Posts

ShadowBrokers’ Kiss of Death

In the ShadowBrokers’ latest post, I got a kiss of death. At the end of a long rambling post, TSB called me out — misspelled “EmptyWheel” with initial caps — as “true journalist and journalism is looking like.”

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

Forgive me for being an ingrate, but I’m trying to engage seriously on Section 702 reform. Surveillance boosters are already fighting this fight primarily by waging ad hominem attacks. Having TSB call me out really makes it easy for surveillance boosters to suggest I’m not operating in the good faith I’ve spent 10 years doing.

Way to help The Deep State, TSB.

Worse still, TSB lays out a load of shit. A central focus of the post (and perhaps the reason for my Kiss of Death) is the latest fear-mongering about Russian AV firm, Kaspersky.

Are ThePeoples enjoying seven minutes of hate at Russian hackers and Russian security company? Is after October 1st, new moneys is being in US government budgets for making information warfares payments. Is many stories of NSA + lost data. Is all beings true? Is NSA chasing shadowses? Is theequationgroup still not knowing hows thems getting fucked? Is US government trying out storieses to be seeing responses? TheShadowBrokers be telling ThePeoples year ago how theshadowbrokers is getting data. ThePeoples is no believing. ThePeoples is got jokes. ThePeoples is making shits up. So TheShadowBrokers then saying fucks it, theshadowbrokers can be doings that too.

TheShadowBrokers is thinkings The Peoples is missings most important part of storieses. Corporate media company (WSJ) publishes story with negative financial impacts to foreign company (Kaspersky Labs) FROM ANONYMOUS SOURCE WITH NO PHYSICAL EVIDENCE. WTF? Can they being doing that? Libel law suits? But is ok, Kaspersky is Russian security peoples. Russian security peoples is being really really, almost likes, nearly sames as Russian hackers. Is like werewolves. Russian security peoples is becoming Russian hackeres at nights, but only full moons. AND AMERICA HATES RUSSIAN HACKERS THEY HACKED OUR ELECTION CIA, GOOGLE, AND FACEBOOK SAID. If happening to one foreign company can be happening to any foreign company? If happening to foreign company can be happen to domestic? Microsoft Windows 10 “free” = “free” telemetry in Microsoft cloud.

TSB tries to claim that the Kaspersky stories are a US government attempt to explain how TSB got the files he is dumping. But as I have pointed out — even the NYT story on this did — it doesn’t make sense. That’s true, in part because if the government had identified the files the TAO hacker exposed to Kaspersky in spring 2016 as Shadowbrokers’, they wouldn’t have gone on to suggest the files came from Hal Martin when they arrested him. Mind you, Martin’s case has had a series of continuations, which suggests he may be cooperating, so maybe he confessed to be running Kaspersky on his home machine too? But even there, they’d have known that long before now.

Plus, TSB was the first person to suggest he got his files from Kaspersky. TSB invoked Kaspersky in his first post.

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic.

And TSB more directly called out Kaspersky in the 8th message, on January 8, just as the US government was unrolling its reports on the DNC hack.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

The latter is a point fsyourmoms made in a post and an Anon made on Twitter; I had made it in an unfinished post I accidentally briefly posted on September 15.

But I don’t think the Kaspersky call-out in January is as simple as people make it out to be.

First, as Dan Goodin and Jake Williams noted collectively at the time, the numbers were off, particularly with regards to whether all of them were detected by Kaspersky products.

The post included 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers. While, according to this analysis, 43 of them were detected by antivirus products from Kaspersky Lab, which in 2015 published a detailed technical expose into the NSA-tied Equation Grouponly one of them had previously been uploaded to the Virus Total malware scanning service. And even then, Virus Total showed that the sample was detected by only 32 of 58 AV products even though it had been uploaded to the service in 2009. After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products.

Most weren’t uploaded to Virus Total, but that’s interesting for another reason. The dig against Kaspersky back in 2015 — based off leaked emails that might have come from hacking it — is that in 2009 they were posting legit files onto Virus Total to catch other companies lifting its work.

At that level, then, the reference to Kaspersky could be another reference to insider knowledge, as TSB made elsewhere.

But there are several other details of note regarding that January post.

First, it was a huge headfake. It came four days after TSB had promised to post the guts of the Equation Group warez — Danderspritz and the other powerful tools that would eventually get released in April in the Lost in Translation post, which would in turn lead to WannaCry. Having promised some of NSA’s best and reasonably current tools (which may have led NSA to give Microsoft the heads up to patch), TSB instead posted some older ones that mostly embarrassed Kaspersky.

