
Biz & IT

An embattled group of leakers picks up the WikiLeaks mantle



For the past year, WikiLeaks founder Julian Assange has sat in a London jail awaiting extradition to the US. This week, the US Justice Department piled on yet more hacking conspiracy allegations against him, all related to his decade-plus at the helm of an organization that exposed reams of government and corporate secrets to the public. But in Assange’s absence, another group has picked up where WikiLeaks left off—and is also picking new fights.

For roughly the past year and a half, a small group of activists known as Distributed Denial of Secrets, or DDoSecrets, has quietly but steadily released a stream of hacked and leaked documents, from Russian oligarchs’ emails to the stolen communications of Chilean military leaders to shell company databases. Late last week, the group unleashed its most high-profile leak yet: BlueLeaks, a 269-gigabyte collection of more than a million police files provided to DDoSecrets by a source aligned with the hacktivist group Anonymous, spanning emails, audio files, and interagency memos largely pulled from law enforcement “fusion centers,” which serve as intelligence-sharing hubs. According to DDoSecrets, it represents the largest-ever release of hacked US police data. It may put DDoSecrets on the map as the heir to WikiLeaks’ mission—or at least the one it adhered to in its earlier, more idealistic years—and the inheritor of its never-ending battles against critics and censors.

“Our role is to archive and publish leaked and hacked data of potential public interest,” writes the group’s cofounder, Emma Best, a longtime transparency activist, in a text message interview with WIRED. “We want to inspire people to come forward, and release accurate information regardless of its source.”

Firefight time

In another message, Best sums up that mission in a Latin phrase that better captures the adversarial nature—and inherent controversy—of DDoSecrets’ work: “Veritatem cognoscere ruat cælum et pereat mundus.” Best translates the slogan to, “Know the truth, though the heavens may fall and the world burn.”

For DDoSecrets, the firefight has already started. On Tuesday evening, as media attention grew around the BlueLeaks release, Twitter banned the group’s account, citing a policy that it doesn’t allow the publication of hacked information. The company followed up with an even more drastic step, removing tweets that link to the DDoSecrets website, which maintains a searchable database of all of its leaks, and suspending some accounts retroactively for linking to the group’s material.

Best says DDoSecrets, an organization with no address and whose shoestring budget runs mostly on donations, is still strategizing a response and the best workaround to publicize its leaks—potentially shifting to Telegram or Reddit—but has no intention of letting the ban halt its work. “‘Too dangerous for Twitter’ is some Nixonian shit I didn’t expect,” Best says.

From the start, DDoSecrets has distinguished itself by its willingness to publish not just the same sort of raw leaks and hacked files that WikiLeaks published for years, but also some that even WikiLeaks refused to. The group’s first major release after its founding in late 2018 was a 175-gigabyte cache of Russian emails that included a collection of Russian political leaders’ and oligarchs’ communications, from the Russian interior ministry to arms exporter Rosoboronexport, provided by the Russian hacktivist group Shaltai Boltai along with other unknown sources.

WikiLeaks had obtained but declined to publish some of the same documents, Foreign Policy revealed in 2017, stating that it “rejects submissions that have already been published elsewhere or which are likely to be considered insignificant.” But when DDoSecrets published the full Russian collection in early 2019, The New York Times covered the document dump as a kind of counterblow to the Kremlin’s hacking and leaking operations that targeted the 2016 election.

Six months later, DDoSecrets returned with what it called #29 Leaks, a collection of 15 years of hacked emails from Formations House, a London financial firm involved in the creation of shell companies. Those shell companies had been tied to allegations of money laundering, including by arms dealers, car smugglers, and the ousted Ukrainian president Viktor Yanukovych.

A few months after that, the pseudonymous hacktivist Phineas Fisher revealed that they had broken into the network of the Cayman National Bank and Trust, another player in the world of offshore banking. Fisher gave the resulting 2-terabyte trove of stolen data to DDoSecrets. The files revealed, among other things, how the former head of Azerbaijan’s national security agency allegedly used embezzled funds to buy UK properties. DDoSecrets’ Best says that journalists are still digging into the massive data set today.

With BlueLeaks, however, DDoSecrets has for the first time published a major leak of files from US organizations, raising the stakes. Activists and journalists combing through the files immediately found evidence that the FBI had monitored the social media accounts of protesters on behalf of local law enforcement and tracked bitcoin donations to protest groups. The leak also includes personally identifiable information about police officers and even banking details, though Best says the group tried to redact all identifiable victim information. That material has fueled controversy around the publication and no doubt contributed to the group’s Twitter ban. (Twitter did not respond to a request for comment.) “The public has an interest in the identities of public servants,” Best writes.

That red-hot disclosure, perfectly timed to follow the global protests in the wake of the police killing of George Floyd, shows how the organization is coming into its own, says Birgitta Jonsdottir, a former member of WikiLeaks and the Icelandic parliament who now serves as an adviser to DDoSecrets. “They remind me of the people who were risking a lot for WikiLeaks back in the day,” Jonsdottir says. “There’s been a vacuum for a long time. So I’m just glad this is taking off, with this very important leak at this time.”

Learning from the experience of others

But Best, who identifies with the pronouns they/them, says that DDoSecrets has learned from WikiLeaks’ mistakes as well as its successes. Best has collaborated with WikiLeaks in the past—the relationship was complicated; Best later published a trove of the group’s own leaked chats in 2018—and points to a long list of what they see as WikiLeaks’ missteps: publishing materials without a source’s permission, as they found to be the case with the leak of emails from the Turkish government’s ruling party; inexplicably declining to publish leaked files, as with the Russia dump that DDoSecrets later published; or adding unnecessary editorial spin to documents, as they argue WikiLeaks did with the Vault 7 leak of CIA secrets.

Best also faults Assange specifically for trying to hide the fact that certain documents are provided by state-sponsored hackers, as when he intimated that the documents taken from the Democratic National Committee and the Clinton Campaign might have come from murdered Clinton staffer Seth Rich. In fact, Russian military intelligence hackers stole the documents and provided them to WikiLeaks. DDoSecrets, Best says, won’t shy away from publishing files stolen by state-sponsored hackers if they’re of real public interest. But those documents will be clearly labeled as coming from state-sponsored hackers when DDoSecrets can determine as much, they say, and will be kept on a portion of the site devoted to the spoils of government hacking. “Valid information is valid regardless of the source,” Best says. “But the source is important context.”

DDoSecrets is also taking a very different tack from WikiLeaks in protecting the anonymity of sources. It doesn’t host a WikiLeaks-style submission system on a server reachable only through the anonymity software Tor, as WikiLeaks and most other leaking sites have done. Best says they don’t actually believe that DDoSecrets, an organization without a physical presence or a headquarters, could sufficiently protect a physical server running an anonymous submission system such as SecureDrop. That is a real constraint rather than an excuse: SecureDrop’s design assumes the receiving organization physically controls the servers and an air-gapped machine for decrypting what comes in, so a group with no premises cannot meet its threat model. Instead, the group simply provides sources with a list of recommended security tools, such as Tor and the anonymous, ephemeral operating system Tails, as well as a variety of means to reach it via encrypted messages.

The approach hints that the group sees principled hackers as its core sources rather than non-technical leakers or whistleblowers inside of companies, says Gabriella Coleman, a hacker-focused anthropologist at McGill University who wrote a seminal book on the hacktivist group Anonymous and is friendly with some of DDoSecrets’ staff. The group’s name, a reference to the cybersecurity term “distributed denial of service,” and its relationship with Phineas Fisher further suggest an intended audience of hackers. “Using a name like that, it’s signaling a certain message to the hacker and hacktivist world, where they have certain relationships,” says Coleman. “They’re happy to accept leaks from whistleblowers, but they come from the hacker world. They’re going to be very well positioned to take leaks from more progressive hackers.” (Best declined to comment on the group’s sources, or what fraction are insider leakers versus outside hackers.)

Perhaps most importantly, Best says DDoSecrets wants to avoid the cult of personality that formed around Julian Assange. The WikiLeaks leader had exerted near-monarchic rule before being indicted for computer hacking conspiracy and arrested in London’s Ecuadorian embassy, where he had sought asylum, last spring. Best says DDoSecrets is moving toward a “co-op” model with a “horizontal structure” of leadership, with no single person in charge of the group’s direction.

Former WikiLeaker Jonsdottir, who has both criticized Assange and called for support for him after his arrest, believes this time will be different. “I don’t see anyone in the organization that can be made into the stories we had about Assange, a mysterious superhero,” Jonsdottir says. “Like Tina Turner said, we don’t need another hero.”

The Twitter ban following its BlueLeaks publication represents a setback for the group. But Jonsdottir says it also shows the importance of the work they’re doing. “They will definitely rise above this,” Jonsdottir says. “Somebody trusted them with a massive leak at a critical time. And I’m excited to see if it will help spawn more like it.”

This story originally appeared on wired.com.


The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare


Image caption: Conceptual computer artwork of electronic circuitry with blue and red light passing through it, representing how data may be controlled and stored in a quantum computer. (Getty Images)

In the not-too-distant future (perhaps as little as a decade; nobody knows exactly how long), the cryptography protecting your bank transactions, chat messages, and medical records from prying eyes is expected to break spectacularly with the advent of large-scale quantum computing. On Tuesday, a US government agency named four replacement encryption schemes to head off this cryptopocalypse.

Some of the most widely used public-key cryptosystems, including RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, rest on mathematical problems believed to be hard. For RSA, that problem is factoring the key’s large composite modulus (usually denoted N) into its two secret prime factors (usually denoted P and Q). For Diffie-Hellman and its elliptic-curve variant, it is computing a discrete logarithm: recovering the secret exponent from a public group element.

The security of these cryptosystems depends entirely on how hard those problems are for classical computers. Generating a key pair is cheap, because the owner picks the primes (or the secret exponent) directly and the public key is derived from them; an adversary who sees only N, or only the public group element, has no practical way to work backward to the secret.

In 2019, a team of researchers factored a 795-bit RSA key, at the time the largest RSA key ever factored. The same team also computed a discrete logarithm of the same size. (The same group went on to factor an 829-bit modulus, RSA-250, in early 2020, still far short of the 2,048 bits in common use.)

The researchers estimated the combined computation for the two records at about 4,000 core-years on Intel Xeon Gold 6130 CPUs running at 2.1 GHz. Like previous records, both were accomplished with the Number Field Sieve, a complex algorithm that can perform both integer factoring and finite-field discrete logarithms, and whose running time grows sub-exponentially with the size of the key.

Quantum computing is still in the experimental phase, but the theory is settled: a sufficiently large, fault-tolerant quantum computer running Shor’s algorithm, devised in 1994 by the American mathematician Peter Shor, solves integer factorization and discrete logarithms in polynomial time, where the best classical methods such as the Number Field Sieve are sub-exponential. That asymptotic gap is why simply increasing key sizes won’t help: doubling the modulus multiplies a quantum attacker’s work by only a small polynomial factor, while a classical attacker’s cost keeps growing sub-exponentially. No existing machine can yet run Shor’s algorithm on keys of practical size, and the attack is not instantaneous even in theory, but once such a machine exists the defender’s margin is gone.
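To make the two preceding paragraphs concrete, here is a toy Python demonstration, added for this edit and not part of the original article or of NIST’s material, of (1) why recovering the factors of N is the same as recovering an RSA private key and (2) the classical half of Shor’s algorithm, which reduces factoring to finding the multiplicative order of a random base. The primes, the seed, and the function names are illustrative choices. The order-finding step is done by brute force here; Shor’s contribution is doing exactly that step with a quantum circuit in polynomial time, which is why the reduction matters.

```python
"""Toy RSA and the factoring-to-order-finding reduction behind Shor's algorithm.
Added example with deliberately tiny parameters; real keys are 2048+ bits."""
from math import gcd, isqrt
import random


def rsa_keygen(p, q, e=65537):
    """Textbook RSA: N = p*q is public, the primes (and hence d) are secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), d


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    return pow(c, d, n)


def classical_factor(n):
    """Trial division, the crudest classical attack. The Number Field Sieve
    is vastly better but still sub-exponential in the bit length of N."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return (f, n // f)
    raise ValueError("no nontrivial factor (is N prime?)")


def private_key_from_factors(pub, factors):
    """Knowing p and q is equivalent to knowing the private key."""
    n, e = pub
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


def multiplicative_order(a, n):
    """Smallest r > 0 with a**r == 1 (mod n), assuming gcd(a, n) == 1.
    This is the period-finding step: Shor's quantum circuit does it in
    polynomial time; brute force here costs up to lcm(p-1, q-1) steps."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_reduction(n, seed=1):
    """Classical post-processing of Shor's algorithm for odd composite n = p*q:
    pick a random base a, find its order r, and if r is even and
    a**(r/2) != -1 (mod n), then gcd(a**(r/2) - 1, n) is a nontrivial factor.
    Each trial succeeds with probability at least 1/2 for such n."""
    rng = random.Random(seed)     # fixed seed so the example is reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                  # lucky guess: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)
        if r % 2:
            continue               # odd order: pick another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue               # trivial square root of 1: pick another base
        f = gcd(y - 1, n)          # y*y == 1 (mod n) with y != +-1, so this splits n
        return tuple(sorted((f, n // f)))


def demo():
    pub, d = rsa_keygen(61, 53)            # N = 3233, the classic textbook key
    c = rsa_encrypt(pub, 65)
    stolen_d = private_key_from_factors(pub, classical_factor(pub[0]))
    return {
        "n": pub[0],
        "d": d,
        "recovered_d": stolen_d,
        "plaintext": rsa_decrypt(pub[0], stolen_d, c),
        "factors_via_order_finding": shor_reduction(pub[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and both attacks recover the same private exponent from the public key alone. The point of the second path is the division of labour: everything in `shor_reduction` except `multiplicative_order` is cheap classical arithmetic, and `multiplicative_order` is the only part a quantum computer is needed for.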

Researchers have known for decades that these algorithms would be vulnerable to a quantum computer and have been cautioning the world to prepare for the day when all data that has been encrypted using them can be unscrambled. Chief among the proponents is the US Department of Commerce’s National Institute of Standards and Technology (NIST), which is leading a drive for post-quantum cryptography (PQC).

On Tuesday, NIST said it had selected four PQC algorithms for standardization, to replace those expected to be felled by quantum computing: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

CRYSTALS-Kyber and CRYSTALS-Dilithium are likely to be the two most widely used replacements. CRYSTALS-Kyber is a key-encapsulation mechanism: it lets two computers that have never interacted with each other establish a shared secret key over an untrusted network, the job RSA key transport and Diffie-Hellman do today. The remaining three are digital signature schemes, used to prove who produced a message, software update, or certificate, the job RSA and ECDSA signatures do today. All four replace public-key algorithms only; symmetric ciphers such as AES are not broken by Shor’s algorithm and need at most larger keys.

“CRYSTALS-Kyber (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications,” NIST officials wrote. “FALCON will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. SPHINCS+ will also be standardized to avoid relying only on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.”

The selections announced today are likely to have significant influence going forward.

“The NIST choices certainly matter because many large companies have to comply with the NIST standards even if their own chief cryptographers don’t agree with their choices,” said Graham Steel, CEO of Cryptosense, a company that makes cryptography management software. “But having said that, I personally believe their choices are based on sound reasoning, given what we know right now about the security of these different mathematical problems, and the trade-off with performance.”

Nadia Heninger, an associate professor of computer science and engineering at University of California, San Diego, agreed.

“The algorithms NIST chooses will be the de facto international standard, barring any unexpected last-minute developments,” she wrote in an email. “A lot of companies have been waiting with bated breath for these choices to be announced so they can implement them ASAP.”

While no one knows exactly when quantum computers will be available, there is considerable urgency in moving to PQC as soon as possible. Many researchers say it’s likely that criminals and nation-state spies are recording massive amounts of encrypted communications and stockpiling them for the day they can be decrypted, a strategy often called “harvest now, decrypt later.” Any data that must stay confidential for longer than the quantum timeline is therefore at risk today, not just when the machine arrives.


Google allowed sanctioned Russian ad company to harvest user data for months


ProPublica is a Pulitzer Prize-winning investigative newsroom.

The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner sent a letter to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.

But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.

Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a US Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.

RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean US individuals and entities are not supposed to conduct business with RuTarget or Sberbank.

Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity, data that US senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.

Last April, a bipartisan group of US senators sent a letter to Google and other major ad technology companies warning of the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”

Google spokesperson Michael Aciman said that the company blocked RuTarget from using its ad products in March and that RuTarget has not purchased ads directly via Google since then. He acknowledged the Russian company was still receiving user and ad buying data from Google before being alerted by ProPublica and Adalytics.

“Google is committed to complying with all applicable sanctions and trade compliance laws,” Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”

Aciman said this action includes not only preventing RuTarget from further accessing user data, but from purchasing ads through third parties in Russia that may not be sanctioned. He declined to say whether RuTarget had purchased ads via Google systems using such third parties, and he did not comment on whether data about Ukrainians had been shared with RuTarget.

Krzysztof Franaszek, who runs Adalytics and authored the report, said RuTarget’s ability to access and store user data from Google could open the door to serious potential abuse.

“For all we know they are taking that data and combining it with 20 other data sources they got from God knows where,” he said. “If RuTarget’s other data partners included the Russian government or intelligence or cybercriminals, there is a huge danger.”

In a statement to ProPublica, Warner, a Virginia Democrat, called Google’s failure to sever its relationship with RuTarget alarming.

“All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company—owned by a sanctioned, state-owned bank no less—is incredibly alarming and frankly disappointing,” he said. “I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.”


Google closes data loophole amid privacy fears over abortion ruling


Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.

It also took a further step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing it would automatically delete the location history on phones that have been close to a sensitive medical location such as an abortion clinic.

The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponized by US states to police new abortion restrictions in the country.

Companies have previously harvested and sold information on the open market including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.

Over the past week, privacy researchers and advocates have called for women to delete period-tracking apps from their phones to avoid being tracked or penalised for considering abortions.

The US tech giant announced last March that it would restrict the feature, which allows developers to see which other apps are installed and deleted on individuals’ phones. That change was meant to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.

The new deadline of July 12 will hit just weeks after the overturning of Roe v. Wade, a ruling that has thrown a spotlight on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.

“It’s long overdue. Data brokers have been banned from using the data under Google’s terms for a long time, but Google didn’t build safeguards into the app approvals process to catch this behavior. They just ignored it,” said Zach Edwards, an independent cyber security researcher who has been investigating the loophole since 2020.

“So now anyone with a credit card can purchase this data online,” he added.

Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone.”

It added: “Collecting app inventory data to sell it or share it for analytics or ads monetisation purposes has never been allowed on Google Play.”

Despite widespread use by app developers, most users are unaware of this feature of Android: a Google-designed permission, QUERY_ALL_PACKAGES, that lets an app, or snippets of third-party code inside it, query the inventory of all other apps on a person’s phone. (The permission exists because Android 11 began hiding the installed-app list from apps targeting that version or later; an app built against an older target version still sees the whole list without asking for anything.) Google itself has referred to this type of data as high-risk and “sensitive,” and it has been discovered being sold on to third parties.

Researchers have found that app inventories “can be used to precisely deduce end users interests and personal traits,” including gender, race and marital status, among other things.

Edwards has found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using Planned Parenthood, and various period tracking apps.

Narrative said it removed pregnancy tracking and menstruation app data from its platform in May, in response to the leaked draft outlining the Supreme Court’s forthcoming decision.

Another research company, Pixalate, discovered that consumer apps, like a simple weather app, were running bits of code that exploited the same Android feature and were harvesting data for a Panamanian company with ties to US defense contractors.

Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations we take action,” adding it had sanctioned multiple companies believed to be selling user data.

Google said it would restrict the Query All Packages feature to only those who require it from July 12. App developers will be required to fill out a declaration explaining why they need access, and notify Google of this before the deadline so it can be vetted.

“Deceptive and undeclared uses of these permissions may result in a suspension of your app and/or termination of your developer account,” the company warned.
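As an added example (not code from the article, from Google, or from any of the companies named), the following Python script performs the check a reviewer or an app-vetting pipeline would run on a decoded AndroidManifest.xml: flag the broad android.permission.QUERY_ALL_PACKAGES permission, report the scoped <queries> declarations that are the narrower alternative, and catch the case the permission name hides, an app targeting an API level below 30, which sees the full app list without requesting anything. The three manifests are constructed samples with fictitious package names; the decoding step (for example with apktool) is assumed to have happened already.

```python
"""Audit decoded Android manifests for app-inventory visibility.
Added example; the manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
TARGET_SDK = f"{{{ANDROID_NS}}}targetSdkVersion"
BROAD_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"
VISIBILITY_FILTERING_SINCE = 30   # Android 11: package visibility filtering begins


def audit_manifest(manifest_xml: str) -> dict:
    """Summarize how much of the installed-app list this manifest can see."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME) for el in root.iter("uses-permission")}
    uses_sdk = root.find("uses-sdk")
    target = None
    if uses_sdk is not None and uses_sdk.get(TARGET_SDK):
        target = int(uses_sdk.get(TARGET_SDK))
    queries = root.find("queries")
    scoped_packages = [] if queries is None else [p.get(NAME) for p in queries.iter("package")]
    scoped_intents = 0 if queries is None else len(list(queries.iter("intent")))
    broad = BROAD_PERMISSION in permissions
    # Filtering only applies to apps targeting API 30+; older targets see everything.
    legacy_target = target is not None and target < VISIBILITY_FILTERING_SINCE
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "requests_query_all_packages": broad,
        "scoped_packages": scoped_packages,
        "scoped_intents": scoped_intents,
        "sees_full_app_inventory": broad or legacy_target,
    }


def findings(manifest_xml: str) -> list:
    """Human-readable review findings; empty when nothing looks wrong."""
    a = audit_manifest(manifest_xml)
    out = []
    if a["requests_query_all_packages"]:
        out.append(f"{a['package']}: requests {BROAD_PERMISSION}; needs a Play "
                   "declaration, or should be replaced by a scoped <queries> element")
    elif a["target_sdk"] is not None and a["target_sdk"] < VISIBILITY_FILTERING_SINCE:
        out.append(f"{a['package']}: targets API {a['target_sdk']}, so it sees all "
                   "installed apps without any permission; raise targetSdkVersion")
    return out


# Constructed sample 1: a weather app that has no business enumerating apps.
WEATHER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="31"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Weather"/>
</manifest>"""

# Constructed sample 2: the corrected form, visibility limited to what the app needs.
FILE_MANAGER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.files">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="31"/>
    <queries>
        <intent>
            <action android:name="android.intent.action.VIEW"/>
            <data android:mimeType="*/*"/>
        </intent>
        <package android:name="com.example.companion"/>
    </queries>
    <application android:label="Files"/>
</manifest>"""

# Constructed sample 3: no permission requested, but the old target level bypasses filtering.
LEGACY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
    <application android:label="Legacy"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (WEATHER_APP, FILE_MANAGER, LEGACY_APP):
        print(findings(manifest) or [f"{audit_manifest(manifest)['package']}: ok"])
```

The third sample is the one a permission-only grep misses: a manifest with no suspicious permission at all still gets the full inventory if it targets Android 10 or earlier, so any vetting rule has to read targetSdkVersion as well as the permission list.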

Additional reporting by Richard Waters.

© 2022 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.
