2013-12-21

Just one heckuva lot happening today, with yet more Snowden bombshells and lots of blowback.

From The Guardian, the headline-grabber:

GCHQ and NSA targeted charities, Germans, Israeli PM and EU chief

Unicef and Médecins du Monde were on surveillance list

Targets went well beyond potential criminals and terrorists

Revelations could cause embarrassment at EU summit

British and American intelligence agencies had a comprehensive list of surveillance targets that included the EU’s competition commissioner, German government buildings in Berlin and overseas, and the heads of institutions that provide humanitarian and financial help to Africa, top secret documents reveal.

The papers show GCHQ, in collaboration with America’s National Security Agency (NSA), was targeting organisations such as the United Nations development programme, the UN’s children’s charity Unicef and Médecins du Monde, a French organisation that provides doctors and medical volunteers to conflict zones. The head of the Economic Community of West African States (Ecowas) also appears in the documents, along with text messages he sent to colleagues.

More from Spiegel:

Friendly Fire: How GCHQ Monitors Germany, Israel and the EU

Documents from the archive of whistleblower and former NSA worker Edward Snowden show that Britain’s GCHQ signals intelligence agency has targeted European, German and Israeli politicians for surveillance.

The documents SPIEGEL was able to examine do not indicate how intensively and during which periods of time the individual targets were actually monitored. However, the example of an African politician shows that even during a surveillance test run, the British intercepted and stored his mobile phone text messages in their entirety.

And from the New York Times:

N.S.A. Dragnet Included Allies, Aid Groups and Business Elite

Secret documents reveal more than 1,000 targets of American and British surveillance in recent years, including the office of an Israeli prime minister, heads of international aid organizations, foreign energy companies and a European Union official involved in antitrust battles with American technology businesses.

While the names of some political and diplomatic leaders have previously emerged as targets, the newly disclosed intelligence documents provide a much fuller portrait of the spies’ sweeping interests in more than 60 countries.

And from El País:

US spied on European Commission vice president, internal sources claim

NSA reported to have monitored Joaquín Almunia’s phone calls at the start of Europe’s financial crisis

The US National Security Agency (NSA) tapped the cellphone of European Commission Vice President Joaquín Almunia between 2008 and 2009, when the Spaniard served as commissioner for economic and monetary affairs, EC sources have told EL PAÍS.

The former leader of the Spanish Socialist Party is the first high-level EC official known to have been a target of the NSA’s spying activities. Sources said that the 65-year-old Almunia has been made aware that his phone was tapped.

And blowback from EUobserver:

EU: US spying on Almunia ‘unacceptable if true’

A European Commission spokeswoman said on Friday that, “if proven true,” it is “unacceptable” that the UK and US spied on EU competition commissioner Joaquin Almunia. The revelations, published Friday by The Guardian, are the latest in a series of leaks by former US intelligence contractor Edward Snowden.

And the usual huckin’ ‘n’ jivin’, from PCWorld:

NSA defends foreign surveillance after new reports of targets

An NSA spokeswoman defended the NSA’s surveillance programs, without commenting specifically on the report.

“We do not use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line,” she said in an email. “The United States collects foreign intelligence just as many other governments do.”

The NSA collects information to understand other countries’ policies and to “monitor anomalous economic activities,” she said. Those efforts “are critical to providing policy-makers with the information they need to make informed decisions that are in the best interest of our national security.”

Meanwhile, Techdirt smells a rat in the official White House review:

Report Suggests NSA Engaged In Financial Manipulation, Changing Money In Bank Accounts

from the that-would-be-big dept

Matt Blaze has been pointing out that when you read the new White House intelligence task force report and its recommendations on how to reform the NSA and the wider intelligence community, that there may be hints to other excesses not yet revealed by the Snowden documents. Trevor Timm may have spotted a big one.

And here’s a screengrab of the section in question, notably the second point:



Global blowback to earlier revelations from MercoPress:

Brazil and Germany, with UN support hit back at US cyber spying

UN General Assembly has adopted a resolution aimed at protecting the right to privacy of internet users. The resolution was introduced by Brazil and Germany after allegations that the US had been eavesdropping on foreign leaders, including Brazil’s Dilma Rousseff and Germany’s Angela Merkel.

The two powerful ladies, Angela and Dilma are furious about US NSA spying into their countries and even their personal mobiles

The claims stem from leaks by US intelligence fugitive Edward Snowden.

