Microsoft, Yahoo, Google, Facebook, AOL, Verizon, and Apple might breathe a little easier today. Their denials of working with the NSA’s PRISM program to turn over huge quantities of customer data over to the secretive U.S. intelligence agency just got a little bit more credible today thanks to testimony from NSA Director General Keith Alexander.

“The U.S. government does not unilaterally obtain information from the servers of U.S. companies,” Alexander said. “Rather, the U.S. companies are compelled to provide these records by U.S. law using methods that are in strict compliance with that law.”

Unfortunately, Alexander also referred to the companies as “our industry partners.”

Alexander testified before the House Standing Committee on Intelligence today, saying that it was a “privilege and honor” to serve the United States as director of the NSA, also that data accessed by PRISM and other NSA surveillance programs has spared the U.S. from over 50 terrorist attacks since 9/11.

Facebook, Google, Apple, Microsoft, and other companies have denied allowing the U.S. government full access to their customer data. But their denials have strange similarities and significant gaps, and initial whistle-blower Edward Snowden has stuck to his guns, saying that their responses were misleading.

Alexander’s words are, frankly, in tune with the companies’ denials.

Based on his testimony alone, obtaining information from Facebook servers, for instance, could happen as long as it was not “unilateral.” That seems to be written by the same speechwriter who crafted the companies’ denials, which all said that any governmental access is not “direct.”

In addition, Alexander said that “virtually all countries” have laws that sanction them to get data from communications providers and companies and that therefore the U.S. is not alone in this regard. And, that this data is critical to keeping America safe.

“The U.S. operates its program with careful oversight by the courts, Congress, and the administration,” Alexander said. “In the 12 years since 9/11, we have lived in relative security as a nation as a direct result of the Intelligence communities’ quiet efforts to connect the dots.”

That’s a contention that organizations like StopWatching.Us, which includes the EFF, Reddit, the Mozilla Foundation, and the American Library Association might find difficult to believe.

“The revelations about the National Security Agency’s surveillance apparatus, if true, represent a stunning abuse of our basic rights,” the organization’s said recently in an open letter. “We demand the U.S. Congress reveal the full extent of the NSA’s spying programs.”

Officials such as Alexander and Robert Litt, who leads the Office for the Director of National Intelligence, repeatedly stated that all data access had “multilayered levels of oversight” and that the NSA’s programs were limited, focused, and disciplined. But all the denials appear to be couched in language that allows for a significant amount of interpretation.

Image credits: John Koetsier, Steampunk eyes by Daniel Proulx/Flickr

At least according to one cybersecurity expert.

James Foster, the founder and CEO of Riskive, a cybersecurity company that works with large companies and, yes, (alert, alert) government agencies, says PRISM is impossible. In fact, Foster claims, it would require an annual budget of at least $4.56 trillion dollars:

“The National Security Agency is not spying on our U.S. citizens — and the thought is not only illegal — it’s ludicrous. A simple mathematical analysis proves this point. If we can assume that one person has the capacity to fully scour 100 people’s communication a day, a feat in and of itself, to read all of someone’s email, text messages, phone calls, and overall interaction then the NSA would have to have over three million employees and would have an annual budget that would be 20 percent greater than the entire U.S. Federal budget. The bigger threat is from rogue individuals who waste millions of U.S. taxpayer dollars by revealing insights into government programs intended to protect our citizens.

We are in the midst of an era where national security is paramount and the balance between security and privacy will continue to be tested. Complete transparency is an oxymoron in a post 9/11 world.”

Journalists get a lot of pitches. I guess the law of averages says some of them have to be stupid. This one landed in my inbox about 45 minutes ago.

Foster has never heard of “big data,” apparently. He isn’t aware of technologies like cluster analysis, machine learning, predictive modeling, sentiment analysis, or association rule learning that drive automated analysis of massive datasets. He doesn’t know that three-letter-organizations like the CIA, NSA, and FBI have been asking Silicon Valley data scientists for help by appealing to their patriotism. And he is not aware that individual humans will never see most of the 97 billion data points that the NSA has admitted snooping on.

Either that, or perhaps he thought that a quote like this would help defuse the scandal.

I suppose the possibilities here include that various men in black are mobilizing security experts to cast aspersions on the press reports about PRISM. Another might be that a security company that wants to do business with secretive government agencies wants to be seen visibly supporting their interests in public.

