I’ve always had my suspicions that the New York Times is actually a branch office of the NSA; but now we know.
This is an NSA slide leaked by Edward Snowden. It shows how the NSA joins up the dots between known terrorists and possible terrorists.
But it’s the bit at the bottom left that gives the game away…
To find the criminal, you must follow the money. To find the collaborator, you should follow the favours.
Now, if this principle holds true, we’ve got a good game to play – finding which security firms collaborate with government agencies by looking at which companies ingratiate themselves most, and which companies receive the most government favours.
Remember, this is a game. The rules are similar to those used by law enforcement agencies in their own game called Find the Terrorist: one red flag if the suspect denounces the invasion of a foreign land; two red flags if he or she accuses the government of lying or expresses sympathy with Anonymous; three red flags if a Moslem country is visited and so on. Six red flags and you’ve found a terrorist.
In our game, the following are worth one red flag:
- production of absurd statistics that support government policy (such as the cybercrime cost figures generated by McAfee and BAE Systems Detica)
- continuing success against all natural market forces (such as Microsoft Office, when there are better free products such as Open Office and Google Docs)
- purchase of key personal data companies that are outside of core business (such as EMC buying RSA, and Microsoft buying Skype)
- existing accusations of collaboration (such as BT over Tempora, and backdoors in Windows)
- directly accusing foreign governments of involvement in specific cybercrimes when in reality there can be no objective proof (such as Mandiant’s famous accusations against Comment Crew, and various firms’ terminology that implies that ‘hackers in China’ really means ‘Chinese government hackers’).
The following are worth two red flags:
- preferential treatment that does not make economic sense (such as government insistence that costly products – eg MS Office – are used in government departments, schools and examinations – in preference to free products like Open Office)
- sudden increase in direct government-inspired attacks against the major competition (such as those against Google – so who is Google’s primary competition? Note, this doesn’t mean that Google is innocent.)
The following are worth three red flags:
- direct government ‘approval’ (such as the elevation of Mandiant, Detica, Cassidian, and Context to CESG’s Cyber Response Scheme)
- active support for proposals that will make government surveillance more simple, such as support for the Communications Bill in the UK, or the Trusted Computing Platform anywhere.
There aren’t any…
…because you can’t lose. All security firms collaborate with government to one degree or another. If they don’t do it willingly, they do so under coercion; and if they don’t do it yet, it’s because they haven’t been told to, yet. But they do or will do it. The only way for a company to avoid collaborating with government is to shut down – like Lavabit.
Am I a terrorist?
The following information is intended to list characteristics of persons that may be involved in terrorist activity that are described as “sleepers” or otherwise persons who camouflage their involvement in terrorist activity or planning by attempting to fit in with others in our society.
It then provides five ‘attitude indicators’:
- Support for militant Islamic groups
- Excusing violence against Americans on the grounds that American actions provoked the problem
- Fury at the West for reasons ranging from personal problems to global policies of the U.S.
- Conspiracy theories about Westerners (e.g. the CIA arranged for 9/11 to legitimize the invasion of foreign lands)
- Accusing the West of trying to destroy Islam
Let’s look at these.
1. Support for militant Islamic groups
No, I support no militant groups; but that includes large sections of the UK and US governments and their intelligence and law enforcement agencies whom I classify as militant groups (incidentally, I’m seriously not sure whether the governments run the agencies or the agencies run the governments).
2. Excusing violence against Americans…
No, I do not excuse violence against Americans
…on the grounds that American actions provoked the problem
But, yes, I do believe that US global policies (particularly globalization, control of oil, and support for western banks, defence industries and drug companies) are the ultimate cause of many of the world’s problems.
3. Fury at the West…
Fury, no; but anger, yes.
4. Conspiracy theories about Westerners…
I absolutely believe that the west has engaged in false flag operations to legitimize many things, including the invasion of foreign lands and the restriction of personal freedoms.
5. Accusing the West of trying to destroy Islam
The west is not trying to destroy Islam — the west needs Islam as a fear figure to justify bigger budgets, stronger laws, higher taxes, and, yes, the invasion of foreign lands. Rather than destroy Islam, the west needs to maintain it; but as the bogey man.
On the basis of this document, it seems clear that I am potentially if not actually a sleeper terrorist. This, says the document, “may indicate suspicious activity that warrants law enforcement scrutiny.” My neighbours should, therefore, “notify law enforcement authorities.”