General Assembly resolutions are non-binding but they can carry significant moral and political weight. The resolution calls for all countries to guarantee privacy rights to users of the internet and other forms of electronic communications.

Snowden gets Nordic confirmation, via TheLocal.no:

Norway data helps target US drones: spy chief

Data collected by Norway’s intelligence services in Afghanistan is used by US and Nato forces to target controversial drone attacks, the organisation’s head has revealed.

Lieutenant General Kjell Grandhagen told Aftenposten newspaper that the data Norway’s E-Service handed over to the US’s National Security Agency was “part of an overall information base used for operations”.

“Such operations may include the use of drones or other legal weapons platforms,” he confirmed.

And yet another revelation, this time from Reuters:

Exclusive: Secret contract tied NSA and security industry pioneer

As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

We love the headline Metafilter gave to the story:

RSA Paid by the NSA to screw the USA

And here’s TechCrunch’s headline, which says it all:

NSA Reportedly Paid A Security Firm Millions To Ship Deliberately Flawed Encryption Technology

In a related development, Ars Technica headlines dismissively:

Critics: NSA agent co-chairing key crypto standards body should be removed

There’s an elephant in the room at the Internet Engineering Task Force.

Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).

Kevin Igoe, who in a 2011 e-mail announcing his appointment was listed as a senior cryptographer with the NSA’s Commercial Solutions Center, is one of two co-chairs of the IETF’s Crypto Forum Research Group (CFRG). The CFRG provides cryptographic guidance to IETF working groups that develop standards for a variety of crucial technologies that run and help secure the Internet. The transport layer security (TLS) protocol that underpins Web encryption and standards for secure shell (SSH) connections used to securely access servers are two examples. Igoe has been CFRG co-chair for about two years, along with David A. McGrew of Cisco Systems.

Igoe’s leadership had largely gone unnoticed until reports surfaced in September that exposed the role NSA agents have played in “deliberately weakening the international encryption standards adopted by developers.”

Meanwhile, Barry O spins away in the year’s last White House presser. From Bloomberg:

Obama Says Surveillance Program Changes Coming in January

President Barack Obama said he will act in January on the recommendations of an advisory panel suggesting changes to government surveillance programs.

“What we’re doing now is evaluating all of the recommendations that have been made,” Obama said at a news conference today. “I’m going to make a pretty definitive statement about all of this in January.”

He’ll decide which recommendations “make sense” and which need further work, Obama said at a White House news conference, his final planned for 2013.

More from The Guardian:

Obama concedes NSA bulk collection of phone data may be unnecessary

President: ‘There may be a better way of skinning the cat’

‘Potential abuse’ of collected data cited as concern

President Barack Obama speaks during a news conference at the White House. Photograph: Alex Wong/Getty Images

President Barack Obama has conceded that mass collection of private data by the US government may be unnecessary and said there were different ways of “skinning the cat”, which could allow intelligence agencies to keep the country safe without compromising privacy.

In an apparent endorsement of a recommendation by a review panel to shift responsibility for the bulk collection of telephone records away from the National Security Agency and on to the phone companies, the president said change was necessary to restore public confidence.

“In light of the disclosures, it is clear that whatever benefits the configuration of this particular programme may have, may be outweighed by the concerns that people have on its potential abuse,” Obama told an end-of-year White House press conference. “If that’s the case, there may be a better way of skinning the cat.”

Still more from The Guardian:

Obama: Snowden leaks caused ‘unnecessary damage’

Obama said he could not comment specifically on possible amnesty because Snowden was ‘under indictment’

Barack Obama has declined to be drawn into a debate about possible amnesty for Edward Snowden, the whistleblower whose revelations about the NSA have sparked intense internal deliberation about changing US surveillance activities.

In a press conference at the White House, the president distinguished between Snowden’s leaks and the debate those leaks prompted, which he said was “an important conversation we needed to have”, but left open the question of whether he should still be prosecuted.

“The way in which these disclosures happened has been damaging to the United States and damaging to our intelligence capabilities,” he said. “I think that there was a way for us to have this conversation without that damage. As important and as necessary as this debate has been, it’s important to keep in mind this has done unnecessary damage.”

Let’s hear it for the little guy! From The Wire:

Report: The NSA Misses a Lot of Phone Call Records, Especially from Smaller Carriers

After the jump, Danish spy scandals, calling out the National Guard as cyber warriors, the latest saber-rattling in Asia, massive corporate data thefts, Turkish turmoil, and much more. . .

