Gemalto downplays impact of NSA and GCHQ hacks on its SIM cards

Dutch digital security firm Gemalto, which is the world’s biggest manufacturer of SIM cards, has reported back on internal investigations triggered by last week’s revelations about the NSA and GCHQ hacking into its systems and stealing encryption keys that are supposed to protect phone users’ communications.

On Wednesday Gemalto said it reckoned a series of intrusions into its systems in 2010 and 2011 could have matched up with the attacks described in documents leaked by Edward Snowden and published by The Intercept. However, it downplayed the impact of the attacks on its systems and SIM encryption key transfer mechanisms, hinting that the methods described in the documents were more likely to have affected its rivals.

For a start, Gemalto said these attacks, which involved the “cyberstalking” of some of its employees in order to penetrate its systems, only affected its office networks:

The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data…

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.

Regarding that method of targeting encryption keys in transit, Gemalto said it had put in place “highly secure exchange processes” before 2010, which explained why the documents noted how the NSA and GCHQ failed to steal the keys for certain Pakistani networks.

The company said that at the time “these data transmission methods were not universally used and certain operators and suppliers had opted not to use them,” though Gemalto itself used them as standard practice, barring “exceptional circumstances.” In other words, Gemalto does it right (most of the time) while other suppliers may not have been so cautious.

Gemalto, whose stock price was whacked by last week’s revelations, also said that the attacks could only have affected 2G SIM cards, due to enhanced security measures introduced in 3G and 4G versions. “Gemalto will continue to monitor its networks and improve its processes,” it added. “We do not plan to communicate further on this matter unless a significant development occurs.”

On Tuesday, another SIM card vendor, Germany’s Giesecke & Devrient (G&D), said last week’s report had prompted it to “introduce additional measures to review the established security processes together with our customers.”

Snowden: “I should have leaked sooner”

A day after Citizenfour, a documentary in which he stars, won an Academy Award, Edward Snowden along with director Laura Poitras and journalist Glenn Greenwald sat down for a Reddit AMA.

Snowden, the former NSA hand turned whistleblower, basically blew the lid off the National Security Agency’s intelligence-gathering procedures, embarrassing the U.S. government, angering its allies and throwing tech vendors into a quandary over how to protect people’s data without running afoul of the government. His leaking of key information to Greenwald, Poitras and Washington Post reporter Barton Gellman prompted some to call him a traitor, while others see him as a hero fighting to protect citizens’ rights to privacy.

One burning question from the AMA was, what does Snowden, who has been in Moscow since June of 2013, regret most about the events of the past few years? Mostly that he hadn’t done what he did earlier:

Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:

Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back.

Another good tidbit: Citizenfour will not be the last film we’ll see out of this episode. Poitras said she plans to release more footage of the long Snowden interview she and Greenwald did in Hong Kong, as well as a separate interview with Snowden on the technical aspects of what he did.

“I also filmed incredible footage with Julian Assange/WikiLeaks that we realized in the edit room was a separate film,” she said.

Snowden film Citizenfour picks up Oscar for best documentary

Citizenfour, Laura Poitras’s extraordinary depiction of the start of Edward Snowden’s NSA surveillance leaking extravaganza, has won the Academy Award for best documentary.

The film shows how Snowden got in touch with the activist film-maker using the titular pseudonym, and the Hong Kong interviews with Glenn Greenwald and Ewen MacAskill in which he started detailing what he knew from his time working at the NSA.

As a rare combination of rights activism, historical record and technological explainer, it is quite unlike any other documentary I have seen (I was lucky enough to catch it at its first showing in Berlin, where it had been edited – Poitras understandably wanted some distance between that process and U.S. intelligence services.)

In her acceptance speech on Sunday night, Poitras said Snowden’s disclosures “don’t only expose a threat to our privacy but to our democracy itself. When the decisions that rule us are taken in secret we lose the power to control and govern ourselves.”

Greenwald, who led the reporting on the leaks for the Guardian, joined Poitras on stage. Snowden was of course not there, still being holed up in Russia, but he was represented by his girlfriend, Lindsay Mills, who also briefly featured in the film. In a statement, Snowden said: “When Laura Poitras asked me if she could film our encounters, I was extremely reluctant. I’m grateful that I allowed her to persuade me.”

Tech and media firms join Twitter in key test of FBI gag orders

A bitter fight between the Justice Department and Silicon Valley is expanding as a diverse group of companies have lined up behind Twitter in a case that will help determine the limits of free speech in the age of Edward Snowden.

On Tuesday, groups ranging from BuzzFeed to Wikipedia to the Guardian filed friend-of-the-court briefs (see below) to support a challenge by Twitter to Patriot Act gag orders. Two other large companies, which are only allowed to refer to themselves as “Corporations 1 & 2,” also filed briefs.

The case, which began when Twitter sued the Justice Department in October, turns on how companies may use so-called “transparency reports” to tell users about government requests for their data.

Twitter claims it has a right under the First Amendment to say specifically how often it receives National Security Letters, while the government counters that companies can only do so in broad strokes lest they jeopardize national security.

In recent years, the FBI has made extensive use of National Security Letters to obtain information about subscribers, while also attaching gag orders to the letters that forbid companies from revealing they have even received a letter in the first place. The Justice Department has issued hundreds or thousands of such letters to companies like Google, Facebook and AT&T.

In its lawsuit, Twitter claims it is an illegal prior restraint of free speech for the government to bar companies from even disclosing that they have received a letter. A group of media companies has now voiced support for that argument:

“Twitter’s proposed transparency report is no less entitled to free speech protections than ‘literature’ or ‘movies,’” said the brief filed on behalf of BuzzFeed, NPR, the Washington Post, PEN America, the Guardian and First Look Media.

The brief reflects the media’s newfound legal interest in what has largely been a tech industry fight, but also shows how digital media companies like BuzzFeed are finally taking up the legal fight for free speech, a burden that has long been borne almost entirely by old-line newspaper companies.

“Corporations 1 & 2”

Meanwhile, a separate filing shows that a phone and internet company are also weighing in on the Twitter case, but in the guise of “Corporations 1 & 2.” The companies (which are likely Verizon and Google or Yahoo) are using the pseudonyms at the direction of a judge, and are muzzled in part because they are already before an appeals court in another national security case over the right to disclose government demands.

The right of internet companies to discuss security letters has become more pressing since 2013, when leaked documents from Edward Snowden revealed massive surveillance operations by the U.S. government. Those operations rely on obtaining information from tech and phone companies, and have been facilitated by the legal process governing Patriot Act letters, as well as a related process for NSA demands.

In response, companies like Twitter have come to claim that free speech and the public interest give them the freedom to disclose how many NSA and FBI letters they receive in the first place. The companies stress they are not arguing for the right to disclose the contents of the letters, since doing so could jeopardize ongoing investigations, but only the existence of the letters.

The docket also shows that a group of other entities — the Wikimedia Foundation, CloudFlare, Sonic, Wickr, Credo Mobile and Automattic (publisher of WordPress.com) — filed a brief in support of Twitter.

Here’s a copy of the media companies’ filing with some of the key parts underlined. Note that a key part of the argument turns on whether the federal judge has authority to hear the case in the first place (as the companies argue) or if the case belongs instead in a controversial secret court (as the Justice Department claims).

Media Amicus in Twitter Case (embedded document: https://www.scribd.com/embeds/256148646/content)

This article was updated at 12:35pm ET to note that Automattic is the publisher of WordPress.com; an earlier version said “WordPress” (which refers to the software, rather than the company that runs WordPress.com). This article was also updated at 1:40pm on Thursday to clarify that it was the Wikimedia Foundation (not Wikipedia) that was on the amicus brief.

UK access to NSA mass surveillance data was illegal, court rules

The system through which U.K. spy agency GCHQ can access data from NSA mass surveillance programs was in violation of fundamental rights, the Investigatory Powers Tribunal has ruled. However, the limits of that finding have left human rights groups dissatisfied.

The decision came as a result of a case brought about by Privacy International, Liberty and other human rights groups regarding the Prism and Upstream programs. Prism is the scheme through which U.S. intelligence gets users’ communications from service providers in that country, and Upstream intercepts bulk data from the internet’s core infrastructure.

In December the IPT ruled that it was legal in principle for GCHQ to get data from these programs now – i.e. from December 2014, in the post-Snowden world, where people actually know what’s going on – but it held back on saying whether there had been historical breaches of human rights.

Having subsequently heard out both the complainants and the intelligence agencies, the tribunal said on Friday that the data-sharing regime had violated the rights to privacy and free expression, as set out in Articles 8 and 10 of the European Convention on Human Rights. However, it reiterated that it believes the system now no longer does so.

In a statement on Friday, Privacy International said it and Pakistani NGO Bytes For All would ask the IPT, which generally acts as a secret court, to “confirm whether their communications had been unlawfully collected prior to December 2014 and, if so, demand their immediate deletion.”

The groups also disputed the December ruling’s assertion that the disclosure of “a limited subset of rules governing intelligence-sharing and mass surveillance” made everything OK. They will now appeal that ruling with the European Court of Human Rights, as will Liberty.

Here’s what Liberty legal director James Welch said in the statement:

We now know that, by keeping the public in the dark about their secret dealings with the National Security Agency, GCHQ acted unlawfully and violated our rights. That their activities are now deemed lawful is thanks only to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed Government.

But the Intelligence Services retain a largely unfettered power to rifle through millions of people’s private communications – and the Tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy. We disagree, and will be taking our fight to the European Court of Human Rights.

“We must not allow agencies to continue justifying mass surveillance programs using secret interpretations of secret laws,” Privacy International deputy director Eric King added. “The world owes Edward Snowden a great debt for blowing the whistle, and today’s decision is a vindication of his actions.”

Levitation program tracked file-sharing sites, Snowden doc shows

The Canadian spy agency CSE monitors activity across over 100 free file upload sites, a newly-revealed PowerPoint document from NSA whistleblower Edward Snowden’s cache has shown.

The document describing CSE’s Levitation program was published on Wednesday by The Intercept, reporting alongside Canadian broadcaster CBC. Although Canada has long been known to be a member of the core Anglophone “Five Eyes” spying club, this is the first Snowden revelation putting it at the forefront of one of the Eyes’ mass surveillance programs.

At the time the presentation was written, CSE’s agents were using an internet cable-tap program called Atomic Banjo to collect HTTP metadata for 102 cyberlocker sites, including Sendspace and Rapidshare, and were tracking 10-15 million “events” each day to find “about 350 interesting download events per month.” And yes, this meant filtering out loads of TV shows and such.

According to the presentation, the technique yielded a “German hostage video” (the hostage was killed, according to The Intercept) and an “AQIM [Algerian al-Qaeda] hostage strategy”.

In total, there were 2,200 file addresses that effectively acted as traps once CSE had identified them. Once the agents have an IP address for someone downloading a suspect file, they then run a query on it through GCHQ’s Mutant Broth tool to see which ad cookies have been tracking them (insecure marketing technologies provide an easy vehicle for spying efforts), what their likely Facebook ID is, and so on.
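As an added illustration of the funnel the presentation describes (this is not code from The Intercept, CBC or CSE, and nothing here reflects the real tooling), the following Python reduces a batch of HTTP metadata records to downloads of watch-listed file addresses on monitored cyberlocker hosts, discards the bulk noise first, and then pivots each downloading IP through a lookup table that stands in for the Mutant Broth cookie database. Every host, path, IP address and cookie identifier below is constructed for the example.

```python
# Added illustration (not code from the original report or from CSE): a
# Levitation-style pipeline over constructed HTTP metadata records. It keeps
# only successful GET requests to monitored cyberlocker hosts, drops the
# high-volume noise (TV episodes and the like), matches what is left against
# a watchlist of "trap" file addresses, and then pivots each downloading IP
# through a constructed cookie-correlation table standing in for the Mutant
# Broth lookup the text describes. Hosts, paths, IPs and cookie IDs are invented.
from typing import Dict, List, NamedTuple


class HttpEvent(NamedTuple):
    ts: str       # timestamp of the observed request
    src_ip: str   # client address seen at the tap
    host: str     # HTTP Host header
    path: str     # request path
    method: str   # HTTP method
    status: int   # response status code


# Constructed: monitored cyberlocker hosts (the document counted 102 real ones).
CYBERLOCKER_HOSTS = {"sendspace.example", "rapidshare.example", "filehost.example"}

# Constructed: "trap" file addresses. The document mentioned 2,200; these are made up.
WATCHLIST = {
    "/file/abc123/hostage_video.mp4",
    "/file/def456/strategy_notes.pdf",
}

# Constructed: bulk-volume content to discard before any watchlist matching.
NOISE_SUFFIXES = (".s01e01.mkv", ".s01e02.mkv", ".mp3")

# Constructed: IP -> tracking identifiers, a stand-in for the cookie database.
COOKIE_TABLE: Dict[str, Dict[str, str]] = {
    "203.0.113.7": {"ad_cookie": "adx_9f3c", "social_id": "fb_1001"},
}


def is_download(ev: HttpEvent) -> bool:
    """True for a successful (200, or 206 partial-content/resumed) GET of a file."""
    return ev.method == "GET" and ev.status in (200, 206)


def is_interesting(ev: HttpEvent) -> bool:
    """Apply the funnel: monitored host -> real download -> not noise -> on watchlist."""
    if ev.host not in CYBERLOCKER_HOSTS:
        return False
    if not is_download(ev):
        return False
    if ev.path.lower().endswith(NOISE_SUFFIXES):
        return False
    return ev.path in WATCHLIST


def find_download_events(events: List[HttpEvent]) -> List[HttpEvent]:
    """Reduce bulk metadata to the handful of watchlist hits."""
    return [ev for ev in events if is_interesting(ev)]


def pivot_ips(hits: List[HttpEvent]) -> Dict[str, Dict[str, str]]:
    """For each downloading IP, look up whatever tracking identifiers are known."""
    return {ev.src_ip: COOKIE_TABLE.get(ev.src_ip, {}) for ev in hits}


# Constructed sample records, as a tap would see them.
SAMPLE_EVENTS = [
    HttpEvent("2015-01-28T10:00:01Z", "203.0.113.7", "sendspace.example",
              "/file/abc123/hostage_video.mp4", "GET", 200),
    HttpEvent("2015-01-28T10:00:02Z", "198.51.100.23", "sendspace.example",
              "/file/zzz999/show.s01e01.mkv", "GET", 200),        # noise
    HttpEvent("2015-01-28T10:00:03Z", "198.51.100.23", "rapidshare.example",
              "/file/def456/strategy_notes.pdf", "GET", 206),     # resumed download
    HttpEvent("2015-01-28T10:00:04Z", "192.0.2.9", "cdn.example",
              "/file/abc123/hostage_video.mp4", "GET", 200),      # host not monitored
    HttpEvent("2015-01-28T10:00:05Z", "203.0.113.7", "rapidshare.example",
              "/file/def456/strategy_notes.pdf", "HEAD", 200),    # not a download
    HttpEvent("2015-01-28T10:00:06Z", "203.0.113.7", "rapidshare.example",
              "/file/def456/strategy_notes.pdf", "GET", 404),     # failed fetch
]


def run(events: List[HttpEvent] = SAMPLE_EVENTS) -> Dict[str, object]:
    """Run the funnel and the pivot, returning everything an analyst would look at."""
    hits = find_download_events(events)
    return {"scanned": len(events), "hits": hits, "pivot": pivot_ips(hits)}


if __name__ == "__main__":
    result = run()
    print(f"scanned {result['scanned']} events, {len(result['hits'])} watchlist hits")
    for ip, ids in result["pivot"].items():
        print(ip, ids or "no tracking identifiers known")
```

On the six constructed records only two survive the funnel: the plain GET of the first trap file and the resumed (206) fetch of the second. The HEAD request, the 404 and the same path on an unmonitored host are all dropped before the watchlist is consulted, which is the order of operations that keeps 10-15 million daily events cheap to sift. The pivot step only returns identifiers for the one IP present in the constructed cookie table; for the other it returns nothing, which is the honest answer rather than a guess.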

SendSpace told CBC that no-one had permission to trawl its service for data, and internet policy lawyer Tamir Israel told the broadcaster that the program was potentially very intrusive, as CSE (known until last year as CSEC) could pick whichever documents it wanted.

Defending encryption doesn’t mean opposing targeted surveillance

David Omand, the former head of British spy agency GCHQ, has made an extraordinary threat. Speaking earlier this week, he said that if companies such as Apple and Google don’t abandon their end-to-end encryption efforts, intelligence services will have to employ more “close access” surveillance on people they suspect of evil deeds.

This means physical observation, or bugging rooms, or hacking into phones and computers. According to Omand, such actions are “more targeted but in terms of intrusion into personal privacy – collateral intrusion into privacy – we are likely to end up in an ethically worse position than we were before.”

No, you’re not. Surreptitiously getting a key to a suspect’s communications is no more ethical than conducting close personal surveillance — but in the big picture, the latter is vastly preferable.

The ethics of spying

Targeted surveillance will always mean “collateral intrusion” into the privacy of people associated with a suspect, regardless of whether communications are read by having a master key or by hacking into client devices. Either way, communications with innocent people will probably be scooped up. When the master key mechanism means a weakening of security for the public at large, though, that option has the added downside of being dangerous and counterproductive.

Omand was spouting what is either a misinterpretation of the pro-end-to-end-encryption argument, or (more likely) a willful misdirection. His implication is that those who favor end-to-end encryption – which leaves your Apples and Googles without any keys to offer the spooks – are against the surveillance of people who want to blow things up.

That’s nonsense. I can’t speak for everyone, but I don’t personally fancy being murdered by terrorists, nor would I like anyone else to be. We do need to have intelligence services, and they do need to keep us safe.

However, strong encryption also keeps us safe from criminals and potentially foreign agents too (GCHQ and the NSA aren’t the only ones with mean hacking skills). Our ecommerce infrastructure wouldn’t work without it. A trustworthy internet will not work without it. The next-best alternative to end-to-end encryption is arguably the use of key escrow databases, which are inherently less secure. There’s a reason the U.S. government’s own cybersecurity department recommends people use end-to-end encryption.

That’s why we should ignore calls by Omand and David Cameron and Barack Obama and the EU’s counter-terrorism coordinator to abolish end-to-end encryption in communications tools, and why we should be deeply annoyed at the intelligence community’s surreptitious attempts to weaken encryption standards. Sure, security will always be an arms race — attackers make better attacks, so defenders make better defenses; rinse and repeat — but hyperconnected societies require state-of-the-art defenses for regular citizens.

The case for friction

There’s an added benefit to proper encryption technology, which may be the real reason spies and securocrats want it stamped out. Intelligence services can, to put it generously, get somewhat carried away, particularly when a framework such as the internet makes it so much easier and cheaper to spy on people’s communications than ever before, by encouraging everyone to live their lives on spy-friendly infrastructure.

This lack of friction makes mass surveillance relatively efficient and secretive, as there’s no need for a lumbering, conspicuous Stasi-like system (something that really had extra ethical downsides, creating a society based on mutual suspicion). When the secrecy associated with the agencies’ programs also leads to fewer judicial and political safeguards, an excess of efficiency may also encourage the overuse of targeted surveillance, because who would know?

In short, the internet’s opportunities for surveillance efficiency create the potential for intelligence agencies to become too powerful. End-to-end encryption adds friction and acts as a counterbalance. It doesn’t make targeted surveillance impossible – Omand himself noted that client device hacking and physical surveillance render encryption moot – but it does make it more resource-expensive, and therefore discourages its overuse.

We don’t want intelligence agencies to be unable to do their job. We do want them to focus more and even keep a more watchful eye on those who need watching — perhaps by diverting resources from mass surveillance efforts to targeted surveillance. We also want the necessary security underpinnings of our digital economy to be genuinely secure.

These things can and should coexist, and there’s no reason to inaccurately paint them as being in opposition. So, spies and law enforcement, please go right ahead and employ close access surveillance where it’s necessary. You have more support in that regard than you’re making out.

Chinese attacks cost U.S. Defense Department over $100M

Chinese army hackers apparently caused more than $100 million worth of damage to U.S. Department of Defense networks, according to NSA research detailed in documents from the Edward Snowden cache.

On Saturday Germany’s Der Spiegel published a story, based on the Snowden documents, that described some of the offensive “digital weapons” the NSA has developed and generally outlined the chaotic, unregulated arms race that’s ramping up in the digital realm.

A large part of the article focused on the capabilities of other countries – something that’s not previously come through very strongly in publications of Snowden’s revelations – and how the NSA tracks what foreign intelligence agencies steal, then steals that information from them. This cunning practice is apparently known as “Fourth Party Collection”.

One Snowden document, however, outlined damage perpetrated by the Chinese Army on the U.S.’s own military infrastructure. It’s a presentation from a few years back that’s based on the findings of the NSA’s “Byzantine Hades” research into Chinese computer network exploitation, and it referred to more than 30,000 incidents involving Department of Defense (DoD) systems, over 500 of which it called “significant intrusions”. More than 1,600 computers on the DoD network were penetrated.

The presentation stated that it cost the DoD more than $100 million to assess the damage and rebuild its networks. It also suggested that the Chinese were after information on U.S. missile navigation and tracking systems, nuclear submarine and anti-air missile designs, space-based laser technology, and various military jets.

According to the documents, when the NSA traced back one Chinese attack on the DoD, they found not only the source of the attack but also information that the Chinese had stolen from others, including the United Nations.

Other documents, drawn up by the Canadian NSA partner CSEC, detailed spyware implants dubbed Snowball and Snowman (a system collectively referred to as Snowglobe) that CSEC thought “with moderate certainty” was the work of the French. The targets here included Iran, former French colonies such as Algeria and the Ivory Coast, and European countries such as Greece, Norway and Spain. The malware also appeared to have targets within France itself.

What you need to know about the NSA document dump

While many Americans were cozying up on the afternoon of Christmas Eve, the National Security Agency was busy posting dozens of quarterly reports detailing incidents where it potentially violated U.S. laws through improper monitoring of U.S. citizens and foreigners.

Here’s what you need to know about the document dump:

What is the NSA supposed to do?

The NSA, like other American intelligence agencies, relies on a 1981 executive order (Executive Order 12333) that legalized the surveillance of foreigners living outside of the U.S. It uses that same executive order “to sweep up the international communications of countless Americans,” the American Civil Liberties Union writes.

“At the targeting stage, NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements,” the NSA report’s executive summary reads. “After foreign intelligence or counterintelligence information is acquired, it must be analyzed to remove or mask certain protected categories of information, including U.S. person information, unless specific exceptions apply.”

“Data incorrectly acquired is almost always deleted,” it continues.

After data is collected, it is placed in a large database that the agency’s employees can search with highly specific requests.

“For instance, a query for ‘improvised explosive devices’ would likely be prohibited as overly broad and result in a reportable incident—even if the analyst required the information for her job,” the summary states. “Results returned from improper queries may be deleted. …”

Why were these documents released?

Of course, it doesn’t happen quite like that. Edward Snowden’s 2013 leaks revealed the NSA is monitoring more than 1 billion people globally. Its spying on Americans is expansive.

The American Civil Liberties Union filed a Freedom of Information Act lawsuit that has been dredging up documents since July 2013. These most recent documents are a series of quarterly reports turned over to the President’s Intelligence Oversight Board. They date from late 2001 to mid-year 2013.

“In general, each NSA report contains similar categories of information, including an overview of recent oversight activities conducted by NSA’s Office of the Inspector General and the Office of the General Counsel; signals intelligence activities affecting certain protected categories; and descriptions of specific incidents which may have been unlawful or contrary to applicable policies,” the NSA executive summary states.

What do the documents contain?

The heavily redacted reports detail many, many incidents where NSA agents pulled up the wrong information from the database. Each incident is followed by a statement that the data was either not accessed or that the query and results were deleted.

Other reports cover agents being granted access to data without the proper training or using searches that were no longer meant to be in effect. Raw data was at times accidentally emailed or kept on an unsecured computer.

There is also at least one instance where an NSA employee purposefully sought out data that was both unnecessary and illegal. One document states a woman went through her husband’s phone contacts “without his knowledge to obtain names and phone numbers for targeting” over a period of 2-3 years.

What will happen to the NSA?

This is not the first documentation of errors and abuse by the NSA. A 2013 letter to Senator Charles Grassley from the NSA inspector general documented “intentional misuse” in 12 different instances.

The Privacy and Civil Liberties Oversight Board published a report in January stating the case for ending phone records collection. But legislators have yet to pass any limits on the NSA’s power.

So in the grand scheme of documents released by the NSA, these are not the most shocking. It is unclear when public outcry will turn into actual legislative action.

China slams cyberattacks after Sony job leads US to ask for help

The United States has asked China for help in blocking cyberattacks emanating from North Korea, officials told CNN and the New York Times in the wake of the attack on Sony Pictures that the U.S. administration has now pinned on North Korea. And now China has responded, albeit obliquely.

On Monday, the Chinese foreign ministry said the country “opposes any country or individual using other countries’ domestic facilities to conduct cyberattacks on third-party nations,” according to a Reuters report. Chinese Foreign Minister Wang Yi told U.S. Secretary of State John Kerry that “China opposes all forms of cyberattacks and cyber terrorism.” However, China said there was still no proof that North Korea had perpetrated the attack.

North Korea isn’t exactly a highly-connected nation — only a few high-level officials are allowed to access the global internet – but what access it does have mostly flows through Chinese networks. There have been reports that the attack on Sony Pictures emanated partly from China (though such attacks can be routed through proxy servers pretty much anywhere.)

North Korea itself released a statement over the weekend, denying involvement in the hack and saying “the U.S. should not pull up others for no reason.”

The colorfully-phrased statement included this:

It is a common sense that the method of cyber warfare is almost similar worldwide. Different sorts of hacking programs and codes are used in cyberspace. If somebody used U.S.-made hacking programs and codes and applied their instruction or encoding method, perhaps, the “wise” FBI, too, could not but admit that it would be hard to decisively assert that the attack was done by the U.S….

After all, the grounds cited by the FBI in its announcement were all based on obscure sci-tech data and false story and, accordingly, the announcement itself is another fabrication. This is the DPRK’s stand on the U.S. gangster-like behavior against it.

China, of course, has spent much of 2014 engaged in a war of words with the U.S. over hacking. It began in May, when the U.S. charged several Chinese officials over the alleged hacking of U.S. firms for economic espionage reasons, and since then China’s authorities have been generally making life hard for U.S. firms trying to do business there. China, which has enthusiastically pointed to Edward Snowden’s revelations about U.S. cyber-naughtiness, said in October that the country was “resolutely opposed” to hacking.

Act of vandalism, not war

The Sony Pictures hack saw the theft of reams of the company’s strategic and commercial information, as well as employees’ personal information and several unreleased films.

Although the motives of the “Guardians of Peace” hackers were initially unclear, speculation that the attack was related to the imminent release of a Seth Rogen comedy called The Interview crystallized over the last few weeks. After theaters were threatened with some kind of physical attack if they screened the movie, which features a plot to assassinate North Korean dictator Kim Jong-un, Sony cancelled its release.

Following criticism by U.S. President Barack Obama for pulling The Interview, Sony is now insisting that it will release it somehow. The file-sharing platform BitTorrent has offered its BitTorrent Bundles facility for the release, though Sony has yet to respond.

Obama described the attack as a “very costly, very expensive” act of cyber-vandalism rather than an act of war, but he said he is considering putting North Korea back on the U.S.’s list of sponsors of terrorism, as part of the official response.

Experts skeptical

However, despite the U.S. administration and the FBI finally having gone on the record in blaming North Korea, many in the security community remain deeply skeptical. Marc Rogers, principal security researcher at Cloudflare, wrote over the weekend that the evidence for that attribution – at least, the evidence that has been shown to the public — was weak.

The FBI said that there were great similarities in the attack code and methods between the Sony job and earlier attacks attributed to North Korea, but Rogers pointed out that the evidence for North Korea having been behind those earlier attacks was “flimsy and speculative at best.” He pointed out that many components of the malware were publicly available and easy to use, and noted that almost all the IP addresses used in the Sony attack were proxies that were again open to the public.

A message allegedly posted by the Guardians of Peace over the weekend accused the FBI of being idiots in concluding that North Korea was the culprit.

Meanwhile, south of the Korean DMZ there is concern over the safety of several nuclear power plants. Unidentified hackers have warned the Korea Hydro and Nuclear Power Co. that the reactors should be shut down or people should “stay away from them.” The hackers stole equipment designs and manuals and posted them online. While the energy company has played down the threat to the plants’ safety, it is conducting drills to test defences against a cyberattack.

This article was updated at 2.55am PT to include North Korea’s statement and again at 3.10am PT to note China’s comments on the evidence.