I’m so glad I live in the free world.
Is the anti-virus industry in bed with the NSA – why do CIPAV, FinFisher and DaVinci still defeat AV?
September 2013 is the month in which the extent of direct government hacking – as opposed to traffic surveillance – became known.
4 September – WikiLeaks releases Spy Files 3, demonstrating increasing use of third-party hacking tools, such as FinFisher.
6 September – Bruce Schneier writes in the Guardian
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
7 September – details of an NSA MITM operation against Google users in Brazil revealed.
12 September – FBI admits that it hacked Freedom Hosting. The implication is that the FBI inserted the malware that monitored visitors, and it is almost certain that the malware was CIPAV.
FinFisher and CIPAV stand out as government operated spyware; but there are others: RCS (DaVinci), Bundestrojaner etcetera – and, of course, Stuxnet and Flame. We’ve known about them for a long time: see
- CIPAV: FBI, CIPAV spyware, and the anti-virus companies (this site, May 2011)
- RCS: Hacking Team’s RCS: hype or horror; fear or FUD? (this site, Nov 2011)
- FinFisher: Use of FinFisher spy kit in Bahrain exposed (Infosecurity Mag, August 2012)
- Bundestrojaner: Chaos Computer Club warns on “German government” communications trojan (Infosecurity Mag, Oct 2011)
This leaves a major question begging: if we’ve known about this malware for such a long time, how come it can still be used? Why doesn’t anti-malware software stop it?
There are two possible reasons that we’ll explore:
- the AV industry, like so many others, is in bed with the NSA
- the AV industry is not as good as the ‘stops 100% of known malware’ claims that it makes – or, put another way, virus writers are generally one step ahead of the AV industry
In bed with the NSA
This has been vehemently denied by every AV company I have spoken to (see the articles on CIPAV and RCS for examples). Bruce Schneier doesn’t believe it is:
I actually believe that AV is less likely to be compromised, because there are different companies in mutually antagonistic countries competing with each other in the marketplace. While the U.S. might be able to convince Symantec to ignore its secret malware, they wouldn’t be able to convince the Russian company Kaspersky to do the same. And likewise, Kaspersky might be convinced to ignore Russian malware but Symantec would not. These differences are likely to show up in product comparisons, which gives both companies an incentive to be honest. But I don’t know.
Explaining the latest NSA revelations – Q&A with internet privacy experts
And yet the possibility lingers. When Flame was ‘discovered’, Mikko Hypponen issued a mea culpa for the industry. Admitting that F-Secure had Flame samples on record for two years, he said,
Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild…
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
Forget the ‘hand on heart’ for a moment, and consider: those are the two major government-sponsored malware samples, known about and ignored by multiple AV companies for several years. Coincidence? Maybe. But to echo Schneier’s last sentence, I don’t know.
Malware writers are one step ahead of the AV industry
If you listen to the AV marketers, this cannot be true. Every month we hear claims that AV products stop 99.9% to 100% of all known viruses (remember that they ‘knew’ about Stuxnet and Flame, but did nothing). I’ve written on my dismay at this sort of advertising elsewhere (for example, Anti Malware Testing Standards Organization: a dissenting view).
However, if you listen to the foot soldier researchers – and sometimes even higher – within the individual companies, you realise that it is absolutely, inherently, and unavoidably true. Luis Corrons, the technical director at PandaLabs, puts it like this:
The effectiveness of any malware sample is directly proportional to the resources spent. When we talk about targeted attacks (and [CIPAV and FinFisher] are developed to perform targeted attacks) the most important part is the ability to be undetected. Bypassing signature detection is trivial, although it is almost useless too, as most anti-malware programs have several different layers of protection which do not rely on signatures.
The attackers probably know which security solution(s) the potential victim is using. Then it is as ‘simple’ as replicating the same scenario (operating system, security solution, etc.) and verifying that the malware is not being detected. As soon as it is flagged they will change it to avoid detection, until they have the final version.
Once they are done, they will infect the victim and will be spying / stealing information out of him until they are detected. This could be a matter of days, months or even years.
Claudio Guarnieri of Rapid7 said very similar:
Since FinFisher, just as any other commercial spyware, is a very targeted and sophisticated (besides expensive) malware, it’s part of Gamma’s development lifecycle to make sure that they tweaked all the different components to avoid antiviruses before shipping the new FinFisher out to the customers.
