Tuesday, 1 July 2014

Android Car Coming In October, Volvo Says

Volvo, which joined the Open Automobile Alliance with other car makers from all over the world, says it will launch a smart car integrating Android’s smartphone platform.
“Android Auto brings features and services familiar to Android smartphone and tablet users directly into the car via Volvo Cars’ large center console touch screen display,” Volvo says in a press release.
The XC90 will have an Android-based user interface that can access Google applications including Google Search, Maps, Google Play Music and third-party apps such as Spotify. Phone-based applications can be controlled through voice commands, steering wheel controls or the car’s touchscreen.
Also, the Android content will run simultaneously with the car’s own system. Google’s voice control system plays an important role in user safety and is one reason for the decision to opt for Android, the company adds.
Smart appliances are no longer viewed as eccentric as they were a few years ago. Smart TVs and personal gadgets are in high demand right now. Read more about the security risks and vulnerabilities found in your home appliances.

Butler University data breach victims stretch back over 30 years

Some 163,000 people are receiving letters through the mail right now, and it’s not good news.
Butler University in Indianapolis has the unpleasant task of informing students, alumni, faculty, staff and even past applicants who never even attended the university, that their personal and financial information has been stolen by hackers.
The letter, signed by University president Jim Danko, offers some details of how it came to discover that it had been hacked and the nature of the stolen information:
On May 28, 2014, Butler University was contacted by Californian law enforcement and alerted to an identity theft investigation in which the suspect had in his possession a flash drive containing the personal information of certain Butler University employees. Upon learning of this, Butler University immediately notified the affected employees and launched an internal investigation. This investigation revealed that this personal information could have originated from unauthorized hacking into Butler University’s computer network between November 2013 and May 2014. Third-party computer forensic experts were retained by Butler University to confirm these findings and to identify the full extent of data potentially exposed as a result of this incident. While these investigations are ongoing, we have determined that files containing your name, date of birth, Social Security number, and bank account information were accessible to the hacker(s) during this time period.
The letter goes on to promise a year’s complimentary identity theft protection. But what people really wanted was for their information to be properly secured in the first place (or safely wiped when no longer required).
After all, what happens if the bad guys take over a year to exploit the information? Presumably Butler University’s fig leaf of 12 months’ protection isn’t going to be much help then.
The letter has confused some recipients, who suspected that it might be a scam.
Sadly, it isn’t.
According to the Indy Star, Butler spokesperson Marc Allan confirmed that even people who graduated as far back as 1983 could have had their information exposed by the security breach.
1983. Let that sink in for a moment.
That’s over 30 years ago. 1983 was when a young Matthew Broderick and Ally Sheedy hacked into military computers in the movie “WarGames” for heaven’s sake.
That’s a lifetime ago.
What are the chances that Butler University still has up-to-date addresses for all 163,000 people stretching back that many years?
Mind you, if they did have up-to-date contact information, would you have trusted them to keep it safe?

German Official: U.S. Spying ‘Biggest Strain’ in Relations Since Iraq War

As U.S. and German officials meet this week to discuss privacy and security in the cyber realm, a German official is calling recent revelations of NSA spying on his country the “biggest strain in bilateral relations with the U.S.” since the controversy surrounding the 2003 invasion of Iraq.
Actually, he said, it’s “bigger than Iraq.”
“Iraq was a disagreement of a foreign policy,” the official, who requested anonymity, told WIRED. “This is a disagreement of a relationship between two allies.”
The U.S. State Department did not respond to a request for comment.
Last year, the German news weekly Der Spiegel reported that the NSA had been eavesdropping on German Chancellor Angela Merkel’s mobile phone. The CIA and NSA reportedly maintained a listening station at the U.S. embassy in Berlin that they used to monitor German government communications.
The German government, outraged by the spying, has reportedly ended a contract with the U.S.-based telecom Verizon out of concern that the company might be cooperating with the NSA in its eavesdropping activities. The government has also sent lists of questions to the U.S. government inquiring about its surveillance against German citizens. But, according to Der Spiegel, although the NSA promised to send “relevant documents” in response—in an effort “to re-establish transparency between the two governments”—it failed to do so.
The spying scandal has come at a particularly delicate time, as the U.S. is faced with mobilizing support to address issues like the Russian invasion of Ukraine and the rise of the militant group ISIS in Iraq. But the German official says the scandal has caused some to call into question existing perceptions about the legitimacy of U.S. interests in such matters. “Even if governments agree with the U.S. position, it’s more difficult [for them] to defend that position to their electorates now,” he says.
The German official notes that not all European governments share a dim view of the U.S. in the aftermath of the revelations. Countries like Germany with a recent history of authoritarianism are more sensitive to the surveillance issue than those with a longer history of democracy, he says, because they have a greater wariness of state institutions and control.
“They distrust the state [in general] and they want to make sure that they control the state and not that the state controls them,” he says. “In all of Europe, with the exception of Belarus, you have solid democracies. But in some of those, you have relatively recent authoritarianism.”
Another European official told WIRED the spying is likely to affect international commerce, particularly trade agreements, going forward. European countries that have other issues with regard to trade negotiations with the United States likely will use the spying as leverage to gain an upper hand in those negotiations, he says.
“The Snowden revelations have a tremendous effect on how the U.S. is seen [in Europe],” he says. “It will be very difficult to disentangle [other issues from this] and will be harder to get consensus on trade.”
This aside, the meetings between U.S. and German officials this week were designed in part to address the strain between the two countries.
They met in open and closed-door meetings on Thursday and Friday to discuss a number of cyber issues. The open meeting included German Foreign Minister Frank-Walter Steinmeier, senior White House advisor John Podesta, as well as other members of government, industry, and academia. Its aim was to focus, in part, on establishing cooperation between the two countries with regard to securing critical infrastructure and addressing cyber crime. But the issue of U.S. spying loomed large over this and the closed-door proceedings.
The German official said the meetings were being viewed as an opportunity to establish understanding of the issues and, with regard to the spying scandal, “identify ways to move on” and attempt to repair the damage that’s been done by the surveillance.
The overall goal, he said, “is not to ruin what has been a beautiful friendship since 1947, but to try to fix this.”

Snarky Lawmaker Reminds Former NSA Chief That Selling State Secrets Is Illegal

Keith Alexander, former director of the NSA, during his retirement ceremony March 28.
Cybersecurity firms and snake-oil salesmen promising protection from online threats are ubiquitous these days, and it’s hard to stand out in such a crowded field—unless you’re the former leader of the world’s best hacking outfit. In that case, the promises you sell carry more weight—and a higher price tag.
Which may well explain why Gen. Keith Alexander, the former head of the NSA and U.S. Cyber Command, has launched the consulting firm IronNet Cybersecurity. It also may explain why a congressman has reminded the former spy that selling top secret info is a crime.
To capitalize on his recent departure from military intelligence—Alexander resigned in March following months of revelations by NSA whistleblower Edward Snowden—the general is offering his security expertise to the banking industry for the fire sale price of $600,000 per month after first asking for $1 million. There are threats everywhere, Alexander warns, and “It would be devastating if one of our major banks was hit, because they’re so interconnected.”
That may be, but Rep. Alan Grayson (D-Florida) is suspicious that Alexander has anything useful to offer at that price—unless, that is, he’s peddling national security secrets.
In letters sent Wednesday (.pdf) to the Securities Industry and Financial Markets Association, the Consumer Bankers Association, the Financial Services Roundtable and the Clearing House—all of which Alexander reportedly has approached about his services—Grayson made it clear to Alexander and those who might retain him that selling classified information is illegal.
“I am writing with concerns about the potential disclosure of classified information by former National Security Agency Director Keith Alexander,” Grayson wrote. “Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony.
“I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods,” Grayson continued. “Without the classified information he acquired in his former position, he literally would have nothing to offer to you.”
Grayson’s staff says the congressman has not yet received a response from Alexander or any of the organizations that received the letter.
“The Congressman is very interested in what they have to say,” said Matt Stoller, Grayson’s senior policy advisor, in an email to WIRED.
Alexander could not be reached for comment.

Top cyber security experts ‘can expect to earn $300,000 a year’

Hacking drives private-sector demand for experienced staff over young techies.
Top cyber security experts can earn up to $300,000 a year through a combination of technical expertise and business or managerial experience.
Most wanted are those in their 30s rather than their 20s.
"Contrary to initial impressions, the top tier is not necessarily composed of young geniuses so much as those who possess the right combination of technical talents and organizational experience, notably administrative, managerial, bureaucratic, and/or marketing smarts," reported research firm RAND.
RAND interviewed a number of companies and US Government security agencies as part of its report, with one firm indicating that cyber security experts could command $300,000 salaries.
Government organisations struggle to outbid private companies for the very best talent, with members of the top tier able to rapidly switch between jobs, demanding salary increases each time.
This seller's market is said to have been caused by a lag between increasing demand for cyber security workers and training programmes able to meet that demand, though this too is said to be changing.
The Computing Research Association (CRA) found that last year the number of computer degrees awarded in the US rose for the fourth year running to more than 15,000, up from 10,000 in 2009.
"The difficulty in finding qualified cyber security candidates is likely to solve itself, as the supply of cyber professionals currently in the educational pipeline increases, and the market reaches a stable, long-run equilibrium," RAND said. "This equilibrium may take some time to achieve."
However, the firm warned that as companies turn to "radically new technology" to defend themselves from hackers, this may in turn reduce the number of cyber security experts needed.

Maligno – Penetration Testing Tool that Serves Metasploit Payloads

Maligno is an open source penetration testing tool that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.
Changelog: Metasploit multi-host support, SOCKS4a server support (Metasploit), last resort redirection for invalid requests and hosts out of scope, automatic client code obfuscation, delayed client payload execution, automatic Metasploit resource file generation.
Features:
  • Encrypted communications: Maligno is a web server which communicates via HTTP or HTTPS with the clients. Communications are encrypted with AES and encoded with Base64 both for HTTP and HTTPS. Encryption and encoding parameters can be configured. Clients do NOT validate the server certificate by default.
  • On the fly shellcode generation – per session mode: Maligno will generate shellcode while starting up, and it will cache it for later use. Maligno will serve the cached shellcode to all clients that request it during the session. Maligno will maintain a cache for each configured Metasploit payload. The cache is removed when Maligno is shut down.
  • Multi-payload support: You may configure Maligno with several Metasploit payloads. Clients can request different payloads from the server. Payloads are referred to by an index, which is passed as a GET parameter; the name of that parameter can also be configured.
  • Multi-server support: Maligno can run on a single server together with Metasploit, or on separate machines. Clients will connect to Maligno, and Maligno will generate shellcode that points to a pre-configured Metasploit multi-handler.
  • SOCKS4a proxy support: Maligno helps you start a Metasploit auxiliary socks4a proxy, which can be used with payloads such as reverse_https_proxy. This allows you to send all your traffic through your Maligno server in a multi-server environment.
  • Scope definition: Maligno allows you to define single IP addresses or ranges. This will ensure that your shellcode is served only to machines involved in your pentest. You may also use a wildcard in order to accept ANY address.
  • Last resort redirection: Maligno will redirect hosts out of scope, or hosts sending invalid requests, to a configured URL.
  • Client code generator and pseudorandom obfuscator: Maligno comes with a script that will generate and obfuscate (pseudorandomly) client code ready for use, based on your server configuration.
  • Delayed client execution: Maligno clients use a basic random execution delay, which attempts to bypass AV-sandboxes.
  • Metasploit resource file generator: Maligno generates MSF resource files based on your configuration, which can be used with msfconsole right away.

Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains

Microsoft’s security research team began this operation under an order granted by a federal court in Nevada, and targeted traffic involving two malware families that abused No-IP services. The two Windows malware families, Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm), use No-IP accounts to communicate with their creators in 93 percent of detected infections, making them the most prevalent among the 245 pieces of malware currently exploiting No-IP domains.
In a blog post, Richard Domingues Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, said Microsoft pursued the seizure for No-IP’s role “in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.”
Over the past year, Microsoft’s security team has detected more than 7 million infections involving the Bladabindi and Jenxcus malware, which are used to take control of users’ computers, steal passwords, and turn on webcams and microphones.
Microsoft accused Kuwaiti national Naser Al Mutairi and Algerian national Mohamed Benabdellah of writing and distributing the Bladabindi and Jenxcus malware, respectively. Microsoft claims the developers have sold over 500 copies of the malicious software to crooks and cyber criminals, and promoted the No-IP service for use with the malware to help buyers cover their tracks.
In a civil case filed on June 19, Microsoft named two individuals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions of violating “federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”
Microsoft attorneys said No-IP is “functioning as a major hub for 245 different types of malware circulating on the Internet.”
The court
  • ns7.microsoftinternetsafety.net
  • ns8.microsoftinternetsafety.net
Microsoft claimed, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.” In an official statement, Vitalwerks counter-accused Microsoft of affecting millions of innocent users, who are currently experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.
“Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives,” said No-IP marketing manager Natalie Goguen.
“Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity,” Goguen said. “Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one.”
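The story above turns on malware using dynamic-DNS hostnames to reach its operators. The following is an added example, not code from Microsoft, No-IP or the malware authors: a small defender-side scanner that runs over DNS query logs and reports internal clients that resolve names under dynamic-DNS provider domains, flagging clients that resolve the same such name repeatedly (the beacon-like pattern a remote-access trojan produces). The log format and the log lines are constructed for this example, and the suffix watchlist is an assumption of mine (suffixes I understand No-IP to operate); confirm it against the provider's own domain list before relying on it.

```python
"""Report internal clients resolving hostnames under dynamic-DNS provider domains (added example)."""
from collections import defaultdict

# Assumed watchlist: dynamic-DNS suffixes as far as the author knows No-IP operates them.
# Treat this as an example list to be verified, not an authoritative one.
DDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org", "zapto.org")


def under_suffix(hostname, suffix):
    """True if hostname equals suffix or is a subdomain of it.

    Matching is done on label boundaries, so 'notno-ip.org' is NOT under 'no-ip.org'
    even though it ends with the same characters.
    """
    h = hostname.lower().rstrip(".")
    s = suffix.lower().rstrip(".")
    return h == s or h.endswith("." + s)


def matched_suffix(hostname, suffixes=DDNS_SUFFIXES):
    """Return the first watchlist suffix the hostname falls under, or None."""
    for s in suffixes:
        if under_suffix(hostname, s):
            return s
    return None


def parse_query(line):
    """Parse a constructed log line of the form '<iso-timestamp> <client-ip> <qtype> <qname>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line: skip rather than abort the scan
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def scan_dns_log(lines, suffixes=DDNS_SUFFIXES, repeat_threshold=3):
    """Group watchlist hits per client.

    For each client that resolved at least one watchlisted name, report the names
    seen and the subset resolved repeat_threshold times or more (repeated lookups
    of one dynamic-DNS name are what a periodic check-in looks like in DNS).
    """
    hits = defaultdict(lambda: defaultdict(int))  # client -> qname -> count
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        _ts, client, _qtype, qname = rec
        if matched_suffix(qname, suffixes):
            hits[client][qname] += 1
    return {
        client: {
            "hosts": sorted(names),
            "repeated": sorted(n for n, c in names.items() if c >= repeat_threshold),
        }
        for client, names in hits.items()
    }


# Constructed sample log: a normal client, a client checking in with one DDNS name
# every five minutes, a client with a one-off lookup, and one malformed line.
SAMPLE_DNS_LOG = [
    "2014-07-01T12:00:01Z 10.0.0.5 A www.example.com",
    "2014-07-01T12:00:07Z 10.0.0.5 A cdn.example.net",
    "2014-07-01T12:01:00Z 10.0.0.9 A updates-srv.no-ip.org",
    "2014-07-01T12:06:00Z 10.0.0.9 A updates-srv.no-ip.org",
    "2014-07-01T12:11:00Z 10.0.0.9 A updates-srv.no-ip.org",
    "2014-07-01T12:11:30Z 10.0.0.9 A mail.example.com",
    "2014-07-01T12:12:00Z 10.0.0.21 A myhome-cam.ddns.net",
    "2014-07-01T12:12:05Z 10.0.0.21 AAAA notno-ip.org",  # same tail, different domain: not a hit
    "garbage line",
]

if __name__ == "__main__":
    for client, info in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, info)
```

A hit on a dynamic-DNS name is not by itself evidence of compromise (home cameras and hobby servers use the same providers), which is why the report separates one-off lookups from repeated ones and leaves the thresholds and the watchlist configurable.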

Google wants more information from NSA transparency report

Google has asked for more PRISM information from the NSA
Google has welcomed the National Security Agency transparency report, but said it does not provide a full picture.
The report was released on Tumblr through the US director of national intelligence (DNI). It claims to include "as much information as possible".
An introductory note from the director of national intelligence (DNI) said: "In June 2013, President Obama directed the intelligence community to declassify and make public as much information as possible about certain sensitive US government surveillance programs while protecting sensitive classified intelligence and national security information.
"Today we are releasing information related to the use of these important tools, and will do so in the future on an annual basis."
The NSA released a similar report in August 2013, saying agents only touched 0.00004 percent of the world's web traffic. The latest information has been criticised as being vague because of the loose grouping of surveillance requests.
While transparency reports from firms such as Google count the individuals affected, the NSA report groups people together as one target. The report finds the NSA admitting to requesting access to a total of 89,138 ‘targets’, but that would need to be extrapolated for real accuracy.
The report covers national security letters and requests made under the US Foreign Intelligence Surveillance Act (FISA), which are the ones that service providers have fought to disclose. The report says that US authorities issued around 19,000 National Security Letters and around 40,000 requests for target information.
Richard Salgado, Google's director for law enforcement and information security, asked for more clarity in a blog post: "The government has chosen to disclose an estimated number of ‘targets’ that it has surveilled, rather than the number of ‘accounts’ at issue.
"In our methodology, and that used by other companies, we each would count the number of accounts impacted by a particular surveillance request. The government could provide more meaningful transparency by specifying the number of accounts too."
But Salgado said that despite his reservations it is a move in the right direction. "I'm excited to see how far this debate has come; a year ago almost no one would have imagined that the federal government would release data about its national security demands to companies," he added.
"These steps show that national security and transparency for the public are not in competition. We also hope that governments around the world will follow the lead of the US government and be more open about the national security demands they serve on service providers and put out comparable transparency reports. Congress and other governments around the world should build on these steps."

Spy-busting Silent Circle-powered Blackphone launches, sells out

Blackphone has sold out already
SGP Technologies has begun shipping its privacy-focused Blackphone, claiming the handset will protect users from intelligence agencies' and criminal groups' espionage campaigns.
The Blackphone is the first smartphone released by SGP Technologies and is a joint project between security firm Silent Circle and hardware company Geeksphone.
SGP announced the Blackphone in January but only unveiled the handset one month later at the Mobile World Congress (MWC) trade show.
It is aimed at individuals such as workers who regularly handle sensitive information. The Blackphone was listed as a key tool to help users protect themselves from government surveillance campaigns, such as the National Security Agency's (NSA's) PRISM.
PRISM is a mass-surveillance campaign that saw the NSA siphon vast amounts of web user data from numerous technology companies including Facebook, Microsoft, Google, Yahoo and Apple.
SGP Technologies chief executive Toby Weir-Jones said fresh privacy concerns following PRISM helped increase interest in the Blackphone. He confirmed that the handset is currently sold out and will not be on sale again until 14 July, with prices starting at $629.
"Blackphone's arrival puts mobile privacy directly in the hands of professionals and consumers everywhere," Weir-Jones said.

"In a world where devices and apps increasingly offer features only in return for users' personal or sensitive information, the pent-up demand for Blackphone shows there is strong, international demand for our brand's devices and services that stand apart by placing privacy before all else."
At the time of publishing SGP Technologies had not responded to V3's request for comment on exactly how many Blackphones it has sold since it began shipping, or whether the firm is able to meet pre-order demand.
The Blackphone runs a custom operating system, PrivatOS, a radically altered version of Android KitKat that integrates Silent Circle's Silent Text, Silent Phone, Silent Contacts and Silent Keys services directly into the platform.
The custom tools are designed to let users securely make and receive phone calls, exchange texts, transfer and store files and video chat, without fear that their activities are being monitored or recorded.
The tools work by setting up a secure line of communication between phones with the applications installed. The lines are encrypted using a self-generating and deleting encryption key that is never stored on the phone or by Silent Circle.
The technology does not work on communications between a Blackphone and regular phone without Silent Circle services.
Silent Circle has bundled the Blackphone with three complimentary one-year subscriptions to Silent Circle services that can be shared with friends, family or co-workers to help get round this.
As an added safety measure, the Blackphone comes bundled with the Kismet Smart WiFi Manager and two-year-long access to Disconnect VPN and SpiderOak encrypted storage.
The Blackphone also features top-end hardware and comes loaded with a powerful quad-core 2GHz Nvidia Tegra 4i processor, 2GB of RAM, 4.7in HD in-plane switching (IPS) display, an 8MP rear camera and 16GB of internal storage.

BlackEnergy spooks hacking government systems with bogus IT alerts

F-Secure researchers have uncovered a spear-phishing campaign targeting European governments
A fresh BlackEnergy hack campaign is believed to be targeting European governments with a wave of spear-phishing emails masquerading as IT alerts, researchers at F-Secure have warned.
The F-Secure researchers said they uncovered the fresh BlackEnergy campaign after seeing two new malware sample submissions from Ukraine and Belgium on VirusTotal.
F-Secure said the two samples were submitted within minutes of each other, indicating that they may be part of a wider campaign designed to target European government systems.
"Given the current situation in Ukraine, and that Belgium is the centre of the European Union government (and where Nato headquarters is located), we cannot discount the theory that they are related," F-Secure said in a blog post.
The BlackEnergy family of malware is believed to be the same malware used in the cyber attack against Georgia in 2008. The new malware uses a malicious decoy document to hide its activities from victims, and makes it easier for the hackers to mount follow-up attacks.
"We think the sample is possibly sent as attachment in spear-phishing emails pretending to be IT advisories warning people to avoid certain passwords. Take note that there is no software vulnerability or exploit involved. The decoy document is created and opened by the dropper programmatically," read the post.
"This is something similar to what we have seen before in what might be the first documented APT attempt in OS X. The malware did however exempt its host process (rundll32.exe) from Data Execution Prevention (DEP), which may open up an attack surface for future exploitation."
F-Secure security analyst Sean Sullivan told V3 that while the malware is fairly basic, the company did uncover evidence that it is being used by state-sponsored groups as well as basic criminals.
"It's a distributed denial of service (DDoS) bot, but like other bots the ‘platform’ is modular and is capable of more than what it's popularly used for. Its complexity rates with that of Zeus, not Stuxnet," Sullivan said.

"We're seeing hints of nation state usage, but that could be for the sake of plausible deniability. On the whole of it, BlackEnergy is considered to be crimeware and has been developed as such. But note: the nation state in which it is developed may have links between crime and government."
Earlier in June Kaspersky Lab researchers uncovered a cyber scam in which hackers were stealing €500,000 per week from customers of a "large European bank".

Nearly half of companies hit with DDoS attacks in the last year

Nearly half of companies have been hit with a Distributed Denial of Service (DDoS) attack in the past year.
According to a BT survey, four out of ten organisations (41 percent) globally suffered a DDoS attack over the past year, with more than three quarters of those (78 percent) targeted twice or more.
A DDoS attack attempts to overload a company system — such as a web server — by sending so many communications requests that legitimate traffic cannot get through. It's the digital equivalent of jamming a postbox full of leaflets so that real letters can't get through.
The 'distributed' refers to the army of PCs — acting without their owners' knowledge, usually thanks to a virus infection — that are used to deliver the attacks. Banks, retailers and online gambling companies are among the most commonly targeted firms — organisations that face significant loss of business if their websites cannot respond to customers.
Sometimes a DDoS attack is just cover for a bigger crime. For example, it was recently revealed that organised crime groups can use a DDoS attack against a bank to divert the attention of the bank's security team while the criminals plunder accounts using stolen credentials.
According to the BT-commissioned research, which covered 11 countries, DDoS attacks are seen as a key concern by a third of UK organisations (36 percent), although they seem to worry less than their international rivals: globally, almost twice as many organisations (58 percent) named DDoS as a key concern.
Perhaps that's because about half of UK organisations (49 percent) have a response plan in place, even though just one in 10 UK decision makers interviewed said they strongly believed they have sufficient resources in place to counteract an attack.
Respondents said that customer complaints and queries jumped by an average of 36 percent following an attack. On average, organisations take 12 hours to fully recover from an especially powerful attack, while in the UK more than half of IT decision makers (58 percent) said DDoS attacks had brought down their systems for more than six hours.
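The survey above treats a DDoS attack as a flood of requests that crowds out legitimate traffic. As an added example that is not part of the BT research or this article, here is the first check a web-operations team tends to write for that situation: a sliding-window counter over a time-ordered access log that separates the single loud source (one client sending far more than anyone else) from the distributed case, where no one source stands out but the site-wide rate still crosses a limit. The log lines are constructed inside the block, and the 10-second window and the two thresholds are assumed values for illustration, to be tuned to a site's normal traffic.

```python
"""Flag request floods in a web-server access log (added example, not from the survey).

Log lines are constructed below; window length and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/Combined Log Format prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_floods(lines, window_seconds=10, per_ip_threshold=50, total_threshold=200):
    """Sliding-window request counting over a time-ordered log.

    'sources' lists client IPs that sent more than per_ip_threshold requests inside
    any window_seconds interval (one noisy client). 'global' lists the times at which
    the site-wide count in the window first exceeded total_threshold, which catches
    the distributed case where no single source is loud enough to stand out.
    """
    per_ip = defaultdict(deque)
    all_ts = deque()
    flagged_sources = set()
    global_alerts = []
    in_alert = False

    def trim(q, now):
        # drop timestamps that have fallen out of the window ending at 'now'
        while (now - q[0]).total_seconds() > window_seconds:
            q.popleft()

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, _req, _status = parsed
        q = per_ip[ip]
        q.append(ts)
        trim(q, ts)
        if len(q) > per_ip_threshold:
            flagged_sources.add(ip)
        all_ts.append(ts)
        trim(all_ts, ts)
        if len(all_ts) > total_threshold:
            if not in_alert:  # record the crossing once, not on every request
                global_alerts.append(ts)
                in_alert = True
        else:
            in_alert = False
    return {"sources": sorted(flagged_sources), "global": global_alerts}


def build_sample_log():
    """Constructed access log: 5 normal clients, 1 single-source flood, 250 one-shot sources."""
    base = datetime(2014, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):  # normal clients: one request every 15 s
        for sec in (0, 15, 30, 45):
            events.append((base + timedelta(seconds=sec), f"198.51.100.{10 + i}"))
    for n in range(60):  # one client sending 10 requests a second for 6 s
        events.append((base + timedelta(seconds=20 + n // 10), "203.0.113.77"))
    for i in range(1, 251):  # 250 distinct sources, one request each, within 5 s
        events.append((base + timedelta(seconds=40 + i % 5), f"192.0.2.{i}"))
    events.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET / HTTP/1.1" 200 512'
        for ts, ip in events
    ]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print(find_floods(SAMPLE_LOG))
```

On the constructed log the per-source check names only 203.0.113.77, while the 250 one-request sources never trip it and are caught solely by the site-wide counter; that second path is the one that matters for the distributed attacks the article describes, and it is also the one that needs a sensible baseline, since a flash crowd crosses the same threshold.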

FBI, CIA Join NSA In “Backdoor” Searches On Americans

Thousands of Americans were targets of so-called “backdoor” warrantless surveillance by the NSA and other intelligence agencies last year, according to a letter sent to Senator Ron Wyden.
The missive, written by the Office of the Director of National Intelligence (ODNI) to the Senator in response to a question posed earlier this month, is plainspoken. The Office also stated that the searches in question are not based on an exploited legal “loophole.”
The House recently voted to curtail such searches by defunding them.
Section 702 of the Foreign Intelligence Surveillance Act allows the government to collect information on foreign targets that are, to use its own language, “reasonably believed to be outside of the U.S. at the time of collection.” It can’t target United States persons by law, and it isn’t allowed to reverse-target — picking a foreign target with the hopes of picking up the communications of someone thought to be in the United States.
The information collected under Section 702 authority may include the communications of Americans picked up in the process of collecting data on foreign targets. The stored information can then be queried by the NSA, and its intelligence brethren, using search terms to find the communications of Americans. Hence the term “backdoor.”
How many Americans are caught up in the mix? According to the letter, the NSA used such queries to search the communications content of 198 U.S. persons in 2013. It also made around 9,500 metadata queries for the communications of U.S. persons in the period. The number of people impacted by the metadata searches isn’t clear.
The CIA made 1,900 queries of Section 702-sourced information “using specific U.S. person identifiers” in 2013.
Ominously, the FBI also has access to some of the pooled data, but doesn’t count how often it queries that data using U.S. person identifiers.
Senator Wyden isn’t pleased with the data. In a statement, he indicated that “[w]hen the FBI says it conducts a substantial number of searches and it has no idea of what the number is, it shows how flawed this system is and the consequences of inadequate oversight.”
Scale is also something to keep in mind. The ODNI states in its letter that “collection under Section 702 is not bulk collection, but is targeted collection based on specific identifiers.” Senator Wyden disagrees (Emphasis: TechCrunch):
While intelligence officials have often argued that it is impossible to estimate how many Americans’ communications are getting swept up by the government under Section 702, the Foreign Intelligence Surveillance Court has noted that the NSA acquires more than two hundred and fifty million Internet communications every year using Section 702, so even if US communications make up a small fraction of that total, the number of U.S. communications being collected is potentially quite large.
In short, using a law named the Foreign Intelligence Surveillance Act, the NSA and the CIA and the FBI are able to search and read the content of the communications of Americans. Brilliant.

Google to be sued over 'snooping'

The US Supreme Court has rejected Google's appeal to dismiss legal action accusing it of breaking privacy laws.
In 2010 Google admitted accidentally collecting personal data from unencrypted wi-fi networks while building its Street View program.
Its cars collected emails, usernames and passwords between 2008 and 2010.
According to USA Today, Google has been the subject of nearly a dozen civil actions. And those suing the search giant are now "pressing forward".
"In 2011, those lawsuits were combined in one class action in federal court in San Francisco," it said.
Google is accused of breaking the US Wiretap Act, which "regulates the collection of the content of wire and electronic communications" and restricts unauthorised interception.
The BBC understands Google argued the information collected fell under an "accessible to the public exception" clause, which permits the interception of electronic communication if it is readily accessible to the general public.
In an official blog post, the company said: "We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it."
Google has already agreed to pay $7m (£4.1m) to settle an investigation into the matter, "involving 38 US states and the District of Columbia", according to a report from Reuters news agency.