BuzzFeed reports that source code in critical FBI software was developed by Russians:
The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.
The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.
The White House has come up with a severity scheme ranging from Level Zero for an inconsequential event to Level 5 for an emergency — or an attack that poses an “imminent threat” to critical systems such as the power grid, federal government stability or people’s lives. Level 2 is reserved for an incident that may affect public safety or national security. Level 3 moves into the realm of significant, for high-severity events that are likely to have a “demonstrable” impact on public safety or national security.
There has been no known incident that would be considered a Level 5, senior officials said. The suspected Russian cyberattack on Ukraine’s electric grid in December that caused widespread power outages probably would have been a Level 4 — a “severe” event that likely would result in “significant” harm to public safety or national security — if it had happened in the United States, the official said.
The level indicator sounds easy for the layman to comprehend, but is likely far too onerous for practitioners to easily determine which level is appropriate for a given incident.
As part of the new system, developers building software for Apple’s devices will be able to opt for users’ information to have no encryption, single-key encryption, or multi-key encryption “with per-file keys for file data and a separate key for sensitive metadata” – comparable to leaving a door unlocked, using one key, or using two keys.
In its documentation of APFS, Apple explains that full disk encryption has been available on OS X since version 10.7 Lion. APFS differs in that it encrypts files individually rather than as one unit, similar to other encryption mechanisms Apple introduced to its iOS platform in 2010. It also encrypts related metadata – the basic summary attached to each file – and will keep data secure even when the device has been physically hacked.
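The single-key and multi-key modes described above, as an added toy model that is not Apple's code or APFS itself: each file's data under its own key wrapped by the volume key, metadata under a separate key, versus one key for everything, so that a leaked per-file key exposes only that file. The cipher is an HMAC-based stand-in for AES (assumed here so the block runs on the standard library), and the `Volume` class, `seal`/`open_` helpers and `readable_with` check are invented for illustration.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher built from HMAC-SHA256 so this runs on the
# standard library alone; it stands in for AES and is not what APFS uses.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the key this blob was sealed under."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class Volume:
    """mode "single": one volume key protects every file and its metadata.
    mode "multi": a fresh key per file, wrapped under the volume key, plus a
    separate metadata key (the APFS option described above). Invented class."""
    def __init__(self, mode: str):
        self.mode = mode
        self.volume_key = secrets.token_bytes(32)      # kept off the disk image
        self.metadata_key = _subkey(self.volume_key, b"meta") if mode == "multi" else self.volume_key
        self.disk = {}   # name -> (wrapped file key or None, sealed data, sealed metadata)

    def write(self, name: str, data: bytes, metadata: bytes) -> None:
        if self.mode == "multi":
            file_key = secrets.token_bytes(32)
            wrapped = seal(self.volume_key, file_key)   # per-file key wrapped by the volume key
        else:
            file_key, wrapped = self.volume_key, None
        self.disk[name] = (wrapped, seal(file_key, data), seal(self.metadata_key, metadata))

    def file_key(self, name: str) -> bytes:
        wrapped = self.disk[name][0]
        return self.volume_key if wrapped is None else open_(self.volume_key, wrapped)

def readable_with(key: bytes, vol: Volume) -> dict:
    """Map each file to (data readable?, metadata readable?) for a party holding only `key`."""
    return {name: (open_(key, data) is not None, open_(key, meta) is not None)
            for name, (_, data, meta) in vol.disk.items()}
```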
Since its battle with the FBI, Apple has made a number of important changes to increase security and tighten encryption. Apple itself couldn’t decrypt information the agency demanded, but the company did have the keys to access information stored in the shooter’s iCloud account. The company is now reportedly considering a system that wouldn’t allow it to access iCloud data.
The number of resumes submitted as a direct result of the bureau’s presence at the conference was not readily available. (The story will be updated with those figures if and when we get them.)
Last year, the FBI recruited more than 1,500 special agents with cyber expertise, according to data from the bureau’s human resources department.
However, the hacker and cybersecurity communities are still wary of the federal government. This fact was clear during the Q&A portions of many of the talks and presentations featuring government representatives.
FBI Director James Comey alluded to some of these worries during a talk in January at the International Conference on Cyber Security.
“There is a wind blowing that I worry has blown what is a healthy skepticism of government power … to a cynicism so that people don’t want to be with us anymore,” he said. “We’ve got to do our best to speak into that wind to try to explain how we’re using our authorities in government.”
Having a presence at Black Hat and other similar venues is part of the FBI’s push to overcome this reality.
Beginning in late 2014, FBI and DOJ officials have sounded alarms about encryption, saying law enforcement agencies are increasingly “going dark” in criminal and terrorism investigations because subjects’ data is unavailable, even after a court-issued warrant. Apple and Google both announced new end-to-end encryption services on their mobile operating systems, in part as a response to leaks about massive surveillance programs at the National Security Agency.
One recent criminal defendant described end-to-end encryption as “another gift from God,” Deputy Attorney General Sally Quillian Yates said during a speech last month. “But we all know this is no gift—it is a risk to public safety,” she said then.
Several encryption and security experts, as well as digital rights groups, have criticized the DOJ and FBI calls for encryption workarounds. “If it’s easier for the FBI to break in, then it’s easier for Chinese hackers to break in,” Senator Ron Wyden, an Oregon Democrat, said last month. “It’s not possible to give the FBI special access to Americans’ technology without making security weaker for everyone.”
The Gameover Zeus botnet owners looked at their operation as a complete criminal organization, owned all the assets and put them all under one roof, Elliott noted. “They were very centralized, which made it good for them from a logistics standpoint and very good for us in law enforcement.”
One of the principal servers used by Gameover Zeus was referred to by the botnet owners as the “Business Club.” Through the Business Club, the FBI was able to connect the dots across attacks and victims. There was a full ledger system in place that kept accurate track of all the fraud committed by the Gameover Zeus botnet, Elliott said.
As to how the FBI actually identified the individuals responsible, Elliott said the criminals weren’t part-time criminals; cybercrime was their full-time job. That’s how the FBI was able to identify Evgeniy Bogachev as the kingpin behind the Gameover Zeus botnet.
“One of the things we try to do as law enforcement is work ourselves in, so we can attack the seams between their personal life and their criminal life,” Elliott said. “Fortunately Bogachev was a user of VPNs, and he liked to use the same VPNs to log into his personal accounts as he would to administrate the backend of the botnet servers.”
The FBI did a botnet takeover in June of 2014 to protect victims and stop future fraud.
Short of outlawing cryptography, which would ensure that only outlaws have crypto, some of the solutions on the table call for either key escrow or building access for law enforcement into key servers.
“There’s no assurance that something like this would not be abused for mass surveillance,” Green said.
The FBI’s Comey, as recently as a month ago, eased off demands for exceptional access, and instead told technology companies they need to try harder to find a solution to the problem. Key escrow, where trusted parties share keys, was part of Comey’s solution.
“I’ve heard that it’s too hard, that there’s no solution. Really?” Comey said during a Congressional hearing July 8, mentioning Silicon Valley by name. “Maybe it is too hard, but given the stakes, we’ve got to give it a shot and I don’t think it’s been given an honest hard look.
“We want people to be in position to comply with judges’ orders in the U.S. We want creative people to figure out how to comply with court orders,” Comey said. “You shouldn’t be looking at the FBI director for innovation.”
Green and Denaro pointed out during today’s session a number of technical issues that make exceptional access a bad idea, in particular the fact that this issue has no geographic borders. Should Apple, for example, build in a backdoor for U.S. law enforcement, how does it say no to other countries, including leaders in oppressive or sanctioned nations?
“Once we have the capability to eavesdrop, even if you build in a legal safeguard to make sure it’s not abused, what happens when you send this to repressive governments that don’t have a First Amendment?” Green said. “Build it here to chase [criminals] and give that same technology to oppressive governments to own devices? If ISIS needs encryption, it will get it. It will stop relying on iMessage pretty quickly if it’s backdoored.”
I am just not buying this whole “going dark” problem. The FBI just wants these tools to make their jobs easier, which I can totally relate to and maybe even sympathize with. However, by blatantly disregarding the security implications inherent in backdoors, the FBI is positioning the US to be less safe than anywhere else.
As a parallel, who were the only people with alcohol during Prohibition? Gangsters and people uninterested in following the law. So guess what happened? There was a lot of violence around the alcohol trade, many unnecessary deaths, and meanwhile people kept drinking alcohol. Long story short: prohibition did not prohibit anything. What makes the FBI think the same is going to happen this time around?
As of January 2015, the Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorized to employ under the Justice Department’s Next Generation Cyber Initiative launched in 2012, the report showed.
Although cyber task forces have been set up at all 56 FBI field offices, five of them did not have a computer scientist assigned to them, the report by the Office of the Inspector General found.
Cyber security threats are among the Justice Department’s top priorities and there has been a slew of damaging cyberattacks against private companies and U.S. government agencies in the last couple of years.
The FBI budgeted $314 million on the program for the 2014 fiscal year, including 1,333 full-time employees, the report by the internal watchdog said.
Lower salaries compared to the private sector made it difficult for the FBI to hire and retain cyber experts, the Office of the Inspector General said in the report.
No surprises here. Not only is the salary low, but the quality of life is not exactly what most techies are looking for in an employer. The FBI really needs to reconsider not only its recruiting efforts, but also some of its internal human resources policies before cyber security geeks will consider them a viable opportunity.
Waving the threat of ISIS and terrorism before the Committee, Comey in particular chose not to believe that cryptographers, technologists and security experts know what they are talking about, and said that the companies have probably not tried hard enough to come up with a viable answer on how to provide access to law enforcement, but keep criminals out.
He then admitted to not knowing enough about the technology to come up with a realistic proposal, but he said he was sure that brilliant US technologists can do it.
“We want to work with the communications providers to find a way with them to get access to the information we need … while protecting privacy. We want to have each provider think about and work out a way where they will find a way to respond to these requests,” Quillian stated, and again asked for Sillicon Valley[sic] companies to come up with an answer – or scrap end-to-end encryption altogether.
According to The Intercept, both she and Comey said that if the companies voluntarily refused or made it impossible to give access to law enforcement, they should have to be forced to do so by law.
If you tell me it’s impossible then you are obviously not trying hard enough.
Hacking Team has generated a total of 697,710 Euros ($773,226.64) from the FBI since 2011, according to the hacked spreadsheets. In 2015, the FBI spent 59,855 Euros on “maintenance,” and in 2014 the agency spent the same amount on “license/upgrades.” No expenditure was recorded for the whole of 2013.
In 2012, however, the FBI allegedly spent 310,000 Euros for Hacking Team’s services, all on licenses or upgrades, and the year before it spent 268,000 Euros.
Despite this expenditure on controversial surveillance technology, it appears that the FBI is only using Hacking Team’s software as a “back up” to other tools, according to internal emails.
As highlighted by Forbes, Eric Rabe, Hacking Team’s communications chief, wrote in a leaked email that “The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they use.”
Today, we have far more to protect online – from our financial transactions to our private health information, companies’ sensitive intellectual property, plans for our military systems, and our personal communications. All of that information is (or should be) protected by strong encryption. And yet all of those categories of information have already been breached by unauthorized hackers. Sadly, the cyber-attackers, whether they are criminals, the Chinese, Russians, or North Koreans, have a far easier time than the cyber-defenders.
But weakening security systems by forcing companies to hold an encryption key will undermine rather than enhance our security.
First, ensuring government access to encrypted communications means that devices, apps and services have a built-in vulnerability for anyone to exploit. This is true whether the company holds the key or gives it to the government. The existence of an encryption key in the hands of someone other than the end user greatly increases the risk that those communications can be compromised. The more holders of encryption keys, the greater the risk that the communications can be accessed by the good guys and the bad guys.
Creating encryption access is not a single point problem; it would require access at all points of the chain. If a device manufacturer provides encryption access, the operating system developer may encrypt for privacy. Even if the OS has an encryption key for law enforcement, the data custodian also may encrypt, or the app developer, or the peripheral manufacturer. Requiring that law enforcement have encryption access means creating multiple built-in vulnerabilities, each requiring a trusted custodian at each company to hold that key to secure the data.
Most of these arguments are not new or surprising. Indeed, it was for many of the same reasons that the US government ultimately rejected the idea of encryption backdoors in the 90s, during what are now called the “Crypto Wars.” We as a nation already had the debate that Comey is demanding — we had it 20 years ago! — and the arguments against backdoors have only become stronger and more numerous with time. Most notably, the 21st century has turned out to be a “Golden Age for Surveillance” for the government. Even with the proliferation of encryption, law enforcement has access to much more information than ever before: access to cellphone location information about where we are and where we’ve been, metadata about who we communicate with and when, and vast databases of emails and pictures and more in the cloud. So, the purported law enforcement need is even less compelling than it was in the 90s. Meanwhile, the security implications of trying to mandate backdoors throughout the vast ecosystem of digital communications services have only gotten more dire in the intervening years, as laid out in an exhaustive new report issued just this morning by over a dozen heavy-hitting security experts.
Yesterday, Comey conceded that after a meaningful debate, it may be that we as a people decide that the benefits of widespread encryption outweigh the costs and that there’s no sensible, technically feasible way to guarantee government access to encrypted data. But the fact is that we had that debate 20 years ago, and we’ve been having it again for nearly a year. We are not talking past each other; a wide range of advocates, industry stakeholders, policymakers, and experts has been speaking directly to Comey’s arguments since last fall. Hopefully he will soon start listening, rather than dooming us to repeat the mistakes of the past and dragging us into another round of Crypto Wars.
The Obama administration has grown increasingly wary about encryption on smartphones ever since Apple and Google last year announced efforts to offer tighter security by default on their products. Earlier this year, President Obama warned that “if we get into a situation which the technologies do not allow us at all to track somebody we’re confident is a terrorist … that’s a problem.”
But many cybersecurity experts strongly disagree with Obama and Comey. Many believe there is no such thing as a “golden key” for encryption that could allow law-enforcement or national security professionals access into an encrypted device without also creating a vulnerability that malicious hackers could exploit. A secret 2009 U.S. cybersecurity report obtained by Edward Snowden and published by The Guardian seemed to back that view up, warning that government and private computers are vulnerable to cyberattacks from Russia, China, and criminal actors if stronger encryption was not adopted across the board.
Comey, in his blog post, said that the two sides of the encryption debate are “talking past each other” and that he intends to kick off a “healthy discussion” about the tension between privacy and security with respect to this issue.
“I really am not a maniac (or at least my family says so),” Comey said. “But my job is to try to keep people safe. In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job.”
The move comes amid a wider effort by the FBI to capture its most wanted cyber criminals. Other bounties offered take the total up for grabs to $4.2m.
The second biggest reward is $1m for Nicolae Popescu for his involvement in an online shopping scam that promised to send buyers goods including cars but instead took their money without sending any goods in return.
A reward of $100,000 has been posted for Alexsey Belan for allegedly intruding in the computer networks of three major US e-commerce companies in Nevada and California, stealing customer information and selling the databases.
Providing information about Carlos Enrique Perez-Melara will land you a $50,000 reward. He is wanted for allegedly manufacturing spyware that was used to intercept the private communications of victims and send information back to those running the spyware. He was charged in 2005.
Grassley also is seeking information about whether and how the FBI uses zero days. He asked Comey whether the bureau uses any zero days in the process of installing spyware tools on target machines, and if so, whether the FBI develops exploits in-house or buys them from vendors, such as VUPEN. He also asked, if the bureau does use zero days, whether the FBI ever notifies software vendors about the bugs it’s exploiting.
Intelligence agencies and military branches are known to use exploits for zero days in their work, some of which are developed internally and others that are purchased from outside vendors. In 2013, a contract surfaced that showed the NSA had subscribed to a zero-day exploit service run by VUPEN, a French company that develops and sells vulnerability and exploit information. And last month the U.S. Navy published a solicitation for zero days in a variety of popular software.
In addition to the information on exploit usage, Grassley also is asking Comey for more details on the FBI’s phishing operations. Last year, it was reported that the FBI at one point ran an operation that involved setting up a site to impersonate the Associated Press in order to get a target to click on a link that would install a remote monitoring tool. AP officials were indignant at the revelation, saying it undermined the organization’s credibility. In his letter, Grassley asks how many other times the FBI has used this tactic and whether the bureau ever informs the companies it is impersonating.
There is no doubt in my mind the FBI will be completely forthcoming in its use of zero-day exploits and phishing. I am sure they just cannot wait to tell the Senate Judiciary Committee all the intimate details about these operations.