But you’d think he might have used a little intelligence in crafting the message.

Photo credit: striatic via photopin cc

While official reaction to the PRISM Internet surveillance scandal in the U.S. has been muted at best, the European Union is up in arms over the NSA’s access to data from Facebook, Apple, Microsoft, Google, and other companies. Now, the EU’s justice commissioner, Viviane Reding, has written a letter to the US attorney general asking some very pointed questions about PRISM and other U.S. civilian spying programs.

After all, if the NSA were — shockingly — telling the truth that its surveillance is mostly targeted at foreign nationals, European citizens are right in the crosshairs. And Europe has some of the strongest data protection laws in the world.

Reding’s questions to the attorney general, as quoted by the BBC, include:

• Are they (PRISM and any other surveillance programs) only aimed at gathering the data of US citizens and residents, or are they also — or even primarily — targeting non-US nationals, including EU citizens?
• Is the data collection limited to specific and individual cases and, if so, what criteria is applied?
• How regularly is the data of individuals collected or processed in bulk?
• What is the scope of Prism and other such programmes? Is it limited to national security and foreign intelligence, and if so how are such terms defined?
• How might companies in the US and EU challenge the efforts to access and analyse the data?
• What ways might EU citizens find out if they have been affected? How is this different to the situation for US citizens and residents?
• How might EU citizens and companies challenge any effort to access and process their personal data? How does this compare to the rights offered to US citizens and residents?

Those questions have answers that Europeans won’t like.

Based on what we know of PRISM so far, non-U.S. nationals are indeed targeted, along with U.S. citizens. The data collection doesn’t appear to be very limited; rather, it looks rather broad. The scope of PRISM is massive. Companies are not able to challenge the law, or even discuss it publicly, although Google has challenged it, apparently. And private individuals have no hope of knowing whether they’ve been sucked up in the dragnet, and also no hope of challenging any collection of their private data.

How do you like them apples, Ms. Reding?

Probably not very much. And the EU justice commissioner will no doubt be asking these and other uncomfortable questions of U.S. attorney general Eric Holden in person on Friday, when they meet at a previously-scheduled event.

Any answers she gets — and any pressure Europe can bring to bear on PRISM and other spying programs — could help U.S. citizens challenge the NSA’s efforts to surveil Americans, as well as Europeans. Eighty-five organizations, including the Electronic Frontier Foundation, are already gathering to fight PRISM, while the only substantive response from the U.S. government has been a possible criminal investigation into the leaks.

Which is one reason I’m hoping the Pardon Edward Snowden petition at WhiteHouse.gov gets 100,000 signatures. At least that will force some kind of response.

And, as Jill Killock, the executive director of the Open Rights Group, recently said:

“European governments respect the rights of U.S. citizens. Why shouldn’t [the U.S.] do the same?”

Image credit: EU

Sept. 9 - 10, 2013 San Francisco, CA

Early Bird Tickets on Sale

The hottest enterprise startups will take investment from In-Q-Tel, regardless of whether or not they need the cash.

Today, a well-funded enterprise company called Apigee revealed it has taken a highly-strategic investment from the firm. But the details of the deal have deliberately been kept under wraps. It’s a similar story to Huddle, the cloud collaboration startup that had just closed a sizable funding round when In-Q-Tel offered to invest. For the founders and board of directors, it was a no brainer to take the additional check.

Why is In-Q-Tel treated with such reverence by business software providers? It is the investment arm of the CIA and specializes in funding technology that is secure enough for government agencies. It was founded during the dotcom boom when the agency was drowning in data that it needed a secure technology to manage.

Huddle’s exec team took “purely strategic” investment from In-Q-Tel.

“In-Q-Tel is a great stamp of approval on any company, and opens up a huge market,” said Alistair Mitchell, Huddle’s CEO, in an interview. As a direct result of the In-Q-Tel investment, Huddle gained two large customers: the Department of Homeland Security and the National Geospatial-Intelligence Agency.

It’s an ego boost to get a phone call from In-Q-Tel, but more importantly, it’s a direct path to major government customers. In-Q-Tel has had its hands in virtually every enterprise success story, and has invested in a lot of the technology we use in our daily lives.