And that was supposed to be the end of things. TSB promised to go away forever.

So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins.

As such, the events of that week were almost like laying an implicit threat as the US intelligence community’s Russian reports came out and the Trump administration began, but backing off that threat.

But I’m not sure why anyone would have an incentive to out Kaspersky like this. Why would TSB want to reveal the real details how he obtained these files?

Two other things may be going on.

First, the original TSB post was accompanied by the characters shi pei.

I haven’t figured out what that was supposed to mean. It might mean something like “screw up,” or it might be reference using the wrong characters to Madame Butterfly (is this even called a homophone in Mandarin, where intonations mean all?), Shi Pei Pu, the drag Chinese opera singer who spied on France for 20 years. [Update: Google Translate says it is “loser”.] I welcome better explanations for what the characters might mean in this context. But if it means either of those things, they might be a reference to the December arrest, on treason charges, of Kaspersky researcher Ruslan Stoyanov, who along with cooperating with US authorities against some Russian spammers, may have also received payment from foreign companies. That is, either one might have been a warning to Kaspersky as much as an expose of TSB’s sources.

All of which is to say, I have no idea what this January post was really intended to accomplish (I have some theories I won’t make public), but it seems far more complex than an early admission that Russia was stealing NSA files by exploiting Kaspersky AV. And if it was meant to expose TSB’s own source, it was likely misdirection.

For what it’s worth, with respect to my Kiss of Death, my post on the possibility TSB shares “the second source” with Jake Appelbaum got at least as much interesting attention as my briefly posted post on the earlier TSB Kaspersky post.

In any case, I think the far more interesting call out than mine in TSB’s post is that he gives Matt Suiche. Ostensibly, TSB apologizes for missing his Black Hat talk.

TheShadowBrokers is sorry TheShadowBrokers is missing you at theblackhats or maybe not? TSB is not seeing hot reporter lady giving @msuiche talk, was that not being clear required condition? TheShadowBrokers is being sures you understanding, law enforcements, not being friendly fans of TSB. Maybe someday. Dude? “…@shadowbrokerss does not do thanksgiving. TSB is the real Infosec Santa Claus…” really? “Trick or Treet”, cosplay and scarring shits out of thepeoples? TheShadowBrokers favorite holiday, not holiday, but should be being, Halloween!

Of course, TSB could have done that in last month’s post. Instead, this reference is a response to this thread on whether he might dump something on Thanksgiving to be particularly disruptive. In which case, it seems to be a tacit threat: that he will dump on Halloween, just a few weeks away.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of  reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

UNITEDRAKE and Hacking under FISA Orders

As I noted yesterday, along with the encrypted files you have to pay for, on September 6, Shadow Brokers released the manual for an NSA tool called UNITEDRAKE.

As Bruce Schneier points out, the tool has shown up in released documents on multiple occasions — in the catalog of TAO tools leaked by a second source (not Snowden) and released by Jacob Appelbaum, and in three other Snowden documents (one, two, three) talking about how the US hacks other computers, all of which first appeared in Der Spiegel’s reporting (one, two, three). [Update: See ElectroSpaces comments about this Spiegel reporting and its source.]

The copy, as released, is a mess — it appears to have been altered by an open source graphics program and then re-saved as a PDF. Along with classification marks, the margins and the address for the company behind it appears to have been altered.

The NSA is surely doing a comparison with the real manual (presumably as it existed at the time it may have been stolen) in an effort to understand how and why it got manipulated.

I suspect Shadow Brokers released it as a message to those pursuing him as much as to entice more Warez sales, for the observations I lay out below.

The tool permits NSA hackers to track and control implants, doing things like prioritizing collection, controlling when an implant calls back and how much data is collected at a given time, and destroying an implant and the associated UNITEDRAKE code (PDF 47 and following includes descriptions of these functions).

It includes doing things like impersonating the user of an implanted computer.

Depending on how dated this manual is, it may demonstrate that Shadow Brokers knows what ports the NSA will generally use to hack a target, and what code might be associated with an implant.

It also makes clear, at a time when the US is targeting Russia’s use of botnets, that the NSA carries out its own sophisticated bot-facilitated collection.

Finally of particular interest to me, the manual shows that UNITEDRAKE can be used to hack targets of FISA orders.

To use it to target people under a FISA order, the NSA hacker would have to enter both the FISA order number and the date the FISA order expires. After that point, UNITEDRAKE will simply stop collecting off that implant.

