Kaspersky claims to have found NSA’s ‘space station malware’

Kaspersky malware probers have uncovered a new ‘operating system’-like platform they say was developed and used by the National Security Agency (NSA) in its Equation spying arsenal.

The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims.

“It’s important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims,” Kaspersky researchers say in a report.

“Other threat actors known to use such sophisticated platforms include Regin and Epic Turla.

“The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface.”

The platform is part of the NSA’s possibly ongoing campaign to infect hard disk firmware. It replaces the older EquationLaser and is itself superseded by the GrayFish platform.

Kaspersky says the newly-identified wares are as “sophisticated as a space station” thanks to the sheer number of included espionage tools.

Extra modules can be added through a custom encrypted file system containing dozens of executables that together baffle most security bods.

Most of the unique identifiers and codenames tied to modules are encrypted and obfuscated. Some modules’ capabilities can be inferred from their unique identification numbers. Others depend on other plugins to function.

Each plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

Kaspersky bods have found 30 of the 116 modules estimated to exist.

“The plugins we discovered probably represent just a fraction of the attackers’ potential,” the researchers say.

Executable timestamps reveal NSA developers likely work hardest on the platform on Tuesdays to Fridays, perhaps having late starts to Monday.

Modules detected in the tool include code for:

  • Network traffic interception for stealing or re-routing
  • Reverse DNS resolution (DNS PTR records)
  • Computer management
  • Start/stop processes
  • Load drivers and libraries
  • Manage files and directories
  • System information gathering
  • OS version detection
  • Computer name detection
  • User name detection
  • Locale detection
  • Keyboard layout detection
  • Timezone detection
  • Process list
  • Browsing network resources and enumerating and accessing shares
  • WMI information gathering
  • Collection of cached passwords
  • Enumeration of processes and other system objects
  • Monitoring LIVE user activity in web browsers
  • Low-level NTFS filesystem access based on the popular Sleuthkit framework
  • Monitoring removable storage drives
  • Passive network backdoor (runs Equation shellcode from raw traffic)
  • HDD and SSD firmware manipulation
  • Keylogging and clipboard monitoring
  • Browser history, cached passwords and form auto-fill data collection.

Link (The Register)

Walmart Not Horsing Around With Parody Domain Site

Another strike for the Streisand Effect

Walmart. Just saying the company’s name is usually enough to evoke unbidden brain-sounds of terrifying organ music and images of pitchfork-wielding devil-imps. But, hey, it’s a large business that’s been around for quite a while, so I guess it’s doing alright. It seems to me that somebody might want to call a meeting with the Walmart legal brain trust, because the company’s campaign against a silly and simple parody website isn’t achieving much of anything at all, and is in fact Streisanding the parody site into national views.

This story starts back in 2012, when ICANN saw fit to hold a firesale on domain extensions. Buying them up was all the rage for reasons unfathomable to this author. Still, that was the impetus for how we arrived at Walmart going after a site with a .horse extension.

That explains why, for the mere price of $29, you can now purchase a .horse domain name, if you want to do such a thing. “With .HORSE, there are no hurdles between equine enthusiasts on the Internet,” says United Domains. “Giddy up and register .HORSE today!” It doesn’t seem like too many people have been receptive to this pun-based sales pitch, but a 34-year-old named Jeph Jacques saw the opportunity for what he calls an “art project.”

“I thought, ‘Alright, I’m gonna buy this and do something stupid with it and see what happens,’” he told me. And readers, he did just that.

This grand art project? Buying up the domain www.walmart.horse, slapping a picture of the front of a Walmart store with a, you guessed it, horse superimposed over the top, and declaring the whole thing a monumental artistic success. Seriously, this is the only thing at the website if you go there.

Monet it might not be, but the image is suddenly competing with the likes of famous artists for attention and views thanks to Walmart freaking the hell out about it. In its infamous wisdom, Walmart and its crackerjack legal team have demanded that the whole shebang be taken down, claiming infringement of trademark. The C&D letter Walmart helpfully sent along suggested that Jacques’ website would confuse customers into thinking that Walmart, which is in neither the business of horses nor the business of having a sense of humor, might have some affiliation to walmart.horse. Interestingly, the letter targets the domain name, rather than the image on the site itself. I’m not personally aware of any infringement claim on a domain name being refuted by the actual extension used, but this would seem to be a ripe candidate for that argument, given that Walmart is not in the horse business.

