Special Report – Inside the UAE’s secret hacking team of U.S. mercenaries

Two weeks after leaving her position as an intelligence analyst for the U.S. National Security Agency in 2014, Lori Stroud was in the Middle East working as a hacker for an Arab monarchy.

She had joined Project Raven, a clandestine team that included more than a dozen former U.S. intelligence operatives recruited to help the United Arab Emirates engage in surveillance of other governments, militants and human rights activists critical of the monarchy.

Stroud and her team, working from a converted mansion in Abu Dhabi known internally as “the Villa,” would use methods learnt from a decade in the U.S. intelligence community to help the UAE hack into the phones and computers of its enemies.

Stroud had been recruited by a Maryland cybersecurity contractor to help the Emiratis launch hacking operations, and for three years, she thrived in the job. But in 2016, the Emiratis moved Project Raven to a UAE cybersecurity firm named DarkMatter. Before long, Stroud and other Americans involved in the effort say they saw the mission cross a red line: targeting fellow Americans for surveillance.

“I am working for a foreign intelligence agency who is targeting U.S. persons,” she told Reuters. “I am officially the bad kind of spy.”

The story of Project Raven reveals how former U.S. government hackers have employed state-of-the-art cyber-espionage tools on behalf of a foreign intelligence service that spies on human rights activists, journalists and political rivals.

The operatives utilized an arsenal of cyber tools, including a cutting-edge espionage platform known as Karma, with which Raven operatives say they hacked into the iPhones of hundreds of activists, political leaders and suspected terrorists. Details of the Karma hack were described in a separate Reuters article today.

An NSA spokesman declined to comment on Raven. An Apple spokeswoman declined to comment. A spokeswoman for UAE’s Ministry of Foreign Affairs declined to comment. The UAE’s Embassy in Washington and a spokesman for its National Media Council did not respond to requests for comment.

The Raven story also provides new insight into the role former American cyberspies play in foreign hacking operations. Within the U.S. intelligence community, leaving to work as an operative for another country is seen by some as a betrayal. “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government,” said Bob Anderson, who served as executive assistant director of the Federal Bureau of Investigation until 2015.

While this activity raises ethical dilemmas, U.S. national security lawyers say the laws guiding what American intelligence contractors can do abroad are murky. Though it’s illegal to share classified information, there is no specific law that bars contractors from sharing more general spycraft knowhow, such as how to bait a target with a virus-laden email.

The rules, however, are clear on hacking U.S. networks or stealing the communications of Americans. “It would be very illegal,” said Rhea Siers, former NSA deputy assistant director for policy.

Read the complete article on Reuters here.

Trump-Russia inquiry in ‘grave doubt’

The top Democrat on one of the congressional committees investigating ties between Donald Trump and Russia has raised “grave doubt” over the viability of the inquiry after its Republican chairman shared information with the White House and not their committee colleagues.

In the latest wild development surrounding the Russia inquiry that has created an air of scandal around Trump, Democrat Adam Schiff effectively called his GOP counterpart, Devin Nunes, a proxy for the White House, questioning his conduct.

“These actions raise enormous doubt about whether the committee can do its work,” Schiff said late Wednesday afternoon after speaking with Nunes, his fellow Californian, before telling MSNBC that evidence tying Trump to Russia now appeared “more than circumstantial”.

Two days after testimony from the directors of the FBI and NSA that dismissed any factual basis to Trump’s 4 March claim that Barack Obama had him placed under surveillance, Nunes publicly stated he was “alarmed” to learn that the intelligence agencies may have “incidentally” collected communications from Trump and his associates.

Nunes, who served on Trump’s national security transition team, said the surveillance “appears to be all legally collected” and masked the identities of Americans, but did so in such a way that Nunes could hazard a guess as to whom the intercepted communications discussed. Nunes added that the alleged intercepts did not actually concern Russia.

“Details about persons associated with the incoming administration, details with little apparent foreign intelligence value were widely disseminated in intelligence community reporting,” said Nunes, who has shifted the focus of the inquiry onto leaks that Trump blames on the intelligence agencies.

Nunes went to the White House to brief the president, who seized on the chairman’s comments as vindication, even though there is little evidence even in Nunes’s vague and often conditional remarks that they revive Trump’s claim that Obama had Trump Tower wiretapped.

“I somewhat do. I must tell you I somewhat do. I very much appreciated the fact that they found what they found, I somewhat do,” Trump said Wednesday afternoon.

Nunes took whatever material he had acquired to Trump before sharing it with the committee – a decision that represented nearly a final straw for Schiff, who called for an independent commission to investigate ties between Trump and Russia.

In language that stripped away any pretense of cordiality remaining on the committee, Schiff said Nunes would have to decide whether to helm a credible inquiry or whether to operate as a White House adjunct, complicit in what Schiff intimated was a “campaign by the White House to deflect from the [FBI] director’s testimony”.

