helping his co-defendant revise Kronos, was not actually original to him.

The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet that cybercriminals had stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, which made us suspect that this part of Kronos could indeed be based on his ideas. However, it turned out that this technique was described much earlier (i.e. here, thanks to @xorsthings for the link), and both authors learned it from other sources rather than inventing it.

Hasherezade may well have proven a key part of the government’s argument wrong here. Or she may be missing some other piece of code the government claims comes from Hutchins. By hiding any discussion of what code the government is actually looking at, though, the protective order prevents the security community from definitively undermining the government’s claims, at least before trial.

Finally, there’s the reference to other, ongoing investigations.

One investigation of interest might be the Kelihos botnet. In the April complaint against Pyotr Levashov, the government claimed that the Kelihos botnet had infected victims with Kronos malware.

In addition to using Kelihos to distribute spam, the Defendant also profits by using Kelihos to directly install malware on victim computers. During FBI testing, Kelihos was observed installing ransomware onto a test machine, as well as “Vawtrak” banking Trojan (used to steal login credentials used at financial institutions), and a malicious Word document designed to infect the computer with the Kronos banking Trojan.

Unlike known uses of Kronos by itself, Kelihos is something that has victimized people in the United States; the government has indicted and is trying to extradite Pyotr Levashov in that case. So that may be one investigation the government is trying to protect.

It’s also possible that the government is investigating allegations Hutchins engaged in other criminal activity, activity that would more directly implicate him in criminal hacking, in an effort to pressure him to take a plea deal. There’s little (aside from statutes of limitation) to prevent the government from doing that, and its decision to newly declare the case complex may suggest it is holding out the threat of more damaging superseding indictments against Hutchins, if it can substantiate those allegations.

Finally, there’s WannaCry. As I noted, while the government lifted some of the more onerous bail conditions on Hutchins, they added the restriction that he not touch the WannaCry sinkhole he set up in May. The reference to ongoing investigations may suggest the government will be discussing aspects of that investigation with Hutchins’ defense team, but wants to hide those details from the public.

Update: I’ve corrected the language regarding Kelihos to note that this doesn’t involve shared code. h/t ee for finding the reference.


Dana Rohrabacher Brokering Deal for Man Publishing a CIA Exploit Every Week

Yesterday, right wing hack Charles Johnson brokered a three hour meeting between Dana Rohrabacher and Julian Assange. At the meeting, Assange apparently explained his proof that Russia was not behind the hack of the DNC. In a statement, Rohrabacher promises to deliver what he learned directly to President Trump.

Wikileaks founder Julian Assange on Wednesday told Rep. Dana Rohrabacher that Russia was not behind leaks of emails during last year’s presidential election campaign that damaged Hillary Clinton’s candidacy and exposed the inner workings of the Democratic National Committee.

The California congressman spent some three hours with the Australian-born fugitive, now living under the protection of the Ecuadorian embassy in the British capital.

Assange’s claim contradicts the widely accepted assessment of the U.S. intelligence community that the thousands of leaked emails, which indicated the Democratic National Committee rigged the nomination process against Sen. Bernie Sanders in favor of Clinton, were the result of hacking by the Russian government or persons connected to the Kremlin.

Assange, said Rohrabacher, “emphatically stated that the Russians were not involved in the hacking or disclosure of those emails.” Rohrabacher, who chairs the House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats, is the only U.S. congressman to have visited the controversial figure.

The conversation ranged over many topics, said Rohrabacher, including the status of Wikileaks, which Assange maintains is vital to keeping Americans informed on matters hidden by their traditional media. The congressman plans to divulge more of what he found directly to President Trump.

I’m utterly fascinated that Assange has taken this step, and by the timing of it.

It comes not long after Rod Wheeler’s lawsuit alleging that Fox News and the White House worked together to invent a story that murdered DNC staffer Seth Rich was in contact with WikiLeaks. Both that story and this one have been promoted aggressively by Sean Hannity.

It comes in the wake of the VIPS letter that — as I’ve begun to show — in no way proves what it claims to prove about the DNC hack.

It comes just after a very long profile by the New Yorker’s Raffi Khatchadourian, who has previously written more sympathetic pieces about Assange. I have a few quibbles with the logic behind a few of the arguments Khatchadourian makes, but he makes a case — doing analysis on what documents got released where that no one else has yet publicly done (and about which numerous people have made erroneous claims in the past) — that Assange’s claims he wasn’t working with Russia no longer hold up.

But his protestations that there were no connections between his publications and Russia were untenable.

[snip]

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published.

The Assange-Rohrabacher meeting also follows a NYT story revealing that the author of a piece of malware named in the IC’s first Joint Analysis Report of the DNC hack, Profexor, has been cooperating with the FBI. The derivative reports on this have overstated the connection Profexor might have to the DNC hack (as opposed to APT 28, presumed to be associated with Russia’s military intelligence GRU).

A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking.

Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

It is not clear whether the specific malware the programmer created was used to hack the D.N.C. servers, but it was identified in other Russian hacking efforts in the United States.

But Profexor presumably is describing to the FBI how he came to sell customized access to his tool to hackers working for Russia and who those hackers were.

In other words, this bid by Assange to send information to Trump via someone protected by the Constitution’s Speech and Debate Clause, but who is also suspected — even by his Republican colleagues! — of being on Russia’s payroll, comes at a very interesting time, as outlets present more evidence undermining Assange’s claims to have no tie to Russia.

Coming as it does while other evidence is emerging, this effort is a bit of a Hail Mary by Assange: as soon as Trump publicizes his claims (which he’ll probably do during tomorrow’s shit-and-tweet) and they get publicly discredited, Assange (and Trump) will have little else to fall back on. They will have exposed their own claims, and provided the material others can use to attack Trump’s attempts to rebut the Russia hack claims. Perhaps Assange’s claims will be hard to rebut; but by making them public, finally, they will be revealed such that they can be rebutted.

I’m just as interested in the reporting on this, though, which was first pushed out through right wing outlets Daily Caller and John Solomon.

The story is presented exclusively in terms of Assange’s role in the DNC hack, which is admittedly the area where Assange’s interests and Trump’s coincide.

Yet not even the neutral LAT’s coverage of the meeting, which even quotes CIA Director and former WikiLeaks fan Mike Pompeo, mentions the more immediate reason why Assange might need a deal from the United States. Virtually every week since March, WikiLeaks has released a CIA exploit. While some of those exploits were interesting and the individual exploits are surely useful for security firms, at this point the Vault 7 project looks less like transparency and more like an organized effort to burn the CIA. Which makes it utterly remarkable that a sitting member of Congress is going to go to the president to lobby him to make a deal with Assange, to say nothing of Assange’s argument that WikiLeaks should get a White House press pass as part of the deal.

Dana Rohrabacher is perhaps even as we speak lobbying to help a guy who has published a CIA hack of the week. And that part of the meeting is barely getting notice.