Marching orders from Ars Technica:

Congress tells DOD to consider “cyber militia” for National Guard

Part-time civilian employees would help defend against cyberattacks

Part of the funding bill passed by Congress this week includes provisions that call for the Department of Defense to formally consider the creation of a part-time civilian force to assist in times of cyberattacks. As NextGov reports, the 2014 National Defense Authorization Act (NDAA) calls for the DOD to conduct a formal evaluation of the role that the National Guard and the Army, Air Force, and Naval Reserve could play in bolstering network defenses against attack, including the hiring of additional civilian “technicians.”

Some countries already have volunteer civilian “cyber militias”—Estonia, for example, has a civilian cyber reserve that it put together after cyberattacks on the country’s national Internet infrastructure that appeared to originate from Russia. Maryland has created a cyberwarfare unit as part of its Air National Guard. But the Defense Department has resisted previous efforts by members of Congress to establish National Guard “Cyber and Computer Network Incident Response Teams” in every state.

Nextgov gives ‘em a home away from home:

Army Settles on Augusta for Cyber Forces Headquarters

Army Cyber Command troops for the first time will be housed together under one chief, service officials said on Thursday, in announcing a collective move to Fort Gordon, Ga., home of the service’s Signal Center and Signal Corps, which is responsible for electronic communications.

Until now, the command, established in 2010, has operated out of numerous facilities and leased space in the Washington metropolitan area. The Fort Gordon consolidated location will require 150 fewer personnel and cost 23 percent less than other sites contemplated, Army officials said.

Ma Bell limps along, from The Verge:

AT&T follows Verizon’s lead, will start publishing law enforcement request data in early 2014

Never let it be said that AT&T and Verizon don’t follow each other’s leads. Just one day after Verizon announced it would start publishing a semiannual transparency report that details all of the law enforcement requests it receives, AT&T announced that it would be doing the same in early 2014. The carrier’s report will include info on the total number of law-enforcement data requests received from the government in criminal cases, the number of subpoenas, court orders, and warrants received, and the total number of customers affected. The first report issued should cover all of the requests from 2013.

AT&T also reiterated that it ensures all data requests and its responses are “completely lawful and proper in that country” and that it doesn’t allow the government direct connections or access to its network or customer information. However, AT&T also noted that it believes “any disclosures regarding classified information should come from the government.” That’s not exactly a surprise, as the carrier is legally prevented from detailing requests that come from FISA warrants or National Security Letters, which the NSA and DHS commonly use.

From the Copenhagen Post, first the blowback [for snooping on a national legislator to discredit a right wing group], then the replacement:

New PET boss named

Jens Madsen takes the reins of domestic intelligence agency

Public prosecutor Jens Madsen has been named the new head of domestic intelligence agency PET.

The 45-year-old Madsen replaces Jakob Scharf, who stepped down amid scrutiny over the illegal prying into Pia Kjærsgaard’s personal calendar. The same scandal also cost Morten Bødskov (S) the job of justice minister.

And his new office chair promptly turns into the hot seat. From the Copenhagen Post:

PET in yet another storm

National security cops refuse to protect ex-agent

Domestic intelligence agency PET did little to help former agent Morten Storm when his life was threatened by Islamic militants.

After a video was posted in August in which militants targeted six “enemies of Islam”, Storm, who was one of those named, sent an email to PET saying he felt his life had been threatened and asking for protection.

After three weeks, PET General Counsel Lykke Sørensen replied that Storm should refer his requests and questions to his local police force and that PET would not be getting involved.

Next up the ongoing Asian security crises, zonal and purging, first with some reassurance about the two leading players from Kyodo News:

Japan’s envoy in China says bilateral ties not fragile

Japan’s ambassador in China said Friday he has become convinced that bilateral relations are multidimensional and “will not easily be broken,” despite some lingering diplomatic difficulties, after serving in the post for almost one year.

“Japan’s relations with China have been supported by so many people,” Masato Kitera told a year-end press conference at the Japanese Embassy in Beijing.

Reinforcement from NewsOnJapan:

Japan foreign minister, China envoy agree importance of dialogue

Japanese Foreign Minister Fumio Kishida and Chinese Ambassador to Japan Cheng Yonghua agreed Friday to make efforts to improve relations between the two countries through dialogue.

