Justice Department’s Warrantless Spying Increased 600 Percent in Decade

Source: American Civil Liberties Union

The Justice Department’s use of warrantless internet and telephone surveillance methods known as pen register and trap-and-trace has exploded in the last decade, according to government documents the American Civil Liberties Union obtained through a Freedom of Information Act request.

Pen registers obtain, in real time, non-content information of outbound telephone and internet communications, such as phone numbers dialed, and the sender and recipient (and sometimes subject line) of an e-mail message. A trap-and-trace acquires the same information, but for inbound communications to a target. No probable-cause warrant is needed to obtain the data. Judges are required to sign off on these orders when the authorities say the information is relevant to an investigation.

In 2001, the DoJ issued only 5,683 reported “original orders.” (.pdf) Fast forward to 2011, the latest year for which data is available, and the number had skyrocketed to 37,616, a more than sixfold increase. Though these orders can be used to track e-mail, the vast majority are used to get information on mobile phone users’ calls and texts.

According to the ACLU:

Because these surveillance powers are not used to capture telephone conversations or the bodies of emails, they are classified as ‘non-content’ surveillance tools, as opposed to tools that collect ‘content,’ like wiretaps. This means that the legal standard that law enforcement agencies must meet before using pen registers is lower than it is for wiretaps and other content-collecting technology. Specifically, in order to wiretap an American’s phone, the government must convince a judge that it has sufficient probable cause and that the wiretap is essential to an investigation. But for a pen register, the government need only submit certification to a court stating that it seeks information relevant to an ongoing criminal investigation. As long as it completes this simple procedural requirement, the government may proceed with pen register or trap and trace surveillance, without any judge considering the merits of the request.

Even more alarming, the latest figures — which were for years 2010 and 2011 — open only a tiny window into the U.S. surveillance society.

Consider that last year mobile carriers responded to a staggering 1.3 million law enforcement requests — which come from federal, state and local police, as well as from administrative offices — for subscriber information, including text messages and phone location data. That’s according to data provided to Congress that was released in July.

The nation’s major phone providers said they were working around the clock and charging millions in fees to keep up with ever-growing demands.

AT&T, the nation’s second-largest mobile carrier, told Congress that it had received 63,100 subpoenas — no judicial oversight required — for customer information in 2007. That more than doubled to 131,400 last year. By contrast, AT&T reported 36,900 court orders for subscriber data in 2007. That number grew to 49,700 court orders last year, a weak growth rate compared to the doubling of subpoenas in the same period.

Not surprisingly, the number of people affected by such orders has jumped as well; consider the chart below on the number of people about whom the DoJ obtained information using trap-and-traces and pen registers.


All of this only concerns disclosed monitoring. The Electronic Frontier Foundation, in ongoing litigation, claims the National Security Agency, with the help of the nation’s telecoms, is hijacking all electronic communications.

The Justice Department, meanwhile, filed the latest pen register and trap-and-trace reports for 2010 and 2011 with Congress, which the law requires. But the Justice Department refused to release the numbers publicly and did so only after the ACLU sued.


Hackers Breached Adobe Server in Order to Sign Their Malware

A door at Adobe’s building in San Francisco. Credit: PhotonBurst/Flickr

The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.

Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system.

Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.

“This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”

The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services.

The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks.

Arkin identified the two pieces of malware signed with the Adobe certificate as “pwdump7 v7.1” and “myGeeksmail.dll.” He said that the company passed them on to anti-virus companies and other security firms so that they could write signatures to detect the malware and protect their customers, according to the post.

Adobe didn’t say when the breach occurred, but noted that it was re-issuing certificates for code that was signed with the compromised signing key after July 10, 2012. Also, a security advisory the company released with its announcement showed that the two malicious programs were signed on July 26 of this year. Adobe spokeswoman Liebke Lips told Wired that the company first learned of the issue when it received samples of the two malicious programs from an unnamed party on the evening of Sept. 12. The company then immediately began the process of deactivating and revoking the certificate.

The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

Digital certificates are a core part of the trust that exists between software makers and their users. Software vendors sign their code with digital certificates so that computers recognize a program as legitimate code from a trusted source. An attacker who can sign their malware with a valid certificate can slip past protective barriers that prevent unsigned software from installing automatically on a machine.

Revoking the certificate should prevent the signed rogue code from installing without a warning.

Stuxnet, a sophisticated piece of malware that was designed to sabotage Iran’s nuclear program, was the first malicious code discovered in the wild to be using a valid digital certificate. In that case the attackers – believed to have been working for the U.S. and Israel – stole digital certificates from two companies in Taiwan to sign part of their code.

Adobe said that it stored its private keys for signing certificates in a hardware security module and had strict procedures in place for signing code. The intruders breached a build server that had access to the signing system and were able to sign their malicious programs in that way.
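The trust chain the preceding paragraphs describe, as an added illustration that is not code from Adobe or from the article: a deliberately simplified code-signing model in Go, using ed25519 instead of X.509/Authenticode, a public-key fingerprint as the certificate’s identity, and a signing timestamp that is assumed to come from a trusted source. Whatever is submitted through the signing system receives a genuine signature, which is exactly why a compromised build server is enough to produce signed malware even when the private key never leaves a hardware security module; an effective-dated revocation, modelled here on the July 10 cut-off, is what finally separates the legitimate builds from the rogue ones. The vendor name, code bytes and dates in the scenario are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Cert is a simplified stand-in for a code-signing certificate: a subject name
// and a public key (constructed model, not X.509).
type Cert struct {
	Subject string
	Pub     ed25519.PublicKey
}

// Fingerprint identifies the certificate in the trust store and revocation list.
func (c Cert) Fingerprint() string {
	sum := sha256.Sum256(c.Pub)
	return hex.EncodeToString(sum[:8])
}

// Signature is a detached signature over the code plus the time it was made.
// SignedAt is assumed to come from a trusted timestamp, not from the signer.
type Signature struct {
	CertFP   string
	SignedAt time.Time
	Sig      []byte
}

// Revocation maps a certificate fingerprint to the date from which it is no
// longer trusted; signatures timestamped before that date stay valid. This is
// the assumed model of an effective-dated revocation, which is why code signed
// after the cut-off has to be re-signed under a new certificate.
type Revocation map[string]time.Time

// SignCode is what the signing system does for any code that reaches it: the
// key signs whatever bytes it is given, legitimate or not.
func SignCode(priv ed25519.PrivateKey, cert Cert, code []byte, at time.Time) Signature {
	return Signature{CertFP: cert.Fingerprint(), SignedAt: at, Sig: ed25519.Sign(priv, code)}
}

// Verify is the check a client runs before trusting signed code: the certificate
// is known, the signature matches the bytes, and no revocation was in force at
// signing time.
func Verify(code []byte, sig Signature, trusted map[string]Cert, revoked Revocation) error {
	cert, ok := trusted[sig.CertFP]
	if !ok {
		return errors.New("signing certificate is not in the trust store")
	}
	if !ed25519.Verify(cert.Pub, code, sig.Sig) {
		return errors.New("signature does not match the code")
	}
	if eff, ok := revoked[sig.CertFP]; ok && !sig.SignedAt.Before(eff) {
		return fmt.Errorf("certificate %q revoked effective %s; signature dated %s rejected",
			cert.Subject, eff.Format("2006-01-02"), sig.SignedAt.Format("2006-01-02"))
	}
	return nil
}

// Scenario replays the timeline with constructed data and returns the verification
// result for: the rogue utility before any revocation exists, a legitimate build
// signed before the cut-off, the rogue utility signed after it, and the rogue
// utility after its bytes were altered.
func Scenario() (rogueBefore, legit, rogue, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	vendor := Cert{Subject: "Example Software Vendor (constructed)", Pub: pub}
	trusted := map[string]Cert{vendor.Fingerprint(): vendor}

	legitCode := []byte("constructed bytes of a legitimate product build")
	rogueCode := []byte("constructed bytes of a rogue utility pushed through the build server")

	legitSig := SignCode(priv, vendor, legitCode, time.Date(2012, time.June, 1, 0, 0, 0, 0, time.UTC))
	rogueSig := SignCode(priv, vendor, rogueCode, time.Date(2012, time.July, 26, 0, 0, 0, 0, time.UTC))

	// With no revocation, the rogue signature is as valid as any other: the key
	// was genuine, the failure was in what was allowed to reach it.
	rogueBefore = Verify(rogueCode, rogueSig, trusted, Revocation{})

	// The vendor revokes the certificate effective July 10; builds timestamped
	// before that date keep verifying, everything after it is rejected.
	revoked := Revocation{vendor.Fingerprint(): time.Date(2012, time.July, 10, 0, 0, 0, 0, time.UTC)}
	legit = Verify(legitCode, legitSig, trusted, revoked)
	rogue = Verify(rogueCode, rogueSig, trusted, revoked)

	// Altering even one byte of the signed code breaks the signature itself.
	altered := append([]byte{}, rogueCode...)
	altered[0] ^= 0xFF
	tampered = Verify(altered, rogueSig, trusted, revoked)
	return
}

func main() {
	rogueBefore, legit, rogue, tampered := Scenario()
	fmt.Println("rogue utility, no revocation yet:    ", rogueBefore)
	fmt.Println("legitimate build (signed 2012-06-01):", legit)
	fmt.Println("rogue utility (signed 2012-07-26):   ", rogue)
	fmt.Println("rogue utility, bytes altered:        ", tampered)
}
```

The point of the first result is the uncomfortable one: nothing in the signature distinguishes the rogue utility from a real build, so the only controls that help are what is admitted to the signing pipeline and, after the fact, a revocation whose effective date is chosen carefully enough to invalidate the abuse without invalidating years of legitimately signed software.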

In addition to concerns about the compromised certificate, the breach of the build server raises concerns about the security of Adobe’s source code, which might have been accessible to the attackers. But Arkin wrote that the compromised build server had access to source code for only one Adobe product. The company did not identify the product but said that it was not the Flash Player, Adobe Reader, Shockwave Player or Adobe AIR. Arkin wrote that investigators found no evidence that the intruders had changed source code and that “there is no evidence to date that any source code was stolen.”

Questions about the security of Adobe’s source code came up earlier this month after Symantec released a report about a group of hackers who broke into servers belonging to Google and 33 other companies in 2010. The attackers were after source code for the companies. Adobe was hacked around the same time, but has never indicated if the same attackers that hit Google were responsible for hacking them.

Symantec found evidence that the attackers who struck Google had developed and used an unusually large number of zero-day exploits in subsequent attacks against other companies. The attackers used eight zero-day exploits, five of which were for Adobe’s Flash Player. Symantec said in its report that such a large number of zero-days suggested that the attackers might have gained access to Adobe’s source code. But Arkin insisted at the time that no Adobe software had been stolen.

“We are not aware of any evidence (direct or circumstantial) indicating bad guys have [source code],” he told Wired at the time.

‘System Progressive Protection’ Another Form of Fake AV

System Progressive Protection, a new malware pretending to be antivirus software, first appeared a couple of days ago. It belongs to the Winwebsec family of rogue security products. The malware is distributed by drive-by downloads or is dropped and executed by other malware. It blocks its victims from accessing any other application on an infected machine. It claims to detect infections, and displays alerts to scare users into purchasing protection. These rogue programs extort money from PC owners to “fix” their systems. In reality, this program doesn’t scan your computer at all.

Once the “scan” is complete, System Progressive Protection scares its victims by reporting some applications as infected by malware. The malware also connects to an IP address on port 1214. The victim cannot run any applications at this point. The malware claims all applications are infected by some malware.

When the victim attempts to activate System Progressive Protection, a web page opens and asks for an online payment.

The malware tells its victims to enter the activation code.

After victims enter the activation code, they can again use their applications, but the fake AV still remains on the machine.

After registering, victims see a message that all the infections have been cleaned. They also get an Internet shortcut file to System Progressive Protection support.

This web page appears to offer a user guide, support, and FAQ.

The malware writes a new file (compressed with PECompact) in memory and executes it.

The encrypted data is taken from the .rsrc section.

Files dropped on the victim’s machine after infection:

  • %Desktopdir%\System Progressive Protection.lnk
  • %Programs%\System Progressive Protection\System Progressive Protection.lnk
  • %AppData%\[random]\[random].exe

Registry entries to be removed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “[SET OF RANDOM CHARACTERS]”
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection\

Removing this rogue AV is comparatively easy. Dropped files and registry entries must be deleted. The malware blocks many of the victims’ applications but not Internet Explorer, so they can still get online to seek help from antimalware websites.
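An added example, not from the original post: the dropped-file and registry indicators listed above turned into matchers and run over a constructed inventory of a user profile, so that an analyst can confirm which artifacts are present before removing them. The expansions of %Desktopdir%, %Programs% and %AppData% are assumed typical per-user locations, the RunOnce value name placeholder is written as [random], and registry entries are represented as key\value strings; every inventory entry is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Indicators transcribed from the post. %Desktopdir%, %Programs%, %AppData% and
// [random] are the post's own placeholders; the RunOnce value name is written
// here as [random].
var indicators = []string{
	`%Desktopdir%\System Progressive Protection.lnk`,
	`%Programs%\System Progressive Protection\System Progressive Protection.lnk`,
	`%AppData%\[random]\[random].exe`,
	`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random]`,
	`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection`,
}

// Assumed expansions of the folder placeholders for a per-user profile; adjust
// them to the profile layout actually in use.
var folderPatterns = map[string]string{
	"%desktopdir%": `C:\\Users\\[^\\]+\\Desktop`,
	"%programs%":   `C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs`,
	"%appdata%":    `C:\\Users\\[^\\]+\\AppData\\Roaming`,
}

var placeholder = regexp.MustCompile(`%[A-Za-z]+%|\[random\]`)

// indicatorToRegexp turns one indicator into an anchored, case-insensitive
// pattern: literal text is escaped, [random] matches exactly one path
// component, and folder placeholders expand to the patterns above.
func indicatorToRegexp(ind string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString(`(?i)^`)
	last := 0
	for _, loc := range placeholder.FindAllStringIndex(ind, -1) {
		b.WriteString(regexp.QuoteMeta(ind[last:loc[0]]))
		tok := ind[loc[0]:loc[1]]
		if tok == "[random]" {
			b.WriteString(`[^\\]+`)
		} else if exp, ok := folderPatterns[strings.ToLower(tok)]; ok {
			b.WriteString(exp)
		} else {
			b.WriteString(regexp.QuoteMeta(tok)) // unknown placeholder: match it literally
		}
		last = loc[1]
	}
	b.WriteString(regexp.QuoteMeta(ind[last:]))
	b.WriteString(`$`)
	return regexp.MustCompile(b.String())
}

// MatchIndicators returns every inventory entry that matches an indicator,
// mapped to the indicator it matched. Unmatched entries are left alone.
func MatchIndicators(inventory []string) map[string]string {
	hits := map[string]string{}
	for _, ind := range indicators {
		re := indicatorToRegexp(ind)
		for _, item := range inventory {
			if re.MatchString(item) {
				hits[item] = ind
			}
		}
	}
	return hits
}

// SampleInventory is a constructed file and registry listing from an infected
// profile, mixed with benign entries that must not be flagged.
func SampleInventory() []string {
	return []string{
		`C:\Users\alice\Desktop\System Progressive Protection.lnk`,
		`C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk`,
		`C:\Users\alice\AppData\Roaming\kq8r2d\kq8r2d.exe`,
		`C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini`,
		`C:\Program Files\Notepad++\notepad++.exe`,
		`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\kq8r2d`,
		`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection`,
		`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive`,
	}
}

func main() {
	for item, ind := range MatchIndicators(SampleInventory()) {
		fmt.Printf("%s\n    matched indicator: %s\n", item, ind)
	}
}
```

Anchoring each pattern and restricting [random] to a single path component keeps the %AppData% indicator from flagging ordinary application data such as the Firefox profile in the sample; a looser wildcard would turn the removal step into collateral damage.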


Advice to Customers

Keep your systems updated with the latest patches. Ensure your antimalware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites.

Actress in Anti-Islam Film Sues YouTube on Copyright Grounds

A California actress who appeared in the infamous “Innocence of Muslims” flick on YouTube is again asking a federal court to remove the anti-Islam footage that has spawned deadly protests and sparked a U.S. backlash in the Middle East.

Actress Cindy Lee Garcia is now claiming a copyright interest in the film (.pdf), and says that Google ignored five DMCA takedown notices served on YouTube seeking removal of the film.

The latest development comes days after a Los Angeles County judge refused to take down the film in a previous suit. Garcia argued she was fired from her job, received death threats and was tricked into starring in the “hateful anti-Islamic production.”

In the latest move to have the courts remove the footage, Garcia claims she never signed a model release transferring her intellectual property rights to the maker of the 14-minute YouTube trailer, Nakoula Basseley Nakoula of California. She claims she was duped, and thought she was making an adventure flick, not one in which the prophet Muhammad seemingly engages in oral sex with Garcia’s character.

The federal suit, in addition to naming the producer who uploaded the footage on July 2, targets Google-owned YouTube, which did not remove the film when the actress’ agent sent five takedown notices naming 17 URLs on Sept. 24 and 25. Under the Digital Millennium Copyright Act, websites like YouTube are immune from an infringement suit if they promptly remove content at the request of a rights holder who asserts infringement.

“We are seeking the legally appropriate mechanism and the least politically controversial one to allow Google and YouTube to do the right thing,” Cris Armenta, Garcia’s lawyer, said in a statement.

Marc Randazza, a copyright attorney in Las Vegas, said in a telephone interview that Garcia does not have a case against YouTube. “The default in an absence of a contractual agreement, the default is the director of the movie owns the copyright,” he said.

The federal lawsuit, filed in Los Angeles federal court, also provides documents that Garcia had applied to register her work with the U.S. Copyright Office.

“Because she did not assign her rights in her dramatic performance, or her copyright interests, nor was the film a ‘work for hire,’ her copyright interests in her own dramatic performance remain intact,” the suit says.

The White House had asked YouTube to review the footage to ensure that it comported with the media giant’s terms of service. YouTube did not remove it from U.S.-based viewers. However, YouTube has blocked the film in several countries, including Egypt, Libya, Indonesia, Malaysia and Saudi Arabia.

Google, in response to the White House’s bid, has said the film was “clearly within our guidelines and so will stay on YouTube.”

Google did not immediately respond to a request for comment on the latest lawsuit.