Spy Games? Google Play targeted by NSA


As the NSA fights to retain its spying power with the Patriot Act now under review, more documents from whistleblower Edward Snowden have begun to surface. These newest leaks suggest the spy agency had plans to hack the Google Play store and inject malware into users’ seemingly-legitimate downloads. While it appears the plan was never put into practice, even the thought is worrisome, since most users have no qualms about trusting “secure” app stores like Google Play or iTunes — making it the perfect target for the NSA.

No fun

According to The Verge, documents released by Edward Snowden and published by The Intercept spell out a plan called “IRRITANT HORN” which would inject malware after intercepting Web traffic moving to and from mobile application servers. The documents clearly showed device-maker Samsung’s update protocol and Google Play servers located in France and used to deliver updates to phones in northern Africa. In other words, this wasn’t a plan confined to the United States — the NSA also had a vested interest in hacking the devices of users worldwide.

The Intercept reports that the project came from a joint effort by the Network Tradecraft Advancement Team, which has members from each nation of the Five Eyes alliance: Canada, the United States, the United Kingdom, New Zealand and Australia. According to the Snowden documents, this group held secret meetings in Australia and Canada between November 2011 and February 2012 to develop new ways they could exploit smartphones as surveillance devices.

Using an Internet spying system known as XKEYSCORE, the group zeroed in on traffic flowing to and from the app marketplaces operated by Google and Samsung. The idea was to intercept traffic sent between users and legitimate app stores, and, using a man-in-the-middle attack, compromise the device to add NSA-crafted malware which could grab a user’s contact list or provide their location in near real-time. Although Samsung and Google use TLS encryption which should theoretically defend against these kinds of attacks, there has long been speculation that the NSA has found a way around this kind of encryption.

The ultimate goal here? Snowden’s documents say IRRITANT HORN was part of a campaign to deliver “selective misinformation” to specific phones and was crafted in large measure as a response to the Arab Spring. The NSA and other international spy agencies wanted to make sure if any more social media-empowered unrest occurred, they were prepared to mitigate the effects through compromised devices.

Safe and sound?

While there’s no evidence that the NSA was successful — both Google and Samsung are staying mute — there’s a pertinent lesson here: app stores are not safe havens, even those operated by dominant companies like Google or Samsung. This shouldn’t come as a surprise, since it’s already possible to sneak malicious apps into these “secure” stores and “dead” apps that are no longer updated are often still available for download with no warning about their potentially compromised security.

What’s more, the level of trust users have for these app stores makes them the perfect vehicle for a spy agency attack. Beyond just the Five Eyes, government agencies across the globe have a vested interest when it comes to what users are doing with their smartphones when political change or unrest occurs. In other words, while governments often pay lip service to the notion of consumer privacy, they’re not above denying any wrongdoing as federally-funded spy agencies work to uncover personal data for political use.

Tough sell?

In the US, at least, NSA powers are under the microscope. While the Senate failed to pass the USA Freedom Act, a Second Circuit Court of Appeals ruled that Section 215 of the Patriot Act — which supposedly covered bulk telecom records collection — doesn’t actually hold water, leaving the program on hold. And with revelations like the Google Play hack continuing to trickle out of the Snowden files, it may be tough for the agency to get any traction.

But here’s the thing: when it comes to spy agencies, laws only matter if they get caught. Net-savvy citizens are better off assuming that no service is safe, no store is secure, and no device is invincible.


Are the US and EU pulling in different directions over privacy?


Whatever your opinion of ex-NSA contractor Edward Snowden, there is no doubt that he opened a can of worms when he first began leaking documents detailing the surveillance efforts of the US.

Since then, major world powers have come under increasing scrutiny from their citizens, as well as varying amounts of pressure to cut or curtail their own international and domestic spying efforts.

Interestingly, however, EU nations appear to be pulling in the opposite direction to the US.

While the United States debates privacy reform — its ability to collect phone records in bulk is currently on hold after the Senate both vetoed the USA Freedom Act and failed to extend the Patriot Act recently — governments in Europe have been seeking ever more surveillance powers.

Spying in France

In the wake of the Charlie Hebdo attacks in Paris, France’s governing body approved a new spying bill that affords its intelligence services sweeping new powers to monitor, track, and identify mobile phones, people, and vehicles, all without any meaningful judicial oversight.

The newly enacted law also requires telecommunications companies to analyse their own phone and Internet metadata and to report any signs of potential terrorist communication to the government. Where such activity is suspected, the telecoms will be expected to grant intelligence agents real-time access to relevant data.

Watching you in Germany

Once revered as a country that values privacy and the freedom of speech it affords (look at all the activists who live there, such as Jacob Appelbaum and Laura Poitras), Germany has also been participating in mass surveillance of its own. It has recently come to light that German intelligence services have been cooperating heavily with the American National Security Agency, allegedly spying on European companies and officials.

Chancellor Merkel, who received much sympathy from her people two years ago when it was revealed that American spy agencies may have been bugging her phone, now appears to have lost huge amounts of goodwill: one in three Germans say they feel deceived by her apparent approval of the German-US spying program.

Eyes everywhere, Ireland

Ireland, too — despite making a stand against the execution of US warrants against data stored on servers within its borders — has recently been accused of undermining its citizens’ rights.

Privacy campaign group Lobbyplag claims the nation is the third-worst offender (after Germany and the UK) in terms of pushing for changes to European privacy laws that would favor corporate entities and public bodies over the rights of ordinary citizens.

Surveillance OK in the UK

And in the UK, the recent election, which saw David Cameron return as Prime Minister, has also paved the way for the resurrection of the Communications Data bill, colloquially known as ‘The Snooper’s Charter’.

Previously resisted by the UK Conservatives’ coalition partners, the party’s post-election majority paves the way for a fresh attempt at instigating the controversial legislation that would allow British intelligence agents to access just about every piece of data transmitted over the Internet.

The reintroduction of the bill, mooted by British Home Secretary Theresa May even before the final election results were known, coincides with the UK government rewriting the Computer Misuse Act to give GCHQ spies immunity from hacking laws.

How effective is mass surveillance?

It is perhaps no surprise that Europe seeks to strengthen its ability to spy on citizens both foreign and domestic in the wake of the horrific acts of terrorism that threaten the security of European nations. But, as we have seen in the US, the erosion of civil liberty has done little to enhance security. In October 2014, NSA Director Keith Alexander told a Senate Judiciary Committee that NSA data collection programs had foiled only one or two terrorist plots since they began in 2006.

Nonetheless, it looks as though it may be a long time yet before Europe wakes up to the lessons learned across the Atlantic.


Featured image: ExpressVNP


Sweet news, Australians! Seven Sport will live stream LOADS of sports!


Are you an Aussie expatriate or Aussie abroad?

Missing out on your favorite sports back home is one of the biggest compromises you can make when you leave Australia in search of love and adventure.

Lucky for Aussie sports fans all over the world, Seven plans to expand its live-stream programming of major sporting events on its website. So if you love tennis, swimming, golf, and racing, you’ll soon be able to watch it all — LIVE — wherever you are.

New Seven websites:

7sport.com.au (already established)

Free sports!

According to a post on the 7Sport Facebook page, “Channel 7 is about to create sporting history with its ’40 Days of live and free sport on your mobile anywhere, anytime’ initiative.”

Catch all the action with Seven’s live streams of your favorite events, like Wimbledon, the Davis Cup, the Australian Masters, the Australian Open, the Australian PGA Championships, and loads more.

Use ExpressVNP to Secure Your Connections

Before you start streaming, make sure your Internet is secure! Download ExpressVNP and you’ll be able to avoid ISP throttling and secure your Internet connection.

Grab a pint and enjoy!



Google in talks with privacy regulators over ‘right to be forgotten’


One year after the Court of Justice of the European Union (ECJ) ruled that individuals have the right to ask search engines to remove certain search results about them, Google has published some statistics about how it has implemented its response.

Since the search giant began offering the “right to be forgotten” on 29 May, 2014, it has received 925,586 URLs from 255,143 requests for removal. Of those, the company has approved 41.3 percent.

Since last year’s ruling, Google has been obliged to remove links to web content that presents information about an individual if it is deemed to be “inadequate, irrelevant or no longer relevant”.

In making its decision, the ECJ effectively put the onus on the search engines to administer and police the removal request process, requiring users to contact them directly with details of the URLs they wished to see removed from web indexes.

That left Google and others complaining about the workload it presented and also left the search companies in the difficult position of deciding which removal requests to approve and which to deny.

That situation has now left Google at loggerheads with privacy regulators who say the company has made errors in some of its decisions.

In the UK, the Information Commissioner’s Office (ICO) is in talks with the company over 48 such cases that it believes it has not got “quite right”.

The regulator says it hopes a further round of talks will lead to a satisfactory resolution but also noted that it could fall back on enforcement measures (fines and legally binding enforcement notices) if no progression materialises.

Speaking to the BBC, an ICO spokesman said:

“Since the details of the right to be forgotten ruling were first announced, we have handled over 183 complaints from those unhappy with Google’s response to their takedown request.

In around three-quarters of these cases, we have ruled that Google was correct to turn down an individual’s request to have their information removed. This suggests that, for the most part, Google are getting the balance right between the protection of the individual’s privacy and the interest of internet users.”

In response, a spokesman for Google admitted the company had sometimes failed to get a proper grip over privacy rights in Europe due to both errors and the attitude it had adopted, but claimed the company was now working hard to improve. The spokesman added that users have been given “more control over the data we collect” and hinted at changes to come that would see such tools easier to find and use.

Speaking to the Times, the ICO’s deputy information commissioner David Smith appeared more bullish, saying “at some point, we’ll have to reach a decision as to whether we pursue any [cases] where Google doesn’t agree with us, through formal action”.

Smith went on to say that, while the ECJ ruling only pertained to links on European search sites, he believed that Google and others should take a blanket approach, removing the same links from US and other indexes.

While it will be interesting to see how the standoff between the ICO and Google plays out, it is almost certain that not everyone will be entirely satisfied with the outcome.

Individuals undoubtedly see the “right to be forgotten” as a means of removing links to content that they would prefer to see buried and there are many privacy campaigners who agree with such a viewpoint.

On the other hand, free speech advocates oppose the removal of some negative information on the grounds that its original reporting was fair, accurate and/or in the public interest.


Internet.org: Too good to be true?


Mark Zuckerberg never sleeps. With Facebook now topping 1.44 billion active users worldwide, the founder of the social network could rest on his laurels. Instead, he and other Facebook executives have been busy developing “Internet.org”, which, according to the official website, will “connect the two thirds of the world that doesn’t have Internet access.”

Given that only 33 percent of global citizens have regular Internet access, more and more advocacy groups are calling for Internet access as a basic human right. At first glance, then, the mission of Internet.org seems noble. But concerns about profit and privacy have emerged, leading some to conclude that this “free” Internet may be too good to be true.

The Big Idea

Here’s how it works: Facebook has partnered with a number of mobile phone companies and third-world telecom providers to offer free Internet service for those who cannot otherwise afford access. As of May 10th, the company has rolled out Internet.org in Zambia, Tanzania, Kenya, Colombia, Ghana, India, Philippines, Guatemala, Indonesia, and Bangladesh.

Users are provided no-cost access from a specific carrier but aren’t able to leverage high-bandwidth services like file downloads or streaming video. The idea here is to provide basic access to information and communication. The problem? It may also run afoul of Net Neutrality.

Closed System

What happens when Facebook supplies the Internet.org app and runs all traffic through its own massive servers? It becomes a de facto Internet service provider (ISP), but without the same kind of restrictions placed on for-pay carriers.

What’s more, Zuckerberg and his company get to decide which websites are part of their Internet and which are blocked off for free users — who always have the option of upgrading to paid plans, many of which are prominently displayed through on-site ads.

According to Wired, this kind of gatekeeping led to pushback from several Indian publications, which said that the company was violating the very Net Neutrality principles it claimed to uphold. Put simply: if Facebook decides what’s free and what isn’t by standing guard over website access, then its Internet isn’t really free.

As a result, the Facebook CEO has announced that any company or website can now apply to join the Internet.org initiative and become part of the content pipeline which users can access freely. Internet.org VP of Product Chris Daniels claims that opening the gates to developers at large was always part of the “roadmap,” and that concerns from Indian users simply accelerated plans that were already in the works. But not everyone is buying this explanation.

Not All Bad?

Some organizations are voicing their support for the Facebook-powered Internet. Venture Beat, for example, points out that while it’s easy to throw stones at Zuckerberg et al. because they’re rich and powerful, there’s nothing inherently wrong with making a profit. In fact, as a publicly-traded company, the social media site has the responsibility to do right by its shareholders and generate as much revenue as possible. Since Facebook is under no obligation to offer any kind of free Internet service, even something that’s clearly an advertising vehicle can’t be all bad if it gets more people online, right?

But Not So Great

Two large issues with Internet.org spring to mind, however, even under the new model: control and security. Sure, any developer can now apply to join the community — and have their information routed through Facebook’s servers. As more data gets through the gate, the social media giant gains more control and simply isn’t under the same kind of obligation to disclose their use of this information as a for-pay ISP.

There’s also the issue of security, since Facebook won’t allow any sites that use SSL or TLS — two key security measures which encrypt data and help deflect malicious attacks. The company claims this is a technical issue but could potentially put free users at risk of having their data compromised, especially if more “secure” online services choose to join the Internet.org movement.

So what’s the final word on a Facebook-powered Internet? The road to Hell is a good example: Zuckerberg may have the best of intentions, but the easy road to online access may burn users’ privacy.


Great white north goes pro-spy with Bill C-51


Canadians aren’t regarded as masters of intrigue and secrecy. While the country’s intelligence service, CSIS, is decently funded and provides a measure of protection to citizens, it’s got nothing on the NSA or the GCHQ. But times may be changing thanks to a new law just passed in the Great White North. Have these peaceful, poutine-loving puck droppers finally gone pro-spy like the rest of the “civilized” world?

Terror Targets

According to the Winnipeg Free Press, the Harper government has pledged almost $300 million this year to provide additional resources to Canada’s national police force, the RCMP, along with the Canada Border Services Agency and the Canadian Security Intelligence Service (CSIS). The reason? To fight “terrorists and terrorist financing.” That’s also the thought process behind Bill C-51, which has been under debate in the House of Commons for several years. As reported by France 24, just one-third of Canadians support the broader security powers, even in the wake of a terrorist attack last October when a gunman killed a ceremonial guard at the National War Memorial and stormed Parliament Hill. But the majority government has bulled ahead with this legislation in hopes of increasing CSIS’s reach both at home and abroad.

Current Oversight

As noted by a recent article from The Star, CSIS is already keeping tabs on ordinary Canadian citizens. Journalist Craig Desson filled out an online request form asking for any data the spy agency had on file about him, and got a 15-page package in return. To the organization’s credit, it took them just three weeks to compile and send the results, but according to Desson, they were mostly confusing and vague. There was a copy of an article he wrote about a Chrome plug-in to alert users about sites with unencrypted cookies along with information about his date of birth and employer and a large volume of data relating to an RCMP background check.

Some information was deliberately withheld, however, and when Desson emailed to inquire, he was told by CSIS that there was “information in the records we processed that we determined needed to be withheld because its release would be injurious to the efforts of Canada toward detecting, preventing, or suppressing subversive or hostile activities.” In plain English: We’re not telling. The agency also noted that Desson’s background check information could be kept on file from 6 to 50 years at the discretion of CSIS.

Even without enhanced powers, the agency already has the ability to tap communication among Canadians; as reported by Mobile Syrup, for example, Google Hangouts do not use end-to-end encryption, meaning they could be wiretapped by the search giant itself or a motivated spy organization.

New Powers

So what exactly is the Harper government giving CSIS license to do both inside and outside of Canada? It starts with intercepting financial transactions and extends to preventing suspected criminals from boarding planes, allowing the agency to intercept weapons or hijack suspicious social media accounts and use them for “counter messaging.” Opposition party members have slammed the bill as an erosion of Canadian rights and freedoms, while Canada’s Privacy Commissioner Daniel Therrien calls the new powers “excessive” and says Bill C-51 is “seriously deficient” when it comes to safeguarding privacy. Prolific author Margaret Atwood, meanwhile, believes that these new powers could put any citizen in the line of fire for their online conduct, tweeting:

#BillC51 about to be passed in Canada. See you in the slammer, kids, where I’ll doubtless be put on suspicion of being reckless. Me + many.

— Margaret E. Atwood (@MargaretAtwood) May 5, 2015

Empty Promises?

Dick Fadden, national security adviser to the Prime Minister, says that these new powers only seem frightening but in reality aren’t so bad. He argues that “there has to be an actual threat to national security” for CSIS to leverage its authority, but who exactly determines this threat level and how they’re held accountable isn’t covered. If it’s anything like other countries with similar legislation, the spy agency will effectively become self-policing. John Bennet of environment protection agency The Sierra Club of Canada says that his organization has already been targeted by CSIS as a potential threat, and likens the new powers to “using a bulldozer to catch ants.”

Bottom line for Canadians or anyone doing business in this “friendly” nation? When even CSIS wants to read your mail and know what you’ve ordered from Amazon, it’s time to safeguard yourself online. As for Canada? There’s a federal election on the way — citizens can decide what matters more: privacy or “protection.”


Featured image: Bobby Mikul / Public Domain Pictures.net (image has been modified)


Undiscovered malware turns Linux and BSD servers into spamming botnets


A new family of malware, dubbed “Mumblehard” by security researchers, has been successfully infecting web servers running on Linux and BSD for more than five years.

Despite being uploaded to VirusTotal in 2009, the malware has gone largely undetected since and, over the last six months alone, has doubled in size, leading to a botnet capable of blasting out a huge amount of spam email.

Researchers from antivirus company ESET first became aware of Mumblehard after a systems administrator requested help after discovering one of their servers had been blacklisted for sending spam.

Since then, ESET has monitored the botnet for several months, discovering its command and control mechanism as well as 8,867 unique IP addresses connected to it, 3,000 of which were added in the last three weeks alone.

They also discovered that Mumblehard possesses two key components – one that is responsible for the spam operation, and another which acts as a backdoor. Both components were found to have been written using Perl and contain the same custom packer written in assembly language.

In a 23-page report issued by ESET, the researchers wrote:

“Malware targeting Linux and BSD servers is becoming more and more complex. The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”

Further investigation into Mumblehard appears to link it to Yellsoft, a company selling DirectMailer, an automated email distribution system that allows users to send messages anonymously.

DirectMailer, which is also written in Perl and runs on UNIX-type systems, is available for $240, though it is interesting to note that the developers actually link to a site offering a cracked copy of the software. As if this isn’t shady enough, they also note that they are unable to provide any technical support for pirated versions of the software.

Lo and behold, the ESET researchers subsequently discovered that the cracked copy of the software contains the Mumblehard backdoor, meaning that once it is installed, the operator of the botnet can then send spam and proxy traffic through the infected device. Whether or not the official version of DirectMailer contains the malware is not known.

The researchers are continuing to analyse how Mumblehard installs itself on a system and currently believe that, beyond the pirated DirectMailer software, systems may also be at risk if running a vulnerable version of the Joomla or WordPress content management systems.

Therefore, ESET’s advice to systems administrators is obvious – keep operating systems and applications fully updated with patches and be sure to run security software provided by a reputable vendor.

Administrators can also look out for unexplained cron jobs running on servers – Mumblehard uses them to dial home to its command and control servers exactly every 15 minutes.

Also, the backdoor is typically found within the /tmp or /var/tmp folders and can be nullified by mounting those directories with the noexec flag.
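
A triage sketch for the two checks above (an added example, not ESET's tooling or code from the original article): it flags crontab entries that fire every 15 minutes and launch something from /tmp or /var/tmp, and reports which of those directories are not covered by a noexec mount. The crontab and mount-table text below are constructed samples with made-up file names; on a real host the inputs would be the contents of the crontabs and of /proc/mounts.

```python
import re

# Redirection targets (e.g. "> /tmp/job.log", "2>&1") are stripped first so a
# job that merely logs to /tmp is not reported.
REDIRECT = re.compile(r"\d*>>?\s*\S+")
# /tmp or /var/tmp used as a path, not part of a longer name like /home/u/tmp.
TEMP_PATH = re.compile(r"(?<![\w.\-/])(?:/var)?/tmp(?=/|\s|$)")

def expand_minutes(field):
    """Expand a cron minute field ("*/15", "0,15,30,45", "7-59/15") to a set."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-", 1))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, step))
    return minutes

def suspicious_cron_lines(crontab_text):
    """Return entries that run every 15 minutes and execute from a temp dir."""
    hits = []
    for raw in crontab_text.splitlines():
        fields = raw.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        try:
            minutes = expand_minutes(fields[0])
        except ValueError:
            continue  # not a schedule line (environment assignment, @reboot ...)
        every_15 = (fields[1:5] == ["*"] * 4 and len(minutes) == 4
                    and all((m + 15) % 60 in minutes for m in minutes))
        # fields[5] is the command (preceded by a user name in /etc/crontab).
        if every_15 and TEMP_PATH.search(REDIRECT.sub(" ", fields[5])):
            hits.append(raw.strip())
    return hits

def temp_dirs_allowing_exec(mounts_text, dirs=("/tmp", "/var/tmp")):
    """Return the temp dirs whose governing mount lacks the noexec option."""
    mounts = [(p[1], p[3].split(",")) for p in
              (line.split() for line in mounts_text.splitlines()) if len(p) >= 4]
    exposed = []
    for d in dirs:
        best = None
        for mnt, opts in mounts:
            covers = mnt == "/" or d == mnt or d.startswith(mnt + "/")
            # Longest mount point wins; a later entry overrides an equal one.
            if covers and (best is None or len(mnt) >= len(best[0])):
                best = (mnt, opts)
        if best is None or "noexec" not in best[1]:
            exposed.append(d)
    return exposed

# Constructed sample input: file names and layout are invented for illustration.
SAMPLE_CRONTAB = """\
MAILTO=root
*/15 * * * * /var/tmp/sample_a >/dev/null 2>&1
0,15,30,45 * * * * www-data /tmp/.sample_b
*/15 * * * * /usr/local/bin/report.sh > /tmp/report.log 2>&1
*/5 * * * * /tmp/healthcheck
17 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
7-59/15 * * * * /usr/bin/perl /var/tmp/.sample_c
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for entry in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("review cron entry:", entry)
    for d in temp_dirs_allowing_exec(SAMPLE_MOUNTS):
        print("execution allowed in:", d)
```

Flagged entries are candidates for review rather than proof of infection; legitimate jobs can also run on a 15-minute schedule.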


Featured image: Derek Quantrell / Public Domain Pictures.net