Note, I believe that — at least in this deployment — these FISA orders would be strictly for use overseas. One of the previous references to UNITEDRAKE describes doing a USSID-18 check on location.

SEPI analysts validate the target’s identity and location (USSID-18 check), then provide a deployment list to Olympus operators to load a more sophisticated Trojan implant (currently OLYMPUS, future UNITEDRAKE).

That suggests this would be exclusively EO 12333 collection — or collection under FISA 704/705(b) orders.

But the way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In any case, Shadow Brokers may or may not have UNITEDRAKE among the files he is selling. But what he has done by publishing this manual is tell the world a lot of details about how NSA uses implants to collect intelligence.

And very significantly for anyone who might be targeted by NSA hacking tools under FISA (including, presumably, him), he has also made it clear that with the click of a button, the NSA can pretend to be the person operating the computer. This should create real problems for using data hacked by NSA in criminal prosecutions.

Except, of course, especially given the provenance problems with this document, no defendant will ever be able to use it to challenge such hacking.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers’ Persistence: Where TSB Has Signed, Message, Hosted, and Collected

Back in April, Shadow Brokers boasted about his operational security.

TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue. Guessing so called global surveillance is not being as good as @snowden is claiming?

I started thinking about this boast again after TSB deleted all his Twitter feed in June (which served to hide the truly moronic failed doxing of @DRWolfff, which he then followed with an even more moronic post claiming he hadn’t failed). Good to know being an asshole on Twitter will keep you alive for more than a year after dumping NSA tools all over the InterWebs.

Still, since then TSB hasn’t tweeted at all. And his September dump — which given the normal pattern, would have been released in the last days of August — didn’t come out until September 6 (just a few days after a bunch of us were wondering if he had finally snuck off to join Snowden in Sheremetyevo). On that day, TSB dumped the files he claims to have dumped in his Warez of the Month club since June, as well links for twice-monthly dumps going through November.

While we were chatting about TSB running off to Sheremetyevo, Matt Suiche raised a point I had been thinking about too: TSB’s key. By now, that key must be set to loud alarms in Fort Meade, such that any time it appears transiting across the InterTubes, lights flash in an attempt to ID TSB’s location.

Of course, all that’s done for the next three months, because everything is safely loaded on Mega’s servers in one fell swoop.

Suiche noted that TSB hadn’t signed a post since June; he actually had in July (but over at ZeroNet rather than on Steemit), but not the for the late June post tied to the July dump.

In other words, since June, TSB has been either not signing posts, or signing them somewhere else, away from the Steemit account that (in the wake of his Twitter demise) has now become his persistent identity, where people can follow him.

Anyway, because I’m a loser, I decided to track what he had done for the entire year plus to be able to sustain a persistent identity while still avoiding drone strikes. A draft table of what TSB has done to sustain persistence with 1) key-signing, 2) stable messaging identity, 3) file-hosting, and 4) payment since August 2016 is here. In addition to increasingly signing remotely, and shifting from Twitter to Steemit to alert followers, TSB has also moved away from stable, public cryptocurrency addresses, and encrypted emails with individual buyers, instead relying on the security of Zcash and its memo line.

  • Zcash only, no Monero, delivery email in encrypted memo field
  • Delivery email address clearnet only, recommend tutanota or protonmail, no need exchange secret, no i2p, no bitmessage, no zeronet

In any case, this is just a draft. I’m sure I fat-fingered some stuff, and I’m sure I didn’t understand some of what I was looking at. But please take a look and see what I’m missing/gotten wrong.

There are some interesting bits even from what’s here. I hadn’t realized, for example, that TSB cashed out his BTC wallets the same day, May 29, he posted the new ZEC and XMR sales. Also, TSB posted “Don’t Forget Your Base” at his old-school haunts — Medium and Reddit — as well as Zero and Steemit (he was transitioning from one to another that day), I guess to reinvigorate his fan base after claiming he was done in January.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Starting 3 months after passage of the Intel Authorization, it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in timely fashion, so disclosing them may not make end users any safer.

There would be an unclassified report on the aggregate reporting of vulnerabilities both at the government level and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?


SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Government Changes Its Tune about MalwareTech

Marcus Hutchins, AKA MalwareTech, just plead not guilty at his arraignment in Milwaukee, WI. After the hearing, his attorney, Marcia Hofmann, called him a “hero” and said he would be fully vindicated.

