Some essential additions to our Internet glossary

1390397_79061953_330Times are changing and we have to learn new things all the time. People interested in privacy on the Internet have been faced with a flood of new acronyms and terms lately. Here comes a brief list of terminology that has remained fairly unknown for a long time, but suddenly become very central to how our cyber society is developing. Keep these in mind if you want to be privacy-savvy.

The best know signal intelligence system of the cold war era. Operated by the NSA and capable to store and analyze both data and telephone traffic globally. Today a legacy system.

FISA, Foreign Intelligence Surveillance Act
A US law that, together with other related laws and amendments, controls usage of non-US citizens’ communications for the benefit of US interests. Controls is however a misleading word as it pretty much boils down to carte blanche to spy on foreigners. This is of paramount importance for the whole Internet as most of the cloud services are run by American companies, and most users are foreigners.

FISC, FISA-Court, United States Foreign Intelligence Surveillance Court
A secret US court that is supposed to review and approve data gathering efforts under the FISA and related laws. Evil tongues call it a rubber stamp, but it has actually denied 11 requests out of a total of 33 949 during 1979-2012. (Some of those 11 were approved after modification.)

Gag Order
A court order to shut up about something.

GCHQ, Government Communications Headquarters
UK’s own NSA. Responsible for gathering info from Internet traffic for the needs of the UK government and military.

A former encrypted mail service run by Ladar Levinson. Became iconic in the fight for Internet privacy when closed down in August 2013. According to Ladar: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.” This smells NSL (see below) to high heaven.

NSA, National Security Agency
USA’s main signals intelligence agency. Operates globally to intercept and decode information. Recent reports indicate that NSA’s strategy largely seems to be to store as much information as possibly for further use, rather than picking targets and eavesdropping selectively. NSA is also a leader in cryptography and cryptanalysis, and is believed to have more supercomputer capacity than anyone else on this planet.

NSL, National security letter
An order from a US agency to hand over information or implement information gathering systems. These letters come with strict gag orders that even prevents the subject from revealing the existence of a NSL or seeking legal advice about it. Their legal status is controversial because of the broad gag orders that are in conflict with the 1st amendment. Anyone should keep the NSLs in mind when listening to top executives of Google, Facebook, Apple etc. who denies that NSA can tap into their systems.

Currently the best known of all the data gathering programs run by NSA. PRISM is apparently a database application that stores data from many sources.

SIGINT, Signals intelligence
Operations aiming to gather information by eavesdropping on communications and other signals or stored data. Involves the art of decoding or decrypting messages as well as gathering information by analyzing traffic patterns.

A system run by UK’s GCHQ that collects data in real time from internet and telephone communications.

Utah data center
A data center located in Bluffdale, Utah and operated by the NSA. The center is about to be finalized and believed to provide 3 – 12 Exabyte of storage data right now, more in the future as storage technology evolves. It has been said that five Exabyte is equivalent to all words ever spoken by humans since the dawn of time. This is outdated, but still interesting when trying to imagine how much an Exabyte really is. So what exactly is NSA going to do with all this storage?

A NSA system that gives analysts powerful tools to query for information about identified targets or suspicious patterns in larger datasets.

A person who makes crimes or other unethical activities known to a larger public, often by violating agreements or the law. A significant portion of what we know about SIGINT on the Internet has been revealed by whistleblowers.

This list of secret NSA programs and codenames is far from complete. Security guru Bruce Schneier puts it very well in a TED interview together with our Mikko Hyppönen.

Bruce Schneier: “First, be careful with names. PRISM is a specific NSA database, just a part of the overall NSA surveillance effort. The agency has been playing all sorts of games with names, dividing their efforts up and using many different code names in an attempt to disguise what they’re doing. It allows them to deny that a specific program is doing something, while conveniently omitting the fact that another program is doing the thing and the two programs are talking to each other. So I am less interested in what is in the specific PRISM database, and more what the NSA is doing overall with domestic surveillance.”

Very well said! Here you can find a more comprehensive list of NSA programs and codenames.

Safe surfing,

More posts from this topic


Cyber Monday Mythbusting

It's Cyber Monday, and marketing companies expect online shoppers to flock to websites and apps in order to take advantage of holiday sales. And naturally, this causes concerns about what kind of risks people are taking when they shop online. But F-Secure Security Advisor Sean Sullivan says any security warnings focusing on Cyber Monday are simply part of the hype. “Cyber Monday is no more or less safe than any other day of the year. People just expose themselves to more online threats when they do more stuff online, but that really has nothing to do with Cyber Monday. And people that tell you otherwise aren’t doing you any favors.” So there you have it. On the other hand, Sullivan does point out that holiday shoppers should beware of the extent to which they expose themselves while online shopping, which is becoming more popular during the holidays. Adobe is projecting an eleven percent increase in online spending during the holidays this year, amounting to a whopping 83 billion dollars. So that’s 83 billion dollars that will be up for grabs (compared to just 3 billion on Cyber Monday), so it’s naïve to think that criminals are just going to ignore the opportunity. Last year, F-Secure Labs registered a sharp increase in ransomware detections during November and December, including a 300 percent increase in the Browlock police-themed ransomware family. Sullivan published a recent blog post examining the Crytowall ransomware family, which he says is prevalent during the holiday season but virtually disappears in early January – when people celebrating Orthodox Christmas in Russia begin their holidays. One easy way to protect yourself from ransomware and other online threats while holiday shopping is to be conscious of the threat landscape. Its trends like these that Sullivan pays attention to, and warns others to do the same. “It would be safe to say that people should be worried about ransomware this holiday season, and probably through next year. I expect that we, or at least security researchers, will look back on 2016 as the year of extortion.” For example, even though mobile device are now widespread and used by many people, they’re not necessarily good tools to use for making financial transactions while online shopping. “I use an iPad running Freedome for the vast majority of my online browsing, which works great for me because it’s easy to use and I can bring it with me if I leave the house. And between the security benefits of a VPN and the relatively small amount of malware targeting iOS devices, I feel pretty confident in using it to casually window shop on different websites. But I always use a PC to make actual purchases. I trust that my PC is secure and the actual keyboard makes it easier to enter financial data.” You can find more great advice on how to stay safe while online shopping here. [Image by Atomic Taco | Flickr]

November 30, 2015

Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015
Secure Wordpress site, mobile blogging, tablet by the bay

This is why you need to protect your WordPress username and password

If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason

November 26, 2015