The developers likely have their own internal systems to do these testings: think of something as a private VirusTotal. Every time they develop a new feature or a new release, they’ll test it against as many antiviruses as possible and if something gets detected, they debug and try to understand why and find a way around it.
The ‘problem’ with this approach is that they rely on the AV industry not knowing and not having access to their malware: whenever that happens AV vendors react pretty effectively and in fact if you look at FinFisher samples discovered 1 year ago they are now largely detected by most antivirus products.
Is the AV industry in bed with the NSA? The simple fact is that we just do not know. The industry itself denies it – but, well, it would, wouldn’t it? Statistically, since almost every other aspect of the security industry collaborates with or has been subverted by the NSA, my suspicion is that it is. At the very least, I suspect it engages in ‘tacit connivance’.
Are malware developers one step ahead of the AV industry? That depends. As Corrons says, it depends on the resources available to the bad guys, whether that’s NSA, FBI, GCHQ or the Russian Business Network. Well-resourced bad guys will always get in. As Schneier puts it, “if the NSA wants in to your computer, it’s in. Period.” But that probably applies to all governments and all seriously organized criminal gangs engaged in targeted hacking.
But one final comment: nothing said here should be taken to suggest that we don’t need the AV industry. It may not be able to stop the NSA, but it can and does stop a million script kiddie wannabe hackers every day.
Even if you can’t get off the pot, at least you can decide which side of the fence you wish to pee. Bruce Schneier, precariously positioned as the CTO of one of the ISPs known to have helped GCHQ tap the world’s fibre cables, and simultaneously a director of the EFF, has decided on the direction of his stream of anger.
I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better.
(Actually, the UK would be far worse if GCHQ had half the money that the NSA commands.)
But what to do? Schneier offers three suggestions: expose, design and influence governance.
Expose means to subject bad things to the disinfectant of sunlight. We need whistleblowers, says Schneier.
I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.
Design is to redesign the internet and its software and hardware components in a manner that is resistant to government subversion.
In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
And governance requires influencing the future governance of the internet.
We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
But he accepts that it won’t be easy or overnight.
Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?
What we need now is for all the internet and security luminaries of the world to come out and stand with Schneier, and to say to government in a voice that cannot be ignored: Enough. You don’t get security by spying on everyone. And you don’t have secret projects hidden from your own people. You are our servants. You are not our masters.
Readers will know I believe there is a conspiracy involving the security industry, intelligence agencies/law enforcement and governments. The purpose is to over-hype the security threat so that the industry can sell more product, intelligence and law enforcement can get bigger budgets and government can pass an increasing amount of more controlling legislation.
Now this doesn’t mean that there is no security threat nor that every person working for the security industry is involved in the conspiracy. But therein lies the problem: how do you navigate your way through all the hype that comes from
- a security industry that needs to sell product
- a security industry that seeks to ingratiate itself with government via clearly bloated threat estimates in order to land lucrative government contracts
- a marketing industry skilled in turning an incident into a crisis
- intelligence agencies/law enforcement seeking to justify increasingly out of control budgets
- governments wishing to control the electorate via 1984-style legislation
in order to find what you actually need to stop the genuine threats that really do exist.
Wisegate can help. It’s an independent organization of senior IT managers from across the whole spectrum of industry – and it regularly publishes reports drawn from its own internal roundtables and discussion groups. One recent report covers just this topic: CISOs Share Top 10 Tips for Managing Vendors.
Quite simply, this report is packed with ideas for getting past the hype to find the right product from the right vendor; and it then explains how to maintain the best possible relationship with that vendor going forwards.
For a taster, my favourite tip actually suggests asking the wrong question to get the right answer. One of the CISO members of Wisegate (this one from a large industrial manufacturing company) uses ‘disruptive questioning’ – he doesn’t just ask, ‘What are your strengths?’; he more specifically says, “When are you not good? What do you do worse than your competitor?”
How the vendor answers these questions will tell you a lot about that vendor, his attitudes, and whether you will be able to work with him in the future.
For the full ten tips, see the Wisegate report, CISOs Share Top 10 Tips for Managing Vendors.
But I particularly like this one – which could be a rule for life in general: “Demand what you pay for, and say thank you when you get it.”