Asked if Schiff was considering pulling out of the inquiry, Schiff said he would have to “analyze what this development means”, suggesting a potential Democratic departure from one of the most internationally watched congressional investigations in recent history.

“If you have a chairman who is interacting with the White House, sharing information with the White House, when the people around the White House are the subject of the investigation and doing it before sharing it with the committee, it puts a profound doubt over whether that can be done credibly,” Schiff said.

Schiff reiterated that from what he had gleaned from his conversation with Nunes, “there is still no evidence that the president was wiretapped by his predecessor”.

Read the complete article on The Guardian newspaper website.

Trump to tighten grip on intelligence agencies following ‘leaks’

Stephen A. Feinberg, right, a founder of Cerberus Capital Management, at the Capitol in December 2008. He is said to be in talks for a White House role examining the country’s intelligence agencies. Credit Brendan Smialowski for The New York Times


President Trump plans to assign a New York billionaire to lead a broad review of American intelligence agencies, according to administration officials, an effort that members of the intelligence community fear could curtail their independence and reduce the flow of information that contradicts the president’s worldview.

The possible role for Stephen A. Feinberg, a co-founder of Cerberus Capital Management, has met fierce resistance among intelligence officials already on edge because of the criticism the intelligence community has received from Mr. Trump during the campaign and since he became president. On Wednesday, Mr. Trump blamed leaks from the intelligence community for the departure of Michael T. Flynn, his national security adviser, whose resignation he requested.

There has been no announcement of Mr. Feinberg’s job, which would be based in the White House, but he recently told his company’s shareholders that he is in discussions to join the Trump administration. He is a member of Mr. Trump’s economic advisory council.

Mr. Feinberg, who has close ties to Stephen K. Bannon, Mr. Trump’s chief strategist, and Jared Kushner, the president’s son-in-law, declined to comment on his possible position. The White House, which is still working out the details of the intelligence review, also would not comment.

Mr. Bannon and Mr. Kushner, according to current and former intelligence officials and Republican lawmakers, had at one point considered Mr. Feinberg for either director of national intelligence or chief of the Central Intelligence Agency’s clandestine service, a role that is normally reserved for career intelligence officers, not friends of the president. Mr. Feinberg’s only experience with national security matters is his firm’s stakes in a private security company and two gun makers.

On an array of issues — including the Iran nuclear deal, the utility of NATO, and how best to combat Islamist militancy — much of the information and analysis produced by American intelligence agencies contradicts the policy positions of the new administration. The divide is starkest when it comes to Russia and President Vladimir V. Putin, whom Mr. Trump has repeatedly praised while dismissing American intelligence assessments that Moscow sought to promote his own candidacy.

The last time an outsider with no intelligence experience took the job was in the early days of the Reagan administration, when Max Hugel, a businessman who had worked on Mr. Reagan’s campaign, was named to run the spy service. His tenure at the C.I.A. was marked by turmoil and questions about the politicization of the agency. He was forced to resign after six months, amid accusations about his past business dealings. (He later won a libel case against the two brothers who made the accusations.)

Even the prospect that Mr. Feinberg may lead a review for the White House has raised concerns in the intelligence community.

Against this backdrop, Mr. Trump has appointed Mike Pompeo, a former Republican congressman from Kansas, to run the C.I.A., and former Senator Dan Coats, an Indiana Republican, to be the director of national intelligence (he is still awaiting confirmation). Both were the preferred choices of the Republican congressional leadership and Vice President Mike Pence and had no close or longstanding ties to Mr. Trump. In fact, they each endorsed Senator Marco Rubio of Florida for president during the 2016 Republican primaries.

Mr. Coats is especially angry at what he sees as a move by Mr. Bannon and Mr. Kushner to sideline him before he is even confirmed, according to current and former officials. He believes the review would impinge on a central part of his role as the director of national intelligence and fears that if Mr. Feinberg were working at the White House, he could quickly become a dominant voice on intelligence matters.

Read more at the New York Times and The Guardian.

Privacy experts fear Donald Trump running global surveillance network

The NSA. Obama’s approach has been to offer a modicum of transparency, much of it forced on him by the courts, in place of reform. Photograph: Patrick Semansky/AP

Privacy activists, human rights campaigners and former US security officials have expressed fears over the prospect of Donald Trump controlling the vast global US and UK surveillance network.

Privacy and human rights campaigners in the US and UK say a Trump presidency will tip the balance between surveillance and privacy decisively towards the former. The UK surveillance agency GCHQ is so tied up with America’s NSA, often doing work on its behalf, it could find itself facing a series of ethical dilemmas.

On the campaign trail, Trump made an ambiguous remark about wishing he had access to surveillance powers.

“I wish I had that power,” he said while talking about the hack of Democratic National Committee emails. “Man, that would be power.”

“I think many Americans are waking up to the fact we have created a presidency that is too powerful.”

John Napier Tye, a former state department official who became a reluctant whistleblower in 2014, warning of NSA dragnets, said: “Obama and Bush could have set the best possible privacy protections in place, but the trouble is, it’s all set by executive order, not statute.