After their talks at the Japanese Foreign Ministry, Cheng told reporters that the two “affirmed to each other their commitment to work to return bilateral relations to the track of a mutually beneficial strategic partnership through dialogue.”

But China Daily bites:

Chinese military lashes out at Japanese defense documents

Chinese military on Friday accused Japan of using the pretext of safeguarding its own national security and regional peace for military expansion.

The Japanese government approved its first national security strategy on Tuesday. Based on it, new defense program guidelines and a mid-term defense buildup plan were also adopted.

“China is firmly opposed to Japan’s relevant actions,” said Defense Ministry spokesman Geng Yansheng in a statement.

The Japan Times gets litigious:

LDP wants Japan-China gas field issue taken to international courts

The ruling Liberal Democratic Party proposed Friday that the issue of China potentially deciding to unilaterally develop natural gas fields in contested waters be taken to international tribunals.

An LDP task force asked the government to take the issue to the International Court of Justice or the International Tribunal for the Law of the Sea. The party is headed by Prime Minister Shinzo Abe.

And then there’s Russia. From the Japan Daily Press:

Japanese SDF fighter jets scrambled after Russian patrol planes fly near Hokkaido

Japan’s Defense Ministry scrambled several Air Self Defense Force fighter jets against a pair of Russian Tu-142 planes that flew around the country this Thursday. While the two patrol planes were in no direct violation of the Japanese airspace, it still caused a major concern for the ministry, which has been monitoring Russian military activities in light of recent similar incidents.

Russian planes were seen circulating the archipelago in March much in the same way the Tu-142s were monitored Thursday.

More Russian muscle-flexing from RIA Novosti:

Russia Needs Naval Buildup in Arctic – Deputy Premier

Russia should beef up its naval presence in the Arctic to protect its economic interests in the region from the encroachment of NATO nations, a senior minister said on Friday.

“Obviously military efforts safeguard economic ambitions. It would be strange for Russia, which has an enormous Arctic coastline, not to begin energetic, firm action for exploiting the region,” Deputy Prime Minister Dmitry Rogozin said. “This is not an economic task, it’s a geopolitical one. It’s a question of national defense.”

Next, and most ominously, there’re the Koreas. From CNN:

North Korea threatens to ‘strike South Korea mercilessly’

North Korea sent a fax to South Korea on Thursday, threatening to “strike mercilessly without notice” after protests against the secretive regime this week in Seoul.

The message warned that North Korea would strike if “the provocation against our highest dignity is to be repeated in the downtown of Seoul.”

Earlier this week, on the second anniversary of the death of former North Korean leader, Kim Jong Il, conservative protesters rallied in Seoul, burning effigies of the country’s leaders as well as its flag. Such protests are common during North Korean festivals and anniversaries.

Meanwhile, Uncle Sam keeps droning on. Via NHK WORLD:

US to deploy drones at Misawa

The US military is planning to deploy unmanned reconnaissance aircraft at the Misawa air base in Aomori Prefecture, northeastern Japan next summer.

A ranking US military officer told NHK on Thursday that Global Hawk aircraft will be moved temporarily from Guam to Misawa, mainly during summer, to avoid typhoons, from next year.

US forces deployed the reconnaissance jets in Guam 3 years ago for surveillance of China and North Korea. Currently 3 Global Hawks are stationed on the Pacific island.

Deutsche Welle takes us to Turkey and turmoil:

More arrests amid Turkish power struggle

Turkish media say more arrests have been made and police heads dismissed in connection with a probe into official corruption. Prime Minister Tayyip Erdogan has called it a “dirty operation” aimed at undermining his rule.

Istanbul police chief Huseyin Capkin

The Turkish channels, NTV and CNN Turk, reported Thursday that another 14 heads of police units had been removed from their posts. The newspaper Hurriyet said eight people had been arrested, bringing the number of detainees since Tuesday to 50.

An exiled Muslim cleric, Fethullah Gulen, who was once a key electoral supporter of Erdogan’s Justice and Development Party (AKP), has denied pressing via Turkey’s secret services and its judiciary for the arrests.

Creating massive insecurity, from RT:

Ugandan MPs pass bill punishing homosexuality with life in prison

The Ugandan parliament has ratified a bill that will see homosexuals imprisoned for life, if the person is caught in the act more than once, according to activists and reports on Friday.

