Warrantless Eavesdropping Before Supreme Court


The Supreme Court on Monday will hear arguments on whether it should halt a legal challenge to a once-secret warrantless surveillance program targeting Americans’ communications, a program that Congress eventually legalized in 2008.

The hearing will mark the first time the Supreme Court has reviewed any case touching on the eavesdropping program that was secretly employed by the George W. Bush administration in the wake of the September 11, 2001 terror attacks, and largely codified into law years later.

Before the justices is the FISA Amendments Act (.pdf), the subject of a lawsuit brought by the American Civil Liberties Union and others. The act authorizes the government to electronically eavesdrop on Americans’ phone calls and e-mails without a probable-cause warrant so long as one of the parties to the communication is believed to be outside the United States. Communications may be intercepted “to acquire foreign intelligence information.”

The government has also, according to former top Justice Department lawyer David Kris, taken the “position that surveillance of a U.S. person’s home and mobile telephones was ‘directed at’ al Qaeda, not at the U.S. person himself. [T]his logic seemed to allow surveillance of Americans’ telephones and e-mail accounts, inside the United States, without adherence to traditional FISA, as long as the government could persuade itself that the surveillance was indeed ‘directed’ at al Qaeda or another foreign power that was reasonably believed to be abroad.”

That bill was signed into law in July 2008, and the ACLU filed suit immediately claiming it was unconstitutional. A lower court judge tossed the suit.

But a surprise appellate court decision last year reinstated the challenge. The Obama administration asked the Supreme Court to overturn the decision and, in May, the justices agreed to do so.

The administration argues that the ACLU and a host of other groups don’t have the legal standing to bring the case. A lower court agreed, ruling the ACLU, Amnesty International, Global Fund for Women, Global Rights, Human Rights Watch, International Criminal Defence Attorneys Association, The Nation magazine, PEN American Center, Service Employees International Union and other plaintiffs did not have standing to bring the case because they could not demonstrate that they were subject to the eavesdropping.

The groups appealed to the 2nd U.S. Circuit Court of Appeals, arguing that they often work with overseas dissidents who might be targets of the National Security Agency program. Instead of speaking with those people on the phone or through e-mails, the groups asserted that they have had to make expensive overseas trips in a bid to maintain attorney-client confidentiality.

The plaintiffs, some of them journalists, also claim the 2008 legislation chills their speech, and violates their Fourth Amendment privacy rights.

Without ruling on the merits of the case, the appeals court agreed with the plaintiffs last year that they have ample reason to fear the surveillance program, and thus have legal standing to pursue their claim.

A similar standing argument was made by journalists who opposed a provision of the 2012 National Defense Authorization Act that allows for indefinite detention of American citizens without trial, and in June, they won an injunction against the provision.

But even if the Supreme Court sides with the ACLU, that does not necessarily mean the constitutionality of the FISA Amendments Act would be litigated.

The lawsuit would return to New York federal court, where the Obama administration likely would play its trump card: an assertion of the powerful state secrets privilege that lets the executive branch effectively kill lawsuits by claiming they threaten to expose national security secrets.

The courts tend to defer to such claims. But in a rare exception in 2008, a San Francisco federal judge refused to throw out a wiretapping lawsuit against AT&T under the state secrets privilege. The AT&T lawsuit was later killed anyway, because the FISA Amendments Act also granted the phone companies retroactive legal immunity for their alleged participation in the NSA spying program.

The only suit to prevail against the program was filed by two American lawyers who convinced a court, using open-source evidence, that their communications with an Islamic charity were spied on, without warrants. However, the suit was dismissed by an appeals court, which found that the section of federal wiretap law the lawyers proved the government had violated lacked any provision for penalizing governmental lawbreaking.

The FISA Amendments Act generally requires the Foreign Intelligence Surveillance Act Court to rubber-stamp terror-related electronic surveillance requests. The government does not have to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application.

The act expires at year’s end. President Obama, who voted for the act as a senator and presidential candidate in 2008, says it’s a top priority for Congress to reauthorize it.

Scotusblog has all the court documents.

The justices normally take weeks or months to rule after hearing a case.

Adobe Releases Security Bulletin for Adobe Shockwave Player

Adobe has released a security bulletin to address multiple vulnerabilities in Adobe Shockwave Player and earlier versions for Windows and Macintosh. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletin APSB12-23 and update to Adobe Shockwave Player to help mitigate the risks.

Additional information regarding CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, and CVE-2012-4176 can be found in Vulnerability Note VU#872545.


Man Claiming Half Ownership of Facebook Arrested on Fraud Charges

Paul Ceglia, would-be half-owner of Facebook, now faces fraud charges for filing a lawsuit against Facebook and Mark Zuckerberg.

A man claiming to own half of Facebook was arrested at his rural New York home Friday and charged with a multi-billion-dollar scheme to defraud the social-networking site and its chief executive and founder Mark Zuckerberg.

Paul Ceglia, of Wellsville, New York, filed a federal lawsuit in 2010, citing documents and a contract between him and Zuckerberg that promised him 50 percent of the social networking site.

Ceglia, a wood pellet salesman, is now accused of one count of mail fraud and one count of wire fraud (.pdf), the authorities said. Each count carries a maximum 20-year term.

Facebook has made it clear from the beginning that it believed the contract and e-mails that Ceglia has produced as evidence were fakes — and it even hired private investigators to dig up dirt on Ceglia’s none-too-sparkly past. Facebook told a federal judge that its forensic examiners proved that a 9-year-old contract Ceglia submitted to the court was “forged.” The analysis also claimed that 27 e-mails between Zuckerberg and Ceglia — some of which mention Facebook — were “fabricated” by Ceglia.

Zuckerberg has said all along that an authentic “Work for Hire” contract between the two involved another project. Ceglia had hired Zuckerberg to work on Ceglia’s StreetFax company nearly a decade ago, Zuckerberg claimed. Ceglia, however, alleges the contract also included fronting Zuckerberg $2,000 in exchange for half of Facebook when Zuckerberg was a Harvard University computer science student.

Federal authorities agreed with Zuckerberg and with Facebook’s forensic analysis, which was conducted by Stroz Friedberg.

“As alleged, by marching into federal court for a quick payday based on a blatant forgery, Paul Ceglia has bought himself another day in federal court for attempting a multi-billion-dollar fraud against Facebook and its CEO,” Manhattan U.S. attorney Preet Bharara said. “Ceglia’s alleged conduct not only constitutes a massive fraud attempt, but also an attempted corruption of our legal system through the manufacture of false evidence. That is always intolerable. Dressing up a fraud as a lawsuit does not immunize you from prosecution.”

Facebook applauded the charges. “Ceglia used the federal court system to perpetuate his fraud and will now be held accountable for his criminal scheme,” Facebook attorney Orin Snyder said.

In June, we asked Ceglia why he has churned through at least eight law firms in his legal quest to become Facebook’s co-owner. His e-mail reply: “What type of Corporate Duche [sic] wants to talk about lawyers when we just released expert reports that prove the contract and the emails are real?”

U.S. Magistrate Leslie Foschio, who was presiding over the Ceglia lawsuit, has fined Ceglia $97,000 in sanctions and costs associated with Ceglia breaching court orders compelling him to produce potentially damaging documents. The judge said the documents at issue “are relevant to the genuineness” of Ceglia’s claims.

Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems

According to the Symantec Internet Security Threat Report (ISTR), 400 million new variants of malware were created in 2011, which is an average of 33 million new variants of malware a month, or an average of one million new variants a day.

It is impossible to manually analyze such a large number of sample files, so it is therefore necessary to use an automated threat analysis system to analyze sample behavior and prioritize the files that virus definitions should be created for.

By searching the Web, you can find services that execute files in a sandbox and show the behavior of those files, thus enabling you to see what a suspicious file does before you execute it on your computer.

Such services execute the submitted files in a sandbox and log the resulting system behavior.

If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may not be able to figure out that it is malicious. Therefore, both malware and packer program authors attempt to utilize techniques to hide malicious files from automated threat analysis systems.

For a long time, malware has been able to detect the environment it is running in and hide itself from automated threat analysis systems. The list below gives the measures malware takes to avoid being detected by dynamic analysis systems:

  • Checks a certain registry entry and stops if it detects that it is running in a virtual environment.
  • Checks video and mouse drivers and stops if it detects that it is running in a virtual environment.
  • Enumerates the system service list and stops if it detects that it is running in a virtual environment.
  • Executes special assembler code and stops if it detects that it is running in a virtual environment.
  • Checks a certain communication port and stops if it detects that it is running in a virtual environment.
  • Checks a certain process name and stops if it detects that it is being monitored.

If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program. It is also able to stop itself if it discovers a certain process name and detects that someone is monitoring it. So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware.

Malware authors have recently attempted to use other approaches to fool automated threat analysis systems as well. Two of those techniques are explained below.

Figure 1. Malware using the mouse to hide itself

A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system. The SetWindowsHookExA API function shown in the image above installs the _main_routine subroutine as a monitor for mouse message traffic, so the malicious code runs only when the malware receives mouse messages, that is, when the mouse is moved or a button is clicked. Because a person normally uses a mouse while working in Windows, the _main_routine subroutine runs as intended on a real machine. An automated threat analysis system, however, does not use a mouse, so the code remains dormant and the system may not classify the file as malware.

Figure 2. Malware using "sleep" to evade dynamic analyzer systems

When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine, as shown in the image above. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems only spend a small amount of time on one file so they may not detect the code as malware.
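The two evasion patterns above (a mouse-hook-gated payload and long Sleep delays) leave recognizable traces in a sandbox's API log even when the payload itself never runs. The script below is an added example, not code from Symantec or from the post; it assumes a constructed, hypothetical trace format of the form "<milliseconds> <API>(<args>)" that no real sandbox necessarily produces. It flags a sample that installs a WH_MOUSE/WH_MOUSE_LL hook and then shows no file, registry, process or network activity, sums the Sleep arguments against the run budget, and suggests how the analysis should be re-run. The sample traces are constructed from the figures described in the text.

```python
"""Post-processing heuristics for an automated analysis sandbox's API trace.

Flags the two gating behaviours described in the post: a payload that only
runs from a mouse-hook callback, and Sleep delays that outlast the run.
The trace format is an assumption made for this example, not a vendor format.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Win32 hook-type constants: WH_MOUSE = 7, WH_MOUSE_LL = 14.
MOUSE_HOOK_IDS = {7, 14}

# Calls that show the sample is actually doing something after the gate.
PAYLOAD_APIS = {
    "WriteFile", "CreateFileA", "CreateFileW", "RegSetValueExA", "RegSetValueExW",
    "CreateProcessA", "CreateProcessW", "connect", "InternetOpenUrlA",
}

# Assumed trace line: "<ms since start> <API>(<comma-separated args>)"
LINE_RE = re.compile(r"^(?P<t>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*$")


@dataclass
class Verdict:
    mouse_gated: bool        # payload reachable only through a mouse hook callback
    total_sleep_ms: int      # sum of every Sleep() argument in the trace
    exceeds_budget: bool     # the sleeps alone outlast the sandbox run
    actions: List[str] = field(default_factory=list)


def parse_trace(lines):
    """Return a list of (time_ms, api_name, [arg strings]) tuples."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        calls.append((int(m.group("t")), m.group("api"), args))
    return calls


def _int_arg(s):
    return int(s, 0)  # accepts "300000" as well as "0x493E0"


def analyze(lines, budget_ms=120_000):
    """Score a trace against a sandbox run budget (default two minutes)."""
    calls = parse_trace(lines)
    hook_idx = None
    total_sleep = 0
    for i, (_t, api, args) in enumerate(calls):
        try:
            if api in ("SetWindowsHookExA", "SetWindowsHookExW") and args:
                if hook_idx is None and _int_arg(args[0]) in MOUSE_HOOK_IDS:
                    hook_idx = i
            elif api == "Sleep" and args:
                total_sleep += _int_arg(args[0])
        except ValueError:
            continue  # unparsable argument: ignore this call
    # Gated: a mouse hook was installed and nothing payload-like followed it.
    mouse_gated = hook_idx is not None and not any(
        api in PAYLOAD_APIS for _t, api, _a in calls[hook_idx + 1:]
    )
    exceeds = total_sleep > budget_ms
    actions = []
    if mouse_gated:
        actions.append("replay synthetic mouse movement and clicks, then re-run")
    if exceeds:
        actions.append("hook Sleep to return immediately and extend the run")
    return Verdict(mouse_gated, total_sleep, exceeds, actions)


# Constructed traces modelled on Figure 1 and Figure 2 of the post.
TRACE_MOUSE_HOOK = [
    "0 GetModuleHandleA(NULL)",
    "3 SetWindowsHookExA(14, 0x00401000, 0x00400000, 0)",  # WH_MOUSE_LL -> _main_routine
    "5 GetMessageA(0x0012ff40, NULL, 0, 0)",
    "119950 ExitProcess(0)",
]
TRACE_SLEEP = [
    "0 Sleep(300000)",        # five minutes before DecryptCode
    "300010 Sleep(1200000)",  # twenty minutes before ModifyRegistry
    '1500020 RegSetValueExA(0x80, "Run", 0, 1, 0x00402000, 12)',
    "1500030 Sleep(1200000)",  # twenty minutes after Network_main
]
TRACE_BENIGN = [
    '0 CreateFileA("report.txt", 0x40000000, 0, NULL, 2, 0x80, NULL)',
    "2 WriteFile(0x84, 0x00403000, 14, 0x0012ff00, NULL)",
    "4 Sleep(50)",
]

if __name__ == "__main__":
    for name, trace in (("mouse-hook", TRACE_MOUSE_HOOK),
                        ("sleep", TRACE_SLEEP), ("benign", TRACE_BENIGN)):
        print(name, analyze(trace))
```

The mouse-hook trace yields mouse_gated=True with no payload calls, and the sleep trace totals 2,700,000 ms (45 minutes), far past a two-minute budget; both verdicts carry a re-run action, while the benign trace carries none. In a real pipeline the actions would feed a second pass that injects input events and patches Sleep, which is how sandboxes typically counter these two gates.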

In the past, malware authors used technically demanding methods to detect virtual environments. As such, they may have needed specialized skills, such as assembler programming, knowledge of virtual machines, and knowledge of CPUs and memory management.

However, the techniques described in this blog are not technical and hence malware authors these days do not need technical skills to hide their creations from automated threat analysis systems. Furthermore, they are always researching and testing new ideas in order to fool automated threat analysis systems.

Symantec engineers are always on the lookout for new techniques that malware and packer program authors may employ, such as those described in this blog. We recommend that users do not execute suspicious files or applications, and that they keep their operating system and antivirus software up to date at all times.