NSA Chief Tells Hackers His Agency Doesn’t Create Dossiers on All Americans

Gen. Keith Alexander, head of the NSA and U.S. Cyber Command appearing at the 2012 DefCon hacker conference in Las Vegas on Friday. Photo: Kim Zetter/Wired

LAS VEGAS — NSA chief Gen. Keith Alexander, appearing for the first time at the DefCon hacker conference, told the crowd of hackers and security professionals that his agency “absolutely” does not maintain files on Americans.

Responding to a question from DefCon founder Jeff Moss asking “does the NSA really keep a file on everyone?,” Alexander replied, “No, we don’t. Absolutely no. And anybody who would tell you that we’re keeping files or dossiers on the American people knows that’s not true.”

Alexander went on to say that the NSA’s job was foreign intelligence, not domestic, and that the agency is constantly monitored in everything it does.

“We get oversight by Congress, both intel committees and their congressional members and their staffs,” he continued, “so everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody. And I will tell you that those who would want to weave the story that we have millions or hundreds of millions of dossiers on people is absolutely false.”

Unstated in both Moss’s question and Alexander’s answer, however, is whether the NSA monitors and collects the communications of millions of Americans en masse, something that is very different from keeping a “file” on individual Americans.

Alexander did touch on the collection of data in his answer, but denied that this involved Americans. Under the FISA Amendment Act, he said, the NSA is authorized “to collect foreign targets — think of terrorists — outside the United States.

“And that law allows us to use some of our infrastructure to do that. We may, incidentally, in targeting a bad guy, hit on somebody from a good guy. [But] we have requirements from the FISA court and the attorney general to minimize that, which means nobody else can see it unless there’s a crime that’s been committed…. And so from my perspective, the people who would say that we’re [targeting Americans] should know better.”

Alexander is likely referring to recently published comments by former NSA officials, who told author James Bamford that the NSA’s future $2 billion data center being built in Utah will be used to store “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital ‘pocket litter.’”

According to one unnamed former NSA official, “Everybody’s a target; everybody with communication is a target.”

Dressed casually in blue jeans and a t-shirt, Alexander was deferential to the packed auditorium of hackers and security professionals, telling them that DefCon was “the world’s best cyber community,” and appealed to the audience for help in solving some of the problems of the internet.

“In this room … is the talent our nation needs to secure cyberspace,” he told the audience. “You folks understand cybersecurity. You know that we can protect the networks and have civil liberties and privacy, and you can help us get there.”

In discussing the need to develop better methods to protect networks from intrusions, Alexander said, “Some of you . . . can help us show the world that you can actually do intrusion detection and prevention systems and ensure civil liberties and privacy. Showing that to the world is absolutely important because we can do both and we need to do both.”

Feds: We Can Freeze Megaupload Assets Even if Case Dismissed

Kim Dotcom, the founder of Megaupload, in a recent photo from New Zealand, where he is fighting extradition to the United States on criminal conspiracy charges.

The United States government said Friday that even if the indictment of the Megaupload corporation is dismissed, it can continue its indefinite freeze on the corporation’s assets while it awaits the extradition of founder Kim Dotcom and his associates.

Judge Liam O’Grady is weighing a request to dismiss the indictment against Megaupload because (in Megaupload’s view) the federal rules of criminal procedure provide no way to serve notice on corporations with no U.S. address. At a hearing in Alexandria, Virginia, he grilled both attorneys in the case but did not issue a ruling.

O’Grady speculated, with evident sarcasm, that Congress intended to allow foreign corporations like Megaupload to “be able to violate our laws indiscriminately from an island in the South Pacific.”

But Megaupload’s attorney insisted that this may not be too far from the truth. Megaupload, he said, is a Hong Kong corporation with no presence in the United States. He argued it was perfectly reasonable for Megaupload to be subject to the criminal laws of Hong Kong, but not the United States.


For its part, the government suggested that it could sidestep the mailing requirement in one of several ways. For example, it could wait for Kim Dotcom to be extradited to the United States and then mail notice to him, as Megaupload’s representative, at his address in prison. Or, they suggested, the government could send notice of the indictment to Carpathia Hosting, a Virginia company that has leased hundreds of servers to the locker site.

The government also mentioned the possibility that it could use the provisions of a Mutual Legal Assistance Treaty to send notice to Megaupload’s Hong Kong address.

But Judge O’Grady seemed skeptical of these arguments. He noted that the “plain language” of the law required sending notice to the company’s address in the United States. “You don’t have a location in the United States to mail it to,” he said. “It’s never had an address” in the United States.

And Megaupload pointed out that the government hadn’t produced a single example in which the government had satisfied the rules of criminal procedure using one of the methods it was suggesting in this case. Most of the precedents the government has produced were in civil cases, which have different rules. And most involved serving a corporate parent via its subsidiary. That’s a very different relationship than, for example, the vendor-customer relationship between Megaupload and Carpathia.

The government brought up one new example during the hearing: an instance in which a judge allowed notice to be sent via e-mail to the Colombian guerrilla group FARC. But Megaupload’s attorneys dismissed this example as well, pointing out that FARC was not a corporation and that the propriety of that service was never tested in court.

The government also argued that it could keep Megaupload in legal limbo indefinitely. “None of the cases impose a time limit on service,” the government’s attorney told the judge. Therefore, the government believes it can leave the indictment hanging over the company’s head, and keep its assets frozen, indefinitely.

Not only that, but the government believes it can continue to freeze Megaupload’s assets and paralyze its operations even if the judge grants the motion to dismiss. That’s because in the government’s view, the assets are the proceeds of criminal activity and the prosecution against founder Kim Dotcom will still be pending. The fact that the assets are in the name of Megaupload rather than its founder is of no consequence, the government claimed.

Hollywood, at least, seems nervous that Judge O’Grady might buy Megaupload’s argument. In a conference call held Wednesday in advance of today’s hearing, a senior vice president at the Motion Picture Association of America argued that the dismissal of the case against Megaupload would have little practical impact, since the company’s principals would still be facing indictment. And he rejected Kim Dotcom’s efforts to frame the case as a test of internet freedom, describing Dotcom as a “career criminal” who had grown wealthy stealing the work of others.

This story originally appeared on Ars Technica.

An Examination of Java Vulnerability CVE-2012-1723

A BlackHole Exploit Toolkit sample that exploits the Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability was released in the beginning of July 2012.

The vulnerability exists due to “type confusion” between a static variable and an instance variable. A static variable is common in a class, whereas an instance variable is only valid in an instantiated class. In the sample, the class defines many variables:
 

    class C2
    {
      static ClassLoader static_field;
      C3 f0;
      C3 f1;
      C3 f2;
      // ... continues to f99
      C3 f99;
    }
 

In order to access the static variable static_field, we use C2.static_field. In order to access the instance variable f0, we use this.f0. You can write this.static_field in Java source code, but once it is compiled, this.static_field becomes a static field reference (C2.static_field) in the byte code. This is because static variables are completely different from instance variables. The javac.exe compiler is not confused by field types.

However, as Michael ‘mihi’ Schierl mentions, if a Java byte-code assembler is used or if a class file is patched by hand, it is possible for “type confusion” between variable types to occur. The sample contains the following code:
 

    classloader2 = C2.static_field;
    this.static_field = classloader3;

Due to this illegal code, a vulnerable Java VM is unable to distinguish between the static variable and the instance variable, and ends up referencing the wrong variable (one of f0 through f99 in the sample), whose contents have not been verified as safe. Consequently, the malicious C3 class is executed without any of the limitations imposed by the Java VM sandbox.

Many security vendors added detections for this sample. And as a matter of course, the malware authors started to obfuscate the malicious Java programs in an attempt to escape the detections.

A year ago, such obfuscation was mainly done by hand in the author’s source code, whereby redundant code was inserted and class names were changed randomly. Sometimes obfuscation tools, both commercial and free, were also applied by the malware authors. Nowadays, obfuscation is primarily achieved with such tools. A recent JAR file (MD5: 2b65631bc1239838e7db52f1e623cc27), detected as Trojan.Maljava, contains four class files, fawa.class, fawb.class, fawc.class, and fawd.class, under a package named fawa, and all of them are obfuscated by a commercial obfuscator.

Each class contains ambiguous names of fields and methods. The fawa.class file contains fields fawa and fawb, and methods fawa (fawa, String), fawc (fawa, String), fawa (fawa) and fawb (fawa, String). The fawb.class file contains fields fawa and z, and methods fawc(), fawa(), fawa (String), fawb(), and fawd(). The fawc.class file contains many fields whose names start with “faw” and methods fawa() and so forth. The fawd.class file also contains similar names for fields and methods. The only distinguishable name is fawd.init(), which is necessary because it extends the Applet class.

Since the package name, class names, field names, and method names share the same meaningless names, it is not easy to understand the program at a glance.
If the Web page containing the JAR file is viewed on a Java-enabled Internet browser, the fawd class is executed first. The fawd class then executes the fawc class. If the Oracle Java Runtime Environment is not patched, the fawc class successfully exploits the Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability and executes the unverified fawa class, which can escape the sandbox of the Java VM. Next, the fawa class executes the fawb class. The fawb class contains a long encrypted string variable, which has, in fact, been encrypted by the commercial obfuscator. The string is decrypted when the fawb class is initialized.

The long string in the fawb class starts with “33r00yv66vgAAADIAwgcAAgEACGEvaGl” and it is stored in the static field z[0]. The string is passed to its Base64 decoder as z[0].substring(5), thus cutting off the first five characters, “33r00.” The decoded bytes start with 0xCA, 0xFE, 0xBA, 0xBE, the magic number that begins every Java class file; here it marks the start of the hidden.class file under the package “a”.

The hidden.class file calls setSecurityManager(null) in order to nullify the current security manager, which is possible because it has escaped from the sandbox. The hidden.class file then extracts another class, V.class, from the encrypted string.
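The string-hiding trick described above (a few junk characters in front of a Base64-encoded class file) can be checked mechanically during triage. The following Python is an added illustration, not code from the original write-up or from the sample: it takes the fragment of z[0] quoted in the text, strips leading characters until the decoded bytes begin with the class-file magic, and then reads the version fields and walks the first constant-pool entries. The lenient decoder and the constant-pool walker are this example’s own code; SAMPLE_Z0 is only the 32-character fragment quoted above, so the recovered class is truncated after its second constant.

```python
import base64
import binascii
import struct

# Prefix of the obfuscated string quoted in the write-up (the value of
# fawb's static field z[0]). The real sample's string is much longer, so
# the class file decoded here stops after its first two constants.
SAMPLE_Z0 = "33r00yv66vgAAADIAwgcAAgEACGEvaGl"

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Constant-pool tags (JVM spec) and the size of their fixed-length payloads.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 18: 4}
CP_NAMES = {1: "Utf8", 3: "Integer", 4: "Float", 5: "Long", 6: "Double",
            7: "Class", 8: "String", 9: "Fieldref", 10: "Methodref",
            11: "InterfaceMethodref", 12: "NameAndType", 15: "MethodHandle",
            16: "MethodType", 18: "InvokeDynamic"}


def b64_lenient(text):
    """Decode Base64 that may be unpadded or cut off in the middle of a group."""
    text = text.rstrip("=")
    if len(text) % 4 == 1:          # a lone trailing sextet carries no whole byte
        text = text[:-1]
    try:
        return base64.b64decode(text + "=" * ((-len(text)) % 4))
    except (binascii.Error, ValueError):
        return None


def find_embedded_class(blob, max_skip=16):
    """Strip 0..max_skip leading characters until the decode starts with CAFEBABE.

    Returns (skip, decoded_bytes) or None. The sample prepends five junk
    characters ("33r00") to an otherwise ordinary Base64 string, so a plain
    decode of the whole value yields nothing recognisable.
    """
    for skip in range(max_skip + 1):
        data = b64_lenient(blob[skip:])
        if data is not None and data.startswith(CLASS_MAGIC):
            return skip, data
    return None


def class_header(data):
    """Parse the version fields and constant-pool count that follow the magic."""
    minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    return {"minor": minor, "major": major, "cp_count": cp_count}


def constant_pool(data):
    """Walk constant-pool entries; stop when the bytes run out.

    Each entry is (kind, value, truncated). Utf8 entries keep whatever text
    was present so a cut-off class name is still visible to the analyst.
    """
    pool, pos, index = {}, 10, 1
    cp_count = class_header(data)["cp_count"]
    while index < cp_count and pos < len(data):
        tag = data[pos]
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            if pos + 3 > len(data):
                break
            (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
            raw = data[pos + 3:pos + 3 + length]
            pool[index] = ("Utf8", raw.decode("utf-8", "replace"), len(raw) < length)
            pos += 3 + length
        elif tag in CP_FIXED:
            size = CP_FIXED[tag]
            if pos + 1 + size > len(data):
                break
            payload = data[pos + 1:pos + 1 + size]
            value = struct.unpack(">H", payload)[0] if size == 2 else payload.hex()
            pool[index] = (CP_NAMES[tag], value, False)
            pos += 1 + size
            if tag in (5, 6):                          # Long/Double occupy two slots
                index += 1
        else:
            break                                      # unknown tag: not a class file we understand
        index += 1
    return pool


if __name__ == "__main__":
    skip, data = find_embedded_class(SAMPLE_Z0)
    print("junk prefix length:", skip)
    print("header:", class_header(data))
    for idx, entry in sorted(constant_pool(data).items()):
        print(idx, entry)
```

On the quoted fragment the decoder finds the class at offset 5, reports class-file version 50.0 (the Java SE 6 format) with 194 constant-pool slots, and reads constant 1 as a Class entry pointing at constant 2, whose Utf8 text is cut off at “a/hi”, consistent with the hidden class in package “a” that the text describes. The same routine applies to any suspicious string constant pulled out of an obfuscated JAR; the skip loop is what defeats the substring(5) trick without having to recover the decoder call first.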

When the fawd class is first called, it obtains a parameter “sw” from the HTML file. The parameter string is passed through the fawa class, the fawb class, and the hidden class to the V class. The V class splits the parameter “sw” by using colons (:). It then decrypts each URL from the split strings, and saves them to the following location:
 

    %Temp%\fest[NUMBER]r_ot.exe
 

Note: Where [NUMBER] starts at 0 and is incremented by 1 for each download.

The retrieved files are then executed. We are not aware of the HTML file that determines the downloaded URL and cannot tell what would be downloaded. However, we can be fairly certain that whatever is downloaded onto the compromised computer is likely to be malicious.

Although the relationship of the classes is complex, it is the fawc class that contains the smoking gun for the Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability:
 

    System.out.print(fawc.fawh);
    this.fawh = classloader1;
 

Here a static variable fawc.fawh is accessed as an instance variable, this.fawh. The author has changed classloader2 = C2.static_field to System.out.print(fawc.fawh). The basic idea remains the same.

We detect similar samples as Trojan.Maljava!gen23. Oracle has fixed this issue in the most recent Java update. Users are advised to update the Oracle Java Runtime Environment to the latest version in order to prevent the successful exploitation of this vulnerability.

This Cute Chat Site Could Save Your Life and Help Overthrow Your Government

Nadim Kobeissi, creator of Cryptocat, spoke in mid-July at the HOPE conference, held at New York’s Hotel Pennsylvania every two years. Credit: Quinn Norton/Wired

Twenty-one-year-old college student Nadim Kobeissi is from Canada, Lebanon and the internet.

He is the creator of Cryptocat, a project “to combine my love of cryptography and cats,” he explained to an overflowing audience of hackers at the HOPE conference on Saturday, July 14.

The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed binary cat in the corner. The visitor names a chat, then enters it. There’s some explanatory text, but little else. It’s deceptively simple for a web app that can save lives, subvert governments and frustrate marketers. But as little as two years ago such a site was considered likely impossible to code.

Cryptocat is an encrypted web-based chat. It’s the first chat client in the browser to allow anyone to use end-to-end encryption to communicate without the problems of SSL, the standard way browsers do crypto, or mucking about with downloading and installing other software. For Kobeissi, that means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.

“The fact that you don’t have to install anything, the fact that it works instantly, this increases security,” he explained, sitting down with Wired at HOPE 9 to talk about Cryptocat, activism and getting through American airports.

To create Cryptocat Kobeissi had to deal with controversies in computer security, usability and geo-politics.

When he flies through the US, he’s generally had the notorious “SSSS” printed on his boarding pass, marking him for searches and interrogations — which Kobeissi says have focused on his development of the chat client.

Online privacy doesn’t have a lot of corporate or governmental fans these days, but Kobeissi has faced controversy before.

“During 2010 and 2011 I was a defender of WikiLeaks and the free press in general, and I thought ‘Collateral Murder’ (the WikiLeaks publication of a controversial helicopter assault video) was a highly significant piece of journalism,” he said.

He mirrored WikiLeaks content and organized a march in support of the organization during the period in late 2010 when WikiLeaks found itself thrown off of Amazon’s hosting service and blocked by credit card companies. “I know for certain that it’s contributed to other defenders of WikiLeaks and Bradley Manning being harassed, so it’s somewhat likely that I could also be targeted.” Still, Kobeissi points out that he’s never been questioned about WikiLeaks, only about Cryptocat.

His SSSS’s can mean hours of waiting, and Kobeissi says he has been searched, questioned, had his bags and even his passport taken away and returned later. But he’s kept his sense of humor about the experience, even joking from the airport on his Twitter account.

The young and cheerfully sarcastic Kobeissi is somewhat baffled by the border attention. Kobeissi said that in one of his last U.S. trips through Charlotte, NC, “In total I was searched either three or four times,” — in a single visit. “Why? Do bombs materialize? I don’t understand,” he continued. If the searches, delays, and interrogations about Cryptocat are an intimidation tactic, they haven’t worked.