“So Trump could revise the executive order as he pleases. And since it’s all done in secret, unless you have someone willing to break the law to tell you that it happened, it’s not clear the public will ever learn it did. Consider that even now, the American people still do not know how much data on US persons the NSA actually collects.”

Thomas Drake, an NSA whistleblower who predated Snowden, offered an equally bleak assessment. He said: “The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.”

One specific surveillance measure Trump proposed on the campaign trail was surveilling mosques and keeping a database of Muslims. “A grave concern we have is that his rhetoric is going to be perceived in some corners as a green light for unfettered surveillance activities. Our concern is not just about the NSA but also the FBI. The FBI doesn’t exactly have a great record over the last 15 years,” said Farhana Khera, the president and executive director of the US-based civil rights group Muslim Advocates.

The next flashpoint over the NSA’s powers will come late in 2017, when a major surveillance law permitting collection of Americans’ international communications, the legal basis for the NSA’s Prism programme, which siphons information from the technology giants, is set to expire.

According to documents released by Snowden, which are now years out of date given the pace of technological change, the NSA vacuums up 5bn records a day of cellphone locations alone. In April 2011, it was collecting an average of 194m text messages every day.

How to Remain Secure Against the NSA

Spies and Espionage

“How to Remain Secure Against the NSA” is from a recent newsletter by Bruce Schneier, a recognized authority on Internet security. I’ve been a fan of his for many years and have recommended him to others.

The following is a direct quote from a recent newsletter by Bruce. You may find it useful.

The primary way the NSA eavesdrops on Internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies — all the US and UK ones, and many other “partners” around the world — the NSA gets access to the communications trunks that move Internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

That’s an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. “Interesting” can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about Internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.

The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this are staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem — recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff — has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO — Tailored Access Operations — group. TAO has a menu of exploits it can serve up against your computer — whether you’re running Windows, Mac OS, Linux, iOS, or something else — and a variety of tricks to get them onto your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an Internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you’re running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

I believe this is true, despite today’s revelations and tantalizing hints of “groundbreaking cryptanalytic capabilities” made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

This essay originally appeared in the “Guardian.”
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

NSA links:
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html
http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
http://www.washingtonpost.com/business/technology/agreements-with-private-companies-protect-us-access-to-cables-data-for-surveillance/2013/07/06/aa5d017a-df77-11e2-b2d4-ea6d8f477a01_story.html
http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
http://www.theguardian.com/world/2013/jun/27/nsa-data-mining-authorised-obama
http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
http://www.foreignpolicy.com/articles/2013/06/10/inside_the_nsa_s_ultra_secret_china_hacking_group
http://www.informationweek.com/security/government/want-nsa-attention-use-encrypted-communi/240157089 or http://tinyurl.com/kdxaytf

Other NSA backdoors:
http://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html
http://www.heise.de/tp/artikel/2/2898/1.html
http://www.heise.de/tp/artikel/5/5263/1.html

Snowden’s interview:
http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower

Clapper’s comments:
http://www.wired.com/threatlevel/2013/08/black-budget/

Surveillance built in to the routers:
https://www.rfc-editor.org/rfc/rfc3924.txt

My tools:
http://www.gnupg.org/
https://silentcircle.com/
https://tails.boum.org/
http://www.cypherpunks.ca/otr/
http://www.truecrypt.org/
http://bleachbit.sourceforge.net/
https://www.schneier.com/passsafe.html

NSA ‘touches’ half the communication on the Net.

Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze?

For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So, by inference from the percentages, does that mean that the NSA is equal to 400 Googles?

Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.

Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data (pdf) for the US fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%.

HTTP – the web – accounts for only 11.8% of aggregated and download traffic in the US, Sandvine says. Communications – the part of the net the NSA really cares about – accounts for 2.9% in the US.

So, by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net. That’s one helluva lot of “touching”.

Keep in mind that, by one estimate, 68.8% of email is spam.

And, of course, metadata doesn’t add up to much data at all; it’s just a few bits per file – who sent what to whom – and that’s where the NSA finds much of its supposedly incriminating information. So, these numbers are meaningless when it comes to looking at how much the NSA knows about who’s talking to whom. With the NSA’s clearance to go three hops out from a suspect, it doesn’t take very long at all before this law of large numbers encompasses practically everyone.

Read the full article on The Guardian here.

New report shows NSA tool collects ‘nearly everything a user does on the internet’

XKeyscore map

XKeyscore is a top secret National Security Agency program which allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden and reported in The Guardian.

“I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email”.

US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden’s assertion: “He’s lying. It’s impossible for him to do what he was saying he could do.”

But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.

XKeyscore, the documents boast, is the NSA’s “widest reaching” system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata.

Analysts can also use XKeyscore and other NSA systems to obtain ongoing “real-time” interception of an individual’s internet activity.


Read the complete article on The Guardian web site here.