A dramatic change in the tone of the government suggested that might well be the case. Whereas at Hutchins’ Las Vegas hearing, the government used his appearance at a tourist-focused gun range in an attempt to deny him bail, here, the government was amenable to lifting many of the restrictions on his release conditions. Hutchins will be able to live in Los Angeles, where his other attorney, Brian Klein, is. He will be able to continue working. He can travel throughout the US, though he cannot leave the country (though his defense tried to get him released to the UK).

About the only major restriction — aside from GPS monitoring and monitoring by pretrial services — is that he can’t touch the WannaCry sinkhole.

The government’s attorney, Michael Chmelar, described Hutchins’ alleged crimes as “historic,” a seeming concession that he’s not currently a threat. That said, while the government had not deemed this a complex crime when they indicted Hutchins back on July 11, Chmelar said he expected they would do so in the coming weeks. The trial is currently scheduled for October, but with a complex designation, that will slide.

Chmelar said that they had or would turn over today both Hutchins’ FBI interview, as well as two other recorded phone calls. The rest of discovery will be delayed until the defense signs a protection order.

Perhaps the funniest part of the hearing came when the lawyers tried to help Magistrate William Duffin understand what a “sinkhole” is.

Update: Fixed spelling of Hofmann’s last name–sorry Marcia!

Update: Forgot to mention — the case was assigned to JP Stadtmueller, a 75-year old Reagan appointee, formerly the Chief Judge of EDWI.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Marcus Hutchins, the Word of God

Motherboard obtained the hearing transcript from Marcus Hutchins (AKA MalwareTech) court hearing on August 4. It reveals precisely the oblique language Prosecutor Dan Cowhig actually used, which got reported very differently, to explain Hutchins’ alleged admission to have authored the Kronos malware.

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.

Compare that to this allegation, in Hutchins’ indictment.

It’s a very different thing to create code that may make up part of a package that would be sold on AlphaBay as malware and to write code that makes up part of the code ultimately packaged and sold as malware. It seems likely the government overstated what they had evidence of in the indictment (and, one wonders, to the grand jury), which might, in turn, significantly alter questions of intent.

Even with the government’s claim that Hutchins discussed getting paid for his code in chat logs (we’ll see about their provenance and accuracy after Hutchins goes broke trying to pay the bills in WI without a job, I guess), it’s not entirely clear the government even claims to have evidence that Hutchins wanted to sell a tool to rip off banks.

Which means that any eventual trial (assuming Hutchins doesn’t plea out of desperation) may turn on textual analysis of what it was some agents in WI bought off the dark web and what Hutchins coded years ago.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Rick Ledgett’s Straw Malware

For some reason, over a month after NotPetya and almost two months after WannaCry, former Deputy DIRNSA Rick Ledgett has decided now’s the time to respond to them by inventing a straw man argument denying the need for vulnerabilities disclosure. In the same (opening) paragraph where he claims the malware attacks have revived calls for the government to release all vulnerabilities, he accuses his opponents of oversimplification.

The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds.  Proponents argue this will allow for the development of patches, which will in turn ensure networks are secure.  On the face of it, this argument might seem to make sense, but it is actually a gross oversimplification of the problem, would not have the desired effect, and would in fact be dangerous.

Yet it’s Ledgett who is oversimplifying. What most people engaging in the VEP debate — even before two worms based, in part, on tools stolen from NSA — have asked for is for some kind of sense and transparency on the process by which NSA reviews vulnerabilities for disclosure. Ledgett instead poses his opponents as absolutists, asking for everything to be disclosed.

Ledgett then spends part of his column claiming that WannaCry targeted XP.

Users agree to buy the software “as is” and most software companies will attempt to patch vulnerabilities as they are discovered, unless the software has been made obsolete by the company, as was the case with Windows XP that WannaCry exploited.

[snip]

Customers who buy software should expect to have to patch it and update it to new versions periodically.

Except multiple reports said that XP wasn’t the problem, Windows 7 was. Ledgett’s mistake is all the more curious given reports that EternalBlue was blue screening at NSA when — while he was still at the agency — it was primarily focused on XP. That is, Ledgett is one of the people who might have expected WannaCry to crash XP; that he doesn’t even when I do doesn’t say a lot for NSA’s oversight of its exploits.

Ledgett then goes on to claim that WannaCry was a failed ransomware attack, even though that’s not entirely clear.

At least he understands NotPetya better, noting that the NSA component of that worm was largely a shiny object.

In fact, the primary damage caused by Petya resulted from credential theft, not an exploit.

