Tag Archives: nsa

UK law mandates software backdoors, jail for disclosing vulnerability

It’s the hottest trend in spooking: Take law-abiding citizens, usually business owners, and use the justice system to compel them into being your enthusiastic deputies. People pitch in by opening their doors, both physically and digitally, so the government can make use of any supposedly private user data they might have. The seeming enthusiasm of the collaboration comes from the fact that these same orders make it a crime to reveal the collaboration, so service providers must also actively deceive their own users about the true level of privacy they provide.

Now the UK is getting in on the action: under the upcoming Investigatory Powers Bill the government would have the ability to order companies to build software “backdoors” into their products, and revealing such an order could result in up to a year in prison. More than that, the government is also empowering itself to enlist the services of talented individuals such as hackers, and to legally restrain those people from revealing the work they have done, even in open court. In the US, the closest analogue is the National Security Letter (NSL), which has come to be served routinely on everyone from small business owners to major corporate executives.


The bill, widely referred to as the Snoopers’ Charter, could also mean that citizens subjected to these secret orders who decide to defy them would be tried by secret courts and appeal to secret tribunals with zero public accountability, or even disclosure of their decisions. This fundamentally makes resistance impossible: try to make a stink about what you see as improper use of government power in the UK, and the UK government may soon be able to respond with a judicial system not all that different from a black bag over the head.

The most famous US battle over a gagged order of this kind came when the creator of Lavabit decided that the only way to alert his customers to government snooping without going to jail was to shut down the service without notice or explanation. These sorts of laws, which not only grant powers but build secrecy about those powers into the system, stultify the discourse and make democracy fundamentally impossible. How do you set defense policy when you are not legally allowed to discuss the full range of defensive practices?

In the documentary CitizenFour, among many other places, NSA whistleblower Edward Snowden makes a point of saying that of all the Western intelligence powers, GCHQ, the signals intelligence agency of the United Kingdom, is the most invasive. While NSA has a strong sense of entitlement to push the boundaries of its constitutional limitations, it does exist within the context of those limitations and the tyranny-phobic American system in general.

As a Canadian, someone who has tried investigating even minor details about Canada’s SIGINT body, let me just say that while things may be getting worse in America, they are absolutely not the worst out there. The current parliamentary democracies, whether in Britain, Canada, or elsewhere, have the capacity to produce far less restricted governments and government agencies, while also subjecting those agencies to less meaningful public oversight.

Not that Americans should become any less noisy or demanding about their digital rights — things may be bad all over the Western world, but the fact that Americans are willing to complain so loudly is the only reason things haven’t gotten even worse than they are today.


UK introduces law to ban civilian encryption, but government policies recommend its use

Last January, in the wake of the terrorist attacks in Paris, UK Prime Minister David Cameron began advocating for limiting or preventing ordinary citizens from using end-to-end encryption that the government could not break. Now the government has introduced legislation that could effectively bar companies like Apple from offering end-to-end encryption. What makes this particularly ironic is the discovery of other documents from earlier this year that show the UK encouraging enterprises and governments to adopt encryption.

Both the BBC and the Telegraph have sounded off about the new powers the government is seeking. According to the BBC, the new law (the Investigatory Powers Bill) would give government investigators the ability “to see if someone used Snapchat at 07:30 GMT on their smartphone at home and then two hours later looked at Twitter’s website via their laptop at work, but neither the text typed into the app, nor the specific pages looked at on the social network would be accessible.”

That kind of power isn’t what has privacy advocates and security researchers worried, however. The IPB also requires that companies take “reasonable” steps to provide data when a warrant is issued, even if that warrant applies to encrypted communication. Companies like Apple cannot take “reasonable” steps to hand over such data, because they no longer have the ability to read their own encrypted devices without the user’s passcode.


While the bill doesn’t explicitly ban encryption, there’s been enormous concern about how things will play out if the government demands access to material that Apple, Google, or another manufacturer literally can’t provide. A Home Office spokesperson speaking to the Telegraph said this:

“The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts. That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.” (Emphasis added.)

Apple’s own encryption system cannot be made compliant with the new law without changes, which is why so many companies have opposed these types of laws in the first place. Implementing encryption with a backdoor for decryption weakens the entire stack: there is no way to create a deliberate weakness that is guaranteed to remain in the hands of the white hats, whoever those white hats happen to be.

ISPs will be forced to retain this data for one year, including the aforementioned data on browsing activities.

Do as we say, not as we do

Meanwhile, in an amusing twist, a recent report on secure voice communications prepared by the UK government notes that the public telephone network (PSTN) hasn’t been considered secure for over a decade. The report contains an entire section devoted to the security challenges of creating a secure voice communication system — and it sheds light on the kind of hoops Apple might be expected to jump through.

From the report:

The ability to support lawful interception and business practice monitoring is a key requirement of secure voice technology and it is often overlooked. Solutions which perform end-to-end encryption generally need to rely on key escrow to support lawful interception.

It goes on to note MIKEY-SAKKE (Multimedia Internet KEYing – Sakai-Kasahara Key Encryption), a protocol designed by CESG, the information security arm of GCHQ, and published through the IETF as RFC 6509. MIKEY-SAKKE is identity-based: it uses pairing-based elliptic-curve mathematics, and a key management server holding a master secret derives every user’s private key, which is exactly what gives the operator the escrow the report calls for. The interception capability therefore does not depend on any weakness in the curve. That said, the elliptic-curve choice is fascinating, considering the NSA recently issued an advisory telling vendors not to invest further in elliptic-curve cryptography ahead of a post-quantum transition. That is not to say that the GCHQ-recommended standards are already broken, but GCHQ may be contemplating a shift to methods the NSA has already moved away from; alternately, it could be advocating these standards precisely because the design lets it, or whoever runs the key server, decrypt the traffic.

Proper encryption implementation is incredibly difficult — the last thing we need is government-mandated backdoors making an already tough situation worse.


Is the NSA trying to warn us that cryptography is dead?

Back in August, the NSA released an updated advisory that was at once interesting and expected: It said that the world had to prepare for the oncoming impact of quantum computers, and the possibility that these devices could render existing computer cryptography almost completely obsolete. They called for the cryptographic community to invest heavily in developing so-called post-quantum cryptographic solutions that could survive this hypothetical watershed invention. And, as you might imagine, this advisory has very nearly driven the internet insane. Now, two security researchers have published a paper compiling all the various theories surrounding this advisory, and trying to make sense of the situation.

Remember that quantum computers have obsessed internet weirdos for as long as the concept has existed. Try really looking into the Deep Web sometime, and you’ll quickly come up against the idea of a quantum deep web, a deep deep deep web, that can only be accessed by/through Illuminati-style quantum networks that, of course, don’t actually exist. Much of this lore is simply gleeful trolling by people who love to mislead noobs, but don’t kid yourself — many of the most entrenched People Of The Internet really do believe this crap.

So, unsurprisingly, now they believe this crap. The biggest issue springs from a single passage (emphasis mine):

For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.

The reason this has surprised so many people is that the NSA has been a long-time supporter of several of what we might call pre-quantum cryptographic solutions: new and highly advanced algorithms that shore up problems with current solutions, but which would probably not be secure in the event of real quantum computing. In particular, NSA has been a booster of Elliptic Curve Cryptography (ECC), which makes this back-pedaling announcement a bit confusing. They’re now saying that ECC is a stopgap solution waiting to be made obsolete by quantum research, but that’s what it has always been, so what’s changed?

DWave's (alleged) quantum computing chip.

However, while it’s certainly possible that NSA has a secret, super-successful quantum computer behind closed doors, that looks very unlikely at this point. Not only does NSA seem to lack the sheer volume of pure-science research talent that would be necessary to compete with the major, openly acknowledged research bodies, but the Edward Snowden leaks gave no indication that NSA has, or soon expects to have, a quantum computer capable of breaking today’s cryptography.

And so, those viewing the situation have slid down to a possible explanation that’s at once more and less realistic: a conventional algorithm that can break modern encryption through sheer mathematical efficiency. This is more realistic, since it could theoretically come from the mind of a single brilliant analyst, and thus it could come from the NSA, out of the blue and with no help from the private sector. On the other hand, conventional wisdom in cryptography holds that no such classical attack exists on a digital computer, even though nobody has proved it impossible.

The fact is that “NSA Has Quantum!” is a bit like the tech-world’s equivalent of “Half Life 3 Confirmed” — it’s basically a joke at this point, but beneath the sarcasm lies an understanding that the cliche does have to come true eventually, even if not for a very, very long time. That’s why both memes have been so long-lived: Quantum computers seem like they will come into existence at some point, so no matter how many times they cry (or hint) wolf, you’ve still got to be wary — every single time.


Edward Snowden interview: ‘Smartphones can be taken over’

Smartphone users can do “very little” to stop security services getting “total control” over their devices, US whistleblower Edward Snowden has said.

The former intelligence contractor told the BBC’s Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners’ knowledge.

Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in.

The UK government declined to comment.

Mr Snowden spoke to Panorama in Moscow, where he fled in 2013 after leaking to the media details of extensive internet and phone surveillance by his former employer, the US National Security Agency (NSA).

He did not suggest that either GCHQ or the NSA were interested in mass-monitoring of citizens’ private communications but said both agencies had invested heavily in technology allowing them to hack smartphones. “They want to own your phone instead of you,” he said.

Mr Snowden talked about GCHQ’s “Smurf Suite”, a collection of secret intercept capabilities individually named after the little blue imps of Belgian cartoon fame.

“Dreamy Smurf is the power management tool which means turning your phone on and off without you knowing,” he said.

“Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.

“Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.”

Peter Taylor’s film Edward Snowden: Spies and the Law also covers:

  • The contentious relationship between the British government and social media companies. The intelligence agencies and the police want the companies to co-operate in detecting terrorist content but the programme learns that not all companies are prepared to co-operate to the extent that the agencies would like.
  • Documents leaked by Mr Snowden that appear to show that the UK government acquired vast amounts of communications data from inside Pakistan by secretly hacking into routers manufactured by the US company, Cisco.

‘Necessary and proportionate’

Mr Snowden also referred to a tool known as Paranoid Smurf.

“It’s a self-protection tool that’s used to armour [GCHQ’s] manipulation of your phone. For example, if you wanted to take the phone in to get it serviced because you saw something strange going on or you suspected something was wrong, it makes it much more difficult for any technician to realise that anything’s gone amiss.”

Once GCHQ had gained access to a user’s handset, Mr Snowden said the agency would be able to see “who you call, what you’ve texted, the things you’ve browsed, the list of your contacts, the places you’ve been, the wireless networks that your phone is associated with.

“And they can do much more. They can photograph you”.

Mr Snowden also explained that the SMS message sent by the agency to gain access to the phone would pass unnoticed by the handset’s owner.

“It’s called an ‘exploit’,” he said. “That’s a specially crafted message that’s texted to your number like any other text message but when it arrives at your phone it’s hidden from you. It doesn’t display. You paid for it [the phone] but whoever controls the software owns the phone.”


Describing the relationship between GCHQ and its US counterpart, he said: “GCHQ is to all intents and purposes a subsidiary of the NSA.

“They [the NSA] provide technology, they provide tasking and direction as to what they [GCHQ] should go after.”

The NSA is understood to have a similar programme to the Smurf Suite used by GCHQ on which it is reported to have spent $1bn in response to terrorists’ increasing use of smartphones.

Mr Snowden said the agencies were targeting those suspected of involvement in terrorism or other serious crimes such as paedophilia “but to find out who those targets are they’ve got to collect mass data”.

“They say, and in many cases this is true, that they’re not going to read your email, for example, but they can and if they did you would never know,” he said.

In a statement, a spokesperson for the UK government said: “It is long-standing policy that we do not comment on intelligence matters.

“All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.”

The government believes Mr Snowden has caused great damage to the intelligence agencies’ ability to counter threats to national security.

Mr Snowden maintains he has acted in the public interest on the grounds that the surveillance activities revealed in the thousands of documents he leaked are carried out – in his words – “without our knowledge, without our consent and without any sort of democratic participation”.

Watch Peter Taylor’s film: Edward Snowden, Spies and the Law on Panorama on BBC One on Monday, 5 October at 20:30 BST or catch up later online.


This New Campaign Wants To Help Surveillance Agents Quit NSA or GCHQ

Support groups help cult and gang members break free of their former lives. Alcoholics and Narcotics Anonymous help addicts overcome their dependencies. And now one group of privacy campaigners wants to offer its target audience an escape route from what it sees as an equally insidious trap: their jobs working for intelligence agencies like the NSA.

On Monday, a group of Berlin-based anti-surveillance activists launched Intelexit, a campaign to encourage employees of the NSA and British spy agency GCHQ to reconsider the morality of their spy work and to persuade them to quit. They planned to kick the project off with a series of billboards strategically posted near intelligence agency buildings around the world. One, reading “listen to your heart, not to private phone calls,” was to be installed next to the Dagger Complex, a military base and NSA outpost in Darmstadt, Germany, the group told WIRED. Another, with the text “the intelligence community needs a backdoor,” will appear outside GCHQ’s Cheltenham, UK headquarters, playing on the UK and US governments’ demands for a “backdoor” system to allow the decryption of citizens’ encrypted communications. A third sign is meant to be affixed to a van patrolling the area around the NSA’s Fort Meade, Maryland, headquarters, where the activists today plan to hand out fliers to employees with information on where they can get support and counseling if they choose to leave the agency.

“We know for a fact that there are many, many people working there who are conflicted, anxious and ultimately completely against what these agencies are doing,” says Ariel Fischer, a pseudonymous spokesperson for the Intelexit group, an offshoot of the social activism collective called Peng. “If more of those individuals start realizing that they can take a stand, and that they have support from the outside world, well, then maybe a few people will be compelled to act on their principles.”

The campaign, says Fischer, is set to continue tomorrow and Wednesday with blasts of faxes, emails, and phone calls to NSA numbers and addresses. (Fischer says the group acquired an internal NSA contact list from a source she declined to name.) The group’s website features a set of arguments against working in surveillance, a tool for composing a resignation letter based on a survey of principles an intelligence employee can fill out, and a video featuring testimonials from figures like crypto guru Bruce Schneier and NSA whistleblower Thomas Drake.

Drake, an ex-NSA senior analyst who in 2005 blew the whistle on the agency’s financially disastrous, privacy-invasive Trailblazer program, says he joined the group to support fellow conscientious objectors. Drake faced a serious backlash after his own ethical objections to that massive post-9/11 contractor project: He was indicted for leaking classified documents and forced out of the NSA, losing his clearance and his career, only to have the charges reduced to a misdemeanor after it was determined he never actually gave classified data to a reporter. But he hopes his own difficult experience will show other NSA agents with moral misgivings that they are not alone. “In some cases you do need a mirror that shows you that you have the choice to leave,” Drake said in a phone interview with WIRED. “And knowing that there are people who have gone through this before helps make that choice.”

The NSA didn’t immediately respond to WIRED’s request for comment on the Intelexit campaign. But a GCHQ spokesperson wrote in an email that the agency “has several formal lines of accountability and a culture and ethos of high ethical standards among our workforce.” The statement also argues that GCHQ doesn’t actually do anything illegal or immoral, and that staff can report any concerns they do have to managers or to GCHQ’s own counselors.

“The work of GCHQ is carried out within a strict legal framework and there is no question of anyone being asked to do anything unlawful or which they consider to be unethical,” the statement reads. “GCHQ actively encourages staff to discuss any concerns they might have about their work and we pride ourselves on the structures we have in place to support this.”

Intelexit’s Fischer counters that agencies like the NSA and GCHQ enable mass surveillance—like GCHQ’s Karma Police program to understand the web-browsing habits of “every visible user on the Internet,” which was only detailed last week—and gather the intelligence that enables drone warfare, both of which she considers immoral. And it’s questionable whether official agency reporting systems offered any help to past whistleblowers like Drake, who in 2002 helped assemble a critique of Trailblazer sent to the Pentagon’s Inspector General, or Snowden, who claims he raised his mass surveillance concerns with managers more than 10 times before leaking documents.

Fischer adds that the idea of Intelexit isn’t to demonize or attack the intelligence agencies but to humanize them—to appeal to the morality of the humans that compose them. “We make a clear difference between individuals and the structures they are part of,” she says. “We want to meet our surveillers eye to eye, and say ‘We can help you.’”

Just how effective a project like Intelexit might be is far from clear. For all its idealism, the campaign’s chances of effecting any significant exodus of intel employees are slim. The NSA’s difficulties with morale and recruiting in the wake of Edward Snowden’s mass surveillance revelations are no secret. But for every Snowden or Drake, there are no doubt many thousands of NSA and GCHQ employees who see their work as both moral and necessary, and just as many who treat it as a workaday job without considering its ethical implications.

But Fischer says that cases like Snowden’s, Drake’s and Army intelligence leaker Chelsea Manning’s give Intelexit hope that there’s an audience for its message. If it can lead even a small number of NSA and GCHQ staffers to reconsider their work, Fischer says, she’ll consider the project a success. “We have seen a shift in the last years of people leaving, people blowing the whistle, even in the face of great repression and we wanted to support that,” she says. “If there is a backdoor and people start leaving, and people start talking, and the public starts reacting, they will be forced to change.”


Jeb Bush says the NSA isn’t powerful enough

Jeb Bush says the National Security Agency should not have its powers scaled back, the Associated Press reports. But encryption by private technology companies like Google, Bush suggests, is a threat to national security.


“There’s a place to find common ground between personal civil liberties and NSA doing its job,” Bush said, according to comments he made yesterday at a forum reported on by the AP. “I think the balance has actually gone the wrong way.” Bush says a recent change to the Patriot Act that ordered a stop to the bulk collection of Americans’ phone records was misguided; there was “no evidence,” he says, that the surveillance violated civil liberties.

Bush also suggested that encryption by private companies, which high-profile law enforcement officials have fought against, “makes it harder for the American government to do its job while protecting civil liberties to make sure evildoers aren’t in our midst.”

The comments are not a complete surprise. Bush has already been vocal in his support for the NSA, and with the exception of Rand Paul, many GOP presidential hopefuls have taken similar positions.


AT&T Helped NSA Track Internet Traffic, Report Says

Telecommunications powerhouse AT&T Inc has provided extensive assistance to the U.S. National Security Agency as the spy agency conducts surveillance on huge volumes of Internet traffic passing through the United States, The New York Times reported on Saturday, citing newly disclosed NSA documents.

The newspaper reported that the company gave technical assistance to the NSA in carrying out a secret court order allowing wiretapping of all Internet communications at the headquarters of the United Nations, an AT&T customer.

The documents date from 2003 to 2013 and were provided by fugitive former NSA contractor Edward Snowden, The Times reported.

The company helped the spy agency in a broad range of classified activities, the newspaper reported.

The documents describe how the NSA’s working relationship with AT&T has been particularly important, enabling the agency to conduct surveillance, under various legal rules, of international and foreign-to-foreign Internet communications that passed through network hubs in the United States.

AT&T installed surveillance equipment in at least 17 of its U.S. Internet hubs, far more than competitor Verizon Communications Inc, The Times reported. AT&T engineers also were the first to use new surveillance technologies invented by the NSA, The Times reported.

“This is a partnership, not a contractual relationship,” according to one NSA document describing the link between the agency and the company.

AT&T’s “corporate relationships provide unique accesses to other telecoms and I.S.P.s,” or Internet service providers, according to another NSA document.

AT&T started in 2011 to provide the NSA more than 1.1 billion domestic cellphone calling records daily after “a push to get this flow operational prior to the 10th anniversary of 9/11,” referring to the Sept. 11, 2001, attacks on the United States, The Times reported.

AT&T’s providing of foreign-to-foreign Internet traffic has been especially important to the NSA because large amounts of the world’s Internet communications pass across U.S. cables, The Times reported. The company gave access to contents of transiting email traffic years before Verizon started in March 2013, The Times reported.

Asked to comment on The Times report, AT&T spokesman Brad Burns told Reuters by email: “We do not voluntarily provide information to any investigating authorities other than if a person’s life is in danger and time is of the essence. For example, in a kidnapping situation we could provide help tracking down called numbers to assist law enforcement.”

Burns said AT&T would have nothing further to say on the report.


Widely trusted API lets cyber-spies fingerprint your device battery

There are a lot of ways to track a device. You can track its network (IP) address, but that can be obscured. You can track the profiles and logins used to access different services online, but those can be logged out of and avoided. You can even install active hardware and software trackers, but those can be tricked or removed.

In the aggregate, however, the ability to track devices, service profiles, and targeted malware results in a near-perfect ability to track a target. The biggest issue is bridging the short periods in which tracking went down: this IP address drops out at this time, then that device logs in through the Tor network at that time. How do you correlate the two so they make a single, contiguous story? You use specialized identification techniques like the one unveiled this week by French and Belgian researchers.

The technique works by making use of a now-standard browser interface, the Battery Status API, a W3C web API supported by Chrome, Firefox, and Opera. Any script on a page can use it to read the battery level of a smartphone, tablet, or laptop, along with its estimated charge and discharge times, without asking the user. Over short intervals (between chargings) this data acts as a sort of fingerprint: it can identify the device and correlate the activity of one apparent device with the activity of another, showing them to be the same device using different connection methods.

This sort of info can be unique, if tracked with enough accuracy.

Older batteries make better identifiers, since they have more unique charging levels — batteries fresh out of the factory tend to be much more similar, thus more difficult to distinguish based on their charge characteristics.

The World Wide Web Consortium (W3C) specification treats battery data as having minimal privacy impact, and specifically exposes it to web developers without any user permission prompt. That makes battery level data an attractive target for data miners, who don’t have to alert users to their interest. If it can be used to identify a browser to a specific site, it makes a powerful tool for cyber-sleuths.

The researchers did say that the API could be made much more private simply by making it worse: lower the precision with which it reports the battery’s level and the “fingerprint” blurs to the point of uselessness. Meanwhile, most of us don’t need Firefox to report our battery level to more than a percentage point, so there’s little functional loss to the user. They submitted a bug report to Mozilla, and “a fix has been deployed.”
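As an added illustration, not code from the researchers or from any browser, the following JavaScript reproduces the correlation described above on constructed readings: three page loads as a tracking site would see them, two from one laptop twenty seconds apart (once directly, once through Tor) and one from a different laptop at a similar charge. The readings, the `ts` arrival times and the `depletionAt` trick (arrival time plus `dischargingTime`, which stays constant for one discharging device) are my own construction; `levelDigits: 2` stands in for the precision reduction the researchers proposed, and `timeBucket` for coarsening the time fields as well.

```javascript
// Constructed sample readings (not captured data): the fields a script gets from
// navigator.getBattery() plus the server-side arrival time `ts` in seconds.
// A-direct and A-tor are the same laptop on two network paths; B is another laptop.
const READINGS = [
  { id: 'A-direct', ts: 1000, level: 0.5816326530612245, dischargingTime: 9712 },
  { id: 'A-tor',    ts: 1020, level: 0.5816326530612245, dischargingTime: 9692 },
  { id: 'B-direct', ts: 1005, level: 0.5803571428571429, dischargingTime: 9707 },
];

// digits === null reproduces the leaky behaviour (raw double straight from the
// platform); digits === 2 is the kind of rounding a fix applies.
function quantizeLevel(level, digits) {
  if (digits === null) return level;
  const scale = 10 ** digits;
  return Math.round(level * scale) / scale;
}

// dischargingTime is "seconds until empty", so ts + dischargingTime is the
// predicted moment the battery dies. For one device that value is stable across
// requests while it keeps discharging, whatever IP address or path it uses.
// timeBucket > 1 models a browser that also coarsens the time fields.
function fingerprint(r, { levelDigits = null, timeBucket = 1 } = {}) {
  const dt = Math.round(r.dischargingTime / timeBucket) * timeBucket;
  return { level: quantizeLevel(r.level, levelDigits), depletionAt: r.ts + dt };
}

// Two readings are "linkable" when their quantized levels agree and their
// predicted depletion moments agree within the slack (default: one bucket, at
// least 30 s, to absorb the platform's own update interval).
function sameDevice(a, b, opts = {}) {
  const slack = opts.slack ?? Math.max(30, opts.timeBucket ?? 1);
  const fa = fingerprint(a, opts);
  const fb = fingerprint(b, opts);
  return fa.level === fb.level && Math.abs(fa.depletionAt - fb.depletionAt) <= slack;
}

// For every reading, which other readings a tracker could attribute to the same device.
function linkVisits(readings, opts = {}) {
  const links = {};
  for (const a of readings) {
    links[a.id] = readings.filter((b) => b !== a && sameDevice(a, b, opts)).map((b) => b.id);
  }
  return links;
}

// Size of the identifier space actually observed: fewer distinct fingerprints
// means a larger anonymity set per visitor.
function distinctFingerprints(readings, opts = {}) {
  return new Set(readings.map((r) => JSON.stringify(fingerprint(r, opts)))).size;
}

// Leaky API: the Tor visit is linked only to the direct visit from the same laptop.
console.log('raw      ', linkVisits(READINGS), distinctFingerprints(READINGS));
// Rounded level: laptop B now collides with A, so the link is ambiguous.
console.log('2 digits ', linkVisits(READINGS, { levelDigits: 2 }), distinctFingerprints(READINGS, { levelDigits: 2 }));
// Rounded level and 15-minute time buckets: all three readings are identical.
console.log('coarse   ', linkVisits(READINGS, { levelDigits: 2, timeBucket: 900 }));
```

The point of the `depletionAt` normalisation is that a tracker does not need the two requests to arrive at the same moment; only the predicted end-of-charge has to agree, which is why changing IP address or switching to Tor between visits does nothing. Rounding the level alone shrinks the identifier space (B becomes indistinguishable from A) but leaves the seconds-granular time fields as a channel, so coarsening those too is what finally turns the fingerprint into noise.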

The massive iPhone 6 Plus battery

These sorts of privacy attacks are important because, while crude, they bypass any attempt at hiding an online signature. Turning on Tor doesn’t change your battery capacity, nor does using a VPN make you suddenly type and scroll differently. With biometric sensors becoming more and more common in consumer electronics, the ability to identify a person, as opposed to an electronic profile, has never been greater.

As the available security measures become more elaborate (and, in the post-Snowden world, better at evading known threats), attacks will have to get not just better but more subtle. Planting a zero-day exploit in the foundational software of modern computing is certainly one approach, but side channels like this one ignore addressing information entirely and may even help track users as they move between devices.


U.S. Embedded Spyware Overseas, Report Claims

The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.

In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.

It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.

Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors.

Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that runs on the hardware itself beneath the operating system; in this case, the hard drive’s own controller firmware. Such an implant is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.

In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.

Kaspersky noted that of the more than 60 attack groups it was tracking in cyberspace, the so-called Equation Group “surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”

Kaspersky Lab was founded by Eugene Kaspersky, who studied cryptography at a high school co-sponsored by the K.G.B. and once worked for the Russian military. Its studies, including one describing a cyberattack of more than 100 banks and other financial institutions in 30 countries, are considered credible by Western experts.

The fact that security software made by Kaspersky Lab is not used by many American government agencies has made it more trusted by other governments, like those of Iran and Russia, whose systems are closely watched by United States intelligence agencies. That gives Kaspersky a front-row seat to America’s digital espionage operations.

The firm’s researchers say that what makes these attacks particularly remarkable is their way of attacking the actual firmware of the computers. Only in rare cases are cybercriminals able to get into the actual guts of a machine.

Recovering from a cyberattack typically involves wiping the computer’s operating system and reinstalling software, or replacing a computer’s hard drive. But if the firmware becomes infected, security experts say, it can turn even the most sophisticated computer into a useless piece of metal.

In the past, security experts have warned about “the race to the bare metal” of a machine. As security around software has increased, criminals have looked for ways to infect the actual hardware of the machine. Firmware is about the closest to the bare metal you can get — a coveted position that allows the attacker not only to hide from antivirus products but also to reinfect a machine even if its hard drive is wiped.

“If the malware gets into the firmware, it is able to resurrect itself forever,” Costin Raiu, a Kaspersky threat researcher, said in the report. “It means that we are practically blind and cannot detect hard drives that have been infected with this malware.”

The possibility of such an attack is one that math researchers at the National Institute of Standards and Technology, a branch of the Commerce Department, have long cautioned about but have very rarely seen. In an interview last year, Andrew Regenscheid, a math researcher at the institute, warned that such attacks were extremely powerful. If the firmware becomes corrupted, Mr. Regenscheid said, “your computer won’t boot up and you can’t use it. You have to replace the computer to recover from that attack.”

That kind of attack also makes for a powerful encryption-cracking tool, Mr. Raiu noted, because it gives attackers the ability to capture a machine’s encryption password, store it in “an invisible area inside the computer’s hard drive” and unscramble a machine’s contents.

Kaspersky’s report also detailed the group’s efforts to map out so-called air-gapped systems that are not connected to the Internet, including Iran’s nuclear enrichment facilities, and infect them using a USB stick. To get those devices onto the machines, the report said, the attackers have in some cases intercepted them in transit.

Documents revealed by the former National Security Agency contractor Edward J. Snowden detailed the agency’s plans to leap the “air gaps” that separate computers from the outside world, including efforts to install specialized hardware on computers being shipped to a target country. That hardware can then receive low-frequency radio waves broadcast from a suitcase-size device that the N.S.A. has deployed around the world. At other times the air gaps have been leapt by having a spy physically install a USB stick to infect the adversary’s computer.

Basing its estimate on the time stamps in code, the Kaspersky presentation said the Equation Group had been infecting computers since 2001, but aggressively began ramping up its capabilities in 2008, the year that President Obama was elected, doubling down on digital tools to spy on America’s adversaries.
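Dating an actor’s activity from “the time stamps in code” means reading the compile timestamp that the linker writes into each Windows executable’s COFF header. The following is an added example (not Kaspersky’s tooling, and not from the original page) that extracts that `TimeDateStamp` field from PE images and builds a per-year activity count from a corpus, flagging stamps that cannot be trusted. The corpus is constructed from minimal PE-like stubs; the file names, stamp values, and the 2000 to early-2015 plausibility window are assumptions of this example:

```python
"""Added example: building an actor timeline from PE compile timestamps."""
import struct
from collections import Counter
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch).

    Layout: 'MZ' DOS header, e_lfanew at 0x3C pointing to the 'PE\\0\\0'
    signature, then the COFF header: Machine(2) NumberOfSections(2)
    TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def plausible(ts: int, not_before: int, not_after: int) -> bool:
    """Linker stamps are attacker-controlled. A zero stamp (stripped or
    reproducible build) or one outside the analysis window is flagged,
    not trusted, so it cannot skew the timeline."""
    return ts != 0 and not_before <= ts <= not_after


def timeline(samples, not_before, not_after):
    """Count plausible samples per UTC year; return suspect names separately."""
    by_year, suspect = Counter(), []
    for name, blob in samples.items():
        ts = pe_timestamp(blob)
        if not plausible(ts, not_before, not_after):
            suspect.append(name)
            continue
        by_year[datetime.fromtimestamp(ts, tz=timezone.utc).year] += 1
    return by_year, suspect


def make_pe_stub(ts: int) -> bytes:
    """Constructed minimal PE-like blob: just enough header to carry a stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed corpus: names and stamps are invented for the example.
SAMPLES = {
    "loader_a.dll": make_pe_stub(1_000_000_000),    # 2001-09-09 UTC
    "loader_b.dll": make_pe_stub(1_200_000_000),    # 2008-01-10 UTC
    "fw_module.dll": make_pe_stub(1_220_000_000),   # 2008-08-29 UTC
    "usb_stage.exe": make_pe_stub(1_280_000_000),   # 2010-07-24 UTC
    "zero_stamp.sys": make_pe_stub(0),              # stripped: carries no date
    "future.dll": make_pe_stub(2_000_000_000),      # 2033: forged or clock skew
}

NOT_BEFORE = 946_684_800     # 2000-01-01 UTC, assumed start of the window
NOT_AFTER = 1_424_000_000    # about 2015-02-15 UTC, assumed analysis date


def analyze():
    """Timeline for the constructed corpus."""
    return timeline(SAMPLES, NOT_BEFORE, NOT_AFTER)


if __name__ == "__main__":
    years, suspect = analyze()
    for year in sorted(years):
        print(f"{year}: {'#' * years[year]}")
    print("suspect stamps:", suspect)
```

The caveat a practitioner would add: because the stamp is written by the attacker’s own build system, a consistent set of plausible dates across many samples is evidence of a timeline, while any single stamp proves nothing, and a zero or out-of-window value is a reason to look closer rather than a data point.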

While the United States has never acknowledged conducting any offensive cyberoperations, President Obama discussed the issue in general in an interview on Friday with Re/code, an online computer industry publication, describing offensive cyberweapons as being unlike traditional weapons.

“This is more like basketball than football, in the sense that there’s no clear line between offense and defense,” said Mr. Obama, himself a basketball player. “Things are going back and forth all the time.”


Twitter Reports a Surge in Government Data Requests

Twitter on Monday released its twice-yearly transparency report, showing a surge in government requests for users’ Twitter information.

The report, which discloses the frequency with which government agencies from around the world ask Twitter to hand over data on specific users, said total requests rose by 40 percent, to about 2,871, compared with the company’s last report, in July. The latest requests came from more than 50 countries.

Since Google first began disclosing such government requests for data four years ago, many major tech companies, including Facebook, Twitter and Microsoft, have followed suit.

“These reports shine a light on government requests for customers’ information,” Jeremy Kessel, senior manager of global legal policy at Twitter, said in a company blog post. “Providing this insight is simply the right thing to do, especially in an age of increasing concerns about government surveillance.”

The most requests for Twitter, according to the company’s latest report, came from the government of Turkey, which has often clashed with the microblogging company. In 2014, anonymous Twitter users posted leaked recordings to Twitter that implicated Recep Tayyip Erdogan, the country’s president, in sweeping corruption allegations just weeks before local elections were to be held. Mr. Erdogan was able to block the service throughout Turkey for a time, before the nationwide ban was deemed unconstitutional.

Twitter said it did not comply with any of Turkey’s requests for user data.

Transparency reports gained more attention after Edward J. Snowden, a former National Security Agency contractor, leaked a cache of sensitive documents detailing the government agency’s surveillance operations both at home and abroad. Technology companies were top targets of N.S.A. interest.

Tech companies have fought to ease strict laws that prohibit the firms from detailing the number of national security letters, a kind of subpoena that the F.B.I. can issue without court oversight, and Foreign Intelligence Surveillance Act court requests they have received. Previously, these companies were not even able to acknowledge that they had received such requests at all.

Last year, a coalition of tech companies including Apple, Google and Facebook, known as Reform Government Surveillance, reached a settlement with the Department of Justice, allowing tech companies to disclose how many data requests they have received from the government in groups of 1,000.

Twitter, however, did not participate in that agreement, and has gone one step further. In October, Twitter sued the American government in an effort to provide more detail about the data requests the company received from government officials.

“We’ve tried to achieve the level of transparency our users deserve without litigation, but to no avail,” Ben Lee, a vice president for legal matters at Twitter, said in a company blog post last year.

After the lawsuit, the American government publicly filed a redacted version of Twitter’s draft transparency report. Though that report remains heavily redacted, the language Twitter used indicates that the company received a “relatively small number of national security requests,” affecting only a few “millionths of one percent” of Twitter’s overall users.

“It is important that we be able to share our version of the surveillance story that so many others are trying to tell now,” the company said in its report. “Forcing Twitter to use only government-sanctioned speech is wrong and unlawful. It is harmful to the public’s trust in Twitter, and it violates Twitter’s First Amendment right to free speech.”