But this really shouldn’t even get that far, given the whole purpose of the site itself and the artistic nature of the creator.

Jacques argues that his site is “an obvious parody and therefore falls under fair use.” He also told Walmart in his response that he’d be happy to put a disclaimer on his site to let visitors know he is not actually affiliated with the Waltons. And although he doesn’t want to bow to the company just yet, he says he’s already proved his original hypothesis: that corporations spend an absurd amount of time policing their trademarks.

Point proven, I suppose. Meanwhile, a tiny joke site has been Streisanded into the national conversation because Walmart just couldn’t resist.

Link (Techdirt)

More Copyright Trolls Rushing In To Take Advantage Of Canadian Copyright Notice System Loopholes

Canada’s new copyright notice system is swiftly becoming a playground for copyright trolls. As Michael Geist reports, Canadian legislators could have baked in a few limitations to curb abuse, but chose instead to ensure the Rightscorps of the world could twist the legislation to their advantage.

Despite more than a year of work on potential regulations – including possible costs to rights holders for sending notifications – Industry Minister James Moore abandoned the process, implementing the system with no costs, no limitations on notice content, no restrictions on settlement demands, and no sanctions for the inclusion of false or misleading information. The government’s backgrounder says that the law “sets clear rules on the content of these notices”, however, it does not restrict the ability for rights holders to include information that goes beyond the statutory minimum.

Rightscorp is called out for a reason. It was the first to seize this opportunity to shake down Canadian internet users with pre-settlement offers. To make its requests appear more “reasonable,” Rightscorp lied in its letters to alleged infringers.

The notice falsely warns that the recipient could be liable for up to $150,000 per infringement when the reality is that Canadian law caps liability for non-commercial infringement at $5,000 for all infringements. The notice also warns that the user’s Internet service could be suspended, yet there is no such provision under Canadian law.

Beyond that, Rightscorp has no intention of litigating these cases — which would be the only way for it to secure statutory damages. Even in the US, where the sky-high $150,000 applies, Rightscorp has yet to actually sue anyone for copyright infringement. It instead hopes to nickel-and-dime its way to the top of the troll heap with $20/per infringement “settlements.”

Now another copyright troll is invading the same territory. CEG TEK (Copyright Enforcement Group… um… TEK) has started sending out reams of useless and misleading paper threatening alleged infringers in Canada, citing the new law in order to appear really, really serious about possibly doing something expensive to those on the receiving end.

At least this letter acknowledges the $5,000 cap on infringement awards, but it only uses that higher number to make its demands in the low-hundreds per infringement more palatable. The rest of it is standard demand letter histrionics.

In Canada, the unauthorized copying, performance, and/or distribution of Rights Owner’s Work is illegal and is subject to civil sanctions (with statutory damages of up to $5,000 or non-statutory damages that could be higher) and/or criminal sanctions, and is a violation of the Canada Copyright Act (R.S.C., 1985, c. C-42). The recent amendments to the Copyright Act, which came into force on November 2012, have confirmed Rights Owner’s right to have its copyright protected in Canada.

[…]

If you have questions about your legal rights, you should consult with your own legal counsel (i.e., barrister, solicitor, lawyer, and/or attorney).

CEG HAS BEEN AUTHORIZED BY RIGHTS OWNER TO OFFER A SETTLEMENT SOLUTION TO RESOLVE THIS MATTER AND PREVENT LEGAL ACTION.

You have until Saturday, March 28, 2015 to access the settlement offer and settle online.

Of course, the letter makes it appear as though CEG can actually offer a complete release from legal culpability for only $xxx, and the artful use of ALL CAPS around “SETTLEMENT SOLUTION” and “LEGAL ACTION” could give some recipient the sense that something dangerous lurks behind this mass-mailed “threat.” But CEG, like Rightscorp, can’t make much money with “LEGAL ACTION.” Nope, it’s all about “SETTLEMENT SOLUTIONS.” Serve to thousands. Collect from tens. Call it a day.

