Inside N.Z. Police Megaupload Files: U.S. Investigation Began in 2010

Kim Dotcom. Photo: Kim Dotcom

U.S. and New Zealand law enforcement action against filesharing kingpin Kim Dotcom and associates was set in motion over a year ahead of the raid on the Megaupload founder’s mansion in January, and police knew their tactical assault by helicopter would be perceived as overbearing, redacted police documents show.

Known as the “Blue Folder,” the planning documents obtained by Computerworld from the Auckland High Court reveal that N.Z. Police enlisted the assistance of the SWAT-style Special Tactics Group (STG) and Armed Offenders Squad (AOS) for an armed, helicopter-borne assault on the Dotcom mansion at 0700 hours on Jan. 20 this year, New Zealand time.

The documents shed more light on the U.S.’s determined prosecution of Dotcom and fellow executives, which involves felony charges of racketeering, a complete shutdown of one of the net’s most popular file-sharing sites and legal theories that could just as easily have been wielded against YouTube. Dotcom remains free in New Zealand, pending an extradition hearing scheduled for the spring of 2013.

Further evidence of overeager and illegal police work emerged Thursday in New Zealand as Inspector General of Security and Intelligence Paul Neazor released a report on the illegal bugging of Kim Dotcom and Megaupload programmer Bram van der Kolk. Two GCSB officers were present at a police station near Dotcom’s mansion as the raid took place.

Neazor’s report says the signals intelligence service GCSB did not check police information about Dotcom and van der Kolk’s immigration status, and thought the pair weren’t permanent residents but foreign nationals. Under law, the GCSB cannot intercept N.Z. citizens’ and residents’ communications.

The request for assistance from the STG, dated Jan. 9, also shows that police knew before the raid that Dotcom and his then-heavily pregnant wife Mona were New Zealand residents, and therefore off-limits to GCSB interception.

But the police and the GCSB say they misunderstood the N.Z. Immigration Act and interpreted Dotcom’s residence class visa as not being enough to make him a protected permanent resident.

The director of the GCSB, Ian Fletcher, has apologized to the New Zealand Prime Minister for the errors. It’s not clear what effect, if any, the admission of illegal interception will have on the extradition case against Dotcom and his four co-accused, or whether the GCSB shared information with the FBI. The GCSB is in charge of New Zealand’s contribution to the global Echelon SIGINT network, under which the U.S., the U.K., Australia and Canada share information with each other.

Police weighed several options for the raid, named “Operation Debut” and undertaken at the behest of U.S. authorities, and sought to take Dotcom and associates with the “greatest element of surprise” and to minimize any delays in executing the search and seizure operation should the German file-sharing tycoon’s staff be uncooperative or even resist officers on arrival.

According to the documents, the preferred option for the police was to drop a “primary arrest team proximate to the dwelling” by helicopter, with STG and AOS officers in a “lower standard of dress” following in vehicles on the ground.

However, police were concerned that their actions could be seen as “heavy handed” and that the use of a helicopter would be “possibly seen as over the top use of resources.”

Furthermore, police also questioned the scale of the operation, since Dotcom and his associates faced only fraud charges, asking “why a tactical intervention?” in the planning documents.

Due to “the international interest this warrant execution may bring” police officers were to dress and interact “in as lower [sic] key manner as possible” the planning documents dictated.

Police classified the entire operation as “Low Risk” even though the documents said there would be firearms on the premises.

The police planners also noted that “Dotcom will use violence against person’s [sic] and that he has several staff members who are willing to use violence at Dotcom’s bidding” after a U.S. cameraman, Jess Bushyhead, reported the Megaupload founder for assaulting him with his stomach after a dispute.

Based on Dotcom’s license plates, such as MAFIA, POLICE, STONED, GUILTY and HACKER, police said these indicated the German “likes to think of himself as a gangster” and that he is “described as arrogant, flamboyant and having disregard for law enforcement.” However, the documents show that Dotcom had only been caught violating the speed limit in New Zealand.

The request for assistance from the STG notes that the U.S. investigation against Mega Media Group and Dotcom was started in March 2010 by prosecutors and the FBI.

According to the documents, U.S. prosecutors and FBI “discovered that the Mega Media Group had engaged in and facilitated criminal copyright infringement and money laundering on a massive scale around the world.”

The FBI in turn contacted N.Z. Police in “early 2011,” requesting assistance with the Mega Media Group investigation because Dotcom had by then moved to New Zealand.

N.Z. Police agreed and set up Taskforce Debut “to action requests made by the FBI through the Mutual Legal Assistance Treaty (MLAT) which includes the execution of search warrants, seizure of assets, arrests of targets under warrant and the extradition of targets.”

Even though the search and arrest warrants were later found to be invalid and unlawful, N.Z. police categorically state in the documents that they have been “thoroughly evaluated” and their legal authority is current.

Document: STG Request for Assistance -Blue Folder- [Redacted] [Revised]

In U.N. Speech, Assange Demands U.S. End Persecution of WikiLeaks and Bradley Manning

WikiLeaks founder Julian Assange addresses a meeting via videolink from Ecuador’s London embassy during the United Nations General Assembly at U.N. headquarters, Wednesday, Sept. 26, 2012. (AP Photo/Jason DeCrow)

In a rambling speech to a United Nations panel on Wednesday, WikiLeaks founder Julian Assange called on the U.S. to stop “persecuting” WikiLeaks and alleged leaker Bradley Manning.

Speaking at the United Nations General Assembly in New York via a live video feed from the Ecuadorean embassy in London, Assange aligned himself with Manning, discussing the soldier at length for the first time in many months, and referred to the “absurdist neo-McCarthyist fervor” that exists in some parts of the U.S. administration that insist on referring to WikiLeaks as an “enemy” of the state.

Assange was speaking as part of a panel that was supposed to focus on the legal and ethical issues around diplomatic asylum, but instead veered off for a lengthy discussion about U.S. President Barack Obama’s speech at the U.N. this week, which he called “fine words” that needed to be followed up with “fine deeds.”

“It is time for Obama to do the right thing and join the forces of change, not in fine words, but in fine deeds,” he said.

He derided the U.S. for seeming to take credit for the Arab spring, citing the U.S.’s previous support or tacit acceptance of repressive regimes in the region.

At one point, he also recited a biography of Manning’s upbringing in Oklahoma that talked about Manning’s parents falling in love, his father training as an Army intelligence analyst and Manning following in his footsteps.

Assange was speaking from the Ecuadorean embassy, where he has been holed up since June 19, when he sought asylum from Ecuador to avoid being extradited to Sweden, where he’s wanted for questioning in a sex-crimes case. Assange could not travel to New York to address the U.N. in person because he would be arrested for breach of bail the moment he left the Ecuadorean embassy.

Among those on the panel were Ecuadorean Foreign Minister Ricardo Patino and Baher Azmy, the legal director of the Center for Constitutional Rights.

Azmy, who did focus on the diplomatic issue, noted that if Assange were anyone else, he would have a strong case for asylum in the U.S. for his role in whistleblowing.

“If Julian Assange were not Julian Assange, he would have a very good case for political asylum in the United States for the activities he undertook,” Azmy said. “Of course, he is public enemy number one and a so-called enemy of the state and is therefore unlikely to get a fair trial” should he be extradited to the U.S.

The Ecuadorean government granted Assange asylum last month but has yet to figure out a way to get him out of the U.K. without his being arrested by U.K. authorities.

U.K. Foreign Secretary William Hague has said that no one, least of all Ecuador, “should be in any doubt that we are determined to carry out our legal obligation to see Mr. Assange extradited to Sweden.”

Swedish authorities have said that Assange will be imprisoned as soon as he arrives in that country and would have a court hearing four days after extradition from the U.K. to determine if he would have to remain in custody.

Ecuadorean officials have said they are meeting with U.K. authorities on Thursday in the hope of negotiating a solution that would provide Assange with safe passage out of the U.K. One possible solution Ecuador has considered is for U.K. authorities to provide Assange with safe passage to the Ecuadorean embassy in Sweden, where he can be questioned by Swedish authorities, under the protection of Ecuador, without being arrested.

Assange requested diplomatic protection and political asylum under the Universal Declaration of Human Rights.

Under Article 14 of the Universal Declaration of Human Rights, “everyone has the right to seek and to enjoy in other countries asylum from persecution.” However, the second clause of the article states that “the right may not be invoked in the case of prosecutions genuinely arising from non-political crimes or from acts contrary to the purposes and principles of the United Nations.”

Assange is not, in fact, accused of political crimes.

He is being sought for questioning in Sweden on rape and coercion allegations stemming from separate sexual relations he had with two women in that country in August 2010. One woman told police that Assange pinned her down to have sex with her and that she suspected he intentionally tore a condom he wore. The second woman reported that he had sex with her while she was initially asleep, failing to wear a condom despite repeated requests for him to do so. Assange has denied any wrongdoing, asserting that the sex in both cases was consensual.

His attorneys have been fighting extradition to Sweden because they say the investigation is a ruse to make it easier for the United States to further extradite him to the U.S. to face criminal charges over the publication of hundreds of thousands of classified U.S. diplomatic cables and military documents.

Ecuadorean Foreign Minister Ricardo Patino said last month that Ecuador granted Assange asylum after it considered his claims that if extradited to Sweden he would be further extradited to the U.S. where he would face a possible military court trial for publishing documents that have angered the U.S. government. He said that Ecuador had come to its decision after failing to obtain assurances from Sweden that it would not extradite Assange to the U.S.

“Ecuador requested some guarantees from Sweden that he wouldn’t be extradited to the U.S., and they rejected any commitment in this sense,” Patino said.

But U.K. prosecutor Clare Montgomery, who represented Swedish authorities in an earlier court proceeding, said that even if the U.S. requested extradition of Assange from Sweden, no such extradition could take place without consent from U.K. authorities.

Maker of Smart-Grid Control Software Hacked

Photo: Matti.Frisk / Flickr

The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.

Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”

But according to Dale Peterson, founder and CEO of Digital Bond, a security firm that specializes in industrial control system security, the OASyS DNA system is also heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.

The breach raises concerns that hackers could embed malware in project files to infect the machines of program developers or other key people involved in a project. One of the ways that Stuxnet spread — the worm that was designed to target Iran’s uranium enrichment program — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.

Peterson says this would also be a good way to infect customers, since vendors pass project files to customers and have full rights to modify anything in a customer’s system through the project files.

An attacker could also use the project files to study a customer’s operations for vulnerabilities in order to design further attacks on critical infrastructure systems. Or they could use Telvent’s remote access into customer networks to infiltrate customer control systems.

To prevent the latter from occurring, Telvent said in a second letter mailed to customers this week that it had temporarily disconnected its remote access to customer systems, which it uses to provide customer support, while it investigates the breach further.

“Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,” the company said in the letter, obtained by KrebsOnSecurity.

The company said it had established “new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated.”

A hack via a vendor’s remote access to a customer’s network is one of the primary ways that attackers get into systems. Often, intrusions occur because the vendor has placed a hardcoded password into its software that gives it access to customer systems through a backdoor; because the same password ships in every copy, attackers who examine the software can recover it and reuse it at any customer site. Attackers have also hacked customer systems by first breaching a vendor’s network and using its direct remote access to breach customers.
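The two patterns that paragraph describes, as an added example that is not Telvent’s or any vendor’s code: a support login with a vendor-wide hardcoded password, the string scan an attacker runs against the shipped artifact to recover it, and a per-site credential check with an audit trail in its place. The `support` account, the secret, the fake binary and the audit format are constructed for the illustration.

```python
"""Added example (not Telvent code): a hardcoded vendor backdoor password,
how it is recovered from a shipped artifact, and a hardened replacement."""
import hashlib
import hmac
import os
import re

# --- Weak pattern: one vendor-wide "support" password baked into the binary. ---
# It is identical at every customer site and readable by anyone with the file.
SUPPORT_PASSWORD = "v3nd0r-supp0rt!"   # constructed secret, for illustration only


def login_weak(user: str, password: str) -> bool:
    """Vendor backdoor as commonly found: fixed account, fixed secret, no audit."""
    return user == "support" and password == SUPPORT_PASSWORD


# --- How the weak secret is found: `strings`-style scan of a build artifact. ---
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
HINTS = re.compile(rb"(pass|pwd|secret|token|key)", re.IGNORECASE)

# Constructed stand-in for a shipped binary: ELF-ish header, some symbols, the secret.
FAKE_BINARY = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
               + b"login_weak\x00SUPPORT_PASSWORD\x00v3nd0r-supp0rt!\x00"
               + b"\x90\x90\x90\x90oasys_client.dll\x00")


def find_suspicious_strings(blob: bytes) -> list:
    """Printable runs that are, or directly follow, a credential-like label."""
    runs = [m.group(0) for m in PRINTABLE.finditer(blob)]
    flagged = []
    for i, run in enumerate(runs):
        labelled = HINTS.search(run) or (i > 0 and HINTS.search(runs[i - 1]))
        if labelled:
            flagged.append(run.decode("ascii"))
    return flagged


# --- Hardened pattern: per-site salted hash, constant-time compare, audit log. ---
# The credential is provisioned per customer and stored only as a PBKDF2 hash,
# so the shipped software contains nothing reusable across installations.
AUDIT_LOG = []   # in a real system: append-only store the customer controls


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Create the stored credential record for one site; the plaintext is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def login_hardened(user: str, password: str, records: dict, src_ip: str) -> bool:
    """Check a per-site credential and record every attempt, allowed or denied."""
    rec = records.get(user)
    if rec is None:
        AUDIT_LOG.append(f"DENY user={user} ip={src_ip} reason=unknown-user")
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    rec["salt"], rec["iterations"])
    ok = hmac.compare_digest(candidate, rec["hash"])   # no timing leak on mismatch
    AUDIT_LOG.append(f"{'ALLOW' if ok else 'DENY'} user={user} ip={src_ip}")
    return ok


if __name__ == "__main__":
    print("recovered from artifact:", find_suspicious_strings(FAKE_BINARY))
    site = {"support": make_record("per-site-secret")}
    print("weak login:", login_weak("support", "v3nd0r-supp0rt!"))
    print("hardened login:", login_hardened("support", "per-site-secret", site, "10.0.0.5"))
    print("\n".join(AUDIT_LOG))
```

The scan is deliberately crude; `strings` plus a grep finds the same thing, which is the point: a secret that lives in the artifact is not a secret. The hardened path also gives the customer what the Telvent letters could not offer, a record of every vendor login attempt on their own side.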

A Telvent spokesman confirmed the breach of its own network to Wired on Tuesday.

“We are aware of a security breach of our corporate network that has affected some customer files,” spokesman Martin Hannah told Wired in a phone call. “We’re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams. And Telvent is actively working with law enforcement, with security specialists and with customers to ensure that this breach has been contained.”

Hannah wouldn’t say whether attackers had downloaded the project files or altered them.

Project files contain a wealth of customized information about a specific customer’s network and operations, says Patrick Miller, president and CEO of EnergySec, a nonprofit consortium that works with energy companies to improve security.

“Almost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,” he says. Project files can also identify key players in a project, in order to allow hackers to conduct additional targeted attacks, he said.

Additionally, project files could be altered to sabotage systems, says Digital Bond’s Peterson. Some project files contain the “recipe” for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off.

“If you’re going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation,” Peterson says. “Then you modify the project file and load it, and they’re not running what they think they’re running.”

A vendor with good security would have a system in place to log who accesses project files and track any changes made to them. But, Peterson noted, companies don’t always do what they should with regard to security.
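Peterson’s point about tracking who changed a project file, together with the project-file tampering scenario described above, as an added example that is not Telvent’s or Industrial Defender’s code: a keyed manifest over a project tree that a loader verifies before use, so a modified, added or removed file is caught rather than silently run, plus a change record naming the author of each authorized edit. The sample files, key and author names are constructed; the manifest is authenticated with an HMAC under a shared key, where a real deployment would use a signing key held only by the vendor.

```python
"""Added example (not Telvent or Industrial Defender code): integrity manifest
and change record for a control-system project tree."""
import hashlib
import hmac
import json
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(body: dict, key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes, author: str) -> dict:
    """files maps relative path -> bytes. Produced at release time by the author."""
    body = {"author": author,
            "files": {path: _sha256(data) for path, data in sorted(files.items())}}
    return {"body": body, "mac": _mac(body, key)}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Findings for the loader; an empty list means the tree matches the manifest."""
    body = manifest["body"]
    if not hmac.compare_digest(_mac(body, key), manifest["mac"]):
        return ["manifest MAC invalid: do not trust any entry"]
    listed, findings = body["files"], []
    for path, digest in listed.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif _sha256(files[path]) != digest:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in listed:
            findings.append(f"unlisted: {path}")
    return sorted(findings)


def record_change(old_manifest: dict, new_files: dict, key: bytes, author: str):
    """Re-issue the manifest after an authorized edit; return it with audit lines."""
    new_manifest = build_manifest(new_files, key, author)
    old, new = old_manifest["body"]["files"], new_manifest["body"]["files"]
    lines = [f"{author} changed {p}: {old.get(p, 'none')} -> {d}"
             for p, d in new.items() if old.get(p) != d]
    lines += [f"{author} removed {p}" for p in old if p not in new]
    return new_manifest, lines


def load_tree(root) -> dict:
    """Read a real project directory into the same path -> bytes shape."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


# Constructed sample project: a point list and the control "recipe" for a pump.
PROJECT = {
    "points.csv": b"tag,address,scale\nPUMP1_RPM,40001,1.0\nPUMP1_CMD,40010,1.0\n",
    "recipe.cfg": b"[pump1]\nmax_rpm=1800\nstart_delay_s=30\n",
}
SHARED_KEY = b"constructed-demo-key-rotate-me"

if __name__ == "__main__":
    released = build_manifest(PROJECT, SHARED_KEY, "vendor-eng-1")
    print("clean tree:", verify_manifest(PROJECT, released, SHARED_KEY))
    tampered = dict(PROJECT)
    tampered["recipe.cfg"] = b"[pump1]\nmax_rpm=3600\nstart_delay_s=0\n"
    tampered["loader.dll"] = b"MZ\x90"
    print("tampered tree:", verify_manifest(tampered, released, SHARED_KEY))
```

The loader refuses the tree on any finding, and an attacker who edits `recipe.cfg` in transit cannot produce a matching manifest without the key; if they ship their own manifest, the MAC check fails first. `record_change` is what the vendor runs on a legitimate edit, so the audit trail names a person for every hash that moved.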

Two days after Telvent says it discovered the breach in its network, the company announced a new partnership with Industrial Defender, a U.S.-based computer security firm, to integrate that company’s Automation Systems Manager with its own system to “expand its cybersecurity capabilities” for critical infrastructure.

The ASM system, Telvent said, would give critical infrastructure operators “the ability to determine changes to the system, who made them and why” as well as detect new devices when they’re connected to the network, “allowing for faster decision-making as to whether a change is planned or potentially malicious.”

Industrial Defender did not respond to questions about the Telvent breach or the timing of its partnership with the company.

Miller said he expects copycat attackers will now recognize the value of targeting industrial control system vendors and begin to attack other vendors, if they haven’t already done so.

“If I were a vendor and knew this had happened to Telvent, I should be concerned, ‘Am I next?’”