The most disturbing part of Ledgett’s column, however, is that it takes him a good eight (of nine total) paragraphs to get around to addressing what really has been the specific response to WannaCry and NotPetya, a response shared by people on both sides of the VEP debate: NSA needs to secure its shit.

Some have made the analogy that the alleged U.S. government loss of control of their software tools is tantamount to losing control of Tomahawk missile systems, with the systems in the hands of criminal groups threatening to use them.  While the analogy is vivid, it incorrectly places all the fault on the government.  A more accurate rendering would be a missile in which the software industry built the warhead (vulnerabilities in their products), their customers built the rocket motor (failing to upgrade and patch), and the ransomware is the guidance system.

We are almost a full year past the day ShadowBrokers first came on the scene, threatening to leak NSA’s tools. A recent CyberScoop article suggests that, while government investigators now have a profile they believe ShadowBrokers matches, they’re not even entirely sure whether they’re looking for a disgruntled former IC insider, a current employee, or a contractor.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

[snip]

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

[snip]

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

At least some of Shadow Brokers’ tools were stolen after Edward Snowden walked out of NSA Hawaii with the crown jewels, at a time when Rick Ledgett, personally, was leading a leak investigation into NSA’s vulnerabilities. And yet, over three years after Snowden stole his documents, the Rick Ledgett-led NSA still had servers sitting unlocked in their racks, still hadn’t addressed its privileged user issues.

Rick Ledgett, the guy inventing straw man arguments about absolutist VEP demands is a guy who’d do the country far more good if he talked about what NSA can do to lock down its shit — and explained why that shit didn’t get locked down when Ledgett was working on those issues specifically.

But he barely mentions that part of the response to WannaCry and NotPetya.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

In Mistaking Surveillance for Sabotage, NYT Fearmongers Nukes Again

Last night, the NYT had an alarming story reporting that suspected Russian spies were compromising engineers that work at nuclear power plants across the United States. Amber! the story screamed.

Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was released on June 28. It was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the severity of the threat.

After screaming “Amber,” the story went on to scream “bears!”

The origins of the hackers are not known. But the report indicated that an “advanced persistent threat” actor was responsible, which is the language security specialists often use to describe hackers backed by governments.

The two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.

Ultimately, the story worked its way up to invoke StuxNet, an attack on the actual enrichment processes of a nuclear facility.

In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure.

The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.

In retrospect, [former chairman of the Federal Energy Regulatory Commission] Mr. Wellinghoff said that attack should have foreshadowed the threats the United States would face on its own infrastructure.

And yet, in the fourth paragraph of the story, NYT admitted it’s not really clear what the penetrations involved. With that admission, the story also revealed that the computer networks in question were not the control systems that manage the plants.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Still further down, the report admitted that this involved phishing and watering hole attacks on engineers, not attacks on control systems.

In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.

[snip]

Hackers wrote highly targeted emails messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

[snip]

In some cases, the hackers also compromised legitimate websites that they knew their victims frequented — something security specialists call a watering hole attack.

That is, even while screaming “Amber Russian bear OMIGOSH StuxNet!!” the article admitted that this is not StuxNet. This amounts to spies, quite possibly Russian, “hunting SysAdmins,” just like the United States does (of course, the US and its buddy Israel also assassinate nuclear engineers, which for all its known assassinations, Russia is not known to have done).

That distinction is utterly critical to make, no matter how much you want to fearmonger with readers who don’t understand the distinction.

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)

That doesn’t mean Russian spying on how our nuclear facilities work is not without risk. It does carry risks that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

And it’s not just me saying that. Robert M. Lee, who works on cyber defense for the energy industry and who recently authored a report on Crash Override, Russia’s grid-targeting sabotage tradecraft (and as such would have been an obvious person to cite in this article) had this to say:

So while the threat to nuclear from cyber is a real concern because of impact it’s very improbable and “what about Stuxnet” is a high bar

Or said more simply: phishing emails are lightyears removed from “what about Stuxnet” arguments. It’s simply otherworldly in comparison.

There’s one more, very real reason why the NYT should have been far more responsible in clarifying that this is collection, not sabotage. Among the things Shadow Brokers, with its presumed ties to Russia, has been threatening to expose is “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.” If the NYT starts inflating the threat from cyber collection on nuclear facilities, it could very easily lead to counter-inflation, with dangerous consequences for the US and its ability to monitor our adversaries.

There is very real reason to be concerned that Russia — or some other entity — is collecting information on how our nuclear and other power facilities work. But, as Lee notes, conflating that with StuxNet is “otherworldly.”

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.