“Much of the touch-screen technology used now in iPads and other things came out of various companies that In-Q-Tel identified,” said Jeffrey Smith, the former general counsel of the CIA, in a rare interview with NPR. Google Maps is another example of In-Q-Tel-backed tech.

Don’t miss the shortlist of In-Q-Tel’s portfolio investments in the gallery below.

Government customers are also a strong indicator of a company’s commitment to security. According to Mitchell, Huddle won new clients in the health and financial sectors, who viewed the In-Q-Tel investment as proof the product was sufficiently “vetted and accepted by the best.”

In-Q-Tel has invested in cool tech, like this pen that can expedite data entry.

When pressed, Apigee wouldn’t reveal much about its relationship with In-Q-Tel, or the amount of funding it received. The company’s head of marketing Dave Jordan said little more in an interview than they were “thrilled” about the investment and “looked forward to expanding our relationship with In-Q-Tel and its government partners.”

Jordan and the Apigee team view this investment as a sign that it’s core product, an API management platform, will become more of a priority in Washington D.C. Developers can use the platform to build applications that will prove useful to the various government agencies.

Curious about In-Q-Tel’s current portfolio? Here are some of the firm’s most cutting edge investments.

Top image via Adapx

Rupert Murdoch, owner of the Wall Street Journal’s parent company Dow Jones, says Chinese hackers are still attacking the paper’s systems.

Last week a number of well-known newspapers reported hacks on their systems. This included both the New York Times and the Wall Street Journal. It was rumored that The Washington Post has been experiencing breaches as well. The New York Times reported that Chinese hackers had accessed its systems specifically breaking into the accounts of its Shanghai bureau chief and the South Asia bureau chief.

The Wall Street Journal soon followed up, saying Chinese hackers also broke into its systems “apparently to spy on reporters covering China.” This was on January 31. A week later, Murdoch says the paper is still being attacked by Chinese hackers.

He tweeted, “Chinese still hacking us, or were over the weekend.”

According to the New York Times the attacks began soon after the newspaper published a story about China’s Prime Minister and his family’s wealth. The Wall Street Journal is another obvious target given its coverage of the region and popularity. But why the newspapers? The information in those emails is important, especially if these were state sponsored attacks. An attacker may be able to see who the reporter’s source is, where they are at any given time, and gain more understanding of how that reporter gets her information.

You can’t write cyber espionage off as a thing of the future. While the New York Times says that the hackers didn’t actually steal any important information, the technology is there. Viruses like Flame and Gauss that can turn on your camera, record your audio, and take screenshots only when communications apps are open show just how strong spyware is today.

At the time a spokesperson for Dow Jones said that this is an “ongoing issue” and promised the publication is working with law enforcement and security professionals to protect its reporters.

hat tip Cnet; Rupert Murdoch image via World Economic Forum/Flickr

A special White House investigation couldn’t find any evidence of Chinese spying through Huawei telecommunications systems, according to Reuters‘ sources, though the U.S. recently warned businesses using the vendor that it “cannot be trusted to be free of foreign state influence.”

This comes after the White House investigated Chinese telecommunications vendors Huawei and ZTE last week, saying American companies should look for other partners for their communications needs. It seems the government issued this warning not based on evidence that the companies were spying for the Chinese government, but rather for the security vulnerabilities that already exist in their products.

The U.S. government fears that these vulnerabilities may open doors for hackers (likely from any nation state) to come in and siphon off data from Huawei’s customers.

Soon after the report was initially released, Huawei responded, calling the claims “baseless suggestions” that “recklessly threaten American jobs and innovation, do nothing to protect national security, and should be exposed as dangerous political distractions.”

The Chinese Commerce Ministry also stepped in, saying the government was playing with “suggestive guesswork.” It seems, however, that while the U.S. can’t prove Huawei is guilty of spying on Americans, the security issues are enough of a threat when a seemingly increasing number of cyber attacks in the U.S. are traced back to Chinese IP addresses.

Huawei image via HuaweiPress/Flickr

Researchers announced a new malware called miniFlame today that may be monitoring and stealing data from specific, highly profitable victims. It is a sister to the Flame malware that made headlines earlier this year.