There’s no lawsuit coming. A search for CEG in the Justia database returns a single lawsuit — and in that one, CEG was the defendant. Perhaps that’s why the letter stays suitably vague about the consequences of ignoring these missives. At this point, CEG TEK’s business model only allows for repeated sending of demand letters and, if needed, more use of the Caps Lock key.

Still, the shakedowns will have an effect, mostly on the wholly ignorant or easily intimidated — which makes copyright trolling indistinguishable from any number of scams. The victims are those who don’t know any better. And Canada’s decision to enact a copyright notice system filled with holes only encourages entities like CEG and Rightscorp to expand their “markets.”

Link (Techdirt)

Music Industry Demands Action Against “Pirate” Domain Names

In recent years copyright holders have demanded stricter anti-piracy measures from ISPs, search engines, advertising networks and payment processors, with varying results.

Continuing this trend various entertainment industry groups are now going after companies that offer domain name services.

The MPAA, for example, has joined the domain name system oversight body ICANN and is pushing for policy changes from the inside.

A few days ago the RIAA added more pressure. The music group sent a letter to ICANN on behalf of several industry players asking for tougher measures against pirate domains.

The RIAA’s senior vice president Victoria Sheckler wants the Internet to be a safe place for all, where music creation and distribution can thrive.

“… we expect all in the internet ecosystem to take responsible measures to deter copyright infringement to help meet this goal,” she notes.

The music groups believe, however, that domain registrars don’t do enough to combat piracy. ICANN’s most recent registrar agreement states that domain names should not be used for copyright infringement, but most registrars fail to take action in response.

Instead, many registrars simply note that it’s not their responsibility to act against pirate sites.

“We […] do not see how it is an appropriate response from a registrar to tell a complainant that it has investigated or responded appropriately to a copyright abuse complaint by stating it does not provide non-registrar related services to the site in question,” Sheckler writes.

In what appears to be a coordinated effort to pressure ICANN and other players in the domain name industry, the U.S. Government also chimed in last week.

According to the U.S. Trade Representative, Canada-based Tucows is reported as “an example of a registrar that fails to take action when notified of its clients’ infringing activity.”

Despite the critique, it’s far from clear that Tucows and other registrars are doing anything wrong. In fact, the Electronic Frontier Foundation

“Domain registrars do not have an obligation to respond to a random third party’s complaints about the behavior of a domain name user. Unless ordered by a court, registrars cannot be compelled to take down a website,” notes Jeremy Malcolm, EFF’s Senior Global Policy Analyst.

“What the entertainment industry groups are doing is exaggerating the obligations that registrars of global top-level domains (gTLDs) have under their agreement with ICANN to investigate reports of illegal activity by domain owners, an expansion of responsibilities that is, to put it mildly, extremely controversial, and not reflected in current laws or norms.”

Law or no law, the entertainment industry groups are not expected to back down. They hope that ICANN will help to convince registrars that pirate sites should be disconnected, whether they like it or not.

Link (TorrentFreak)

Entertainment Industry Demands Swedish ISP Block The Pirate Bay; ISP Says No

There has been an increasing push by the legacy entertainment industry to get “full site blocking,” in which companies can declare sites they don’t like as “rogue” and order ISPs to block all access to them. This was the whole point of SOPA. And while that law failed in the US, the entertainment industry is still interested in figuring out other paths to making it happen. Courts in many other countries have been much more receptive to this form of censorship — and have regularly ordered ISPs to block sites. This is true in Sweden as well, but it appears that one ISP, Bredbandsbolaget, is going to fight back for as long as it can, according to Torrentfreak:

“It is an important principle that Internet providers of Internet infrastructure shall not be held responsible for the content that is transported over the Internet. In the same way that the Post should not meddle in what people write in the letter or where people send letters,” Commercial Director Mats Lundquist says.

“We stick to our starting point that our customers have the right to freely communicate and share information over the internet.”

Of course, this means that they’ll be going to court later this year. Torrentfreak notes that the MPAA is pulling the strings behind this, of course:

Internal movie industry documents obtained by TorrentFreak reveal that IFPI and the Swedish film producers have signed a binding agreement which compels them to conduct and finance the case. However, the MPAA is exerting its influence while providing its own evidence and know-how behind the scenes.

