Fancy Bear ramping up infowar against Germany—and rest of West

The bear is back. It never went away.

US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday.

In a press release issued on December 8, Germany's Bundesamt für Verfassungsschutz (BfV)—the country's domestic intelligence agency—warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government. In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US.

The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom's Secret Intelligence Service (MI6), made more veiled references to disinformation and hacking campaigns. In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by "hybrid warfare."


UK intel agencies spy indiscriminately on millions of innocent folks


The UK's intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.

The documents reveal the details of so-called "Bulk Personal Datasets," or BPDs, which can contain "hundreds to millions of records" on people who are not suspected of any wrongdoing.

These records can be “anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” Privacy International's legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data."


SSL certificate debacle includes CIA, MI6, Mossad and Tor

Last week I wrote about the compromise of digital certificate authority DigiNotar. While the idea of over 250 false certificates being issued was scary, the number has grown to 531, including what could be intermediate signing certificates.

This is really bad news. Because DigiNotar's root certificates are trusted by browsers and operating systems, DigiNotar can delegate its authority to intermediate CAs, and anything those intermediates sign is trusted just as much as a certificate signed directly by the root. A rogue intermediate therefore lets the attackers mint as many trusted certificates as they like, for any name, long after the original break-in.

It appears the attackers issued 186 certificates that could have been intermediate (CA) certificates. Their subject names masqueraded as well-known certificate authorities such as Thawte, VeriSign, Comodo and Equifax, but the name in a certificate means nothing on its own: each of these would have chained back to DigiNotar's root, which is why revoking trust in that root is what neutralises them.

The expanded list of domains for which fraudulent certificates were issued includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list can be downloaded from the Tor website.

The attackers also issued themselves certificates for *.*.com and *.*.org. I am not sure if a multi-wildcard certificate like this is valid, but if so it could allow them to impersonate anything.
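Whether `*.*.com` is usable depends on how the client matches the name in the certificate against the host it wanted. RFC 6125 (section 6.4.3), published a few months before this incident, says a client should honour a wildcard only when it is the whole left-most label, and that the wildcard matches exactly one label; a conforming client therefore never matches `*.*.com` against `www.google.com`. Implementations did vary in 2011, so the following matcher, an added example rather than code from the original post, shows the conservative rule set rather than any particular browser's behaviour. The additional policy of refusing `*.com`-style names (fewer than two labels after the wildcard) and partial wildcards such as `f*.example.com` is this example's own choice, stricter than the RFC requires.

```python
"""Wildcard DNS-ID matching following RFC 6125 section 6.4.3.

Added example, not code from the original post. A wildcard is honoured
only as the entire left-most label and matches exactly one label, so
a "*.*.com" certificate matches nothing under these rules.
"""
import re

# Letters, digits and hyphen (LDH) labels; constructed for this example.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def dns_id_matches(presented: str, reference: str) -> bool:
    """Return True if the certificate's presented identifier matches the
    reference identifier (the host name the client actually wanted)."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")

    # Rule 1: a wildcard anywhere but the left-most label is never
    # honoured. This alone rejects "*.*.com" and "www.*.com".
    if any("*" in label for label in p_labels[1:]):
        return False

    # A wildcard matches exactly one label, so "*.example.com" does not
    # match "a.b.example.com" or "example.com": label counts must agree.
    if len(p_labels) != len(r_labels):
        return False

    first = p_labels[0]
    if "*" in first:
        # Policy choice of this example: at least two labels must follow
        # the wildcard, so "*.com" cannot match "example.com".
        if len(p_labels) < 3:
            return False
        # Policy choice: only a whole-label wildcard is accepted;
        # partial wildcards like "f*" are rejected as the stricter option.
        if first != "*":
            return False
        if _LABEL_RE.match(r_labels[0]) is None:
            return False
    elif first != r_labels[0]:
        return False

    # Every remaining label must match exactly (already lower-cased).
    return p_labels[1:] == r_labels[1:]


def usable_for(presented_ids, target_host):
    """Return the presented identifiers (e.g. subject names from fraudulent
    certificates) that a conforming client would accept for target_host."""
    return [name for name in presented_ids if dns_id_matches(name, target_host)]


if __name__ == "__main__":
    # Constructed sample names, in the style of the fraudulent list.
    sample = ["*.google.com", "*.*.com", "*.com", "www.google.com", "f*.google.com"]
    print(usable_for(sample, "www.google.com"))
    # prints ['*.google.com', 'www.google.com']
```

Note that `*.*.com` is rejected at the first check regardless of the target, which is the practical answer to the question above: a client that follows the RFC gains nothing from such a certificate, but a client that matches wildcards loosely could be fooled, which is why the safe assumption is still to distrust the issuing root outright.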

According to the blog post on the Tor project’s website, they also left a message in Farsi. Loosely translated, it reads “great cracker, I will crack all encryption, i hate/break your head.”

This incident makes me feel more justified than ever in my distrust of the certificate system. While Mozilla, Google and others have been quick to permanently remove DigiNotar as a trusted authority, in this case it is too little, too late.

Currently, users of IE and Safari on Windows 7/Vista/2008/2008 R2 (both rely on the Windows certificate store, which Microsoft has updated), or of Chrome and Firefox on any platform, are protected against exploitation as long as they are fully patched.

Mac OS X users using the latest Chrome and Firefox (6.0.1) versions are fine, but Safari and OS X itself have not been patched. There are instructions on doing so on the ps | Enable blog, although it is non-trivial.

More concerning is that mobile users are being left in the dark. There have been no updates, and no manual removal method for Android or iPhone/iPad/iPod Touch users who haven’t jailbroken/rooted their devices.
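If you cannot rely on a vendor update, the first step is to check whether the offending root is still in the trust store your software actually uses. The script below is an added example, not code from the original post: it filters trust anchors by organisation or common name against a blocklist, using only the Python standard library (`SSLContext.get_ca_certs()`, available since Python 3.4, returns the loaded anchors as dicts in the same shape `getpeercert()` uses). The sample store entries are constructed for the example; the DigiNotar names are illustrative of the incident, and the "Example Trust Services" root is fictitious.

```python
"""Audit a CA trust store for roots you no longer want to trust.

Added example, not code from the original post. The same filter runs
against a constructed sample store and, via audit_system_store(),
against the trust anchors the local OpenSSL build loads by default.
"""
import ssl

# Constructed entries in the shape ssl.SSLContext.get_ca_certs() returns:
# subject/issuer are tuples of RDNs, each RDN a tuple of (type, value).
SAMPLE_STORE = [
    {
        "subject": ((("countryName", "NL"),),
                    (("organizationName", "DigiNotar"),),
                    (("commonName", "DigiNotar Root CA"),)),
        "issuer": ((("countryName", "NL"),),
                   (("organizationName", "DigiNotar"),),
                   (("commonName", "DigiNotar Root CA"),)),
        "version": 3,
        "serialNumber": "0C76DA9C910C4E2C9EFE15D058933C4C",  # illustrative
        "notAfter": "Mar 31 18:19:21 2025 GMT",
    },
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Root CA"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Root CA"),)),
        "version": 3,
        "serialNumber": "01",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
]


def rdn_value(name, attr_type):
    """Return the first attribute of the given type from a subject/issuer
    tuple, or None if the name does not carry it."""
    for rdn in name:
        for kind, value in rdn:
            if kind == attr_type:
                return value
    return None


def find_distrusted(certs, blocklist):
    """Return the commonName (or organizationName) of every certificate whose
    subject organisation or CN contains a blocklisted string, case-insensitively.
    Matching on names is enough for a first audit; a production check would
    compare SHA-256 fingerprints of the DER form instead."""
    needles = [entry.lower() for entry in blocklist]
    hits = []
    for cert in certs:
        subject = cert.get("subject", ())
        org = rdn_value(subject, "organizationName") or ""
        cn = rdn_value(subject, "commonName") or ""
        haystack = f"{org} {cn}".lower()
        if any(needle in haystack for needle in needles):
            hits.append(cn or org)
    return hits


def audit_system_store(blocklist):
    """Run the filter over the interpreter's default trust anchors.
    Caveat: OpenSSL reports certificates from a capath directory only after
    they have been used, so an empty result is not proof the root is absent
    from the OS store; check the platform's own store (Keychain, certmgr) too."""
    ctx = ssl.create_default_context()
    return find_distrusted(ctx.get_ca_certs(), blocklist)


if __name__ == "__main__":
    print(find_distrusted(SAMPLE_STORE, ["DigiNotar"]))   # ['DigiNotar Root CA']
    print(audit_system_store(["DigiNotar"]))
```

Finding the root is only half the job: on a desktop it then has to be removed or marked "never trust", and, as the paragraphs above note, on an unrooted 2011-era phone there was no supported way to do either, so the result of an audit there is purely informational.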

Tap, tap, tap… Hello, Apple? Are you there? Your competitors (Microsoft, Google, Mozilla) are protecting their customers promptly and openly. I know you don’t like to talk about security, but now would be a great time to show you care.

Correction: I mistakenly had noted Firefox 6.0.2 was current, when in fact 6.0.1 is the latest.