I had just begun to think that Apple had usurped the title of Evil Empire from Microsoft when I heard about Microsoft’s patent application for a system designed “to regulate the presentation of content.” Just another digital rights management system you might think. Well, not quite.
Filed a year ago but only just now coming to media attention, this is spyware of a new magnitude. While you watch the screen, the screen watches you. And in some detail. It counts how many viewers are present. If there are more viewers than are licensed to view, it takes ‘remedial action’. What this is remains to be seen. It could simply prevent any further showing of the content – although it could equally report the matter to the content police. It could pop up a message on the screen. “Will two of you please leave the room. Close the door behind you – and don’t slam it!”
It also estimates the age of the viewers. Youngsters can be prevented from viewing adult material. Presumably, Muslims could be prevented from watching the Innocence of Muslims (or anything similar); and the Amish from watching anything (although the beards could lead to confusion between the two).
Should we worry? Yes, that any company could even dream that such a thing is acceptable is a deep concern. Expect it in a few years’ time, because Hollywood will love it, and governments love Hollywood’s cash-strewn lobbying.
Years ago, when broadband first arrived, security experts warned of the dangers inherent in ‘always on’. That danger has increased exponentially with the rise of smartphones and their always-on sensors and cameras. Now a new proof of concept demonstrates the potential of 3D mobile spyware.
‘Proofs of concept’ (POCs) are developed by researchers to demonstrate what could be done in the future, in order to aid legitimate new development and to help anti-malware vendors produce defenses against less legitimate developments. What a new paper from researchers at the US Naval Surface Warfare Center in Crane, Indiana, and scientists from the University of Indiana demonstrates is spyware science fiction come true: a 3D visual map of the victim’s environment.
“We introduce,” say the researchers, “a proof-of-concept Trojan called ‘PlaceRaider’ to demonstrate the invasive potential of visual malware beyond simple photo or video uploads.” The paper describes an Android app (but suggests the concept will work equally well on iOS and Windows Phone), which it calls PlaceRaider, and “which we assume is embedded within a Trojan Horse application (such as one of the many enhanced camera applications already available on mobile app market places).” This app can then secretly and silently take photographs via the Android phone, and send them back to a C&C server for 3D processing.
PlaceRaider does three things. It collects orientation data from the Android’s sensors (“related to the accelerometers, gyroscopes, or magnetometers that a phone possesses”) in order to easily relate different photographs. It then surreptitiously takes photographs – in this case, one every 2 seconds. To remain unnoticed, it uses low resolution (so as not to use too much of the phone’s power), and temporarily mutes the shutter sound while the photo is taken. Finally, it uses a special algorithm to judge the quality of the photographs, discarding poor ones and transmitting the good ones.
Back at the main server, the received photos are compiled and used to construct a 3D map of the target’s location. Subsequent tests with volunteers showed that recognition of ‘points of interest’ is much higher from the 3D map than from static photos. However, since the original photos are of low resolution, further capabilities allow the attacker to use the orientation data to instruct the phone to take and transmit a high-resolution photo on demand – perhaps an open cheque book, or exposed documents.
The attraction of such spyware for both intelligence agencies and criminals is obvious – but the report also shows that there are easy defenses that the OS and hardware manufacturers could implement: making it impossible to mute the shutter sound, introducing permissions for collecting data from the sensors, and ensuring that photos can only be taken by physical interaction with the user. Furthermore, “There is no logical motivation for users to intentionally take poor-quality photos that have any combination of improper focus, motion blur, improper exposure, or unusual orientations/twist” – making heuristic detection of PlaceRaider by the anti-malware vendors a distinct probability.
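To make the heuristic-detection point concrete, here is an added, constructed illustration (not code from the paper or its authors) of how a camera-permission monitor on the phone could score a window of capture events: it assumes a hypothetical `Capture` record carrying a blur score, exposure flag, orientation tilt, and whether a physical shutter press preceded the shot, and it looks for exactly the traits described above: clockwork cadence, no user interaction, muted shutter, low resolution, and a majority of frames no human would deliberately keep.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Capture:
    t: float             # seconds since the app started
    width: int
    height: int
    blur: float          # 0.0 = sharp .. 1.0 = unusable (hypothetical blur score)
    exposure_ok: bool
    tilt_deg: float      # device roll from orientation sensors at capture time
    user_triggered: bool # a shutter tap / volume press preceded the capture
    shutter_muted: bool

def poor_quality(c: Capture) -> bool:
    # The paper's observation: users do not keep blurred, badly exposed or oddly oriented shots.
    return c.blur > 0.5 or not c.exposure_ok or abs(c.tilt_deg) > 45

def suspicion_score(captures, min_frames=5):
    """Return (score in [0,1], reasons) for a window of capture events."""
    if len(captures) < min_frames:
        return 0.0, []
    reasons = []
    gaps = [b.t - a.t for a, b in zip(captures, captures[1:])]
    if pstdev(gaps) < 0.25 and mean(gaps) < 5:          # clockwork cadence
        reasons.append("fixed-interval burst")
    if not any(c.user_triggered for c in captures):      # no physical interaction
        reasons.append("no user-triggered captures")
    if all(c.shutter_muted for c in captures):           # silenced shutter
        reasons.append("shutter muted for every frame")
    poor = sum(poor_quality(c) for c in captures) / len(captures)
    if poor >= 0.5:                                      # mostly junk frames
        reasons.append(f"{poor:.0%} poor-quality frames")
    if all(c.width * c.height <= 640 * 480 for c in captures):  # power-saving resolution
        reasons.append("consistently low resolution")
    return len(reasons) / 5, reasons

# Constructed sample telemetry, not data from the paper: a silent 2-second burst...
SUSPICIOUS = [Capture(2.0 * i, 320, 240, b, e, tilt, False, True)
              for i, (b, e, tilt) in enumerate([(0.8, True, 70), (0.2, False, 10),
                  (0.9, True, 5), (0.1, True, 3), (0.6, True, -50), (0.3, False, 88),
                  (0.1, True, 2), (0.7, True, 20)])]
# ...versus five deliberate, sharp, full-resolution photos taken at irregular times.
BENIGN = [Capture(t, 1920, 1080, 0.1, True, 2.0, True, False)
          for t in (0.0, 7.3, 31.0, 45.2, 120.9)]

if __name__ == "__main__":
    for name, window in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, *suspicion_score(window))
```

The thresholds are illustrative; a real monitor would tune them against the device's own photo history rather than hard-code them.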
Hat tip to Daniel Gyenesse for pointing me to the story
My news stories today:
Flaming Hack: What does ‘Flame’ mean for the rest of us?
We’ve all heard about Flame, the ‘mother of all cyberweapons’, the attack tool that takes cyberwarfare to a new level. But what does it actually mean for the rest of us?
30 May 2012
Neelie Kroes Promises champagne connection – for the wealthy
Neelie Kroes, European Commissioner for the Digital Agenda, has promised a champagne connection for those who can afford it.
30 May 2012
Assange’s appeal fails: extradition lawful – everything left to play for
By a majority of 5 to 2 (Lord Mance and Lady Hale dissented) the UK supreme court has this morning ruled that Julian Assange’s extradition to Sweden is lawful, “and his appeal against extradition is accordingly dismissed.” Assange was not present in court.
30 May 2012
Is this really the sort of world we want? Amac Keylogger for Mac OS X is sold on the basis of providing four solutions “by applying a smart and stealthy approach”:
- Parental control
- Catch a cheating spouse
- Employee monitoring
- Get back a lost/stolen Macbook
Let’s look at these.
Parental control. Like spying on your kids is a great way to build or maintain a fantastic relationship! But what really happens here? You catch them doing something wrong. If you ignore it, then what’s the point? If you respond, then they know you’re spying on them – and ten to one they’re more cyber-savvy than you. They’ll find a way round, and learn to hate you at the same time.
Cheating spouse. This can only be useful if you’re trying to defend your wealth at a time of divorce. But if that’s the case, and you have wealth to defend, keep your hands clean and employ a detective agency. But be sure of one thing: no relationship was ever saved by spying. A bad one may be confirmed, or a good one destroyed – nothing else.
Employee monitoring. Be very careful about the legality of this. You need to make it very clear to your staff that you monitor them. What they can and cannot do must be specified very clearly in an AUP. But do you really think you can keep good staff by spying on them? Would you, for example, accept a job knowing that your employer is monitoring every keystroke you make?
Retrieving a lost or stolen Macbook. Not if I don’t connect to the internet, or find some other way to remove the software…
So all in all – don’t go there. Distrust breeds distrust – let’s try to be honest in all of our dealings. Honesty is not merely the best policy, ultimately it is the only thing that works.
We’ve known it’s been around for a long time, but now the Electronic Frontier Foundation (EFF) has released new information on the FBI’s spyware. Gathered in response to a Freedom of Information Act request, EFF explains that the spyware (Computer and Internet Protocol Address Verifier – CIPAV) gathers the following information from the target’s computer:
- IP Address
- Media Access Control (MAC) address
- “Browser environment variables”
- Open communication ports
- List of the programs running
- Operating system type, version, and serial number
- Browser type and version
- Language encoding
- The URL that the target computer was previously connected to
- Registered computer name
- Registered company name
- Currently logged in user name
- Other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”
EFF goes on to explain:
It’s not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace’s internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user’s browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency’s Crypto Unit only needs 24-48 hours to prepare deployment. And once the tool is deployed, “it stay[s] persistent on the compromised computer and . . . every time the computer connects to the Internet, [FBI] will capture the information associated with the PRTT [Pen Register/Trap & Trace Order].”
New FBI Documents Provide Details on Government’s Surveillance Spyware
There are almost certainly legal issues here. There are most definitely moral issues. But there are also other issues. The first is this: what is the AV industry’s attitude towards what David Harley, senior research fellow at ESET and a director of the Anti-Malware Testing Standards Organization, describes as ‘policeware’? Luis Corrons, technical director at PandaLabs, doesn’t hesitate: “Panda Security endeavours to detect any kind of malicious application which attempts to corrupt or intercept legitimate client communication. Malware is malware no matter who creates it and our customers pay to have the best protection against any malicious software created.”
Sophos’ Graham Cluley is equally forthright: “Sophos’s position [is] that we detect any malware that comes to our attention, regardless of who might have written it.”
ESET is the same: “I don’t know if we detect it but our attitude is clear: we detect everything that might be dangerous or potentially unsafe/unwanted. We can’t make exceptions because of a specific origin of some spyware/malware, it would compromise security and consistency of our product. Period.”
And finally, David Emm, senior security researcher at Kaspersky Lab, comments “In general, I can say that Kaspersky Lab is focused on providing the best possible protection for its customers, without distinguishing the source of the malware. And in practice, we would be unable to distinguish between programs authored by criminals and those authored by government or law enforcement agencies: it is likely that in both cases a sample would be sent to us by one of the victims and we would add detection automatically.”
Almost universally, then, we can say that the anti-virus industry makes no distinction between crimeware and policeware: both are automatically remedied if detected.
But equally universally the AV industry claims to not know whether they detect this spyware or not. Graham Cluley again: “How would we know if we detect it or not? To determine if we detected it or not, we’d have to have a confirmed sample of CIPAV. As it’s highly unlikely that the FBI has put a copyright message inside their spyware and it’s unlikely to announce that it’s ‘CIPAV’, it’s impossible for us to confirm if we have a sample of it in our malware collection or not.”
Well, I’m not so sure. Much of AV detection is now behaviour-based. A file is bad if it tries to do bad things – like spyware phoning home. If a bad file is detected, it is analysed. Where, for example, is the home that is being phoned? I would be surprised if the sort of analysis undertaken by AV researchers would not turn up some indication of an FBI source. But I may be wrong.
So what are the options here? Does the AV industry detect and remove CIPAV without knowing that it’s CIPAV? In which case, why does the FBI persist with it, and why do other agencies and even other countries, express interest in it (EFF: “Other agencies, and even other countries have shown interest in the tool, indicating its effectiveness. Emails from 2006 discuss interest from the Air Force, the Naval Criminal Investigative Service and the Joint Task Force-Global Network Operations, while another email from 2007 discusses interest from the German government.”)?
Or does the AV industry simply fail to detect it? In which case, does this imply that the industry is no match for the FBI? That’d be worrying.
Or finally, is the AV industry under strict instructions, in the overstretched name of national security, to leave well alone; but deny any such instruction? David Harley is fairly convinced that this does not apply: “I suppose they could conceivably ask us to whitelist a given file hash, which would actually be technically problematic,” he told me. “Apart from the possibility of an accidental hash collision, it would also be possible for a malware author to engineer a hash collision. And such whitelisting wouldn’t necessarily stop the presence of the ‘policeware’ being flagged, if it launched processes or initiated symptoms that were detected heuristically as spyware-like.
“While I don’t speak for the lab [ESET],” he continued, “I’d personally find non-detection ethically uncomfortable. While I don’t have a problem with a legitimate agency ‘invading the privacy’ of a suspected terrorist, drug-runner etc in the course of a properly conducted criminal investigation (and AV does, of course, cooperate with law enforcement and related agencies from time to time in some contexts), it would be very different if there were grounds for thinking it was likely to be used without due legal process.
“However,” he concluded, “I don’t know of any instance of an AV company being asked not to detect it; and in fact, it occurs to me that since it wouldn’t be possible to guarantee that it would only be found on systems within the FBI’s jurisdiction, deliberate non-detection could put an AV company in legal jeopardy in other jurisdictions, even if they were sure that it wouldn’t be installed illegally in the US.”
Frankly, I don’t know the truth here. But what I do know is that it is a worrying society where the law for law enforcement is different to the law for everyone else. ‘All are equal in the eyes of the law’ should not be a proverb – it should be a fact. And if we are reduced to using the same tactics as the criminals, then what exactly do we have that is worth defending?
There is a short report of Samsung pre-installing spyware on its own laptops before sale:
In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.
Samsung responds to installation of keylogger on its laptop computers
The report adds:
Samsung’s conduct may be illegal; even if it is eventually ruled legal by the courts, the issue has legal, ethical, and privacy implications for both the businesses and individuals who may purchase and use Samsung laptops. Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands.
Frankly, I cannot see how this could possibly be anything but illegal in the EU. The report, however, doesn’t say whether this is worldwide or just North American – so clearly we need to know more. Frankly, I hope that the FTC in the States and the EDPS in the EU stamp very hard on Samsung. This is simply unacceptable.
What I can say for certain, however, is that the Samsung R540 I was looking at is now not going to happen. Ever.