
FBI finally unlock shooter’s iPhones, berate Apple for not helping

The FBI said on Monday that it figured out how to unlock the iPhones of the shooter who killed three young US Navy students and injured eight at a Pensacola, Florida naval base in December 2019.

No thanks to you, Apple, Attorney General William P. Barr said in a news release:

Thanks to the great work of the FBI – and no thanks to Apple – we were able to unlock Alshamrani’s phones.

Barr has on multiple occasions issued public calls for encryption backdoors.

On Monday, the AG joined FBI Director Christopher Wray in a virtual press conference. Barr used the opportunity to once again call for a “legislative solution” to the roadblock of Apple’s encryption, while Wray referred to the FBI’s “Apple problem.”

Both gave FBI workers a pat on the back for the months they spent working to unlock the damaged iPhones.

In January, following the shootings, the bureau had asked Apple to help it unlock two iPhones that belonged to murderer Mohammed Saeed Alshamrani. Also in January, the Department of Justice (DOJ) said that its investigations showed the incident was an act of terrorism, motivated by jihadist ideology. On 2 February, al-Qaeda in the Arabian Peninsula (AQAP) claimed responsibility for the shooting spree.

The FBI had gotten a subpoena allowing it to search content on the iPhones, both of which were password-protected and one of which Alshamrani put a bullet hole through, further complicating forensics on the device and its data.

An FBI press release related to Monday’s conference included a photo of the hole in one iPhone and of an iPhone alert saying “Authorized Service Provider Only.”

Photos of Pensacola shooter’s iPhones. IMAGE: FBI

Wray said that FBI agents had spent months trying to crack the iPhones – hours, days and weeks of hard work that otherwise would have been spent protecting Americans from terrorists if not for what he called law enforcement’s “Apple problem.”

He praised the FBI staff’s hard work…

I want to thank and congratulate the men and women at the FBI who devoted months of hard work to accessing these devices. They successfully tackled a problem that required tenacity, creativity, and technical expertise.

…and then lashed out at Apple for not making it easier to do:

The technique that we developed is not a fix for our broader Apple problem.

The “broader Apple problem” refers to apps with end-to-end, warrant-proof encryption: apps that Alshamrani and his AQAP associates deliberately used in order to evade law enforcement while communicating their plans.

Wray didn’t give details on the technique used to crack Alshamrani’s iPhones. What he did say was that the FBI tried every encryption-bypass tool and technique out there, but that none of them worked:

We canvassed every partner, and every company, that might have had a solution to access these phones. None did, despite what some claimed in the media. So we did it ourselves.

When it asked for Apple’s help in January, the FBI said that it had tried the same tactics it used when it was trying to unlock the iPhone of San Bernardino terrorist Syed Farook. Namely, it asked for help from other federal agencies – it sent the iPhones to the FBI’s crime lab in Quantico, Virginia – and from experts in other countries, as well as “familiar contacts in the third-party vendor community.”

The last was seen as a possible reference to the tool that the FBI used to finally break into Farook’s encrypted phone and thereby render moot the FBI versus Apple legal battle over encryption.

Apple: Backdoors weaken security for all

Throughout the San Bernardino encryption battle and up until the current battle over Alshamrani’s locked phones, Apple CEO Tim Cook has taken a firm stand, publicly stating the company’s refusal to break its own encryption. Apple has steadfastly maintained that weakening encryption so as to give law enforcement a backdoor would weaken security for all, giving bad actors a foothold into getting at innocent people’s data.

We’ve just as steadfastly concurred with that line of thinking: saying #nobackdoors and agreeing with the Information Technology Industry Council that “Weakening security with the aim of advancing security simply does not make sense.”

In response to the FBI’s request for help in January, Apple had said that, short of breaking its own security technology, it was helping the government in any way that it could:

We have the greatest respect for law enforcement and have always worked cooperatively to help in their investigations. When the FBI requested information from us relating to this case a month ago, we gave them all of the data in our possession and we will continue to support them with the data we have available.

On Monday, Apple’s response to Wray’s wrath was in keeping with everything that it’s already said on the matter. Apple’s statement:

The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security. It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor – one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers.

There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.

Apple blamed for delaying investigation

The DOJ succeeded in cracking the iPhones. Why, then, does it feel the need to berate Apple? This time around, it’s blaming the company’s encryption for causing a delay in the related national security investigation. The company’s refusal to weaken encryption meant that its agents didn’t know what to ask or what to look for, Wray said. Therefore, they wasted time tracking down anything and everything, incapable as they were of zeroing in on the likeliest leads:

In the aftermath of the attack, we and our Joint Terrorism Task Force partners worked urgently to collect and analyze evidence. In the weeks immediately following December 6, we conducted over 500 interviews of witnesses, base personnel, and the shooter’s friends, classmates, and associates – among many other efforts. Because the crucial evidence on the killer’s phones was kept from us, we did all that investigating not knowing what we do now: valuable intelligence about what to ask, what to look for. If we had, our round-the-clock, all-hands-on-deck effort would have been a lot more productive.

The terrorists have been able to use that time to their advantage, Wray said, concocting and comparing stories with co-conspirators:

As a result, there’s a lot we just can’t do at this point that we could have done months ago.

For his part, Barr reiterated his belief that things can’t go on this way:

…if not for our FBI’s ingenuity, some luck, and hours upon hours of time and resources, this information would have remained undiscovered. The bottom line: our national security cannot remain in the hands of big corporations who put dollars over lawful access and public safety. The time has come for a legislative solution.

Carving up privacy one chunk at a time

Those “legislative solutions” are in the works. The FBI’s most recent fuming over Apple’s encryption is only the latest of several legislative moves to carve up Americans’ privacy. One such: the EARN-IT Act, or the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. The bill would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren’t liable for user-submitted content.

Strip away Section 230, and platforms like Facebook, Reddit, and even end-to-end encrypted apps like WhatsApp and Signal would essentially have to give the government a backdoor to any and all customer information.

In other “let’s carve chunks out of privacy” moves, the Senate voted last week to reauthorize the Patriot Act while also renewing warrantless searches of web histories. The USA Freedom Reauthorization Act restores government powers that expired in March with Section 215 of the Patriot Act.

The bill has already been approved by both the House and Senate. All that’s left now to make it law is for Congress to iron out the differences in their drafts and for President Trump to sign the completed version.



Apple “MagicPairing” for AirPods – the magic isn’t perfect yet

Some technologies attract a “love it or hate it” response.

Bluetooth doesn’t seem to be one of those, because many of us have a love and hate relationship with it.

It’s incredibly useful when it works well, but at other times it makes you wonder why you didn’t just use a simple, old-fashioned cable instead – when your keyboard stops typing in the middle of a vital message, for example, or every time your headphones demand to be paired yet again.

Bluetooth has had its fair share of security scares, too, not least because one end of a Bluetooth connection is often a low-cost, low-power device that doesn’t have much processing power or battery budget to spare for cryptography and security.

As you can imagine, for a device such as a wireless headset, which may end up sending and receiving a complete record of all your phone calls, Zoom meetings and online chats, strong encryption is important.

Otherwise, anyone who could sniff out your Bluetooth signals (or set up a rogue Bluetooth receiver in a cupboard or under the table to record your data for later) could listen in to your business and personal life.

Bluetooth encryption

Bluetooth does support encrypted connections, but by default the encryption process doesn’t provide what’s known as “forward secrecy”.

Forward secrecy is perhaps better understood as “backward secrecy” – in a system that offers it, there’s no point in someone keeping recordings of your messages in the hope of one day getting hold of your master password – the one that you chose on day one.

But if you don’t have forward secrecy, then an attacker who has a recording of your last year’s worth of encrypted phone calls might as well hold onto them indefinitely.

If ever they manage to get hold of your original master password, any time in the future, they can go back to the start of their recorded data and roll forward through all of your scrambled data, decrypting every message or conversation in their stash.

In other words, without forward secrecy you can never truly leave your cryptographic past behind, which is considered a serious issue these days for voice systems and instant messaging services.

Long Term Keys

Loosely speaking, Bluetooth’s regular encryption relies on a cryptographic key generated and shared when you pair a device, called the Link Key or Long Term Key (LTK).

Every time a new connection is established, the two devices that are connecting up exchange random numbers that are combined with the LTK to produce a session key (SK) that’s unique to that connection.

However, a Bluetooth sniffer that records an entire conversation will end up with the random numbers and the encrypted data, so the LTK can be used later to reconstruct the SK for that conversation and thus to unscramble the data.

Only by regularly unpairing a device and then pairing it up again can you reliably discard the old LTK and replace it with a new one, thus starting a fresh sequence of session keys.

MagicPairing to the rescue

Apple’s effort to overcome this limitation is a proprietary system called MagicPairing, which uses your iCloud account to store cryptographic material securely, supporting a more sophisticated session key system than the one used in regular Bluetooth connections.

In particular, MagicPairing doesn’t rely on an LTK that’s stored when you first set a device up, and used over and over until you delete and pair them again.

The Bluetooth chip in the device you’re connecting up asks for an LTK as usual (so this system is backwards-compatible with most Bluetooth chipsets), which is normally supplied directly from a local database by the host system it’s connecting to, typically your phone or laptop.

MagicPairing, however, via your iCloud account, essentially generates a new LTK for every connection, not merely every time you pair a device.

Simply put, it turns the LTK into a short-term key to provide forward secrecy.

The one-time LTK then generates a session key for that connection, as usual – this makes it compatible with existing Bluetooth devices – so that the cryptographic security of each connection stands on its own.

There’s no LTK that a crook can steal from your laptop or your mobile phone later on that will unlock the secrets of everything you’ve ever said.
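To make the difference between the two key-management patterns concrete, here is an added Python model, not code from this article, from Apple, or from the Bluetooth specification. The session-key derivation and the cipher are stand-ins (HMAC-SHA256 as the KDF, and HMAC in counter mode as a toy stream cipher), and the names `derive_session_key`, `Sniffer`, `classic_pairing`, `per_connection_ltk` and `recovered_by_later_theft` are this example’s own. It records what a sniffer sees over the air (the two random numbers and the ciphertext) for several connections, then simulates a crook who later steals the key the host has stored and replays the captures.

```python
"""Model of a static vs a per-connection Long Term Key (LTK) and what a sniffer
can recover later. Added example; the KDF and cipher are HMAC-based stand-ins,
not the real Bluetooth primitives."""
import hashlib
import hmac
import os
from typing import Callable, List, Tuple

Capture = Tuple[bytes, bytes, bytes]  # (rand_a, rand_b, ciphertext) as seen over the air


def derive_session_key(ltk: bytes, rand_a: bytes, rand_b: bytes) -> bytes:
    """SK = PRF(LTK, rand_a || rand_b). Anyone holding the LTK plus the two
    public random numbers can recompute the SK, which is the sniffer's plan."""
    return hmac.new(ltk, b"SK" + rand_a + rand_b, hashlib.sha256).digest()


def keystream(sk: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for demonstration)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(sk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(sk: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(sk, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


class Sniffer:
    """Records only what is visible on air: both random numbers and the ciphertext."""

    def __init__(self) -> None:
        self.captured: List[Capture] = []

    def record(self, rand_a: bytes, rand_b: bytes, ciphertext: bytes) -> None:
        self.captured.append((rand_a, rand_b, ciphertext))

    def replay_with_key(self, ltk: bytes) -> List[bytes]:
        """Later, with a stolen LTK, rebuild each SK and try to decrypt each capture."""
        return [decrypt(derive_session_key(ltk, ra, rb), ct) for ra, rb, ct in self.captured]


def run_connection(ltk: bytes, message: bytes, sniffer: Sniffer) -> None:
    rand_a, rand_b = os.urandom(16), os.urandom(16)  # exchanged in the clear
    sk = derive_session_key(ltk, rand_a, rand_b)
    sniffer.record(rand_a, rand_b, encrypt(sk, message))


def classic_pairing(messages: List[bytes]) -> Tuple[bytes, Sniffer]:
    """One LTK created at pairing time and reused for every connection; it stays
    in the host's key database, which is what a crook steals later."""
    ltk = os.urandom(16)
    sniffer = Sniffer()
    for m in messages:
        run_connection(ltk, m, sniffer)
    return ltk, sniffer


def per_connection_ltk(messages: List[bytes]) -> Tuple[bytes, Sniffer]:
    """MagicPairing-style pattern: a fresh LTK for every connection, discarded
    afterwards. Model assumption: only the key of the most recent connection is
    still present on the host when it is compromised."""
    sniffer = Sniffer()
    current = b""
    for m in messages:
        current = os.urandom(16)
        run_connection(current, m, sniffer)
    return current, sniffer


def recovered_by_later_theft(scheme: Callable, messages: List[bytes]) -> int:
    """Number of recorded connections a crook can read after stealing the stored key."""
    stolen, sniffer = scheme(messages)
    attempts = sniffer.replay_with_key(stolen)
    return sum(1 for got, original in zip(attempts, messages) if got == original)


if __name__ == "__main__":
    calls = [b"call one", b"call two", b"call three"]
    print("static LTK, sessions readable after key theft:",
          recovered_by_later_theft(classic_pairing, calls))
    print("per-connection LTK, sessions readable after key theft:",
          recovered_by_later_theft(per_connection_ltk, calls))
```

Under classic pairing the stolen LTK unlocks every recorded connection, because the random numbers that personalise each session key were sent in the clear and are in the sniffer’s capture. Under the per-connection scheme the stolen key recomputes the session key for at most the one connection it belonged to; every earlier capture stays closed, which is the forward secrecy property the article describes.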

MagicPairing considered imperfect

The bad news is that researchers at the Technical University of Darmstadt in Germany have come up with a pair of open source tools called InternalBlue (geddit?) and ToothPicker that have revealed a number of flaws in Apple’s MagicPairing software code.

Ten different bugs were found and reported to Apple over a six-month period from October 2019 to March 2020:

Table from the paper listing the bugs found and the dates they were reported.

The report and proof-of-concept (PoC) code for these flaws has now been made public, even though Apple hasn’t patched them yet.

The good news, however, is that none of the bugs are exploitable for attacks such as implanting malware, or even for giving an existing malware program additional powers.

(Those exploit classes are known as Remote Code Execution, or RCE, and Elevation of Privilege, or EoP, respectively.)

Denial of Service

Fortunately, this pre-patch disclosure isn’t that big of a deal, because the only attacks known so far are Denial of Service (DoS) problems.

The researchers were only able to cause three issues, namely: crashing the Bluetooth software, thus killing all Bluetooth connections and forcing it to restart; hogging all the CPU power to make the device unresponsive; or making a device disassociate so that it needed to be paired up all over again.

Three of the ten vulnerabilities were disclosed less than 90 days ago – the time limit that Google’s Project Zero has established as a “reasonable period” to give a vendor to get a patch out.

This might seem a little abrupt for researchers keen on practising responsible disclosure, but the researchers told online tech publication The Register that:

[We] were surprised that Apple did not fix the rather simple bugs that could be fixed by adding a few checks. However, we are also a bit ahead of the originally planned timeline, as the conference [where we are presenting this work] is virtual this year [due to coronavirus precautions] and authors were asked to pre-publish their papers. Nonetheless, we informed Apple about the changed timeline and they did not disallow publication. And as even the oldest bugs are not fixed, this probably does not have [anything to do] with the changed timeline.

What to do?

At the moment, there aren’t any patches you can fetch from Apple, but also there’s no immediate cause for concern.

The researchers haven’t yet figured out how to exploit any of the Bluetooth crashes they were able to provoke, or even if exploitation is technically feasible.

(We’re assuming that if Apple felt that exploitation were likely then it would quite reasonably have asked for publication of the relevant vulnerabilities to be delayed and that the researchers would happily have obliged.)

Nevertheless, it does mean that even MagicPairing hasn’t yet turned Bluetooth into a love-or-hate proposition – it’s still love-and-hate until further notice.

Presumably, when Apple does complete its patches for these bugs they will quietly appear in an update for macOS, iOS and RTKit, which is the mini-operating system that Apple Bluetooth devices such as AirPods use.

Watch this space!

Cash-flashing rapper charged with money laundering for BTC-e

A 29-year-old Russian rapper who loved to do what rappers do – as in, post photos of himself on social media as he made kissy-kissy with wads of cash or swigged pricey champagne – will be appearing in court in Pennsylvania this week to face charges of money laundering for cybercrooks.

His name is Maksim Boiko, also known as Maxim Boyko, “gangass”, or the rapper Plinofficial. Here he is, documenting his big-ticket fun-funs:

Those posts are just part of what the FBI calls “evidence of unexplained wealth”. Here’s more: a photo posted to Boiko’s Instagram account in August 2015, showing a big stack of Chinese Yuan on a table, along with signs that say “Maksim” (after all, why brag-post unexplained wealth without making sure your name appears, over and over?).

If you’re interested in a) Russian rap, b) how a young man originally from Siberia became enamored with African American music, black hip-hop style and the famous “money phone” meme of using stacks of cash to pretend you’re speaking on one of the “brick” mobile phones of the 1980s, and/or c) the rise of the Trap genre of hip-hop and Boiko’s part in its entrance to the Russian music scene, the BBC’s got you covered.

If not, don’t sweat it. Suffice it to say that he never got far in his musical career: according to the BBC, MTV Russia fans voted Boiko the 74th best Russian rapper, and he rarely performed in public.

He allegedly did a whole lot better with money laundering.

In an affidavit filed in March and unsealed in April, FBI Special Agent Samantha Shelnick said that Boiko was in thick with BTC-e: a popular, fraudulent Russian cryptocurrency exchange that – up until the US seized the site in 2017 – was used by lots and lots of cybercrooks for money laundering.

The (ongoing) BTC-e saga

One of the specialties of BTC-e was laundering ransomware profits. At the time the exchange was shuttered, Google research showed that BTC-e was handling 95% of all ransomware payments.

According to the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN), BTC-e processed at least $3m in payments made by victims of the Cryptolocker and Locky ransomware attacks. It also allegedly took in money hacked out of Mt. Gox, which was one of the first and most successful exchanges – that is, until 2014, when it collapsed after a massive bitcoin heist.

According to the US Justice Department (DOJ), by the time it was seized, BTC-e had allegedly taken in deposits valued at over USD $4 billion.

As of July 2019 – two years after the BTC-e takedown – the US was still chasing the defunct exchange, trying to get at a fine of USD $100 million that it had imposed in 2017 for facilitating ransomware and dark web drug sales.

How does Boiko fit in?

The FBI alleges that Boiko helped launder money for BTC-e. The rapper allegedly used the alias Gangass to cover his dealings with cybercrooks. He also allegedly chatted with them on secure, encrypted Jabber instant message platforms, including “exploit.im”, which the bureau says is used almost exclusively by cybercriminals.

According to the affidavit, a search of FBI databases revealed that the email account plinofficial@me.com was used to register an account on BTC-e. Whoever registered the account using that email also provided the name “Maksim Boiko” and the username “gangass.” Data from BTC-e showed that before BTC-e was seized, the account allegedly belonging to Boiko had received $387,964 worth of deposits and had withdrawn approximately 136 Bitcoin.

How do you get evidence from an encrypted messaging app?

In a nutshell, a secure encrypted messaging app isn’t all that secure if you take screenshots of your chats and then stick them in an email.

According to the 29-page affidavit, the FBI got to Boiko’s alleged Jabber conversations through a court-authorized search of his Apple iCloud account, which, conveniently enough, contained photos of his alleged Jabber communications with accounts held by crooks.

One example was a screenshot of a Jabber chat with the account salazar001@xmpp.jp: an account that the FBI says was associated with one of the leaders of a transnational organized crime group called QQAAZZ. The leader is referred to as “Conspirator A” in the affidavit. In the conversation, dated July 2019, salazar001@xmpp.jp receives confirmation of payment sent in the amount of 3.482 Bitcoin: approximately $35,000. Another Jabber conversation negotiated the sale of 300 credit cards.

In another conversation between gangass@exploit.im and what the FBI calls a known cybercrook using the alias “Moneybooster,” Moneybooster put in a request for a corporate account that could handle a transfer of “200-300k.” Gangass responded by providing an account for a Hong Kong company called Arco Technology (Hongkong) Limited, along with a bank address and account number. When the transfer was blocked a few days later, the two talked over whether they could keep using the credentials or not. Moneybooster’s reply:

… it won’t kill your credentials … but the same bank won’t work for me because it’s on the Chase blacklist.

… which the FBI says shows that “gangass was aware that the funds are being obtained from a victim whose bank account login information was stolen and that the attempted transfer was fraudulent.”

These are just some examples of the funds stolen from US victims that were transferred, or attempted to be transferred, to bank accounts under the QQAAZZ group’s control:

Transfers or attempted transfers from US victims. IMAGE: FBI affidavit

Over the ocean and straight into the FBI’s arms

In January, Boiko and his wife came to the US. They arrived at the Miami airport and were caught carrying USD $20,000 in cash. US Customs and Border Patrol wanted to know, Where’d he get all that? Bitcoin investments and Russian rental properties, Boiko said.

Nah, we don’t think so, the FBI said. It turns out that besides the suspicious $20K in US currency, agents had been monitoring all those social media photos and chats, eyeballing Boiko’s documentation of piles of cash that dated back as far as 2015.

The photographs … are evidence of Boiko’s unexplained wealth, [and] are inconsistent with the practices of a legitimate business operation and are consistent with the allegations set forth herein.

The FBI arrested Boiko at a Miami condo on 28 March – a date that the BBC says was just days before the rapper’s album launch. As it turns out, this wasn’t the first time that noteworthy events in Boiko’s musical career have coincided with money-laundering busts. In fact, Boiko announced his long-awaited solo album on the same day in July 2017 that Greek police arrested Russian citizen Alexander Vinnik, the alleged mastermind of BTC-e. Vinnik was indicted in the US on 21 counts.

Vinnik was incarcerated in Greece until January 2020, when France won out over Russia and the US in the battle to extradite him.

Earlier this month, Boiko’s lawyer, Arkady Bukh, told Cyberscoop that the rapper plans to plead not guilty. Due to the pandemic, he was arraigned via Zoom in the Western District of Pennsylvania. There was a fact-finding session held on 11 May. There hasn’t yet been a date set for the next hearing.

The RATicate gang – implanting malware in an industry near you

The latest research report from SophosLabs deals with the fascinating case of the RATicate gang.

This report makes for intriguing reading because it unravels the recent operation and evolution of a bunch of cybercriminals, whom we’ve dubbed RATicate, who seem to have their money-grabbing fingers in a number of malware-related pies.

Indeed, these crooks have been attacking a wide range of companies in numerous industry sectors in at least Europe, the Middle East and Asia.

RAT, if you haven’t seen the word used in cybersecurity articles before, is short for Remote Access Trojan, a type of malware that’s designed to set up your computer so that cybercriminals can send it rogue commands across the internet.

A RAT infection means that crooks can quietly instruct your computer to carry out a troublesome range of activities, including:

  • Reporting back with a detailed inventory of your computer, including installed software, network connectivity and speed, configuration settings and licence codes.
  • Riffling through your files to search for “trophy data” that’s worth stealing.
  • Monitoring your keystrokes and your network traffic in the hope of extracting passwords and network authentication tokens.
  • Launching criminal attacks on other networks and computers so that the source of the attack seems to trace directly back to you.
  • Sending enormous quantities of spam and scam emails so that any attempt to blocklist the offending messages affects your internet connection and leaves the crooks untouched.
  • Taking screenshots secretly to keep track of what you are up to online.
  • Activating your webcam remotely to snoop on you while you’re using your computer. (Some laptops have webcam lights that can be turned off independently of the camera to disguise that the webcam is turned on.)
  • Downloading and implanting additional malware on your computer, possibly as part of an underground service to distribute other crooks’ malware for a fee. These “malware upgrades” may culminate in a ransomware attack.

In media stories, the term RAT has often been used to refer to remote control malware used with the primary purpose of abusing your webcam, typically for pervily prurient purposes – where the word RAT is used metaphorically to refer to the creepiness of the crook who deployed it.

Here on Naked Security, we’ve recounted numerous cases of prurient RAT attacks, including several that involved the Blackshades Trojan, infamously abused by a US college student who pleaded guilty back in 2014 to spying on some 150 young women via their webcams.

As the list above reveals, however, RATs can be used for any number of other purposes – you’ll often hear them referred to as “bots” or “zombies” because they turn your computer into a surreptitious servant of cybercriminal sleazebags who could be just about anywhere in the world.

Port blocking no barrier

Worse still, RATs aren’t stopped by a conventional home router that blocks incoming connections by default.

As we’ve explained before on Naked Security, early RATs, dating to the turn of the millennium, often took the simplest possible approach to opening up your computer to the outside – they basically turned themselves into servers and listened out for incoming connections from their criminal controllers.

If you’ve heard of notorious early remote access tools such as Back Orifice, from the erstwhile hacking group Cult of the Dead Cow, you’ll know that this toolkit typically opened up a TCP network socket, on a computer inside your network, that listened on port 31337 (which is read as elite in hacker speak).

But few home networks allow inbound connections by default any more, because few computers are directly connected to the internet these days – home connections are almost always shared by a router between multiple devices including laptops and mobile phones.

The router therefore requires a specific computer inside the network to connect outwards first, in order to figure out where the replies on that connection should be sent.

However, incoming connections can only connect to the router itself, so that by default the router has no idea which internal computer they were meant for, and simply discards them.

(This process, known as NAT, short for Network Address Translation, was devised so that networks could share a single IP number to make this scarce resource go further, rather than for security purposes, but had the fortuitous side-effect of automatically blocking many types of attack.)

Today’s RATs get around this problem simply by turning the client-server process around.

Instead of the crooks running RAT clients that connect inwards to RAT servers implanted on infected computers on your network…

…the crooks set up their own distributed network of so-called Command-and-Control servers (also known as C&Cs or C2s) somewhere on the internet, and infected computers act as RAT clients that connect outwards, often using innocent-looking traffic such as HTTP (web) requests, to call home.

If a call-home succeeds, then the RAT client downloads a set of commands that tells it what to do next, so the incoming data is just the reply part of what started as an outbound request.
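Because the call-home is an outbound request, the place a defender can see it is the web proxy or egress log rather than the router’s inbound filter. The following is an added Python example, not Sophos code and not derived from the SophosLabs report: it runs a simple beacon check over a constructed, simplified proxy log and flags client/host pairs whose requests arrive at near-regular intervals with uniformly small replies, the pattern a RAT polling an idle C&C tends to leave behind. The log format, the thresholds and the host names are assumptions made for this example.

```python
"""Beacon detection over outbound proxy logs. Added example, not Sophos code.
Log format (constructed): ISO timestamp, client IP, destination host, response bytes."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.7 polls one host every ~30 s.
SAMPLE_LOG = """\
2020-05-20T09:00:00 10.0.0.5 updates.example-cdn.net 15321
2020-05-20T09:00:04 10.0.0.5 news.example.org 80211
2020-05-20T09:00:12 10.0.0.5 news.example.org 2311
2020-05-20T09:00:30 10.0.0.7 cb.example-hosting.xyz 412
2020-05-20T09:01:00 10.0.0.7 cb.example-hosting.xyz 418
2020-05-20T09:01:30 10.0.0.7 cb.example-hosting.xyz 410
2020-05-20T09:02:00 10.0.0.7 cb.example-hosting.xyz 415
2020-05-20T09:02:31 10.0.0.7 cb.example-hosting.xyz 409
2020-05-20T09:03:00 10.0.0.7 cb.example-hosting.xyz 420
2020-05-20T09:07:45 10.0.0.5 news.example.org 90123
2020-05-20T09:15:02 10.0.0.5 mail.example.org 4410
2020-05-20T09:26:40 10.0.0.5 news.example.org 77110
2020-05-20T09:31:10 10.0.0.5 news.example.org 60021
2020-05-20T09:44:09 10.0.0.5 news.example.org 81000
"""

Key = Tuple[str, str]  # (client IP, destination host)


def parse(log_text: str) -> Dict[Key, List[Tuple[datetime, int]]]:
    """Group requests by (client, destination host)."""
    events: Dict[Key, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        events[(client, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(samples: List[Tuple[datetime, int]], min_requests: int = 5,
                 max_jitter: float = 0.2, max_bytes: int = 2048) -> Optional[dict]:
    """Score one (client, host) series. A RAT polling for commands tends to produce
    many requests at near-constant intervals (low jitter) with small replies, since
    there is nothing to download until the crooks issue a command. Thresholds are
    assumptions for this example and would be tuned per environment."""
    if len(samples) < min_requests:
        return None
    samples = sorted(samples)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(samples, samples[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    jitter = pstdev(gaps) / avg  # coefficient of variation of the inter-request gaps
    small = max(n for _, n in samples) <= max_bytes
    return {"requests": len(samples), "interval_s": avg, "jitter": jitter,
            "small_replies": small, "beacon": jitter <= max_jitter and small}


def find_beacons(log_text: str) -> Dict[Key, dict]:
    """Return only the series that look like call-home beacons."""
    hits: Dict[Key, dict] = {}
    for key, samples in parse(log_text).items():
        score = beacon_score(samples)
        if score and score["beacon"]:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for (client, host), score in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {score['interval_s']:.0f}s, "
              f"jitter {score['jitter']:.2f}, {score['requests']} requests")
```

The ordinary browsing in the sample has irregular gaps and large, varied responses, so it scores no hit; the 30-second poll stands out even though every one of its requests is an innocent-looking outbound HTTP request. Real C&C traffic often adds random sleep to its timer, which is why the check allows a jitter margin rather than demanding identical gaps.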

The RATicate crew

In the SophosLabs report, you can read just how many different campaigns, using many different C&C servers, the RATicate gang has worked through in recent months.

You will also learn how the gang disguises its attacks by wrapping up the malware into an unexceptionable-looking software installer using the popular and widely-used open source toolkit NSIS (Nullsoft Scriptable Install System).

Instead of minimising the size of their malware, the RATicate crew deliberately pad out their installers with innocent files including text documents, source code, Python scripts, images, XML data and legitimate program files (EXEs and DLLs) that aren’t malicious and might reasonably be expected in a genuine installer.

Files bundled into a typical RATicate malware installer – most are innocent, irrelevant or both.

In the sample above, for example, the files in $TEMP/careers are a curious mixture of non-malicious files of many types; the files in $PLUGINSDIR are legitimate addons for NSIS itself; the curiously named file $TEMP/Cluck is a scrambled BLOB of malware that looks like random data; and $TEMP/aventailes.dll is the actual malware that will run during “installation”.

The report shows you the trail of tricks that the malicious installer uses to activate itself, where the installer itself loads aventailes.dll, which reads in Cluck and decrypts from it a small chunk of code…

…that then decrypts the rest of Cluck using a different scrambling algorithm and injects it into memory, which kicks off the RATtiness.

How the RATs arrived

SophosLabs tracked five different RATicate malware campaigns delivering a wide range of different RATs, each using a wide range of different C&C servers to download their malevolent instructions.

The RAT variants delivered by this group of crooks included the zombie malware families Betabot, Lokibot, Formbook, AgentTesla, Netwire, Bladibindi and more.

The rogue installers were spammed out in emails, sometimes attached directly in archive files – using the well-known ZIP format as well as the lesser-known UDF and IMG formats – and sometimes delivered as Excel or RTF files that included links to download the “installer” from a booby-trapped server.

Interestingly, SophosLabs found that some victims received a mix of the two delivery types during the same campaign, as though the crooks were purposefully targeting victims with malware delivered in multiple ways, suggesting what you might call an “attack in depth” or “layered attack” strategy.

If you’ve ever wondered why it’s hard to figure out these days exactly what might happen next after the first indication of a cyberattack, this report will put you in the picture.

As you’ll see, the crooks can deliver completely different malware samples in the same guise and can adjust the behaviour of their C&C servers at any time depending on who you are and where you are connecting from.

Worse still, almost every RAT you’ll find these days includes its own “upgrade yourself to something new” command, whatever else it’s programmed to do.

What looked like a keylogger yesterday might morph into a spambot tomorrow, and into a ransomware attack the day after that.

What to do?

  • Read the report. The backstory gives useful insight into the many layers of subterfuge that the crooks are prepared to employ.
  • Filter email attachments aggressively. Don’t let little-used archive files through just because you assume they’re harmless. Many users install free archiving tools that have built-in support for archive formats you’ve never heard of, so even if you think that XYZ files will come to nothing in your organisation, the crooks might get lucky.
  • Filter outgoing web connections to block access to known hacked servers. If you bring your remote users back through the company network using a VPN (virtual private network), you can help to ensure that everyone gets the same level of protection against rogue downloads.
  • Follow layered protection, also known as defence-in-depth. The criminals are practising “layered attacks” so that each step of the process looks more innocent on its own, but this often means that you can prevent the overall attack if you block just one part of it.
  • Keep an eye on your logs. A modest looking attack that you spotted today could be a handy warning of what the crooks have in mind next. If you are short of time to do your own threat response, the Sophos Managed Threat Response team is here to help!

Senate renews warrantless collection of web histories

People are spending a lot of time online these days. They’re helping kids with homework, looking up prices for a sick parent’s prescriptions, or visiting who knows what websites in search of who knows what content: researching the pandemic, hanging out virtually with friends, shopping, or whatever else floats their boats.

Unfortunately, the answer to the “who” in “who knows what” is “the government.” Last week, the Senate narrowly missed an opportunity to protect Americans’ web histories from government surveillance.

On Thursday, an amendment to the controversial Patriot Act fell short by a single vote. The final tally was 59-37, but the amendment needed at least 60 votes to pass.

The amendment, sponsored by Senator Ron Wyden, would have expressly excluded internet browsing and history from what the government is allowed to collect through the approval of a secret court established by the Foreign Intelligence Surveillance Act (FISA).

The Patriot Act, designed as a response to the intelligence failures leading up to the 9/11 terrorist attacks, was signed into law by President George W. Bush in October 2001. Twelve years later, former National Security Agency (NSA) contractor Edward Snowden leaked classified documents that revealed how the law was being used to snoop on everything and everybody.

In June 2015, the Patriot Act was replaced by the USA Freedom Act: a bill meant to clip the NSA’s spying powers by slightly inconveniencing its metadata collection from US citizens and introducing more accountability and transparency for it and the FISA court.

Last week’s Senate vote to reauthorize the USA Freedom Act brings the surveillance bill one step closer to becoming law. The bill originally passed in the House in March, got amended last week in the Senate to pick up additional legal protections for some individuals targeted by the FISA court, and now heads back to the House for a vote on the newly amended version. If the new version passes the House, it will then land on President Trump’s desk.

The USA Freedom Reauthorization Act restores government powers that expired in March with Section 215 of the Patriot Act.

Some history on Section 215: in 2001, it amended Title V, Section 501 of FISA, allowing intelligence agencies to collect metadata on calls (known as call detail records, or CDRs) that they store in repositories and secure networks. Section 215 allows the government to demand “tangible things,” such as records deemed relevant to terrorism investigations.

The metadata has been used to secretly surveil Americans, sometimes for purposes that have absolutely nothing to do with protecting the country from terrorists, such as snooping on former girlfriends.

According to The Hill, besides reauthorizing Section 215, the USA Freedom Reauthorization Act also would reauthorize two expired programs: one dealing with “lone wolf” suspects who aren’t tied to any known terrorist organization, and another on “roving” wiretaps that allow the federal government to track a suspect across multiple devices.

Last week, Senator Wyden issued a plea for his proposed amendment to ban warrantless government surveillance on Americans’ internet browsing histories. He said that warrantless collection of browsing histories “offers endless opportunities for abuse,” pointing to investigations of political enemies that could lead to the government swooping in on web browsing histories that could be used against people, regardless of whether they’re relevant to a given investigation:

Donald Trump has called for investigations of his political enemies. Attorney General Barr has injected himself into investigations that affect the personal or political interests of Donald Trump. All it would take is for some innocent American’s web browsing history to be deemed relevant to one of those investigations, and the government could start collecting it.

And then it wouldn’t even matter whether that web browsing history had anything to do with the original goal of the investigation. For any number of reasons, the web browsing history of that innocent American could reveal personal, even embarrassing information that could then be used against him or her.

The Senate passed the reauthorization act on an 80-16 vote.

The ban on collecting web histories without a warrant needed 60 votes to pass. It only got 59. As Vox points out, the vote was particularly frustrating given that four senators didn’t vote on the amendment at all, and at least one would have voted yes.

Wyden, the sponsor of the failed amendment, voted against the reauthorization. He put out this statement about the dangers of the act:

The legislation hands the government power for warrantless collection of Americans’ web browsing and internet searches, as well as other private information, without having to demonstrate that those Americans have done anything wrong, or even were in contact with anyone suspected of wrongdoing.

Without further reform of these vague and dangerous Patriot Act authorities, Congress is inviting more secret interpretations of the law and more abuses.