Also of interest is that IFPI took a decision to sue Bredbandsbolaget and not Teliasonera (described by the MPAA as “the largest and also very actively ‘copy-left’ Swedish ISP”). The reason for that was that IFPI’s counsel represents Teliasonera in other matters which would have raised a conflict of interest.

Meanwhile, we’re still left wondering how any of this encourages people to actually spend more money to support content creators.

Link (Techdirt)

Maybe Obama’s Sanctions on Venezuela are Not Really About His “Deep Concern” Over Suppression of Political Rights

Oil. The answer is always oil.

The White House on Monday announced the imposition of new sanctions on various Venezuelan officials, pronouncing itself “deeply concerned by the Venezuelan government’s efforts to escalate intimidation of its political opponents”: deeply concerned. President Obama also, reportedly with a straight face, officially declared that Venezuela poses “an extraordinary threat to the national security” of the U.S. — a declaration necessary to legally justify the sanctions.

Today, one of the Obama administration’s closest allies on the planet, Saudi Arabia, sentenced one of that country’s few independent human rights activists, Mohammed al-Bajad, to 10 years in prison on “terrorism” charges. That is completely consistent with that regime’s systematic and extreme repression, which includes gruesome state beheadings at a record-setting rate, floggings and long prison terms for anti-regime bloggers, executions of those with minority religious views, and exploitation of terror laws to imprison even the mildest regime critics.

Absolutely nobody expects the “deeply concerned” President Obama to impose sanctions on the Saudis — nor on any of the other loyal U.S. allies from Egypt to the UAE whose repression is far worse than Venezuela’s. Perhaps those who actually believe U.S. proclamations about imposing sanctions on Venezuela in objection to suppression of political opposition might spend some time thinking about what accounts for that disparity.

That nothing is more insincere than purported U.S. concerns over political repression is too self-evident to debate. Supporting the most repressive regimes on the planet in order to suppress and control their populations is and long has been a staple of U.S. (and British) foreign policy. “Human rights” is the weapon invoked by the U.S. Government and its loyal media to cynically demonize regimes that refuse to follow U.S. dictates, while far worse tyranny is steadfastly overlooked, or expressly cheered, when undertaken by compliant regimes, such as those in Riyadh and Cairo (see this USA Today article, one of many, recently hailing the Saudis as one of the “moderate” countries in the region). This is exactly the tactic that leads neocons to feign concern for Afghan women or the plight of Iranian gays when doing so helps to gin up war-rage against those regimes, while they snuggle up to far worse but far more compliant regimes.

Any rational person who watched the entire top echelon of the U.S. government drop what they were doing to make a pilgrimage to Riyadh to pay homage to the Saudi monarchs (Obama cut short a state visit to India to do so), or who watches the mountain of arms and money flow to the regime in Cairo, would do nothing other than cackle when hearing U.S. officials announce that they are imposing sanctions to punish repression of political opposition. And indeed, that’s what most of the world outside of the U.S. and Europe do when they hear such claims. But from the perspective of U.S. officials, that’s fine, because such pretenses to noble intentions are primarily intended for domestic consumption.

As for Obama’s decree that Venezuela now poses an “extraordinary threat to the national security” of the United States, is there anyone, anywhere, that wants to defend the reasonability of that claim? Think about what it says about our discourse that Obama officials know they can issue such insultingly false tripe with no consequences.

But what’s not too obvious to point out is what the U.S. is actually doing in Venezuela. It’s truly remarkable how the very same people who demand U.S. actions against the democratically elected government in Caracas are the ones who most aggressively mock Venezuelan leaders when they point out that the U.S. is working to undermine their government.

The worst media offender in this regard is The New York Times, which explicitly celebrated the 2002 U.S.-supported coup of Hugo Chavez as a victory for democracy, but which now regularly derides the notion that the U.S. would ever do something as untoward as undermine the Venezuelan government.

The real question is this: if concern over suppression of political rights is not the real reason the U.S. is imposing new sanctions on Venezuela (perish the thought!), what is? Among the most insightful commentators on U.S. policy in Latin America is Mark Weisbrot of Just Foreign Policy. Read his excellent article for Al Jazeera on the recent Obama decree on Venezuela.