The malware was found by Kaspersky Lab after it discovered and began monitoring the command and control servers of Flame. It recorded communications between Flame and the command and control servers as expected, but there was a separate, unexpected entity communicating with the same server. That turned out to be miniFlame.

MiniFlame is an extension of cyber espionage malware Flame in that it can be used as a plug in but is also capable of operating as its own entity. Kaspersky says it is a “high precision, surgical attack tool” that is likely reserved for bigger, more profitable targets. Indeed, researchers believe that Flame has infected up to 6,000 people, while miniFlame has only attacked around 60 people, or one percent of Flame’s pool.

The malware is one of the four strains of viruses Kaspersky found after analyzing code from Flame’s command and control servers. There, researchers discovered communications protocols for IP, SPE, SP, and FL. “FL” was quickly identified as Flame. SPE is today’s miniFlame. Kaspersky says SP is likely an older version of SPE. IP is yet to be found and is the youngest of the four.

Flame was discovered earlier this year and was quickly labeled one of the most advanced cyber espionage tools known. It targets the Middle East and is packed with modules that all perform some sort of spying technique such as turning on the computer’s microphones to record audio and taking screen shots when certain communications apps are open such as email or Skype. Gauss was found soon thereafter targeting systems in Lebanon, specifically programmed to steal bank account login credentials and other associated data.

Gauss can also use miniFlame as a plug-in, which strengthens the idea that the Flame and Gauss malware writers were in some way connected. When Gauss uses miniFlame, however, it refers to it as “John.”

Flame is similarly connected to the Stuxnet and Duqu viruses, as it shares a separate module with the two.

MiniFlame doesn’t target specific regions, but there are several variations of miniFlame that target places like Pakistan and Iran. There have also been some cases found in France. Thus far, researchers have only found six of these variants but believe there are up to six more. Those currently under watch were created between 2010 and 2011, though the protocol for miniFlame, SPE, was created in 2007.

Unlike Flame or Gauss, the creators of miniFlame can control the computer it infects through a backdoor miniFlame sets up. Once in it listens to commands that all go by names. These include:

• Fiona: Writes files to the machine
• Sonia: Data stealing, sends files back to the command and control servers
• Sam: Puts the computer to sleep for “specified amount of time”
• Barbara: Takes a screenshot if a specific application is open

Others include Elvis, Eve, Drake, Charles, Alex, and Tiffany.

How miniFlame actually gets installed onto victims’ computers is still unknown. Researchers believe it could be deployed from the command and control server when Flame and Gauss infect the system, though it can operate without the aid of Flame and Gauss.

hat tip Wired; Candles image via Shutterstock; Flame command and control server image via Kaspersky Lab

Sept. 9 - 10, 2013 San Francisco, CA

Early Bird Tickets on Sale

The U.S. Congress Intelligence Committee and telecommunications vendor Cisco are agreed on one thing: Chinese networking equipment companies can’t be trusted.

Whether that’s just political posturing and jingoistic protectionism or the plain simple facts of global geopolitics depends a lot on who you believe.

According to Reuters, this morning Cisco killed a seven-year partnership with Chinese networking manufacturer ZTE after investigations reportedly showed that ZTE sold banned technology to Iran. Sending U.S.-developed technology that could allow Iran to monitor and control Internet usage violates U.S. sanctions against that country — and could put Cisco’s U.S. business in jeopardy.

According to Cisco’s financial statements, more than half of its revenue is from North and South America, and most of that will be from the U.S. Cisco had partnered with ZTE, licensing Cisco technology to the up-and-coming company in an attempt to fight larger and more dangerous competitor Huawei in emerging markets.

Coincidentally, perhaps, the U.S. House of Representatives’ Intelligence Committee released a draft report saying, in part, that both Huawei and ZTE “cannot be trusted to be free of foreign state influence,” and therefore, U.S.-based Internet service providers and telecommunications companies should “seek other vendors” for infrastructure projects.

This is not new.

Congress has been concerned about China electronically spying on the U.S. for some time now. The concern is that, since Chinese companies either have close ties to the Chinese government or can be compelled to allow significant amounts of government access to their technology, products used in the sensitive telecom industry could contain backdoors or intentional security holes to facilitate espionage.

Very similar, of course, to what the FBI wants Facebook, Twitter, and Skype to grant it. Or to what the NSA was rumored to have built into various version of Windows.

