• Tag Archives hacking
  • Dark Caracal: Good News and Bad News

    Yesterday, EFF and Lookout announced a new report, Dark Caracal, that uncovers a new, global malware espionage campaign. One aspect of that campaign was the use of malicious, fake apps to impersonate legitimate popular apps like Signal and WhatsApp. Some readers had questions about what this means for them. This blog post is here to answer those questions and dive further into the Dark Caracal report.

    First, the good news: Dark Caracal does not mean that Signal or WhatsApp themselves are compromised in any way. It only means that attackers found new, insidious ways to create and distribute fake Android versions of them. (iOS is not affected.) If you downloaded your apps from Google’s official app store, Google Play, then you are almost certainly in the clear. The threat uncovered in the Dark Caracal report referred to “trojanized” apps, which are fake apps that pretend to look like real, trusted ones. These malicious spoofs often ask for excessive permissions and carry malware. Such spoofed versions of Signal and WhatsApp were involved in the Dark Caracal campaign.

    The malicious actors behind Dark Caracal got these fake, malicious apps onto people’s phones by spearphishing. Several types of phishing emails directed people—including military personnel, activists, journalists, and lawyers—to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people’s phones to install the fake apps. Again, if you downloaded your apps from the official app store, you can rest easy that this has likely not affected you.

    And now the bad news: Dark Caracal has wide-reaching implications for how state-sponsored surveillance and malware works. Most people do not have to worry about this very specific threat. But for the small minority of users who may be directly targeted by nation-states or other skilled, motivated adversaries—and for the malware researchers who try to track those adversaries down—the Dark Caracal report uncovers a new infrastructure that makes it even harder to attribute attacks and malware campaigns to a particular nation or actor. More details are available in the report.

    Dark Caracal is also a reminder that most modern hacking requires the unwitting participation of the user. The most dangerous thing in the online environment is not necessarily complex, headline-grabbing vulnerabilities, but well-crafted phishing messages and fake apps that trick users into handing over log-in credentials and granting excessive permissions. Keep an eye out for links, attachments, and apps pretending to be something they’re not, and make sure your friends, neighbors, and others in your community are informed too.

    Source: Dark Caracal: Good News and Bad News | Electronic Frontier Foundation



  • The Fight Against General Warrants to Hack Rages On

    The federal government thinks it should be able to use one warrant to hack into an untold number of computers located anywhere in the world. But EFF and others continue to make the case that the Fourth Amendment prohibits this type of blanket warrant. And courts are starting to listen.

    Last week, EFF pressed its case against these broad and unconstitutional warrants in arguments before a federal court of appeals in Boston, Massachusetts. As we spelled out in a brief filed earlier this year, these warrants fail to satisfy the Fourth Amendment’s basic safeguards.

    The case, U.S. v. Levin, is one of hundreds of prosecutions resulting from the FBI’s 2015 seizure and operation of a child pornography site “Playpen.” While running the site, the FBI used malware—or a “Network Investigative Technique” (NIT), as they euphemistically call it—to infect computers used to visit the site and then identify those visitors. Based on a single warrant, the FBI ended up hacking into nearly 9,000 computers, located in at least 26 different states, and over 100 countries around the world.

    But that’s unconstitutional. One warrant cannot allow law enforcement to hack into thousands of computers wherever they are in the world. As law enforcement defended these blanket hacking warrants and pushed for federal rule changes to allow them—and as Congress stood by and idly let this rule change go into effect—we’ve been fighting in court to make sure that the Fourth Amendment’s protections don’t disappear as law enforcement begins to rely on hacking more and more.

    And there are signs that courts are beginning to recognize the threats to privacy these warrants pose. Earlier this year, a federal magistrate judge in Minnesota found [PDF] that the warrant the FBI relied on in the Playpen case—the same warrant we were arguing against in Levin—violated the Fourth Amendment.

    In the February report, Magistrate Judge Franklin Noel described how the government’s NIT fails the Fourth Amendment’s requirement that warrants describe a particular place to be searched, agreeing with arguments we’ve made to courts in other Playpen prosecutions. The warrant in this case fails to satisfy that requirement because, at the time the warrant was issued, “it is not possible to identify, with an specificity, which computers, out of all of the computers on earth, might be searched pursuant to this warrant,” Noel wrote.

    He also explained how the warrant essentially flips the Fourth Amendment’s particularity requirement on its head, searching and then identifying specific computers instead of identifying specific computers and then searching them. “Only with [information gathered through the use of malware] could the Government begin to describe with any particularity the computers to be searched; however, at that point, the computer had already been searched.”

    It’s encouraging that courts are beginning to agree with arguments from us and others that these warrants far exceed the Fourth Amendment’s limits on government searches.

    As the Playpen prosecutions begin to work their way up to the courts of appeals, the stakes become higher. The decisions these courts reach will likely shape the contours of our constitutional protections for years to come. We’ve filed briefs in every appeal so far, and we’ll continue to make the case that unfamiliar technology and unsavory crimes can’t justify dispensing with the Fourth Amendment’s requirements altogether.



    Source: The Fight Against General Warrants to Hack Rages On | Electronic Frontier Foundation


  • D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes

    The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014.

    Our client, who goes by the pseudonym Mr. Kidane, is a U.S. citizen who was born in Ethiopia and has lived here for over 30 years. In 2012 through 2013, his family home computer was attacked by malware that captured and then sent his every keystroke and Skype call to a server controlled by the Ethiopian government, likely in response to his political activity in favor of democratic reforms in Ethiopia. In a stunningly dangerous decision today, the D.C. Circuit ruled that Mr. Kidane had no legal remedy against Ethiopia for this attack, despite the fact that he was wiretapped at home in Maryland. The court held that, because the Ethiopian government hatched its plan in Ethiopia and its agents launched the attack that occurred in Maryland from outside the U.S., a law called the Foreign Sovereign Immunities Act (FSIA) prevented U.S. courts from even hearing the case.

    The decision is extremely dangerous for cybersecurity. Under it, you have no recourse under law if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.  

    Factual background

    Mr. Kidane discovered traces of state-sponsored malware called FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his (and his family’s) web and email usage. The spyware was launched when Kidane opened an attachment in an email. The spying began at his home in Maryland.

    The spyware then reported everything it captured back to a command and control server in Ethiopia, owned and controlled by the Ethiopian government. The infection was active from October 2012 through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia’s use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop.

    We strenuously disagree with the D.C. Circuit’s opinion in this case. Foreign governments should not be immune from suit for injuring Americans in their own homes and Americans should be as safe from remote controlled, malware, or robot attacks as they are from human agents. The FSIA does not require the courts to close their doors to Americans who are attacked, and the court’s strained reading of the law is just wrong. Worse still, according to the court, so long as the foreign government formed even the smallest bit of its tortious intent abroad, it’s immune from suit. We are evaluating our options for challenging this ruling.

    Source: D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes | Electronic Frontier Foundation