In essence, Venezuela is one of the very few countries with significant oil reserves which does not submit to U.S. dictates, and this simply cannot be permitted (such countries are always at the top of the U.S. government and media list of Countries To Be Demonized). Beyond that, the popularity of Chavez and the relative improvement of Venezuela’s poor under his redistributionist policies petrifies neoliberal institutions for its ability to serve as an example; just as the Cuban economy was choked by decades of U.S. sanctions and then held up by the U.S. as a failure of Communism, subverting the Venezuelan economy is crucial to destroying this success.

Link (The Intercept)

Apartment Complex Claims Copyright Of Tenants’ Reviews And Photos, Charges $10k Fee For Criticism

If you wanted more bad reviews than you could shake a legally-unenforceable clause at, you’d do this:

[Windermere Cay’s] Social Media Addendum, published here, is a triple-whammy. First, it explicitly bans all “negative commentary and reviews on Yelp! [sic], Apartment Ratings, Facebook, or any other website or Internet-based publication or blog.” It also says any “breach” of the Social Media Addendum will result in a $10,000 fine, to be paid within ten business days. Finally, it assigns the renters’ copyrights to the owner—not just the copyright on the negative review, but “any and all written or photographic works regarding the Owner, the Unit, the property, or the apartments.” Snap a few shots of friends who come over for a dinner party? The photos are owned by your landlord.

The Florida apartment complex claims the stupid clause is needed to prevent “unjust and defamatory reviews.” It makes this claim — not in a statement given to Ars Technica (which was tipped off by a resident) — but in the introductory paragraph of the Addendum. From there it gets worse. Doing any of the following triggers a $10,000 fine, with $5,000 added on for each additional “infraction.”

This means that Applicant shall not post negative commentary or reviews on Yelp!, Apartment Ratings, Facebook, or any other website or Internet-based publication or blog. Applicant agrees that Owner shall make the determination of whether such commentary is harmful in Owner’s sole discretion, and Applicant agrees to abide by Owner’ determination as to whether such commentary is harmful.

Then come the copyright demands.

Additionally, each Applicant hereby assigns and transfers to Owner any and all rights, including all rights of copyright as set forth in the United States Copyright Act, in any and all written or photographic works regarding the Owner, the Unit, the property, or the apartments. This means that if an Applicant creates an online posting on a website regarding the Owner, the Unit, the property, or the apartments, the Owner will have the right to notify the website to take down any such online posting pursuant to the Digital Millennium Copyright Act.

Of course, when confronted by Ars about the Addendum, the property managers claimed this was all someone else’s fault.

Asked about the Social Media Addendum by Ars, Windermere Cay’s property manager sent this response via e-mail: “This addendum was put in place by a previous general partner for the community following a series of false reviews. The current general partner and property management do not support the continued use of this addendum and have voided it for all residents.”

I would imagine the support was removed and the addendum voided shortly after Ars publicized it, and not a moment before. According to Ars, the resident who contacted the site was asked to sign this suddenly-unsupported addendum only “days before.” But Windermere Cay’s management now very likely regrets ever including it in the first place. Like so many others before it, Windermere Cay is learning that attempting to preemptively shut down criticism with bogus clauses and high fees almost always results in more criticism. Its Yelp page is swiftly filling up with negative reviews and, like every other emotionally-charged incident on the internet, has already achieved Godwin.

Link (Techdirt)

Feds Say They Have Accused Fraudster’s Ankle Bracelet in Custody

Unfortunately, he’s not in it at the moment.

Paul Ceglia, who once sued Mark Zuckerberg claiming half of Facebook, and who last appeared here back in Assorted Stupidity #39 after his ninth set of lawyers withdrew from that case, has disappeared. His case against Zuckerberg was, surprisingly, dismissed after the judge found it was based on fabricated evidence, and Ceglia was later charged with fraud. Ceglia denounced that move, indignantly pleading not guilty. “I have no interest in a plea deal of any sort,” he told Ars Technica in August, facing a May trial date. “The very idea of it suggests that I have done something wrong. Of course I intend to go to trial,” he said.

