Mobile Handset Exploitation Team: NSA/GCHQ Hacked Into World’s Largest SIM Card Manufacturer to Steal Encryption Keys

In Archive, GCHQ, Hacking, NSA, NSA Files, Surveillance on February 22, 2015 at 7:56 PM



Jeremy Scahill/Josh Begley/TheIntercept:

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
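As an added illustration (not from The Intercept or the leaked documents), the following toy model shows why holding the per-SIM secret is enough: the session key is derived on both sides from that secret and a challenge sent in the clear, so anyone who holds the secret and recorded the exchange, live or years earlier, recomputes the same session key without ever touching the operator. HMAC-SHA256 stands in for the operator's authentication and key-derivation algorithms and for the air-interface cipher; the IMSIs and keys are constructed sample values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Toy stand-ins (NOT the real GSM/3GPP algorithms) for the two values a SIM
# computes from its secret Ki and the network's random challenge RAND:
#   - a short authentication response the network checks, and
#   - the session key that then protects the over-the-air traffic.
def auth_response(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"auth|" + rand, hashlib.sha256).digest()[:4]


def session_key(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"session|" + rand, hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: an HMAC-derived keystream XORed over the data.
    The same call encrypts and decrypts."""
    out = bytearray()
    for counter in range(0, len(data), 32):
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[counter:counter + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class AirCapture:
    """What a passive listener on the radio link can record. Nothing here is secret."""
    imsi: str
    rand: bytes
    response: bytes
    ciphertext: bytes


def run_session(imsi: str, ki: bytes, plaintext: bytes,
                rand: Optional[bytes] = None) -> Tuple[bool, AirCapture]:
    """One authentication plus one encrypted transmission between a SIM and its operator.

    The operator's authentication server holds one copy of Ki, the SIM the other.
    Only RAND, the 4-byte response and the ciphertext ever cross the air.
    """
    rand = rand if rand is not None else secrets.token_bytes(16)  # chosen by the network
    response = auth_response(ki, rand)                             # computed on the SIM
    # The network recomputes the expected response from its own copy of Ki.
    authenticated = hmac.compare_digest(response, auth_response(ki, rand))
    kc = session_key(ki, rand)                                     # derived on both sides
    return authenticated, AirCapture(imsi, rand, response, kc and xor_keystream(kc, plaintext))


def decrypt_capture(capture: AirCapture, key_database: Dict[str, bytes]) -> Optional[bytes]:
    """A holder of a bulk Ki database decrypts a recording offline, using only what was
    broadcast plus the stolen key. The operator is never contacted and sees nothing."""
    ki = key_database.get(capture.imsi)
    if ki is None:
        return None                      # no key for this subscriber: recording stays opaque
    return xor_keystream(session_key(ki, capture.rand), capture.ciphertext)


if __name__ == "__main__":
    # Constructed sample: a supplier's per-SIM key list as shipped to an operator.
    supplier_keys = {"001010123456789": secrets.token_bytes(16)}
    # Traffic recorded in bulk while the listener had no keys at all.
    ok, capture = run_session("001010123456789", supplier_keys["001010123456789"], b"meet at 9")
    print("network accepted SIM:", ok)
    print("without keys:", decrypt_capture(capture, {}))
    # The same recording, read after the key list has been obtained.
    print("after key theft:", decrypt_capture(capture, supplier_keys))
```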

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted.

The Mobile Handset Exploitation Team (MHET), whose existence has never before been disclosed, was formed in April 2010 to target vulnerabilities in cellphones. One of its main missions was to covertly penetrate computer networks of corporations that manufacture SIM cards, as well as those of wireless network providers. The team included operatives from both GCHQ and the NSA.

As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries.

According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.

Additionally, the spy agency targeted unnamed cellular companies’ core networks, giving it access to “sales staff machines for customer information and network engineers machines for network maps.” GCHQ also claimed the ability to manipulate the billing servers of cell companies to “suppress” charges in an effort to conceal the spy agency’s secret actions against an individual’s phone. Most significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network. A note accompanying the slide asserted that the spy agency was “very happy with the data so far and [was] working through the vast quantity of product.”

Gemalto was totally oblivious to the penetration of its systems — and the spying on its employees. “I’m disturbed, quite concerned that this has happened,” Paul Beverly, a Gemalto executive vice president, told The Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.” He added that “the most important thing for us now is to understand the degree” of the breach.

Beverly said that after being contacted by The Intercept, Gemalto’s internal security team began on Wednesday to investigate how their system was penetrated and could find no trace of the hacks. When asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Beverly said, “I am totally unaware. To the best of my knowledge, no.”

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

“Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

Neither the NSA nor GCHQ would comment specifically on the key theft operations. In the past, they have argued more broadly that breaking encryption is a necessary part of tracking terrorists and other criminals. “It is longstanding policy that we do not comment on intelligence matters,” a GCHQ official stated in an email, adding that the agency’s work is conducted within a “strict legal and policy framework” that ensures its activities are “authorized, necessary and proportionate,” with proper oversight, which is the standard response the agency has provided for previous stories published by The Intercept. The agency also said, “[T]he UK’s interception regime is entirely compatible with the European Convention on Human Rights.” The NSA declined to offer any comment.

It is unlikely that GCHQ’s pronouncement about the legality of its operations will be universally embraced in Europe. “It is governments massively engaging in illegal activities,” says Sophie in’t Veld, a Dutch member of the European Parliament. “If you are not a government and you are a student doing this, you will end up in jail for 30 years.” Veld, who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept: “The secret services are just behaving like cowboys. Governments are behaving like cowboys and nobody is holding them to account.”



Ryan Devereaux/Cora Currier/TheIntercept:

The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.


Edward Snowden on SIM Hack Story and Gemalto:

“Although firmware exploitation is nasty, it’s at least theoretically reparable: tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn’t the same for SIMs, which are flashed at the factory and never touched again. When the NSA and GCHQ compromised the security of potentially billions of phones (3G/4G encryption relies on the shared secret resident on the SIM), they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.

Our governments – particularly the security branches – should never be weighing the equities in an intelligence gathering operation such that a temporary benefit to surveillance regarding a few key targets is seen as more desirable than protecting the communications of a global system (and this goes double when we are more reliant on communications and technology for our economic productivity than our adversaries).”

Redditor: So far Gemalto is claiming SIMs are still secure. Not believing them at this point.

“I wouldn’t believe them either. When we’re talking about how to weigh reliability between specific government documents detailing specific Gemalto employees and systems (and tittering about how badly they’ve been owned) against a pretty breezy and insubstantial press release from a corporation whose stock lost 500,000,000 EUR in value in a single day, post-report, I know which side I come down on.

That’s not to say Gemalto’s claims are totally worthless, but they have to recognize that their business relies on trust, and if they try to wave away a serious compromise, it’ll cost them more than it saves them.”


Russell Brandom/TheVerge:

In the days since the report published, there’s been concern over an even more frightening line of attack. The stolen SIM keys don’t just give the NSA the power to listen in on calls, but potentially to plant spyware on any phone at any time. Once the stolen keys have bypassed the usual protections, the spyware would live on the SIM card itself, undetectable through conventional tools, able to pull data and install malicious software. If the NSA and GCHQ are pursuing that capability, it could be one of the biggest threats unearthed by Snowden so far.

Our earlier report focused on the Ki keys, used to encrypt traffic between the phone and the tower — but this new attack uses a different set of keys known as OTA keys, short for “over-the-air.” Each SIM card gets its own OTA key, typically used to remotely install updates. Manufacturers can send a binary text message directly to the SIM card, and as long as it’s signed with the proper OTA key, the card will install the attached software without question. If those keys were compromised, it would give an attacker carte blanche to install all manner of spyware. Researcher Claudio Guarnieri, who’s researched the Snowden documents extensively, says the OTA keys could make the Gemalto heist the most important news to come out of the documents so far. “It’s scary,” Guarnieri says. “If the NSA and GCHQ have obtained a large quantity of OTA keys, we’re facing the biggest threat to mobile security ever.”

The OTA key works as a kind of golden key to the SIM card, allowing almost total access to anyone who has it. Karsten Nohl, a researcher best known for his work on BadUSB, explored SIM hacks as part of a Black Hat presentation in 2013 (PDF), and says the OTA keys would be a very likely target for an intelligence agency. The Intercept’s documents also mention compromising Gemalto’s ability to alter SMS records, which could be used to erase any suspicious OTA updates. The result would be a completely invisible program, running in an inaccessible portion of the phone. “It would be completely hidden from the user,” says Nohl.

Earlier leaks show that the NSA has already developed malware that would work in just this way. The NSA’s exploit catalog lists two different SIM-based malware apps: MONKEYCALENDAR sends back location data through hidden SMS messages, while GOPHERSET pulls a user’s phone book, text and call logs. In both cases, the malware lives entirely on the SIM card, leaving no trace on the internal storage of the device. Neither slide says how the malware would be implanted, but once the OTA keys have been stolen, it would be as simple as sending a text.

But while the OTA keys are certainly valuable to the NSA and GCHQ, it’s harder to say whether the agencies are actively harvesting them. The latest batch of documents shows that the agencies had full access to Gemalto’s network, including the authentication servers that manage OTA keys, so at the very least, they could have stolen the keys if they wanted. But while the other documents show a concerted effort to harvest Ki keys, there’s little mention of OTA keys beyond a single slide. The lack of evidence doesn’t mean the agencies were ignoring the keys, of course; they may just have kept the harvesting efforts off Powerpoint.


Gemalto Presents Findings of Internal Investigation:

  • The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened
  • The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys
  • The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft
  • In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack
  • None of our other products were impacted by this attack
  • The best counter-measures to these types of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator

Following the release of a report by a news website on February 19, 2015, Gemalto (Euronext NL0000400653 GTO) has conducted a thorough investigation, based in particular on two elements: the purported NSA and GCHQ documents which were made public by this website, and our internal monitoring tools and their past records of attempts of attacks.

All comments in this publication assume that the published documents are real and refer accurately to events that occurred during 2010 and 2011. Our publication here below does not aim at confirming, partially or entirely, nor at providing elements to refute, partially or entirely, the contents of those website-published documents.

As Gemalto is a digital security company, people try to hack it on a regular basis. These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network architecture.

If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation.

In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.

In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.

During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.

At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents.

The risk of the data being intercepted as it was shared with our customers was greatly reduced with the generalization of highly secure exchange processes that we had put in place well before 2010. The report indicates that attacks were targeted at mobile operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan. It also states that when operators used secure data exchange methods the interception technique did not work. In particular it “…failed to produce results against Pakistani networks”. We can confirm that the transmission of data between Pakistani operators and Gemalto used the highly secure exchange process at that time. In 2010 though, these data transmission methods were not universally used and certain operators and suppliers had opted not to use them. In Gemalto’s case, the secure transfer system was standard practice and its non-use would only occur in exceptional circumstances.

The analysis of the documents shows that the NSA and GCHQ targeted numerous parties beyond Gemalto. As the leader in the market, Gemalto may have been the target of choice for the intelligence services in order to reach the highest number of mobile phones. However, we can see in the document that many aspects do not relate to Gemalto, for example:

  • Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen.
  • A list claiming to represent the locations of our personalization centers shows SIM card personalization centers in Japan, Colombia and Italy. However, we did not operate personalization centers in these countries at the time.
  • Table 2 indicates that only 2% of the exchanges of encryption keys (38/1719) came from SIM suppliers and states that the use of strong encryption methods by SIM suppliers means that the other groups (98%) are much more vulnerable to these types of attacks.

In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms. However, even if the encryption keys were intercepted by the intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.

This known weakness in the original 2G standards was removed with the introduction of proprietary algorithms, which are still used as an extra level of security by major network operators. The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption. If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack. However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.

Digital security is not static. Today’s state of the art technologies lose their effectiveness over time as new research and increasing processing power make innovative attacks possible. All reputable security products must be re-designed and upgraded on a regular basis. SIM cards are no different and they have evolved over time. In particular, the technology was massively re-developed for 3G and 4G networks.

Security is even higher for mobile operators who work with Gemalto to embed custom algorithms in their SIM cards. The variety and fragmentation of algorithmic technologies used by our customers increases the complexity and cost to deploy massive global surveillance systems. This is one of the reasons why we are opposed to alternative technologies which would limit operators’ ability to customize their security mechanisms. Such technology would make it much simpler to organize mass surveillance should the technology unfortunately be compromised or fail.

Gemalto would like to reiterate its commitment to providing the best security levels for civilian applications. Our security products, infrastructure and processes are designed to ensure the highest degree of security in a global, open, and commercial environment. These are regularly audited and certified by third-party private and public organizations.

Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.

In light of the recent events our main focus is our customers. Our teams have particularly appreciated the support that they have shown us in the past few days. These events inspire our people to work even closer with our customers and the industry to build even more sophisticated solutions to serve the needs of end users.

In today’s world, any organization could be subject to a cyber-attack. Therefore, it has never been more important to follow security best practices and adopt the most recent technologies. These include advanced data encryption, so that even if networks are breached, third parties cannot access any of the stolen information.

Gemalto will continue to monitor its networks and improve its processes. We do not plan to communicate further on this matter unless a significant development occurs.


Jeremy Scahill/TheIntercept:

This morning, Gemalto tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a “secure transfer system.” The company also said the spy agency hacks only affected “the outer parts of our networks – our office networks — which are in contact with the outside world.”

Security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces, and that Gemalto’s statements about its investigation contained a significant error about cellphone technology.

Christopher Soghoian, Chief Technologist at ACLU:

“Gemalto learned about this five-year-old hack by GCHQ when The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks. Their ‘investigation’ seems to have consisted of asking their security team which attacks they detected over the past few years. That isn’t much of an investigation, and it certainly won’t reveal successful nation-state attacks. Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto’s security team may want to keep looking, not just for GCHQ and NSA, but also for the Chinese, Russians and Israelis too.”

Matthew Green, Cryptography Specialist at Johns Hopkins Information Security Institute:

“This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all. No encryption mechanism stands up to key theft, which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement. I think you could make that statement against some gang of Internet hackers, but you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”

In a press conference today in Paris, Gemalto’s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” he said. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”

There has been significant commercial pressure and political attention placed on Gemalto since The Intercept’s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.

On Wednesday, Gerard Schouw, a member of the Dutch parliament, submitted formal questions about the Gemalto hack and the findings of the company’s internal investigation to the interior minister. “Will the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?” Schouw asked. “How does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?”

China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was “concerned” about the Gemalto hack. “We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” Foreign Ministry spokesman Hong Lei said. “This not only harms the interests of consumers but also undermines users’ confidence.” He did not mention that China itself engages in widespread, state-sponsored hacking.

While Gemalto is clearly trying to calm its investors and customers, the company’s statements appear intended to reassure the public about the company’s security rather than to demonstrate that it is taking the breach seriously.

Related Links:

Most Widely Used Cellphone Encryption Can Easily Be Cracked By NSA

AURORAGOLD: NSA Spying on Cellphone Companies to Exploit Networks & Introduce New Flaws

NSA/CIA “Special Collection Service” Agents Posing as Diplomats in Embassies/Consulates, 80 Locations Worldwide

UK Interception of Communications & Equipment Interference Codes of Practice

In Archive, GCHQ, Hacking, MI5, MI6, NSA Files, Surveillance, UK on February 22, 2015 at 4:31 AM



Alan Travis/Guardian (1) (2)/James Ball/Guardian:

The British government has for the first time offered an official definition of computer hacking by the security services. In a Home Office “draft equipment interference code of practice” released on Friday, the government defines it as:

Any interference (whether remotely or otherwise) by the intelligence services, or persons acting on their behalf or in their support, with equipment producing electromagnetic, acoustic and other emissions, or information derived from or related to such equipment, which is to be authorised under section 5 of the 1994 [Intelligence Services] Act, in order to do any or all of the following:

a) obtain information from the equipment in pursuit of intelligence requirements;

b) obtain information concerning the ownership, nature and use of the equipment with a view to meeting intelligence requirements;

c) locate and examine, remove, modify or substitute equipment hardware or software which is capable of yielding information of the type described in a) and b);

d) enable and facilitate surveillance activity by means of the equipment.

‘Information’ may include communications content, and communications data as defined in section 21 of the 2000 [Regulation of Investigatory Powers] Act.

Britain’s security services have acknowledged they have the worldwide capability to bypass the growing use of encryption by internet companies by attacking the computers themselves.

The Home Office release of the innocuously sounding “draft equipment interference code of practice” on Friday put into the public domain the rules and safeguards surrounding the use of computer hacking outside the UK by the security services for the first time.

The publication of the draft code follows David Cameron’s speech last month in which he pledged to break into encryption and ensure there was no “safe space” for terrorists or serious criminals which could not be monitored online by the security services with a ministerial warrant, effectively spelling out how it might be done.

Privacy campaigners said the draft guidance details the powers of intelligence services to sweep up the content of a computer or smartphone, listen to phone calls, track locations or even switch on the microphones or cameras on mobile phones. The last would allow them to record conversations near the phone or laptop and snap pictures of anyone nearby.

The code spells this out by saying the new rules give the security services the power to use hacked computers to “enable and facilitate surveillance activity”.

Eric King of Privacy International, said: “They hack their way, remove and substitute your hardware and software and enable intelligence collection by turning on your webcams and mice and shipping the data back to GCHQ at Cheltenham.”

The security minister, James Brokenshire, said the draft code, which is subject to a six-week consultation ending on 20 March, details the safeguards applied to different surveillance techniques, including “computer network exploitation” to identify, track and disrupt the most sophisticated targets.

Computer network exploitation, or mass hacking, is a technique through which computer networks are used to infiltrate target computers’ networks in order to extract and gather intelligence data.

It enables intelligence services to penetrate and collect any sensitive or confidential data which is typically kept hidden and protected from the public. It may also be used to bypass the end-to-end encryption increasingly used by the US internet companies to protect their customers’ communications in the aftermath of the Snowden disclosures of bulk internet surveillance. End-to-end encryption secures messages by ensuring that only the recipient of a message can decode it: not any of the supplying companies’ computers in between.

The publication for the first time of the legal codes of practice under the Regulation of Investigatory Powers Act 2000 surrounding “equipment interference” was timed to coincide with the landmark ruling that GCHQ had been operating a bulk intelligence sharing operation with the Americans within an unlawful framework for the past seven years.

That ruling by the investigatory powers tribunal required the internal GCHQ rules and safeguards to be made public surrounding their receipt of the bulk collection of British citizens’ personal data by the American National Security Agency.

Privacy campaigners say the powers outlined in the draft code were more intrusive than intercepting the content of phone calls or emails or scooping up communications data, because they included sweeping up files and material on the computer that had never been shared with anybody else.

The powers in the draft code at 7.11 also appear to give the security services wide-ranging powers to “self-authorize” or give “internal approval” for particular operations once they have the authorization of a secretary of state for a “broad class of operations”. This would mean that, unlike an operation to put a bug in a particular house, they would not necessarily need a specific warrant to do the same thing by hacking a computer.

A 2008 GCHQ memo from the Snowden cache, addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”, requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements.

The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software is widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Security experts regularly say that keeping software up to date and being aware of vulnerabilities is vital for businesses to protect themselves and their customers from being hacked. Failing to fix vulnerabilities leaves open the risk that other governments or criminal hackers will find the same security gaps and exploit them to damage systems or steal data, raising questions about whether GCHQ and the NSA neglected their duty to protect internet systems in their quest for more intelligence.

The Home Office also published an updated and revised code of practice surrounding the interception of communications, including details of the rules. There were also stronger safeguards surrounding the security services’ interception of the most sensitive communications, including between lawyers and their clients, doctors and patients and journalists and sources. These are generally protected by laws of confidentiality.

It is thought that these previously secret rules have been put into the public domain for the first time in anticipation of two further rulings challenging the lawfulness of security services’ activity later this year.

In the first ruling expected next month the IPT will rule on whether the intelligence services have routinely intercepted legally privileged communications in sensitive security cases without adequate safeguards. The case involves two Libyans, Abdel-Hakim Belhaj and Sami al-Saadi and their families after they were abducted in a joint MI6-CIA operation and sent back to be tortured by Colonel Muammar Gaddafi’s regime in 2004.

The second ruling follows a legal claim brought by Privacy International demanding an end to the use of computer hacking tools by GCHQ and the NSA. They claim they have used the hacking tools disclosed by the whistleblower Edward Snowden to infect potentially millions of computers and mobile devices around the world with malicious software to surreptitiously conduct a new dimension of surveillance.

UK Gov’t Concedes Policies Re: Intel Agencies Snooping on Lawyer/Client Communications Unlawful, Breached ECHR

In Archive, Belhaj, Gaddafi, GCHQ, IPT, Libya, MI5, MI6, Surveillance, UK on February 22, 2015 at 4:25 AM




The UK Government has today conceded that its policies governing the ability of intelligence agencies to spy on lawyer-client communications were unlawful, in response to a case brought by two victims of an MI6-orchestrated ‘rendition’ operation.

Abdul-hakim Belhaj and Fatima Boudchar were tortured and rendered to Libya in 2004 in a joint MI6-CIA operation. They filed a case in 2013 with the Investigatory Powers Tribunal (IPT) concerning alleged eavesdropping by UK intelligence services on their confidential communications with their lawyers.

In 2012, the Belhaj family had brought a separate, civil case against the UK Government over the part it played in their mistreatment. The IPT case centered around whether Government lawyers and officials involved in the civil case could have, through surveillance, gained access to confidential communications between the family and their lawyers, thereby giving the Government an unfair advantage.

Today, the Government has conceded that safeguards to prevent this from taking place were inadequate, and did not meet the requirements of the European Convention on Human Rights (ECHR). However, the Government has yet to say whether or not these failings of policy specifically affected the Belhaj case, which is due to see a further hearing in the IPT on 10th March.

Cori Crider, a director at Reprieve and one of Mr Belhaj & Ms Boudchar’s lawyers said: “By allowing the intelligence agencies free rein to spy on communications between lawyers and their clients, the Government has endangered the fundamental British right to a fair trial. Reprieve has been warning for months that the security services’ policies on lawyer-client snooping have been full of loopholes big enough to drive a bus through.

“For too long, the security services have been allowed to snoop on those bringing cases against them when they speak to their lawyers. In doing so, they have violated a right that is centuries old in British common law. Today they have finally admitted they have been acting unlawfully for years.

“Worryingly, it looks very much like they have collected the private lawyer-client communications of two victims of rendition and torture, and possibly misused them. While the government says there was no ‘deliberate’ collection of material, it’s abundantly clear that private material was collected and may well have been passed on to lawyers or ministers involved in the civil case brought by Abdul-hakim Belhaj and Fatima Boudchar, who were ‘rendered’ to Libya in 2004 by British intelligence.

“Only time will tell how badly their case was tainted. But right now, the Government needs urgently to investigate how things went wrong and come clean about what it is doing to repair the damage.”

Alan Travis/Owen Bowcott/Guardian:

Government sources, in line with all such cases, refuse to confirm or deny whether the two Libyans were the subject of an interception operation. They insist the concession does not concern the allegation that actual interception took place and say it will be for the investigatory powers tribunal hearing to determine the issue.

An updated draft interception code of practice spelling out the rules for the first time was quietly published at the same time as the Investigatory Powers Tribunal ruling against GCHQ earlier this month in the case brought by Privacy International and Liberty.

The government spokesman said the draft code set out enhanced safeguards and provided more detail than previously on the protections that had to be applied in the security agencies handling of legally privileged communications.

The draft code makes clear that warrants for snooping on legally privileged conversations, emails and other communications between suspects and their lawyers can be granted if there are exceptional and compelling circumstances. They have to however ensure that they are not available to lawyers or policy officials who are conducting legal cases against those suspects.

Exchanges between lawyers and their clients enjoy a special protected status under UK law. Following exposure of widespread monitoring by the US whistleblower Edward Snowden in 2013, Belhaj’s lawyers feared that their exchanges with their clients could have been compromised by GCHQ’s interception of phone conversations and emails.

To demonstrate that its policies satisfy legal safeguards, MI6 were required in advance of Wednesday’s concession to disclose internal guidance on how intelligence staff should deal with material protected by legal professional privilege.

The MI6 papers noted: “Undertaking interception in such circumstances would be extremely rare and would require strong justification and robust safeguards. It is essential that such intercepted material is not acquired or used for the purpose of conferring an unfair or improper advantage on SIS or HMG [Her Majesty’s government] in any such litigation, legal proceedings or criminal investigation.”

The internal documents also refer to a visit by the interception commissioner, Sir Anthony May, last summer to examine interception warrants, where it was discovered that regulations were not being observed. “In relation to one of the warrants,” the document explained, “the commissioner identified a number of concerns with regard to the handling of [legal professional privilege] material”.

Amnesty UK’s legal programme director, Rachel Logan, said: “We are talking about nothing less than the violation of a fundamental principle of the rule of law – that communications between a lawyer and their client must be confidential.

“The government has been caught red-handed. The security agencies have been illegally intercepting privileged material and are continuing to do so – this could mean they’ve been spying on the very people challenging them in court.

“This is the second time in as many weeks that government spies have been rumbled breaking the law.”

IPT Rules NSA/GCHQ Intel Sharing Illegal Prior to December 2014, Legal Now Since It’s Not Secret Anymore … Huh?

In Archive, GCHQ, IPT, NSA, Surveillance on February 22, 2015 at 4:16 AM




British intelligence services acted unlawfully in accessing millions of people’s personal communications collected by the NSA, the Investigatory Powers Tribunal ruled today. The decision marks the first time that the Tribunal, the only UK court empowered to oversee GCHQ, MI5 and MI6, has ever ruled against the intelligence and security services in its 15 year history.

The Tribunal declared that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programs were secret.

Related: Leaked Memos Reveal GCHQ Efforts to Keep Mass Surveillance Secret

It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by NSA whistleblower Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.

The claimants in the case are Privacy International, Bytes for All, Liberty, and Amnesty International.

In a previous December 2014 ruling, the IPT held that GCHQ’s access to NSA data was lawful from that time onward because certain parts of the secret policies governing the US-UK intelligence relationship were made public during Privacy International’s case against the security services. Yet that belated disclosure could not remedy the lack of transparency regarding the UK-US sharing prior to December 2014, meaning that all UK access to NSA intelligence material was unlawful before the Court’s judgement.

In light of today’s ruling, Privacy International and Bytes for All will now ask the court to confirm whether their communications were unlawfully collected prior to December 2014 and, if so, demand their immediate deletion.

Related: Unmasked: GCHQ Allows NSA to Collect Phone/Internet/Email Records of Innocent UK Citizens

While we welcome today’s decision, Privacy International and Bytes for All disagree with the tribunal’s earlier conclusion that the forced disclosure of a limited subset of rules governing intelligence-sharing and mass surveillance is sufficient to make GCHQ’s activities lawful as of December 2014. Both organizations will shortly lodge an application with the European Court of Human Rights challenging the tribunal’s December 2014 decision.

While that appeal is pending, GCHQ will retain unfettered access to this material intercepted by the NSA. The two agencies by default share intelligence gleaned from PRISM and UPSTREAM, sometimes with few or no safeguards.

Related: GCHQ Wish List: “Unsupervised Access” to NSA’s PRISM/Upstream Data

Secret policies divulged during Privacy International’s case revealed that British intelligence services can request or receive access to bulk data from foreign agencies like the NSA without a warrant whenever it would “not be technically feasible” for the government to obtain it themselves.

Related: Secret Five Eyes Doc Shows Intelligence Partners Discussing What Info They Can Pool About Citizens, Australia Most Willing to Share

PRISM and UPSTREAM, which have been in existence for nearly a decade, were made public in June 2013 by NSA whistleblower Edward Snowden. Through PRISM, the NSA has gained access to the data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. With UPSTREAM, the NSA intercepts bulk data via fibre optic cables that carry the world’s communications. The scope of this surveillance is unprecedented. For instance, the top five programs within UPSTREAM created 160 billion interception records in one month. In one day, the NSA was able to collect 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers. Other programs part of UPSTREAM to which GCHQ has had access include CO-TRAVELER, which collects five billion locational records a day, and DISHFIRE which harvests 194 million text messages daily.


Trevor Timm/Guardian:

Now that some of the secrecy surrounding the spying program has finally been declared illegal, this should have huge implications for both the British government and many members of the British media, who purposefully ignored the clearly illegal GCHQ mass surveillance program for so long (though the chances of either admitting they were wrong even in the face of this ruling are slim).

The complicit British media (with only a few exceptions) refused to cover the GCHQ story at all unless they were called in to act as public relations agencies for the government by printing fear-mongering stories claiming that anyone reporting on the issue of privacy was just helping terrorists and pedophiles.

Snowden once rightly called the UK media’s coverage of the GCHQ story “a disservice to the public.” Those papers that failed to cover their own government’s illegal surveillance program should be particularly embarrassed today, given that they were not only complicit in keeping much of GCHQ’s activities secret, but also assisted GCHQ in maintaining its illegality.

The UK government’s own staggering chutzpah was on full display in Downing Street’s bizarrely positive reaction to the ruling: in one breath, they claimed GCHQ doesn’t engage in “mass surveillance”; in another, they bragged about how their “bulk interception” program is perfectly lawful now that their previously secret rules are public. (Good luck sorting out the difference.)

But Carly Nyst of Privacy International explained why this is a landmark ruling:

“Not once have the spooks been taken to task for overstepping the lawful boundaries of their conduct. Not a single British spy has been held accountable for mass surveillance, unlawful spying or snooping on private emails and phone calls. Until now.”

While much of the outcry over the Snowden stories around the world has focused on the NSA, GCHQ has often been much more flagrant in its violations of privacy rights of the world’s citizens. Indeed, Snowden has repeatedly mentioned – including the first time he met with journalists in Hong Kong – that GCHQ’s activities are much worse than the NSA. Reporting since that meeting has revealed GCHQ’s “full intake” tapping of Internet cables, its mass interception of journalists’ emails, its aggressive hacking of non-terrorist groups that are not a threat to the government, and many other disturbing revelations.

Say what you want about the NSA’s misleading statements and obfuscation with the American press (and there’s a lot to say), but the American spy agency has been forced to repeatedly and publicly respond to allegations about its conduct both in Congress and to the press.

GCHQ, in contrast, has arrogantly refused to even address the most outrageous allegations, sticking to the exact same script every single story: “All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate …”

Well, turns out their framework wasn’t legal – or, at least, it wasn’t until the Snowden documents forced GCHQ to release more information after being dragged into court, thereby creating one. The decision Friday was just the first of potentially dozens of cases that will come before the court, all of which were brought by privacy interest groups, and many of which will hopefully force the court to address the illegality of the actual mass spying conducted by GCHQ on a regular basis.

This case also calls for a re-examination of the British government’s deplorable actions against those who have merely reported on the Snowden stories. They’ve forced the Guardian to destroy a hard drive full of Snowden documents, outrageously detained Glenn Greenwald’s partner David Miranda under the Terrorism Act and threatened Guardian reporters with prosecution for doing their jobs. Until now, the UK government has used vague excuses related to “terrorism” for their authoritarian actions – but now their motives should now be clear to all: they were trying to cover up an illegal program.

It remains to be seen how the court will react, if at all, to future cases. But this should be a warning for both the UK government and the media: the law and even the most obsequious of courts are not on your side. Your citizens aren’t either.

LOVELY HORSE: GCHQ Program Monitored Hacker/InfoSec Community on Social Media

In Anonymous, Archive, GCHQ, Hacking, InfoSec, NSA Files, Surveillance on February 16, 2015 at 1:54 AM



Glenn Greenwald/TheIntercept:

GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge, according to top secret documents leaked by Edward Snowden. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” notes one document.

GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:


These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses.

The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker.

Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq”.

GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).

The GCHQ document states that they “currently have a list of around 60 blog and Twitter sources” that were identified by analysts for collection. A prototype of the LOVELY HORSE program ensured that “Twitter and (and subject to legal/security approval) blog content [was] manually scraped and uploaded to GCDesk.” A later version would upload content in real time.

Several of the accounts to be mined for expertise are associated with the hactivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using.

A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter monitoring undertaken for “real-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.” The agency planned to expand its monitoring and aggregation program to a wide range of web locations, including IRC chat rooms and Pastebin, where “an increasing number of tip-offs are coming from . . . as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.”
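The two documents quoted above describe LOVELY HORSE only at the level of architecture: a curated list of roughly 60 professional and group sources, content scraped from them and uploaded to an index, and real-time alerting on new security issues or planned group activity. The block below is an added illustration of that pipeline shape, written for this page; it is not code from the GCHQ documents, from The Intercept, or from any real monitoring product. The handles, posts, keyword lists and alert categories are all constructed for the example, and the CVE in the sample post is only there to exercise the identifier pattern.

```python
"""
Added example (not from the leaked documents): a minimal open-source
monitoring pass with the shape described for LOVELY HORSE.

 - only allow-listed sources are considered (the "list of around 60
   blog and Twitter sources" idea),
 - re-delivered posts are de-duplicated so an alert fires once,
 - posts from known professionals raise "security_issue" alerts on CVE
   identifiers or disclosure keywords,
 - posts from tracked groups raise "group_activity" alerts on planning
   keywords.

Every handle, post and keyword below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Matches CVE identifiers such as CVE-2014-0160 (4+ digit sequence numbers).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed keyword lists; real analysts would tune these per source.
ISSUE_KEYWORDS = ("0day", "exploit", "rce", "unauthenticated", "patch now")
ACTIVITY_KEYWORDS = ("operation", "ddos", "target", "tonight", "dump")


@dataclass(frozen=True)
class Post:
    source: str   # handle of the feed the post came from
    post_id: str  # identifier unique within that feed
    text: str


@dataclass(frozen=True)
class Alert:
    kind: str     # "security_issue" or "group_activity"
    source: str
    post_id: str
    detail: str   # comma-joined list of what triggered the alert


def _hits(text: str, keywords: Sequence[str]) -> List[str]:
    """Return keywords present as whole words/phrases (so 'rce' does not
    fire on 'source'); order follows the keyword list for stable output."""
    return [
        k for k in keywords
        if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", text, re.IGNORECASE)
    ]


class FeedMonitor:
    def __init__(self, professionals: Iterable[str], groups: Iterable[str]):
        self.professionals = set(professionals)
        self.groups = set(groups)
        self.seen: set = set()  # (source, post_id) pairs already processed

    def ingest(self, posts: Iterable[Post]) -> List[Alert]:
        alerts: List[Alert] = []
        for p in posts:
            key: Tuple[str, str] = (p.source, p.post_id)
            if key in self.seen:
                continue            # duplicate delivery, already alerted on
            self.seen.add(key)
            if p.source not in self.professionals and p.source not in self.groups:
                continue            # not an allow-listed source
            alerts.extend(self._classify(p))
        return alerts

    def _classify(self, p: Post) -> List[Alert]:
        out: List[Alert] = []
        if p.source in self.professionals:
            cves = sorted({m.upper() for m in CVE_RE.findall(p.text)})
            hits = _hits(p.text, ISSUE_KEYWORDS)
            if cves or hits:
                out.append(Alert("security_issue", p.source, p.post_id,
                                 ", ".join(cves + hits)))
        if p.source in self.groups:
            hits = _hits(p.text, ACTIVITY_KEYWORDS)
            if hits:
                out.append(Alert("group_activity", p.source, p.post_id,
                                 ", ".join(hits)))
        return out


# Constructed sample feed: one real-looking disclosure, its duplicate
# delivery, a non-security post, a group planning post, and a post from a
# source that is not on the allow list.
SAMPLE_POSTS = [
    Post("researcher_a", "1", "Writeup for CVE-2014-0160 is up, patch now"),
    Post("researcher_a", "1", "Writeup for CVE-2014-0160 is up, patch now"),
    Post("researcher_a", "2", "Long flight today, back online tomorrow"),
    Post("group_x", "7", "Operation starts tonight: DDoS on the target list"),
    Post("random_user", "9", "0day exploit for sale, DM me"),
]


def run_sample() -> List[Alert]:
    monitor = FeedMonitor(professionals=["researcher_a"], groups=["group_x"])
    return monitor.ingest(SAMPLE_POSTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.kind}] {a.source}/{a.post_id}: {a.detail}")
```

The allow list does the real work here: the same "0day exploit" text from an unlisted handle produces nothing, which is the difference between a curated-source monitor and generic keyword scraping. De-duplication keys on the source's own post identifier rather than the text, so an edited repost still alerts.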

