Computer Security: Why Yahoo email surveillance is a big deal

Reuters reported yesterday that Yahoo had actioned a secret dictate by a US security agency to search all it’s customers’ incoming emails.

A small excerpt of Reuters report

“…

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

…”

A program was written to search emails “for character strings”.

Yahoo facilitated remote retrieval.

Yahoo’s security team were excluded from the process.

Yahoo’s security team discovered the program in May 2015.

“within weeks of it’s installation”.

Chief Information Security Officer Alex Stamos resigns claiming that he was excluded from a decision that hurts client security.

Stamos says that hackers could have accessed the stored emails due to a programming flaw.

Why it’s a big deal

I’m not at all surprised that Stamos was pissed off. His security team would have their systems watching their networks for the slightest hint that anyone was thinking about hacking them. They would be watching which processes were running and be continually confirming the integrity of their programs. And then his boss allowed the government to root (rootkit) his systems.

In simple terms, the backdoor (remote retrieval) and it’s traffic was hidden, the running process was hidden and file system integrity checking was bypassed to hide the new program. That’s serious shit needing changes to the running system. It needs a rootkit to make a system hide all those things and behave as normal while hiding the rootkit itself. It was Stamos’s job to prevent some evil hackers from installing rootkits and therefore owning his systems and his boss has gone and installed one behind his back – and it may have been an insecure one at that.

There is a problem that the security team can’t really know how long they were pwned once the system is controlled by a rootkit. A competent rootkiter would certainly be able to fix the security archive as it was written to hide it’s existence and activity. This raises further questions: How long were they owned? Was the earlier security breach of late 2014 related in some way? The earlier security breach is attributed to state-sponsored actors.

[Even more: Take for example file integrity checking. The classic example is tripwire. At intervals it will check the integrity of system files. It’s basically enumerating system files checking that there are not more or less without reason and checking the integrity of important files e.g. program that run, to make sure that they haven’t changed.

To list files on Unix, the command ‘ls’ is used. ‘ls -al’ also shows hidden files and their lengths. The action of the ‘ls’ and similar commands are changed so that rootkit files and the new spying program is hidden – everything needs to appear normal and unchanged. The new program and the rootkit hides from everything by altering the running system.]

6/10/16 8am update:

Later reports suggest that the spying / scanning program was integrated with a pre-existing programme scanning for child pornography, malware and spam. This presents a reasonable explanation so that the new program changes and consequent process (running programme) were part of normal development / evolution of systems.

It still leaves the issue of the backdoor (remote access). It appears that a choice is presented: either there is a rootkit hiding the backdoor and it’s traffic or the string being searched for is the security agency’s string allowing remote access. It’s difficult to hide that backdoor and overall I’d go with a rootkit.

A rootkit tends to support Yahoo’s useless security over the past few years and the fact that it took so long to realise i.e. their systems were owned.

Continue ReadingComputer Security: Why Yahoo email surveillance is a big deal

Politics news allsorts

Image of GCHQ donught buildingHuge tech firms have formed the Reform Government Surveillance group to demand changes to excessive surveillance by world governments. The group has published an open letter to President Obama and Congress:

Dear Mr. President and Members of Congress,

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope.

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit ReformGovernmentSurveillance.com

Sincerely,

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo

Malcolm Rifkind, chairman of the Intelligence and Security Committee is dismissive of the call:

“So I start off by recognising that, in the modern world, the terrorists use all the technology available to them.

“It would be foolish for the intelligence agencies in free societies not to start by using that technology.

Isn’t there a contradiction there?

Amnesty International is to start legal action against the UK government through the Investigatory Powers Tribunal. While it’s quite clear that Amnesty is not involved in terrorism, that will be used as the justification since it is the normal BS justification.

 

MPs to honour Mandela today.

Iain Duncan Smith again

I watched the 4th episode of The Revolution Will be Televised last night. First broadcast on 1st December, it’s very good.

Continue ReadingPolitics news allsorts