China has been accused of industrial espionage many times, as well as of spying on activists and political dissidents, and very recently was reported to be attempting to access military systems in the White House itself (not for the first time). So it’s hard for China to wear the white cape here.

But that doesn’t stop the country from trying, and a spokesman for China called upon Congress to “set aside prejudices and respect the facts,” according to Reuters, as well as offering a veiled threat, saying the U.S. should “do more that is beneficial to Sino-American economic and trade ties, rather than the contrary.”

The story won’t end here.

But if it continues in the current path, this war of words threatens to become something more substantial, potentially involving trade sanctions on both sides.

photo credit: ukaszSie via photopin cc

One of the employees, according to Korea Times, was a key engineer in Samsung’s development of AMOLED technology (Active-Matrix Organic Light-Emitting Diode). He has since become an LG employee, violating (Samsung claims) the non-compete clause in his employment contract.

AMOLED technology, or an even more advanced variant known as Super-AMOLED, is used in Samsung’s smartphones such as the Galaxy S series, helping the company to sell more than 50 million smartphones in the second quarter of 2012.

Samsung has demanded an apology from LG and asked a Korean judge to impose a 10 million won/day penalty (about $10,000 USD.) In addition, Samsung wants assurances from LG that the company will not poach its workers in the future.

According to Bloomberg, LG says that any intelligence gained from former Samsung engineers was “widely known in the industry” and not a trade secret.

LG is countersuing, alleging defamation.

The emergence of Chinese telecom companies Huawei and ZTE has meant a larger selection of cheaper phones for U.S. consumers. But the companies may also present a security threat to the U.S., according to U.S. Congressman Mike Rogers. Rogers says hardware from the two companies could make it easier for China to spy on U.S. companies and government agencies, Reuters reports.

Rogers heads up the U.S. House of Representatives’ Intelligence Committee, which began investigating the allegations last November. Topping the committee’s list is the concern that China-made software and hardware contain security backdoors that could facilitate espionage.

According to one claim, China has even gone as far as to subsidize the products of Huawei and ZTE in an effort to secure market share.

As a result of the fears, Rogers warns that the U.S. government may seek legislation to protect U.S. networks. ”This is going to be a huge problem that we’re going to have to get a handle on very quickly,” he said at the Bloomberg Government conference in Washington.

Unsurprisingly, Huawei has countered similar allegations in the past.

“Given that Huawei has publicly and repeatedly and in a detailed fashion debunked this type of misinformation with solid facts, it would be truly unfortunate if such unsubstantiated and unclearly motivated statements persist,” Huawei told Reuters in a statement.

ZTE responded similarly, denying that it receives support from the Chinese government.

These sorts of denials haven’t sated the concerns, however. Earlier this year, the Australian government prevented Huawei from bidding on construction of its $38 million nationwide high-speed Internet network. The decision, which followed a similar situation in India in 2006, was a result of fears that Huawei was too close with the Chinese government.

Federal law enforcement agencies have had difficulties tracking and recording criminal and terrorist conversations online. Back in September, it was reported that law enforcement officials wanted to expand the government’s powers to wiretap Internet services. Microsoft’s new technology could help make this a reality.

The spying technology, called “Legal Intercept,” would allow currently existing products to be modified to “cause the communication to be established via a path that includes a recording agent,” according to the filing with the U.S. Patent and Trademark Office. Once a connection is established, the agent is able to “silently record” a conversation.

The filing specifically calls out the ability to record any kind of voice-over-Internet-protocol (VoIP) communications. “VoIP may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like,” Microsoft said in the filing.

Microsoft filed for the patent in Dec. 2009, long before it acquired Skype. It’s possible Microsoft simply has this on the books so it could profit from licensing the technology to law enforcement agencies. Alternately, Skype’s purchase could have been a strategic buy to help test and deploy this new technology.

The Federal Trade Commission approved Microsoft’s $8.5 billion Skype purchase earlier this month, which inches it closer to completing the acquisition. Microsoft said it expects to close the deal by the end of the year.

What do you think of this new spying technology? Are you concerned about law enforcement agencies or corporations violating your privacy while you use the web?

Update: The story originally suggested Microsoft had been granted the Legal Intercept patent, but the approval process is still ongoing.