He seems to have changed his mind, or else he went on an unapproved vacation and forgot to take his electronic-monitoring bracelet along. Maybe he was just concerned about tan lines?

Ceglia had been released on $250,000 bond and was required to give up his passport, so most likely he has gone to ground somewhere in the United States. A federal marshal was unable to confirm that, though, telling a reporter that he did not know whether Ceglia was still in the country. “Our responsibility is to locate him,” he told the reporter, which at first seemed like stating the obvious but now seems like a polite answer to what was probably a stupid question.

“I can confirm that the suspect has disappeared.”

“Do you know whether he’s still in the country?”

“We don’t know where he is. That’s what ‘disappeared’ means.”

The judge presiding over the case said he was “cautiously optimistic” that Ceglia would return to the jurisdiction in the near future, though he didn’t say why. Since Ceglia most likely is still in the U.S., because he doesn’t have a passport and our borders are hermetically sealed, it probably is just a matter of time before he is recaptured. Although it could take a while if he were to do something especially sneaky like, let’s say, get a job with the Homeland Security Department. That’s the last place they’d look, or at least it used to be.

Link (Lowering The Bar)

AT&T’s Cozy NSA Ties Brought Up In Attempt To Scuttle DirecTV Merger

Before there was Edward Snowden, there was of course the notably less celebrated Mark Klein. As most of you probably recall, Klein, a 22-year AT&T employee, became a whistleblower after he highlighted how AT&T was effectively using fiber splits to give the NSA duplicate access to every shred of data that touched AT&T’s network. Of course, once it was discovered that AT&T was breaking the law, the government decided to just change the law, ignore Klein’s testimony, and give all phone companies retroactive immunity. It really wasn’t until Snowden that the majority of the tech press took Klein’s warnings seriously.

AT&T’s been loyally “patriotic” ever since, often giving the government advice on how to skirt the law or at times even acting as intelligence analysts. Business repercussions for AT&T have been minimal at best; in fact, you’ll recall that Qwest (now CenturyLink) claimed repeatedly that government cooperation was rewarded with lucrative contracts, while refusal to participate in government programs was punished. In fact, the only snag AT&T’s seen in the years since was to have its European expansion plans thwarted, purportedly by regulators uncomfortable with the carrier’s cozy NSA ties (AT&T instead simply expanded into Mexico).

Fast forward a few years and The Hill is now claiming that AT&T’s relationship with the NSA could harm the company’s $48 billion attempt to acquire DirecTV. This claim is apparently based on the fact that a coalition of AT&T business partners, called the Minority Cellular Partners Coalition, is warning the FCC in a letter that AT&T’s enthusiastic voluntary cooperation with the NSA shows the company’s total disregard for consumer privacy.

“(Despite immunity) the Commission is still obliged to execute and enforce the provisions of § 229 of the Act, see 47 U.S.C. § 151, and it is still empowered to conduct an investigation to insure that AT&T complies with the requirements of CALEA. See id. § 229(c). And the Commission is obliged to determine whether AT&T is qualified to obtain DIRECTV’s licenses in light of its egregious violations of CALEA. This is particularly true given AT&T’s continued and ongoing pattern of misconduct. Accordingly, the Commission should investigate AT&T’s complicity in the PSP to determine whether AT&T engaged in unlawful conduct that abridged the privacy interests of telecommunications consumers on a vast scale and, if so, whether AT&T is qualified to obtain DIRECTV’s licenses.”

Of course, that’s simply not happening. While the NSA cooperation can be used as a broader example of AT&T’s character (like the repeatedly nonsensical claims the company makes when it wants a merger approved, or how AT&T tries to charge its broadband customers extra for no deep packet inspection), it’s incredibly unlikely that the same government that granted AT&T’s immunity will turn around and sign off on using AT&T’s behavior to squash a merger. If the merger is blocked, it will be due to more practical considerations — like the fact that DirecTV is a direct competitor to AT&T and eliminating them would lessen competition in the pay TV space. When it comes to AT&T’s relationship with the NSA, it’s pretty clear by now that these particular chickens may never come home to roost.

Link (Techdirt)