One gay activist speaking to AFP following the vote said that now he is “officially illegal.”

This is the toughest measure to have been accepted in the country yet, although there was an even more severe version of the bill, which involved a controversial death penalty clause, something that was excluded from the final draft, said the politician behind the bill, David Bahati.

Corporate snooping gets a slapdown from BBC News:

Spain levies maximum fine over Google privacy policy

Google has been fined 900,000 euros (£751,000) for breaking Spanish data protection laws.

The fine is the maximum it is possible to levy on a firm that has broken the nation’s privacy laws.

It was imposed after Google changed its privacy policy and started combining personal information across its online services.

Bloomberg with more corporate blowback, this time with help from Uncle Sam:

NSA Fallout in Europe Boosts Alternatives to Google

During its first four years, Berlin-based Posteo e.K. struggled to find customers for its secure e-mail service. That changed in June, when U.S. National Security Agency contractor Edward Snowden revealed that his former employer monitored phones and e-mails worldwide. In the past six months, Posteo has tripled the subscribers of its 1-euro-per-month ($1.37) encryption service, to more than 30,000.

“The NSA reports were the final straw,” said Daniel Hundmaier, a 42-year-old communications officer in Berlin who switched to Posteo, stopped using Google Inc. (GOOG)’s search engine, and changed the operating system on his phone.

As European consumers like Hundmaier focus more on Internet privacy, they’re avoiding the likes of Google, Amazon.com Inc. (AMZN) and Yahoo! Inc. Phone operators such as Vodafone Group Plc (VOD) and Orange SA (ORA) and providers of Internet computing services like Deutsche Telekom AG (DTE)’s T-Systems have started stressing that stricter European laws on privacy make the region a safer place to store client data.

PCWorld proves crime does pay, in this case for malware creators who infected computers [mostly in Europe], then demanded ransoms for stopping the computers from systemic lockdown:

Crime pays very well: Cryptolocker grosses up to $30 million in ransom

No wonder street crime is down. If you want to make a dishonest living, cybercrime is the place to be. According to a Dell SecureWorks report by Keith Jarvis, the creators of the notorious CryptoLocker ransomware virus may have made as much as $30 million in a mere 100 days.

That’s a lot more than you’d earn stealing people’s iPhones – and you’re far less likely to get caught. (It’s also a lot more than you’d get doing honest work.)

More cybercriminal profiteering from The Verge:

Stolen Target customer data is flooding the black market

With Target already reeling from a massive hack that left up to 40 million credit and debit cards compromised, The New York Times now reports that all that data has been pouring into the black market since the break-in. With the breach taking place between Black Friday and December 15th, criminals on hundreds of illicit card-selling markets have likely had access to consumer information for weeks to date.

Security experts, including security blogger Brian Krebs, say that criminals sell stolen credit cards in bulk, with individual cards going for as little as a quarter or as high as $100 depending on the credit limit. With that kind of access, they can then burn the information onto counterfeit cards or use them to purchase gift cards that siphon off the victim’s account.

The Los Angeles Times has consequences:

Target faces lawsuits, state probes after customer data breach

The attorneys general of four states eye Target after its system is hacked, exposing account information of some 40 million customers. The retailer promises free credit monitoring to those affected.

And from the San Francisco Chronicle, yet another cybercrime:

Affinity casino company warns of data breaches

A Las Vegas company that owns casinos in Nevada, Colorado, Iowa and Missouri fell victim to a cyberattack earlier this year, compromising the credit and debit card information of patrons at 11 sites, company officials said Friday.

Affinity Gaming officials said its system is now secure, but it recommended that customers who visited its casinos and hotels between March 14 and Oct. 16 check their card statements for suspicious activity and put a fraud alert on their accounts.

And for our final item, all that glitters is terrorist? From Boing Boing:

Oklahoma City cops charge Keystone XL protesters with “terrorism hoax” because their banner shed some glitter

Two protesters who held up an anti-Keystone-XL-pipeline banner at the Oklahoma City headquarters of Devon Energy have been charged with perpetrating a “terrorism hoax” because some of the glitter on their banner fell on the floor and was characterized by OKC cops as a “hazardous substance.”

The arrest is an extreme example, but it’s not an isolated one. Indeed, leaked documents show that TransCanada has an army of spies assembling dossiers on protesters, and has been briefing the FBI and local law on techniques for prosecuting anti-pipeline protesters as terrorists.
