GCHQ Outed – Collecting Just As Much Data As The NSA

As I said last night in the article about the European Court of Justice, every national intelligence agency that has the ability to do so is vacuuming data from the Internet.

The Intercept wrote a very detailed article analyzing some new documents from the Edward Snowden document dump.  The article links to the original documents for those who are interested in even more details.

The goal of this particular program was simple:  Record the website browsing habits of “every visible user on the Internet”.  Pretty simple.  A lot of data.

The program, called Karma Police, was launched by GCHQ, the British equivalent of the NSA, about 7 years ago, quietly.

The documents reveal a series of interrelated programs.  One profiles your browsing habits.  Another analyzes instant messages, emails, Skype usage, text messages, cell phone locations and social media use.  Still other programs track “suspicious” Google searches and another the usage of Google Maps.

Just like the formerly secret NSA programs, the British programs do away with the need for court orders or warrants.

According to the documents, in 2010 GCHQ was logging about 30 billion records a day.  By 2012 they were up to 50 billion records a day with plans to upgrade it to 100 billion records a day.  The claim was that this would be the biggest government surveillance system in the world.

One use, for example, was to collect intelligence about what Internet radio stations people were listening to.  Suspicious listening habits call for more surveillance, so the listener’s web browsing habits could then be examined.  For one lucky soul who was targeted, they discovered that, in addition to a suspicious radio station, the person also visited Facebook, Yahoo, YouTube, the porn site Redtube, Blogspot and other web sites.

The code name Karma Police likely comes from the British band Radiohead’s song of the same name.  The lyric “This is what you’ll get, when you mess with us” is repeated throughout the song.

Like similar NSA programs, the raw data is fed into a holding pen, in this case called The Black Hole.  Between 2007 and 2009, it collected 1.1 trillion events or about 10 billion a day.  Given other numbers in the documents, that volume is likely many times that big now.

Given the volume of data, analysis tools are needed.  One tool, called MUTANT BROTH, was used to sift through all of the cookies captured to correlate data to a particular user.  They can use the cookies to figure out what you do at what time of day.

You may remember that the Dutch SIM card maker Gemalto was hacked (that was revealed last year).  These documents indicate that GCHQ was behind that attack, and it now makes sense.  At the time, Gemalto said that the hackers only got 2G (second generation) cellphone SIM card crypto keys, not the 3G or 4G SIMs used in the US and Britain.  Why would the hackers want that?  Because it is likely that Middle Eastern countries are still running 2G cell networks.  Make sense?  They used the data from Karma Police to target Gemalto employees, then compromised those employees’ computers to get at the encryption keys they wanted.  While Gemalto denied it, it may be that there was not enough isolation between the administrative network and the network where the encryption keys were stored.

In addition to these programs, there are many other programs, each of which has a special function – analyze emails, analyze search engine queries, look at Google Map queries and other things.

Because of Britain’s location on the planet, many fiber optic cables between the U.S. and the rest of the world flow through Britain, making them a rich opportunity for tapping.  In 2010, GCHQ said there were 1,600 cables passing through Britain and they could tap most of them.  One would assume that capability has increased since then.

Like with the NSA, the rules say that GCHQ is not supposed to read the content of citizens’ data they snare, but that restriction does not cover citizens’ metadata.  This loophole of sifting through the metadata of British citizens also allows the same treatment of citizens of the Five Eyes (US, Britain, Canada, Australia and New Zealand).

Because of the volume of data, like with the NSA, GCHQ stores the metadata for between 30 and 180 days and communications for 3 to 30 days, unless they want to keep it longer.

In one document it says that, compared to oversight rules in the U.S., the U.K. has “a light oversight regime”.

One challenge for all of the intelligence agencies is encryption.  While most encryption may not be bullet proof, it is likely bullet resistant and until the encryption is cracked you may not know whether the content is about what to bring home from the store or who the next terrorist target is.

It will be interesting to see if the Brits make a big deal over this.

Information for this post came from The Intercept.

SEC Fines Investment Advisor $75,000 For Breach

The SEC and Investment Adviser R.T. Jones (RTJ) came to an agreement last week regarding a breach that RTJ had.

R.T. Jones, an investment advisor in St. Louis with about 8,000 clients, has agreements with retirement plan administrators to offer investment advice to participants in those plans via the web.

To log in to the site the participant enters their name, date of birth and social security number, since that is all secret information (Hint: NOT!).  In order to do that, the information for a hundred thousand POSSIBLE users was stored on the web server, unencrypted.

The web server, hosted at a third party, had administrative rights limited to two employees (that is a good move).  Unfortunately, the server was hacked.

RTJ hired a forensics company to assess the damage.  The investigators concluded that the hack came from multiple IP addresses in mainland China, but that the logs had been destroyed and therefore, there was no way to tell what the hackers took, if anything.

This wasn’t a great outcome, so RTJ hired another firm to see if they could provide a better assessment, but they could not.  In the end, RTJ notified all 100,000 people that their information had been breached.

In hindsight it seems obvious that using your birth date and social as a login is not a great thing to do.

In addition, storing that data unencrypted was not wise, but since the administrative credentials got compromised, the outcome would have been the same whether it was encrypted or not.

The fact that they had information for all possible customers instead of only the few that chose to avail themselves of RTJ’s advice is also a problem.
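The three problems above (a “secret” made of data that is not secret, credentials stored in recoverable form, and records kept for everyone rather than only enrolled users) have a standard fix.  What follows is an added example, not R.T. Jones’s code and not from the SEC order: participants enroll with a password they choose, the server stores only a salted, slow one-way verifier, and a record exists only once someone enrolls.  The iteration count, field names and sample data are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the post or from R.T. Jones): an enrollment/login
# store that keeps no recoverable secrets and holds records only for users
# who actually enrolled, instead of a plaintext table of name, date of birth
# and social security number for every possible plan participant.
# Names, parameters and sample data below are constructed for illustration.

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware; scrypt/argon2 are better where available
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation so a dumped store cannot be reversed."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES
    )


def enroll(store: dict, user_id: str, password: str) -> None:
    """Create a record at enrollment time. Only enrolled users exist in the store."""
    if len(password) < 12:
        raise ValueError("password too short")
    salt = os.urandom(SALT_BYTES)
    store[user_id] = {"salt": salt, "verifier": _derive(password, salt)}


# A dummy salt/verifier so the unknown-user path costs the same as a known
# user, which avoids an obvious timing side channel for account enumeration.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_VERIFIER = _derive("dummy-password-not-a-secret", _DUMMY_SALT)


def verify(store: dict, user_id: str, password: str) -> bool:
    """Constant-time comparison of the derived key against the stored verifier."""
    record = store.get(user_id)
    if record is None:
        hmac.compare_digest(_derive(password, _DUMMY_SALT), _DUMMY_VERIFIER)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["verifier"])


def store_contains_plaintext(store: dict, secret: str) -> bool:
    """Audit helper: does any stored field contain the given secret verbatim?"""
    needle = secret.encode("utf-8")
    return any(needle in value for record in store.values() for value in record.values())


if __name__ == "__main__":
    users = {}
    enroll(users, "participant-0001", "correct horse battery staple")
    print(verify(users, "participant-0001", "correct horse battery staple"))  # True
    print(verify(users, "participant-0001", "wrong password here"))          # False
    print(verify(users, "participant-9999", "anything at all here"))         # False: never enrolled
```

Note what this does not solve: if an attacker already holds administrative credentials on the server, as the post says happened here, they can still read whatever the application itself can read.  The point of the verifier is that a copied database yields no passwords and no identity data that was never needed in the first place.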

As the SEC investigated, it turned out that RTJ did not have written security policies, did not conduct periodic risk assessments, did not use a firewall to protect the web server with the client data on it and other measures that would be reasonably expected.

In the end, the SEC sanctioned them, fined them $75,000 and issued a cease-and-desist order for violating Rule 30(a) of Regulation S-P (safeguarding customer information).

While marketing people say that there is no such thing as bad publicity, this is probably an exception to that saying.

The bad news here is that 92,000 of the people whose information was compromised were not even customers of RTJ.  The plan administrators had provided that information to RTJ as a service to the participants.

Some attorneys are saying that this action, along with the risk alert the SEC issued last week, marks a new age for the SEC and that they plan to more aggressively go after brokers and advisers that do not protect customer information.

Information for this post came from the SEC web site.

European Court Of Justice To Rule Next Week On Max Schrems’ Case

For those of you (all 3 of you) who follow European privacy law, you can skip this post.  The rest may find it interesting.

Max Schrems, who was an Austrian law student and now a lawyer has been battling Facebook in particular and claiming that they are violating E.U. law by their various privacy policies.  He has gone to a variety of courts and none of the courts have been willing to touch the case – I suspect due to politics.

Back in 2000, the U.S. and E.U. came up with an agreement called the safe harbor agreement.  Supposedly, U.S. companies could transfer data from the E.U. to the U.S. to use if they agreed to abide by this agreement, which was designed to protect Europeans’ privacy rights.  The E.U. decided this was necessary because U.S. privacy laws, in their view, are much weaker than E.U. laws.

Well, after trying to get someone to rule on the case, Schrems went to the European Court of Justice.

Based in large part on documents disclosed by Edward Snowden, Schrems claimed that because the U.S. intelligence community (like every other intelligence community in the world) vacuums up billions of items a day, U.S. companies had no way to comply with the safe harbor agreement.  Fundamentally, this is likely true.

The way the process works at the ECJ, an advisor, in this case a man named Yves Bot, reviews the case and makes a recommendation.  Yves agreed with Schrems.  The court usually sides with the advisor.

Needless to say, this has the U.S. Mission to the E.U. scared to death.  If the safe harbor agreement gets shredded, then any U.S. company that wants to export data about E.U. residents to the U.S. will need to go through a somewhat convoluted process to convince the E.U. that they are protecting that data in a manner similar to the way E.U. companies do for their citizens.

This could also open many U.S. companies to lawsuits – likely in the E.U., because currently E.U. citizens cannot sue in U.S. court for things like privacy violations.  In fact, the U.S. and E.U. have a draft agreement to replace the 2000 agreement, but the E.U. is refusing to sign that new agreement until the U.S. passes a law allowing E.U. citizens to sue in U.S. court – something that has to make it through Congress, which is no small task these days.

Of course, none of this changes the issues surrounding NSA snooping.  Curiously, The Intercept wrote a very detailed article, which I will write about tomorrow, about GCHQ (Britain’s equivalent of the NSA) doing the same kind of snooping the NSA does.  In fact, that is what all government intelligence agencies do.  The Internet is the go-to place for terrorists, so you can’t exactly expect them to ignore it.

In any case, the ECJ has announced that they will rule on October 6th.  The U.S. Mission has asked them to ignore Mr. Bot and rule against Schrems and, basically, for the United States.  It is not at all clear which way this will go, but it is guaranteed that some people will be unhappy no matter what happens – there is no Solomon solution here.

Stay tuned for the details next week.


Why Is Apple Adding Ad Blocking To iOS9?

There is a lot of ink (digital ink that is) being spilled on the topic of ad supported content.  The basic theory is that ad supported content allows you the reader to get a lot of content without having to shell out cash.  Notice that I didn’t say the content is free.  It is not.  You are paying for it by allowing advertising to track you.  Which in turn allows advertisers to show you more ads.

I don’t know about you, but it is extremely rare that I click on an ad.  MAYBE a couple of times a month – but most of them are by accident.  And I consider ads pretty invasive, so I tend to ignore them on principle.

Assuming other people are like me, that means most people are ignoring the ads, which means that publishers need to put more ads up in order to get the same revenue.

Now on to Apple’s ad blocking strategy.

First (and probably really last), users would like a simple, easy to use ad blocker to get rid of that annoying content.  I am a geek, so I can install and tweak software to get rid of ads.  That covers maybe 10% of the population.  Apple is addressing the other 90%.

So if my first reason is not really first in Apple’s mind, what is?

If ad supported content does not work, who does that hurt?  No, this is not a trick question.  Yes it hurts a lot of people, but it hurts one company in particular and that is Google.  Gee, do you think that Apple might want to hurt Google (AKA Android).  NAH!

Now of course, Google won’t take this lying down and neither will the publishers.  There may be editorials.  There may be lawsuits.  But in the end, this is a genie that is out of the bottle.

Now here is the conspiracy theory that I did not see before.

Who does ad blocking help?  APPLE!  Why?  Because if advertising supported content goes away, it may be replaced by subscription based content.  Which is sold through Apple’s store. Which Apple gets a 30% cut of.

Unlike Android, where you can subscribe to content directly without paying Google a cut, Apple really forces people to get their content from Apple – which is my basic beef with the company and why I don’t use any Apple products.  That, however, is my battle to fight, not yours.

But the challenge with subscription based content is that people are not going to subscribe to 100 sites, even if it is only 50 cents a month each.

New market:  content aggregators.  Actually, an old market.  Subscribe to one provider and settle for whatever content they give you.  That may or may not be satisfying to the user.

BUT, someone (Google?) may figure out a way (micropayments?) to do content aggregation without doing content aggregation (maybe they do the subscription to the 100 sites but you subscribe to Google and they dole out the money).

So, if ad supported content dies, Google loses and Apple wins.

THAT is a goal worth pursuing in Cupertino.

There are other scenarios of course.  We are already seeing sites that detect that you are using an ad blocker (since ads are two-way, it is pretty easy to detect that the ads are blocked).  These sites throw up a banner that says if you want the content for free, turn off your ad blocker.  There are only a few of these, but if publishers’ livelihoods are threatened, you may see more.


Some content providers will give you a warning but allow you to continue – for fear of offending you.  Others will just stop the site from working unless you turn off ad blocking.

But I am OK with that.  At least it is honest.  You can then decide if you want to trade your information for viewing the content.  If so, you can turn off ad blocking.  If not, you can go elsewhere.

The market will decide the outcome.

Some content providers will go out of business.

Some content providers will decide that their content is not a DIRECT revenue source and ignore ads.

And still other very smart people (like Google) will come up with a new revenue model that ad blockers won’t kill.

It is fun to live in interesting times.  Stay tuned for the next Apple-Google war.

AND, stay tuned for the next evolution of content on the web.

Some information for this post came from a Linked In Pulse post.

Systema Leaves Insurance Claims Data In The Cloud – Unprotected

Databreaches is reporting that someone discovered a large amount of data on a public segment of Amazon Web Services.  This person, described as a technology enthusiast (i.e. a geek) downloaded some of this data and discovered it contained medical claims data.

The repository, which supposedly contained gigabytes of data, was later identified as belonging to Systema Software.  Systema is a vendor of claims processing software and offers cloud services to host the claims data.

The data that was publicly available on Amazon included insurance claims forms; address books with over a million names, addresses and social security numbers; birth dates; financial information; and claims information.

Also included in the repository was a database with 3 million payment records and another database with 4.7 million notepad entries.  Still other databases include bank account information.

At least some of the records were workers compensation claims from Kansas and Utah.

The geek who found this reported it to the entities whose data he found, such as the state of Kansas.  The person said that within 30 minutes of him reporting what he found to officials in Kansas, the data was no longer publicly available.

Likely the data had been publicly available for months.

What is interesting here is not that Systema screwed up or that workers’ compensation claim records were exposed, but rather that as we move more and more information to the cloud, the opportunity for human error to make data that should be private public increases.

If Systema stored these records on a file server in their office instead of in the cloud and they screwed up the permissions, then maybe some people in their office might be able to see data that they should not see.

However, if you store this data in the Amazon cloud and screw up the permissions, then the potential is that anyone in the world might be able to see it.

The interesting question is whether this is a HIPAA breach.  Some of the businesses involved with this may not be HIPAA “Covered Entities” while others may be “Business Associates” of covered entities.  It seems likely that it violated state privacy laws due to the financial data exposed.

As of right now, no one has posted a breach notice on their web site other than databreaches.

In fairness to the states involved such as Kansas, Utah and California, this revelation of the breach is only a few weeks old, so they are likely still trying to figure out what was compromised, who is responsible, etc.

This is a reason why having an incident response plan in place before a breach is important.  Even with one, it still takes time to sort things out.

But this breach does point out the obvious – when you put things in the cloud, it is critical that you set the access permissions correctly!
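One way to check for exactly this mistake before someone on the Internet finds it is to audit the bucket policy and ACL that S3 hands back.  The following is an added example, not Systema’s or Amazon’s code: it reads a bucket policy document and a GetBucketAcl-style result and flags any grant that goes to everyone.  The “before” and “after” policies are constructed, and the account id, role and bucket name are placeholders.  The two group URIs are the real identifiers S3 uses for its public grantee groups.

```python
import json

# Added example, not Systema's or Amazon's code: an offline check that flags
# an S3 bucket policy or ACL granting access to the whole Internet, the kind
# of misconfiguration described above. Sample policies are constructed;
# the account id, role and bucket name are placeholders.

ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS_GROUP, AUTH_USERS_GROUP}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements that any principal can use with no Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        # A Condition may still narrow the grant (for example to one VPC);
        # treat those as "needs review" rather than public. Conservative on purpose.
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.lower().startswith("s3:") for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group URI, permission) pairs in a GetBucketAcl result granted to public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


# Constructed "before" policy: the whole world may list and read the bucket.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::EXAMPLE-claims-bucket", "arn:aws:s3:::EXAMPLE-claims-bucket/*"]
  }]
}""")

# Constructed "after" policy: only a named role in the owning account.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ClaimsAppOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/EXAMPLE-claims-app"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::EXAMPLE-claims-bucket", "arn:aws:s3:::EXAMPLE-claims-bucket/*"]
  }]
}""")

# Constructed ACL with a READ grant to the AllUsers group (anonymous access).
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_GROUP}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_policy_statements(WEAK_POLICY))   # ['PublicRead']
    print(public_policy_statements(FIXED_POLICY))  # []
    print(public_acl_grants(WEAK_ACL))
```

Run this over every bucket’s policy and ACL on a schedule, and treat any non-empty result as an incident, not a warning: with the office file server analogy above, a public grant is the difference between a few coworkers seeing too much and the whole Internet seeing it.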

Information for this post came from Databreaches.com.

The Target Breach Story – How Did They Let This Out?

Krebs On Security has extensive reporting of an investigation by Verizon conducted starting a few days after the Target breach was announced.

Target has refused to confirm or deny the report.

One thing to consider.  We do not know how Brian (Krebs) got the report, so all we can do is speculate.

This report, in my opinion, is a wonderful tool for the banks and consumers who are suing Target.  It shows all the things that Target was not doing or was doing wrong.  This report makes it so much easier to show Target was not treating cyber security consistent with even reasonable industry practices, never mind best industry practices.

What Target should have done is have their outside counsel manage the engagement of Verizon so that this report could have been shielded by attorney-client privilege.

It is certainly possible that they did that, but then, how did the report get out to a reporter?  Part of engaging the attorneys to manage this is to control the distribution of the final work product.

Any way you look at it, in my opinion, letting this report out of their control is yet another FAIL! by Target.

While Target spokesperson Molly Snyder said that Target believes that sharing information will make everyone stronger – thereby basically validating that the report is real – it doesn’t make sense to release this kind of detail while there are so many lawsuits pending.

You can go to Brian’s web site (see link below) for the long gory details, but here is the short version:

  • Once the Verizon hacking team was inside Target’s core network, there was nothing stopping them from communicating directly with the cash registers – violating every principle of segmentation known to IT.  They should never have been able to do that.
  • Target had guessable passwords on Microsoft SQL servers and weak passwords for system accounts.
  • Target had a password policy, but it was not being followed. Verizon found clear text password files for system accounts on several servers.
  • Verizon was able to create domain administrator accounts and dump all of the password hashes.
  • Within one week, the consultants were able to crack 472,000 (86%) of the passwords.
  • Patches to systems and services were not applied consistently.
  • Verizon said that Target, who was using Tenable’s vulnerability scanning system, had a comprehensive scanning program in place but was not acting on the vulnerabilities discovered.

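The last bullet is the one that is easiest to fix and, in my experience, most often ignored: a scanner that runs every week produces a report, and nobody is measured on closing what it finds.  Here is an added example, not from the Verizon report or from Target, of the bookkeeping that turns scan output into something you can hold someone to: each finding carries the date it was first seen, each severity has a remediation deadline, and anything still present past its deadline is listed, most overdue first.  The SLA numbers, host names, finding labels and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not from the Verizon report or from Target: the gap between
# running a vulnerability scanner and acting on its output. Given scan
# findings with first-seen dates, report which are past a remediation
# deadline for their severity. Hosts, findings, dates and SLAs are constructed.

# Assumed remediation deadlines in days per severity (a policy choice).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str            # scanner check name; constructed labels, not real plugin ids
    severity: str
    first_seen: date
    still_present: bool = True   # False once a rescan no longer reports it


def overdue_findings(findings, today: date) -> list:
    """(finding, days past SLA) for open findings older than their deadline, most overdue first."""
    out = []
    for f in findings:
        if not f.still_present:
            continue
        limit = SLA_DAYS.get(f.severity.lower())
        if limit is None:
            # An unknown severity is a data problem; fail loudly rather than skip it.
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
        age = (today - f.first_seen).days
        if age > limit:
            out.append((f, age - limit))
    return sorted(out, key=lambda pair: pair[1], reverse=True)


def hosts_by_overdue_count(findings, today: date) -> dict:
    """How many overdue findings each host carries; a flat view for the owners."""
    counts = {}
    for f, _days in overdue_findings(findings, today):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


SAMPLE = [  # constructed scan history, not real Target data
    Finding("pos-register-017", "missing OS security update", "critical", date(2013, 9, 1)),
    Finding("sql-backend-02", "default SQL service account password", "high", date(2013, 6, 15)),
    Finding("sql-backend-02", "outdated TLS configuration", "medium", date(2013, 11, 20)),
    Finding("web-proxy-01", "verbose error pages", "low", date(2013, 11, 1)),
    Finding("hr-fileshare-03", "unsupported OS version", "critical", date(2013, 10, 1),
            still_present=False),
]

if __name__ == "__main__":
    for f, days_over in overdue_findings(SAMPLE, date(2013, 12, 1)):
        print(f"{f.host:18} {f.severity:9} {f.check:40} {days_over} days past SLA")
```

With the constructed data, the SQL server’s default service account password has been open 139 days past its deadline and the register’s missing patch 84 days, while the two younger findings and the one that was actually fixed do not appear.  That list, not the raw scan, is what a CEO should be asking to see.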
There is more in the report, but you get the idea.

If you are a security person, the report is a fascinating indictment of Target and a roadmap of what not to do.

If you are a CEO, the leak of a report like this falls into the worst nightmare category.

Information for this post came from KrebsOnSecurity.