To be honest, I thought “Keeping Up with the Snoops 7: Too Many Snoops” (21 November 2014) might have been the last in this series. The release of Snowden’s documents seemed to be finished, the USA Freedom Act had been defeated, and the battle between the CIA and Senate over hacking had been quietly swept aside.
But as we approach the two-year anniversary of the first Snowden revelations of government mass surveillance, it turns out that the topic still has legs. Here’s the latest in the saga.
Iron Patriot Act — Like many “temporary” measures, the USA PATRIOT Act, signed into law quickly after the 11 September 2001 attacks, isn’t going away anytime soon.
On 25 February 2015, the Patriot Act was extended for yet another year, with all attempts at adding civil liberty protections defeated.
The Patriot Act has often been used to enable or justify NSA mass surveillance. However, its author, Representative Jim Sensenbrenner, has accused the NSA of abusing the law by attempting to collect records of all phone calls in the United States.
Have You Been Spied On? — Since I began this series, I’ve heard a common complaint from critics: “No one is spying on YOU,” a statement that no one could prove or disprove with certainty.
Now, thanks to a UK court ruling, we may be able to find out. The Investigatory Powers Tribunal (IPT) found that secret intelligence sharing between America’s National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) violated human rights laws. The ruling was especially interesting, given that in its 15-year history, the IPT has never before ruled against intelligence agencies.
So how does this ruling affect you if you live in the United States? Anyone whose data was shared illegally with or by the GCHQ can ask if his or her communications were included. While the IPT will not divulge details, it will give a simple “yes” or “no” determination (which is more like a maybe than a plain “no”).
To make this process easy, Privacy International, one of the plaintiffs in the suit, has set up a Web page where it’s collecting data to make the appropriate requests to the IPT, and also to request that the GCHQ destroy its illegally collected data.
Be aware that it could be a long time before action is taken. Privacy International says that nothing like this has ever happened before, especially not at this scale. It could take years before things are sorted out.
What’s Hiding in Your Hard Drive? — According to a report from Kaspersky Lab, your hard drive might have malware hiding in its firmware.
The work of the so-called Equation Group of malware authors has been traced all the way back to 2001. One piece of the Equation Group’s malware is able to hijack the hard drive itself, preventing users from deleting data, or even enabling attackers to create hidden partitions that can be used to bypass encryption or collect data.
Some malware from the Equation Group bears several similarities to the Stuxnet worm that destroyed many of Iran’s nuclear centrifuges between 2009 and 2010. Stuxnet is largely attributed to a collaboration between the United States and Israel.
Indeed, malware linked to the Equation Group is prolific and highly sophisticated, leading many to believe that the Equation Group is linked to, or even part of, the NSA.
Should you worry about your hard drive being hijacked by government snoops? Probably not. Despite the furor this story has sparked, the victims that Kaspersky has discovered so far have been highly targeted, either individually or through Web sites linked to religious radicals.
Still, the work of the Equation Group goes to show just how inherently insecure computers can be — even down to the bare metal.
Mr. Obama Goes to Silicon Valley — In a time of rising tensions between Silicon Valley and the U.S. federal government, President Obama held a White House Summit on Cybersecurity and Consumer Protection at Stanford University on 12 February 2015.
The president attempted to make peace with the tech community by inviting top CEOs to the summit. However, Facebook’s Mark Zuckerberg, Google’s Larry Page and Eric Schmidt, and Yahoo’s Marissa Mayer all declined.
Apple’s Tim Cook was in attendance, and he gave a speech reiterating Apple’s commitment to privacy. He also touted Apple Pay, announcing that Apple Pay will soon be available for federal government transactions. You can watch the full speech here.
The focus of the summit was an executive order, signed by President Obama at the event, that encourages greater sharing of security information between tech companies and the federal government. The order, which is advisory and not prescriptive, calls for central clearinghouses for information between the government and private enterprise.
The president also agreed to a few interviews, most notably with Re/code’s Kara Swisher. You can watch the entire interview here.
In the interview, Obama admitted to a strained relationship with Silicon Valley, mostly pinning the blame on Edward Snowden’s revelations of NSA spying. Indeed, revelations about mass surveillance have caused the Chinese government to drop many American technology brands, including Apple. However, the president did acknowledge that the NSA had gone too far in its intelligence gathering efforts. “There have been abuses on U.S. soil,” the president said.
One of the main tussles between the government and the tech sector has been over encryption. The NSA has been caught weakening encryption standards (see “The NSA’s Campaign to Undermine Internet Security,” 5 September 2013), and law enforcement has complained about stronger encryption measures in consumer products (see “Apple and Google Spark Civil Rights Debate,” 10 October 2014). Swisher asked the president about this, but his response was something of a waffle.
But the intelligence agencies’ biggest win over encryption had yet to be revealed…
The Great SIM Heist — Just when the Snowden revelations seemed to be fading away, The Intercept dropped another bombshell.
Britain’s GCHQ, with help from the NSA, infiltrated Gemalto, the world’s leading producer of SIM cards. Gemalto produces 2 billion SIM cards a year for AT&T, Sprint, T-Mobile, Verizon, and others. Intelligence operatives mined the private communications of engineers to steal SIM encryption keys.
In effect, the NSA and GCHQ may have the capability to decrypt voice and data from almost any cell phone in the world. “Once you have the keys, decrypting traffic is trivial,” Christopher Soghoian of the American Civil Liberties Union told The Intercept. “The news of this key theft will send a shockwave through the security community,” he said.
In fact, the ramifications for cellular security could be significant. Matthew Green, a cryptographer at Johns Hopkins University, called it, “bad news for phone security. Really bad news.” He continued, “Gaining access to a database of keys is pretty much game over for cellular encryption.”
Gemalto has admitted that it was hacked, but has downplayed the severity of the intrusion. The company said that the infiltrators gained few, if any, SIM card keys, and that the ones that might have been stolen were outdated anyway. However, many are skeptical that Gemalto could have performed a thorough security audit in such a short amount of time.
The Gemalto story has caused even more tension between the federal government and security experts. At a New America Foundation conference on cybersecurity on 23 February 2015, things got heated when NSA Director Mike Rogers was grilled by Yahoo’s chief information security officer, Alex Stamos, about the NSA’s desire for encryption backdoors (a term Rogers rejected). Rogers dismissed concerns that foreign nations could also demand their own encryption backdoors with, “I think we can work our way through this.” (As an aside, this picture of Admiral Rogers does not inspire confidence.)
The silver lining in this cloud is that this may have finally alerted technology companies to the stark reality that many of the technologies we rely on every day are inherently insecure. Let’s hope it causes the tech world to focus more on fundamental security practices.