Wednesday, 2 April 2014

Obama presents plans to end bulk telephone metadata collection

US president Barack Obama has formally announced plans to stop intelligence agencies collecting customer metadata from companies in bulk, as he looks to restore credibility to the government after the Snowden disclosures.
The White House issued a statement detailing key changes to the country's telephone metadata programme. Under the reforms, in the absence of an "emergency situation" an intelligence agency will have to obtain an order from the US Foreign Intelligence Surveillance Court (FISC) before it can query the records associated with a specific telephone number.
The data will also now be stored with the phone companies involved, not the agency. The companies will, however, be required to provide "technical assistance to ensure that the records can be queried and that results are transmitted to the government in a usable format and in a timely manner".
The proposed changes still need to be approved by US Congress and will require new legislation to be fully implemented. This means the existing intelligence program will continue for at least 90 more days.
The White House said it hoped the move would help restore trust in the US government.
"The president made clear that he was ordering this transition to give the public greater confidence that their privacy is appropriately protected, while maintaining the tools our intelligence and law enforcement agencies need to keep us safe."
US president Barack Obama promised to review the National Security Agency's (NSA) surveillance powers in a speech in January. The reforms are aimed at the NSA's bulk collection of Americans' telephone records, rather than the separate PRISM programme that gathers data from internet companies.
Both programmes came to light in June 2013 when former NSA contractor Edward Snowden leaked documents to the press showing that the NSA was collecting vast amounts of metadata from telephone carriers and obtaining customer data from numerous technology companies. Later documents showed the NSA gathering as many as five billion records of mobile phone locations every day from users around the world.
The huge amounts of data being collected caused suspicion towards American industry and led the European Commission to consider sweeping reforms designed to protect businesses operating in the region from US intelligence agencies. European Union (EU) justice commissioner Viviane Reding called for new legislation to offer consumers more control over how and where companies store their personal data earlier in March.

Hackers hit Microsoft Word and Excel users with evolved Tor malware

Hackers are targeting Word and Excel users with a sophisticated new data-siphoning malware that hides its movements using the Tor network, according to security firm Trend Micro.
Trend Micro threat response engineer Alvin John Nieto reported the campaign in a blog post. "Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family Crigent (also known as ‘Power Worm'), which brings several new techniques to the table," he said.
"This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware, or downloaded or accessed by users. When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy."
In the first stage of the attack, the malware runs a Windows PowerShell script to gather information about the victim system: its IP address, location, user account privileges, OS version, architecture and language, as well as which Microsoft Office applications and versions are installed.
PowerShell is a scripting and automation tool that is available for all current versions of Windows and built into Windows 7 and Windows 8. A Trend Micro spokesperson told V3 the use of PowerShell is atypical and suggests the attack is the first stage in a wider campaign.
"This attack appears primarily to be an analytical attack: one intended to gather information, likely for use in current or future attacks. The specific information it seeks to gather is Microsoft Office applications and versions. The attack is atypical in its use of the PowerShell scripting language: this isn't commonly used," they said.
They added that the attack's use of Tor and the Polipo proxy is dangerous because it hides the campaign's movements online.
"In this case the malware uses the Tor network to have infected systems contact the command and control (C&C) server for further instructions, specifically to transmit gathered information for central collection," said the spokesperson.
"Tor is used in a variety of ways by cyber criminals for its anonymising capabilities. In addition to this malware using Tor to obfuscate and make taking down the C&C server more difficult."
The spokesperson said concerned IT managers should protect themselves by "running a mature security suite like OfficeScan or Worry-Free Business Security and keeping them up to date."
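The chain Trend Micro describes leaves telltale marks in endpoint telemetry: an Office process starting a script host, PowerShell launched with window-hiding and execution-policy switches, Tor and Polipo binaries running from a user profile directory, and a script host sending traffic into the local proxy hop. The script below is an added example and not Trend Micro's code; it applies those four checks to constructed, Sysmon-style process-creation and network-connection records and then reports hosts on which both ends of the chain fired. The event field names, the file paths and the local proxy ports (Tor's SOCKS port 9050, Polipo's 8123) are assumptions taken from the tools' defaults, not from the malware.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ANON_TOOLS = {"tor.exe", "polipo.exe"}
# Assumed default listening ports: Tor SOCKS 9050 (9150 for Tor Browser), Polipo 8123.
LOCAL_PROXY_PORTS = {9050, 9150, 8123}
LOCAL_ADDRS = {"127.0.0.1", "::1"}
EVASIVE_PS_FLAGS = re.compile(
    r"-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|w(?:indowstyle)?\s+hidden|enc|encodedcommand)\b",
    re.I)
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|windows\\temp|programdata)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Apply the four rules to a list of event dicts; return (rule, host, detail) alerts."""
    alerts = []
    for ev in events:
        host, image = ev["host"], basename(ev["image"])
        if ev["type"] == "process_create":
            parent, cmd = basename(ev.get("parent", "")), ev.get("cmdline", "")
            # 1. Office document spawning a script host (macro or exploit launching the stager)
            if parent in OFFICE_APPS and image in SHELLS:
                alerts.append(("office_spawns_shell", host, f"{parent} -> {image}"))
            # 2. PowerShell started with profile/policy/window evasion switches
            if image == "powershell.exe" and EVASIVE_PS_FLAGS.search(cmd):
                alerts.append(("powershell_evasive_flags", host, cmd))
            # 3. Tor or Polipo binaries running from a user-writable directory
            if image in ANON_TOOLS and USER_WRITABLE.search(ev["image"]):
                alerts.append(("anon_proxy_from_user_dir", host, ev["image"]))
        elif ev["type"] == "net_connect":
            # 4. A process other than Tor/Polipo themselves sending traffic into the local hop
            if ev["dst"] in LOCAL_ADDRS and ev["port"] in LOCAL_PROXY_PORTS and image not in ANON_TOOLS:
                alerts.append(("proxy_via_local_anonymizer", host, f"{image} -> {ev['dst']}:{ev['port']}"))
    return alerts


def hosts_matching_chain(alerts):
    """Hosts where both ends of the chain fired: Office -> shell, and shell -> local anonymizer."""
    by_host = {}
    for rule, host, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    needed = {"office_spawns_shell", "proxy_via_local_anonymizer"}
    return sorted(h for h, rules in by_host.items() if needed <= rules)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
# Constructed sample events (not real telemetry): WS-01 shows the chain, WS-02 is benign Office use.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01", "parent": WORD, "image": PS,
     "cmdline": f'powershell.exe -nop -w hidden -ep bypass -f "{TMP}\\stage1.ps1"'},
    {"type": "process_create", "host": "WS-01", "parent": PS, "image": TMP + r"\tor.exe", "cmdline": "tor.exe"},
    {"type": "process_create", "host": "WS-01", "parent": PS, "image": TMP + r"\polipo.exe",
     "cmdline": "polipo.exe socksParentProxy=localhost:9050"},
    {"type": "net_connect", "host": "WS-01", "image": TMP + r"\polipo.exe", "dst": "127.0.0.1", "port": 9050},
    {"type": "net_connect", "host": "WS-01", "image": PS, "dst": "127.0.0.1", "port": 8123},
    {"type": "process_create", "host": "WS-02", "parent": r"C:\Windows\explorer.exe", "image": WORD,
     "cmdline": "WINWORD.EXE /n report.docx"},
    {"type": "process_create", "host": "WS-02", "parent": WORD, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
    {"type": "net_connect", "host": "WS-02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "142.250.74.78", "port": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("hosts with full chain:", hosts_matching_chain(scan(SAMPLE_EVENTS)))
```

Run on its own it prints the alerts for the sample; in practice the events would come from the EDR or Sysmon pipeline. The chain rule requires both the Office launch and the local proxy connection before naming a host, which keeps a lone Tor Browser user or an administrator's hidden PowerShell session from being reported as an infection on its own.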
Attacks using the Tor network are a growing problem facing the security community. Researchers from Kaspersky Lab reported uncovering evidence that criminals plan to release a new wave of advanced cyber attacks using the Tor network earlier in March.

Turkish ISPs are spying on Google customers

Turkish internet service providers (ISP) have attempted to intercept web user data passing through Google's domain name system (DNS) servers.
Google software engineer Steven Carstensen said in a public blog post that the company has received several credible reports of the ISPs' attempts to collect web user data.
"We have received several credible reports and confirmed with our own research that Google's DNS service has been intercepted by most Turkish ISPs," read the post. "Turkish ISPs have set up servers that masquerade as Google's DNS service."
F-Secure security analyst Sean Sullivan told V3 the focus on DNS servers is troubling as it could be used by intelligence agencies to collect data from across the globe.
"Logging DNS queries is an incredibly invasive thing to do," he said. "Monitoring and logging DNS gives the listener a history of every website or service that your computer and/or phone has ever interacted with."
The news comes just after Google rolled out a number of security upgrades designed to protect its customers' data.
Google adjusted its systems earlier in March to ensure Gmail messages go through an encrypted hypertext transfer protocol secure (HTTPS) connection. Google also began encrypting its customers' search data using the secure sockets layer (SSL) protocol.
Sullivan questioned the effectiveness of the new security features, pointing out that even with them the ISPs could still siphon some useful data.
"Your connection to sites and services might be encrypted, but it will be known that you used those sites. I believe it has been very well argued since June of last year just how much metadata can reveal about our lives," he said.
"Ideally, you don't want your DNS provider to log IPs any more than it needs in order to provide a stable service."
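One way to test for the kind of interception Google describes, as an added example that is not Google's, F-Secure's or V3's code: Google's authoritative servers answer a TXT query for o-o.myaddr.l.google.com with the address of the resolver that forwarded the question to them, so a client that sends that query to 8.8.8.8 should see a Google resolver address come back, while an ISP server masquerading as 8.8.8.8 forwards the question from its own address instead. The script builds the query in DNS wire format, parses the reply and classifies it. The Google address ranges it carries are an assumed, partial sample for illustration (the full list is published by Google), and the response packet used for the offline check is constructed.

```python
import ipaddress
import secrets
import socket
import struct

PROBE_NAME = "o-o.myaddr.l.google.com"   # answered by Google with the asking resolver's IP
QTYPE_TXT, QCLASS_IN = 16, 1

# Assumed, partial sample of Google resolver ranges used only for illustration;
# the authoritative list is published by Google Public DNS.
GOOGLE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in
                        ("74.125.0.0/16", "172.217.0.0/16", "173.194.0.0/16", "2001:4860::/32")]


def encode_name(name):
    """Dotted hostname -> DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name=PROBE_NAME, txid=None):
    """Standard recursive TXT query; returns (transaction id, packet)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def build_txt_response(txid, txts, name=PROBE_NAME, ttl=60):
    """Constructed reply in the shape a resolver sends back (offline sample only)."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    rdata = b"".join(bytes([len(t)]) + t.encode("ascii") for t in txts)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def skip_name(data, pos):
    """Offset just past a (possibly compression-pointer) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_txt_answers(data, expected_txid):
    """TXT strings from the answer section; raises on wrong id or error RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4       # qtype + qclass
    txts = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata, pos = data[pos:pos + rdlen], pos + rdlen
        if rtype != QTYPE_TXT:
            continue
        i = 0
        while i < len(rdata):                # <len><chars> character-strings
            txts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return txts


def classify(txts, google_nets=GOOGLE_RESOLVER_NETS):
    """'google' if the reporting resolver is Google's, 'intercepted' if not,
    'unknown' if no address came back (e.g. the imposter forged the answer)."""
    for txt in txts:
        try:                                  # skip 'edns0-client-subnet ...' strings
            addr = ipaddress.ip_address(txt.split()[0])
        except (ValueError, IndexError):
            continue
        return "google" if any(addr in net for net in google_nets) else "intercepted"
    return "unknown"


def probe(server="8.8.8.8", timeout=3.0):
    """Live check over UDP/53 (needs network): send the probe and classify the reply."""
    txid, packet = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return classify(parse_txt_answers(reply, txid))


if __name__ == "__main__":
    print(probe())
```

An imposter that forwards to Google shows up as "intercepted" because its own address is reported back. One that answers from its own cache, or forges the answer, yields no usable address (reported as "unknown") or an error code (raised as an exception); neither should be read as a clean result. Only a Google address in the reply indicates the query reached Google unmolested.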
The ISP monitoring is the latest development in a spate of internet crackdowns in Turkey. Reports broke that the Turkish government attempted to block access to Twitter earlier in March.
The Turkish government is one of many known to have attempted to spy on web users by monitoring technology companies' systems. The US National Security Agency (NSA) gathered vast amounts of customer data from technology companies such as Google through its PRISM programme.

Microsoft will not access content of private email accounts any more

Microsoft has decided it will no longer access the emails of Hotmail users it suspects of foul deeds, announcing that from now on it will leave this activity to law enforcement officials.
The move comes a week after the firm reported the arrest of former employee Alex Kibkalo, who was apprehended after Microsoft's Trustworthy Computing investigations unit accessed, without a warrant, the Hotmail account of a blogger based in France to prove that Kibkalo had sent him proprietary code.
The news drew widespread criticism of Microsoft for relying on its position as service provider, rather than any legal process, to monitor and read the content of private emails that happened to be sent via its email system.
In the wake of the backlash, general counsel and executive vice president for Legal and Corporate Affairs at Microsoft Brad Smith revealed that the firm would be swiftly changing its ways.
"Last Thursday, news coverage focused on a case in 2012 in which our investigators accessed the Hotmail content of a user who was trafficking in stolen Microsoft source code," he noted in a blog post. "Over the past week, we've had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices."
Smith said that from now on Microsoft will pass any information relating to suspected theft of intellectual property or physical property to law enforcement officials, who will decide whether further action is required, rather than inspecting customers' private content itself. The change will also be written into Microsoft's terms of service, making it binding.
Smith cited Edward Snowden’s exposure of PRISM, and Microsoft’s discomfort with the NSA monitoring its customers’ data as another reason for the firm taking this step. "We've advocated that governments should rely on formal legal processes and the rule of law for surveillance activities," he noted.
"While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures."
Smith’s approach to email privacy is an about-turn from that outlined by his deputy general counsel John Frank last week. He wrote in a blog post: “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content. 
“In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.”
Microsoft has also instigated a joint privacy project with the Center for Democracy & Technology and the Electronic Frontier Foundation, aimed at identifying potential best practices.

Chinese CERT accuses US of carrying out 3.6 million cyber attacks on its systems

The Chinese Computer Emergency Response Team (CNCERT) has reported linking 30.2 percent of cyber attacks on its networks in 2013 to US sources.

CNCERT reported the trend in its latest annual threat white paper, which says that 10.9 million Chinese PCs were infected and controlled from outside the Great Firewall last year. Of these attacks, 30.2 per cent stemmed from US sources, a figure the report puts at about 3.6 million attacks on Chinese systems.

The Great Firewall is a Chinese government surveillance and censorship program designed to monitor and control what sites its citizens view.

CNCERT said the US hackers' increased interest in China contributed to a 50 percent increase in backdoor attacks on its systems over the past year. Specifically, CNCERT reported 15,000 'hosts' had fallen victim to an unspecified APT Trojan and that 61,000 sites were targeted with backdoor attacks stemming from overseas sources.

CNCERT's report is the latest in a long line of accusations traded between the US and Chinese governments. The US government has mounted a steady stream of accusations that the Chinese government sponsors cyber attacks on American systems, and in March 2013 White House national security adviser Tom Donilon warned China to stop cyber attacks on US businesses.
The US government has since been accused of hypocrisy after whistleblower Edward Snowden leaked documents to the press describing the National Security Agency's (NSA) surveillance programmes, including PRISM, and its intelligence operations against foreign governments.
Outside of state-sponsored hacking, CNCERT's report highlighted a massive growth in the number of malware families targeting Google's Android operating system. CNCERT said it collected 703,000 new mobile malware samples over the year, 99.5 percent of which were designed to target Android. The figure is a 3.3-fold increase on the mobile malware levels CNCERT reported for 2012.
CNCERT is one of many institutions to report detecting a marked increase in Android attack levels. Telecoms giant Cisco said Google's Android mobile operating system (OS) is the target of 99 percent of the world's mobile malware earlier in January. Finnish security firm F-Secure reported 97 percent of all mobile malware it found in 2013 was designed to target Android users in its own threat report mere weeks later.

Anti-hacker CERT-UK opens for business

The UK's Computer Emergency Response Team (CERT-UK) has opened for business, marking the latest step in the government's ongoing effort to bolster the nation's cyber defences.
Minister for the Cabinet Office Francis Maude opened the CERT-UK at a private press event, promising it will aid both the public and private sectors' cyber defence efforts in a variety of ways.
"At the sharp end, the CERT will take the lead in co-ordinating the management of national cyber-security incidents. One area where it will play a particularly important role is in providing support to our Critical National Infrastructure companies," he said.
"CERT-UK will provide an authoritative voice to those agencies and organisations that are helping the UK to become more resilient and to prosper in the internet age. It will also share information with companies to promote situational awareness and effective mitigation of threats."
Maude added that the cyber-defence team has a proactive international role and will work closely with foreign CERT teams to help spot and share information about emerging threats.
"CERT-UK will be the single point of contact for our international partners for CERT-to-CERT engagement, an increasingly important area of dialogue. It will manage incidents that cross national borders and it will share information that promotes situational awareness and effective mitigation of threats," he said.
Maude said the UK's existing Cyber Security Information Sharing Partnership (CISP) will be integrated into CERT-UK. CISP is an opt-in initiative designed to facilitate and promote information-sharing between the public and private sector. It was originally launched in March 2013 with around 100 participating companies. Maude said since launching, the number of companies participating in the CISP programme has skyrocketed.
"We started with fewer than 100 individual members, but there are now over 1,000, and over 350 businesses and organisations have registered," he said.
Despite Maude's upbeat assessment, the security industry has been more critical of the CISP initiative. Experts from the International Information Systems Security Certification Consortium (ISC2) and FireEye said at the RSA conference in October 2013 that, despite positive work, CISP is failing to support small to medium-sized businesses (SMBs).
The UK government also launched a new SMB-focused Cyber Assist programme alongside CERT-UK to help address the problem. The Cyber Assist programme will be managed by Nominet and will offer guidance regarding cyber strategy and attack-mitigation specific to SMBs.
Maude said the initiatives are an essential step in the government's ongoing cyber strategy, warning that more than 90 percent of large corporations fell victim to hackers over the past year, despite the government's efforts.
"93 percent of large corporations had a breach over the past financial year. The average cost of each one is somewhere between £450,000 and £850,000, although we know of one London-based company which lost £800m worth of revenue because of an attack," he said.
The CERT-UK launch has been welcomed by the technology industry. Martin Sutherland, managing director of BAE Systems Applied Intelligence, said he expects CERT-UK to play a vital role in combating cyber threats.

"It's only by working together that we will rise to the challenge the cyber threat presents and the establishment of CERT-UK is a positive step forward, which emphasises the importance of effective incident-response and information-sharing to protect vital UK assets. CERT-UK will also be valuable in increasing international collaboration on cyber incidents," he said.

CERT-UK's opening comes during a tense period within the cyber security space. The tensions began in June 2013 when whistleblower Edward Snowden leaked documents to the press describing the National Security Agency's (NSA) surveillance programmes, including PRISM, and its intelligence operations against numerous foreign governments.
The revelations led to a dissolution of trust within the international community. The Chinese CERT team issued a recent report claiming that almost a third of cyber attacks targeting the country originated from the US.

NSA performed warrantless searches on Americans' calls and emails – Clapper

US intelligence chiefs have confirmed that the National Security Agency has used a "back door" in surveillance law to perform warrantless searches on Americans’ communications.
The NSA's collection programs are ostensibly targeted at foreigners, but in August the Guardian revealed a secret rule change allowing NSA analysts to search for Americans' details within the databases.
Now, in a letter to Senator Ron Wyden, an Oregon Democrat on the intelligence committee, the director of national intelligence, James Clapper, has confirmed for the first time the use of this legal authority to search for data related to “US persons”.
“There have been queries, using US person identifiers, of communications lawfully acquired to obtain foreign intelligence targeting non-US persons reasonably believed to be located outside the United States,” Clapper wrote in the letter, which has been obtained by the Guardian.
“These queries were performed pursuant to minimization procedures approved by the Fisa court and consistent with the statute and the fourth amendment.”
The legal authority to perform the searches, revealed in top-secret NSA documents provided to the Guardian by Edward Snowden, was denounced by Wyden as a “backdoor search loophole.”
Many of the NSA's most controversial programs collect information under the law affected by the so-called loophole. These include Prism, which allows the agency to collect data from Google, Apple, Facebook, Yahoo and other tech companies, and the agency's Upstream program – a huge network of internet cable taps.
Clapper did not disclose how many warrantless searches had been performed by the NSA.
Confirmation that the NSA has searched for Americans’ communications in its phone call and email databases complicates President Barack Obama’s initial defenses of the broad surveillance in June.
“When it comes to telephone calls, nobody is listening to your telephone calls. That’s not what this program’s about,” Obama said. “As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content.”
Obama was referring specifically to the bulk collection of US phone records, but his answer misleadingly suggested that the NSA could not examine Americans’ phone calls and emails.
At a recent hearing of the Privacy and Civil Liberties Oversight Board, administration lawyers defended their latitude to perform such searches. The board is scheduled to deliver a report on the legal authority under which the communications are collected, Section 702 of the Foreign Intelligence Surveillance Act (Fisa), passed in 2008.
Wyden and Colorado Democrat Mark Udall failed in 2012 to persuade their fellow Senate intelligence committee members to prevent such warrantless searches during the re-authorisation of the 2008 Fisa Amendments Act, which wrote Section 702 into law.
Dianne Feinstein, the California Democrat who chairs the committee, defended the practice, and argued that it did not violate the act’s “reverse targeting” prohibition on using NSA’s vast powers to collect content on Americans.
“With respect to analysing the information lawfully collected under Section 702, however, the intelligence community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession,” Feinstein said in June 2012.
“The Department of Justice and the intelligence community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures, and do not provide a means to circumvent the general requirement to obtain a court order before targeting a US person under Fisa.”
Clapper referred to that debate in his letter to Wyden, which came in response to the senator’s request in January for a public answer on whether the NSA had in fact conducted such searches.
“As you know, when Congress reauthorized Section 702, the proposal to restrict such queries was specifically raised and ultimately not adopted,” Clapper wrote.
Much of the NSA's bulk data collection is covered by section 702 of the Fisa Amendments Act. This allows for the collection of communications – content and metadata alike – without individual warrants, so long as there is a reasonable belief the communications are both foreign and overseas.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as "incidental collection".

Initially, NSA rules on such data prevented the databases being searched for any details relating to "US persons" – that is, citizens or residents of the US. However, in October 2011 the Fisa court approved new procedures which allowed the agency to search for US person data, a revelation contained in documents revealed by Snowden.

The ruling appears to give the agency free access to search for information relating to US people within its vast databases, though not to specifically collect information against US citizens in the first place. However, until the DNI's disclosure to Wyden, it was not clear whether the NSA had ever actually used these powers.
On Tuesday, Wyden and Udall said the NSA’s warrantless searches of Americans’ emails and phone calls “should be concerning to all.”
“This is unacceptable. It raises serious constitutional questions, and poses a real threat to the privacy rights of law-abiding Americans. If a government agency thinks that a particular American is engaged in terrorism or espionage, the fourth amendment requires that the government secure a warrant or emergency authorisation before monitoring his or her communications. This fact should be beyond dispute,” the two senators said in a joint statement.
They continued: “Today’s admission by the Director of National Intelligence is further proof that meaningful surveillance reform must include closing the back-door searches loophole and requiring the intelligence community to show probable cause before deliberately searching through data collected under section 702 to find the communications of individual Americans."

CIA misled on interrogation program, Senate report says

A report by the Senate Intelligence Committee concludes that the CIA misled the government and the public about aspects of its brutal interrogation program for years — concealing details about the severity of its methods, overstating the significance of plots and prisoners, and taking credit for critical pieces of intelligence that detainees had in fact surrendered before they were subjected to harsh techniques.
The report, built around detailed chronologies of dozens of CIA detainees, documents a long-standing pattern of unsubstantiated claims as agency officials sought permission to use — and later tried to defend — excruciating interrogation methods that yielded little, if any, significant intelligence, according to U.S. officials who have reviewed the document.
“The CIA described [its program] repeatedly both to the Department of Justice and eventually to Congress as getting unique, otherwise unobtainable intelligence that helped disrupt terrorist plots and save thousands of lives,” said one U.S. official briefed on the report. “Was that actually true? The answer is no.”
Current and former U.S. officials who described the report spoke on the condition of anonymity because of the sensitivity of the issue and because the document remains classified. The 6,300-page report includes what officials described as damning new disclosures about a sprawling network of secret detention facilities, or “black sites,” that was dismantled by President Obama in 2009.
Classified files reviewed by committee investigators reveal internal divisions over the interrogation program, officials said, including one case in which CIA employees left the agency’s secret prison in Thailand after becoming disturbed by the brutal measures being employed there. The report also cites cases in which officials at CIA headquarters demanded the continued use of harsh interrogation techniques even after analysts were convinced that prisoners had no more information to give.
The report describes previously undisclosed cases of abuse, including the alleged repeated dunking of a terrorism suspect in tanks of ice water at a detention site in Afghanistan — a method that bore similarities to waterboarding but never appeared on any Justice Department-approved list of techniques.
U.S. officials said the committee refrained from assigning motives to CIA officials whose actions or statements were scrutinized. The report also does not recommend new administrative punishment or further criminal inquiry into a program that the Justice Department has investigated repeatedly. Still, the document is almost certain to reignite an unresolved public debate over a period that many regard as the most controversial in CIA history.
A spokesman for the CIA said the agency had not yet seen a final version of the report and was, therefore, unable to comment.
Current and former agency officials, however, have privately described the study as marred by factual errors and misguided conclusions. Last month, in an indication of the level of tension between the CIA and the committee, each side accused the other of possible criminal violations in accessing each other’s computer systems during the course of the probe.
The Senate Intelligence Committee is expected to vote Thursday to send an executive summary of the report to Obama for declassification. U.S. officials said it could be months before that section, which contains roughly 20 conclusions and spans about 400 pages, is released to the public.
The report’s release also could resurrect a long-standing feud between the CIA and the FBI, where many officials were dismayed by the agency’s use of methods that Obama and others later labeled torture.
CIA veterans have expressed concern that the report reflects FBI biases. One of its principal authors is a former FBI analyst, and the panel relied in part on bureau documents as well as notes from former FBI agent Ali Soufan. Soufan was the first to interrogate Zayn al-Abidin Muhammed Hussein, the suspected al-Qaeda operative better known as Abu Zubaida, after his capture in Pakistan in 2002 and has condemned the CIA for waterboarding a prisoner he considered cooperative.
The Senate report is by far the most comprehensive account to date of a highly classified program that was established within months of the Sept. 11, 2001, attacks, a time of widespread concern that an additional wave of terrorist plots had already been set in motion.
‘Damaging’ misstatements
Several officials who have read the document said some of its most troubling sections deal not with detainee abuse but with discrepancies between the statements of senior CIA officials in Washington and the details revealed in the written communications of lower-level employees directly involved.
Officials said millions of records make clear that the CIA’s ability to obtain the most valuable intelligence against al-Qaeda — including tips that led to the killing of Osama bin Laden in 2011 — had little, if anything, to do with “enhanced interrogation techniques.”
The report is divided into three volumes — one that traces the chronology of interrogation operations, another that assesses intelligence officials’ claims and a third that contains case studies on virtually every prisoner held in CIA custody since the program began in 2001. Officials said the report was stripped of certain details, including the locations of CIA prisons and the names of agency employees who did not hold supervisor-level positions.
One official said that almost all of the critical threat-related information from Abu Zubaida was obtained during the period when he was questioned by Soufan at a hospital in Pakistan, well before he was interrogated by the CIA and waterboarded 83 times.
Information obtained by Soufan, however, was passed up through the ranks of the U.S. intelligence community, the Justice Department and Congress as though it were part of what CIA interrogators had obtained, according to the committee report.
“The CIA conflated what was gotten when, which led them to misrepresent the effectiveness of the program,” said a second U.S. official who has reviewed the report. The official described the persistence of such misstatements as among “the most damaging” of the committee’s conclusions.
Detainees’ credentials also were exaggerated, officials said. Agency officials described Abu Zubaida as a senior al-Qaeda operative — and, therefore, someone who warranted coercive techniques — although experts later determined that he was essentially a facilitator who helped guide recruits to al-Qaeda training camps.
The CIA also oversold the role of Abd al-Rahim al-Nashiri in the 2000 bombing of the USS Cole in Yemen, which killed 17 U.S. sailors. CIA officials claimed he was the “mastermind.”
The committee described a similar sequence in the interrogation of Hassan Ghul, an al-Qaeda operative who provided a critical lead in the search for bin Laden: the fact that the al-Qaeda leader’s most trusted courier used the moniker “al-Kuwaiti.”
But Ghul disclosed that detail while being interrogated by Kurdish authorities in northern Iraq who posed questions scripted by CIA analysts. The information from that period was subsequently conflated with lesser intelligence gathered from Ghul at a secret CIA prison in Romania, officials said. Ghul was later turned over to authorities in Pakistan, where he was subsequently released. He was killed by a CIA drone strike in 2012.
Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Intelligence Committee, has previously indicated that harsh CIA interrogation measures were of little value in the bin Laden hunt.
“The CIA detainee who provided the most significant information about the courier provided the information prior to being subjected to coercive interrogation techniques,” Feinstein said in a 2013 statement, responding in part to scenes in the movie “Zero Dark Thirty” that depict a detainee’s slip under duress as a breakthrough moment.
Harsh detainee treatment
If declassified, the report could reveal new information on the treatment of a high-value detainee named Ali Abdul Aziz Ali, the nephew of Khalid Sheik Mohammed, the self-proclaimed mastermind of the Sept. 11 attacks. Pakistan captured Ali, known more commonly as Ammar al-Baluchi, on April 30, 2003, in Karachi and turned him over to the CIA about a week later. He was taken to a CIA black site called “Salt Pit” near Kabul.
At the secret prison, Baluchi endured a regime that included being dunked in a tub filled with ice water. CIA interrogators forcibly kept his head under the water while he struggled to breathe and beat him repeatedly, hitting him with a truncheon-like object and smashing his head against a wall, officials said.
As with Abu Zubaida and even Nashiri, officials said, CIA interrogators continued the harsh treatment even after it appeared that Baluchi was cooperating. On Sept. 22, 2003, he was flown from Kabul to a CIA black site in Romania. In 2006, he was taken to the U.S. military prison at Guantanamo Bay, Cuba. His attorneys contend that he suffered head trauma while in CIA custody.
Last year, the Senate Intelligence Committee asked Baluchi’s attorneys for information about his medical condition, but military prosecutors opposed the request. A U.S. official said the request was not based solely on the committee’s investigation of the CIA program.
Two other terrorism suspects, from Libya — Mohammed al-Shoroeiya and Khalid al-Sharif — endured similar treatment at Salt Pit, according to Human Rights Watch. One of the men said CIA interrogators “would pour buckets of very cold water over his nose and mouth to the point that he felt he would suffocate. Icy cold water was also poured over his body. He said it happened over and over again,” the report says. CIA doctors monitored the prisoners’ body temperatures so they wouldn’t suffer hypothermia.
The CIA denies waterboarding them and says it used the technique on only three prisoners.
The two men were held at Salt Pit at the same time as Baluchi, according to former U.S. intelligence officials.
Officials said a former CIA interrogator named Charlie Wise was forced to retire in 2003 after being suspected of abusing Abu Zubaida using a broomstick as a ballast while he was forced to kneel in a stress position. Wise was also implicated in the abuse at Salt Pit. He died of a heart attack shortly after retiring from the CIA, former U.S. intelligence officials said.

Hacked passwords can enable remote unlocking, tracking of Tesla cars

Tesla Motors accounts are protected only by simple passwords, making it easy for hackers to potentially track and unlock cars, according to a security researcher.
Tesla Model S owners need to create an account on teslamotors.com when they order their cars and the same account allows them to use an iOS app to remotely unlock the car's doors, locate it, close and open its roof, flash its lights or honk its horn.
Despite providing access to important car features, these accounts are only protected by a password with low-complexity requirements -- six characters long and at least one number and one letter -- a security researcher named Nitesh Dhanjani said Friday in a blog post.
The Tesla Motors site also doesn't seem to have an account lockout policy based on incorrect log-in attempts, which makes accounts registered on the site susceptible to brute-force password guessing attempts, Dhanjani said.
However, the brute-force attacks are just one potential threat. Tesla accounts could also be targeted through phishing and malware or could be compromised as a result of third-party password leaks if car owners reuse their passwords on multiple sites, the researcher said. In addition, if the email associated with a Tesla account is compromised, an attacker could simply reset the account's password because there are no other checks involved, like answering secret questions, he said.
The researcher also believes that, in its current implementation, the Tesla REST API (application programming interface) used by the official iOS app to interact with the online service can pose a security risk.
The API can be used by third-party apps that require users to log in with their Tesla credentials, the researcher said. For example, one app called Tesla for Glass, which lets users monitor and control their cars through Google Glass, stores the user's credentials, he said.
This behavior is dangerous because if an intruder compromises the app's infrastructure, he could collect Tesla account credentials and abuse the remote car control functionality they enable, the researcher said.
Dhanjani believes Tesla Motors should do more to protect accounts beyond using a static password and advises Tesla car owners to take precautions against potential security risks until that happens.
"Given the serious nature of this topic, we know we can't attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks," Dhanjani said. "The implications to physical security and privacy in this context have raised stakes to the next level."
"Our customers' security is our top priority, be that in developing a car with the highest safety rating or doing everything we can to protect them against online security breaches," Tesla Motors said in an emailed statement. "We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process."

"Automotive manufacturers though innovative in engineering can often oversee the security aspects just because there was no need to digitally safeguard cars in the past," said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender. "While it may be true that the online account does not allow a potential attacker to control the car's critical systems, it could allow somebody to physically locate the car and unlock it."
Botezatu believes that Tesla accounts should require a second authentication factor when users attempt to authenticate from new devices or when their active sessions expire.
An increasing number of manufacturers allow users to remotely control their devices through cloud-based services. Devices with such functionality range from IP-based cameras to network-attached storage devices and home automation sensors.
It's unlikely that manufacturers will take a secure approach to designing so-called Internet-of-things devices anytime soon, Botezatu said, pointing out that at the moment most engineering efforts focus on functionality and battery performance.
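The two conditions the article combines, a six-character letters-plus-digits minimum and no account lockout, as an added example (not Tesla's or Dhanjani's code): the keyspace that minimum yields, and a per-account lockout guard of the kind the site is said to lack, run over a constructed stream of wrong guesses. The account name, thresholds and one-guess-per-second rate are assumptions.

```python
from collections import defaultdict, deque


def min_policy_keyspace(length=6, letters=52, digits=10):
    """Passwords of exactly `length` chars from letters+digits containing at
    least one letter and one digit (inclusion-exclusion): the policy's floor."""
    total = letters + digits
    return total ** length - letters ** length - digits ** length


class LoginGuard:
    """Per-account lockout: after `max_failures` failures inside a sliding
    `window_seconds`, refuse every attempt (even a correct password) until
    `lockout_seconds` have passed. Thresholds here are assumed values."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> epoch seconds

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt at `now`."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
        return "fail"


def guesses_evaluated(guard, account, n_guesses, start=0):
    """Count how many of `n_guesses` wrong guesses (one per second, a
    constructed rate) the service actually checks. With guard=None, the
    article's no-lockout scenario, every guess is checked."""
    checked = 0
    for i in range(n_guesses):
        if guard is None or guard.attempt(account, False, start + i) == "fail":
            checked += 1
    return checked
```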

Password bug let me see shoppers' credit cards in eBay ProStores, claims infosec bod

A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole.
Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened the door to store account hijackers, but also leaked "full access to all their customers' PII [Personally identifiable information] as well as their full credit information in clear text."
ProStores hosts online shops for eBay sellers to use to flog their stuff, and provides a wizard for creating the traders' websites.
"Like the gostorego vulnerability (also eBay), we could shop for free by giving ourselves store credit or gift cards or created our own orders for free," Litchfield told The Reg.
After he reported the bug in February, the flaw was fixed, clearing the way for Litchfield to go public [PDF] on March 20. eBay has yet to respond to repeated requests for comment from The Reg – we've been on their case since last week.
Litchfield characterizes the vulnerability as a serious string of blunders that took too long to fix. According to the researcher: in order to gain control of a victim's eBay ProStores site, the attacker must create her own ProStores account – there's a handy 30-day free trial available – and then use that as a springboard to infiltrate the victim's web bazaar.
"In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store," Litchfield claimed. "With this attack I guess I was more shocked than anything to find the credit card information being displayed back in clear text. If people are buying things online, why would the full card information need to be returned in clear text to the administrator?"
ProStores is aimed at small to medium businesses, and was bought by eBay in 2005. The outfit offers inventory management, supplier communication and integration with Quickbooks, Dreamweaver and other tools. Litchfield also claimed there was an XML external entity vulnerability [PDF] in ProStores.

Angry Birds developers downplay fresh data leak claims

The developers of Angry Birds have hit back at renewed allegations that the ultra-popular game leaks users' personal information.
Security vendor FireEye put out a detailed critique of Angry Birds last week claiming that the smartphone game leaked data like a sieve.
An early March update of Angry Birds, available through Google Play, works together with ad-mediation platform Burstly and third-party ad networks such as Jumptap and Millennial Media to store and share users' information. FireEye researchers warn that the system as a whole is insecure. As a result, users' personal email addresses, ages and genders entered into Angry Birds' servers are potentially being gathered, stored and shared across the web, they claim.
Rovio, the Finnish firm behind Angry Birds, downplayed these concerns while adding that it was migrating towards its own ad platform.
"Millions of commercial web sites and mobile applications across all industries use third party ad networks. Our fans' trust is the most important thing to us. Rovio does not require end users to share data. The traffic between our games and the Rovio cloud is always encrypted. Rovio does not allow any third party network to use or hand over personal end-user data from Rovio’s games. In addition, Rovio is increasingly moving towards managing its own ad platform."
Rovio's analytics and data usage policy is here. Its privacy policy is here.
Back in January a leak from the Snowden files revealed that GCHQ and the NSA were slurping data leaked from smartphone apps such as Angry Birds.
The leak revealed that the spy agencies were sniffing out users' locations, their political beliefs and even their sexual preferences through smartphone apps. Angry Birds was used as a case study in the leaked data, which drew a hacklash against Rovio even though it was only one developer among many that was unwittingly helping the Five Eyes with their dragnet surveillance programme.
Rovio issued a statement at the time stating that it "does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world," and blaming third-party ad networks for any personal data spillage.

Middle Eastern hackers use remote access Trojan to infect 24,000 machines worldwide

Security firm Symantec has uncovered 487 groups actively using njRAT malware, claiming the malicious users have managed to infect 24,000 machines worldwide.
Symantec threat lab researchers reported the campaigns in a blog post, confirming the hackers are using the njRAT malware for a variety of purposes.
"Symantec has identified 487 groups of attackers mounting attacks using njRAT. These attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft and botnet building," the researchers said.
"The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cyber-criminal activity, there is also evidence that several groups have used the malware to target governments in the region."
Symantec said the attacks mainly originate from the Middle East, though they have managed to infect thousands of systems worldwide.
"Symantec analysed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control and command (C&C) server domain names found and 24,000 infected computers worldwide," read the post.
"Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya."
The njRAT malware is a simple attack tool that originally appeared for download on several black market forums in June 2013.
The malware grants hackers basic powers, such as the ability to download and execute additional malware on infected systems, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and hijack control of webcams.
The Symantec researchers said they expect hackers' interest in njRAT to end fairly quickly, as the new hacker groups realise its limitations and move on to more advanced malware.

"The more advanced threat actors, such as hacker groups, may continue to use njRAT for targeted attacks in the short term," read the post.
"For example, a report by the Electronic Frontier Foundation (EFF) and Citizen Lab found that njRAT is one of a number of tools being used to target Syrian opposition groups during the Syrian conflict. However, Symantec anticipates that such groups will eventually depart from using publicly available tools like njRAT and begin to develop their own tools and more advanced RATs for cyber attacks."
Symantec's discovery follows wider reports within the security community that hackers are tweaking their attacks to use RATs. Advanced threat specialist FireEye uncovered evidence in February that hackers are dropping standard malware such as Zeus, in favour of more advanced but harder-to-use RATs, such as Xtreme RAT.