[wpdm_file id=18 title=”true” desc=”true” template=”bluebox drop-shadow raised” ]
This would affect everything on the internet, worldwide:
The FBI is quietly pushing its plan to force surveillance backdoors on social networks, VoIP, and Web e-mail providers, and that the bureau is asking Internet companies not to oppose a law making those backdoors mandatory.
The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.
In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.
The FBI general counsel’s office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.
“If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding,” an industry representative who has reviewed the FBI’s draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.
The FBI’s proposal would amend a 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, that currently applies only to telecommunications providers, not Web companies. The Federal Communications Commission extended CALEA in 2004 to apply to broadband networks.
FBI Director Robert Mueller is not asking companies to support the bureau’s CALEA expansion, but instead is “asking what can go in it to minimize impacts,” one participant in the discussions says. That included a scheduled trip this month to the West Coast — which was subsequently postponed — to meet with Internet companies’ CEOs and top lawyers.
A further expansion of CALEA is unlikely to be applauded by tech companies, their customers, or privacy groups. Apple (which distributes iChat and FaceTime) is currently lobbying on the topic, according to disclosure documents filed with Congress two weeks ago. Microsoft (which owns Skype and Hotmail) says its lobbyists are following the topic because it’s “an area of ongoing interest to us.” Google, Yahoo, and Facebook declined to comment.
In February 2011, CNET was the first to report that then-FBI general counsel Valerie Caproni was planning to warn Congress of what the bureau calls its “Going Dark” problem, meaning that its surveillance capabilities may diminish as technology advances. Caproni singled out “Web-based e-mail, social-networking sites, and peer-to-peer communications” as problems that have left the FBI “increasingly unable” to conduct the same kind of wiretapping it could in the past.
In addition to the FBI’s legislative proposal, there are indications that the Federal Communications Commission is considering reinterpreting CALEA to demand that products that allow video or voice chat over the Internet — from Skype to Google Hangouts to Xbox Live — include surveillance backdoors to help the FBI with its “Going Dark” program. CALEA applies to technologies that are a “substantial replacement” for the telephone system.
“We have noticed a massive uptick in the amount of FCC CALEA inquiries and enforcement proceedings within the last year, most of which are intended to address ‘Going Dark’ issues,” says Christopher Canter, lead compliance counsel at the Marashlian and Donahue law firm, which specializes in CALEA. “This generally means that the FCC is laying the groundwork for regulatory action.”
Subsentio, a Colorado-based company that sells CALEA compliance products and worked with the Justice Department when it asked the FCC to extend CALEA seven years ago, says the FBI’s draft legislation was prepared with the compliance costs of Internet companies in mind.
In a statement to CNET, Subsentio President Steve Bock said that the measure provides a “safe harbor” for Internet companies as long as the interception techniques are “‘good enough’ solutions approved by the attorney general.”
Another option that would be permitted, Bock said, is if companies “supply the government with proprietary information to decode information” obtained through a wiretap or other type of lawful interception, rather than “provide a complex system for converting the information into an industry standard format.”
A representative for the FBI told CNET today that: “(There are) significant challenges posed to the FBI in the accomplishment of our diverse mission. These include those that result from the advent of rapidly changing technology. A growing gap exists between the statutory authority of law enforcement to intercept electronic communications pursuant to court order and our practical ability to intercept those communications. The FBI believes that if this gap continues to grow, there is a very real risk of the government ‘going dark,’ resulting in an increased risk to national security and public safety.”
The FBI’s legislation, which has been approved by the Department of Justice, is one component of what the bureau has internally called the “National Electronic Surveillance Strategy.” Documents obtained by the Electronic Frontier Foundation show that since 2006, Going Dark has been a worry inside the bureau, which employed 107 full-time equivalent people on the project as of 2009, commissioned a RAND study, and sought extensive technical input from the bureau’s secretive Operational Technology Division in Quantico, Va. The division boasts of developing the “latest and greatest investigative technologies to catch terrorists and criminals.”
But the White House, perhaps less inclined than the bureau to initiate what would likely be a bruising privacy battle, has not sent the FBI’s CALEA amendments to Capitol Hill, even though they were expected last year. (A representative for Sen. Patrick Leahy, head of the Judiciary committee and original author of CALEA, said today that “we have not seen any proposals from the administration.”)
Mueller said in December that the CALEA amendments will be “coordinated through the interagency process,” meaning they would need to receive administration-wide approval.
Stewart Baker, a partner at Steptoe and Johnson who is the former assistant secretary for policy at Homeland Security, said the FBI has “faced difficulty getting its legislative proposals through an administration staffed in large part by people who lived through the CALEA and crypto fights of the Clinton administration, and who are jaundiced about law enforcement regulation of technology — overly jaundiced, in my view.”
On the other hand, as a senator in the 1990s, Vice President Joe Biden introduced a bill at the FBI’s behest that echoes the bureau’s proposal today. Biden’s bill said companies should “ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.” (Biden’s legislation spurred the public release of PGP, one of the first easy-to-use encryption utilities.)
The Justice Department did not respond to a request for comment. An FCC representative referred questions to thePublic Safety and Homeland Security Bureau, which declined to comment.
From the FBI’s perspective, expanding CALEA to cover VoIP, Web e-mail, and social networks isn’t expanding wiretapping law: If a court order is required today, one will be required tomorrow as well. Rather, it’s making sure that a wiretap is guaranteed to produce results.
But that nuanced argument could prove radioactive among an Internet community already skeptical of government efforts in the wake of protests over the Stop Online Piracy Act, or SOPA, in January, and the CISPA data-sharing bill last month. And even if startups or hobbyist projects are exempted if they stay below the user threshold, it’s hardly clear how open-source or free software projects such as Linphone, KPhone, and Zfone — or Nicholas Merrill’s proposal for a privacy-protective Internet provider — will comply.
The FBI’s CALEA amendments could be particularly troublesome for Zfone. Phil Zimmermann, the creator of PGP who became a privacy icon two decades ago after being threatened with criminal prosecution, announced Zfone in 2005 as away to protect the privacy of VoIP users. Zfone scrambles the entire conversation from end to end.
“I worry about the government mandating backdoors into these kinds of communications,” says Jennifer Lynch, an attorney at the San Francisco-based Electronic Frontier Foundation, which has obtained documents from the FBI relating to its proposed expansion of CALEA.
As CNET was the first to report in 2003, representatives of the FBI’s Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the FCC to force broadband providers to provide more-efficient, standardized surveillance facilities. The FCC approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. It was upheld in 2006 by a federal appeals court.
But the FCC never granted the FBI’s request to rewrite CALEA to cover instant messaging and VoIP programs that are not “managed”–meaning peer-to-peer programs like Apple’s Facetime, iChat/AIM, Gmail’s video chat, and Xbox Live’s in-game chat that do not use the public telephone network.
If there is going to be a CALEA rewrite, “industry would like to see any new legislation include some protections against disclosure of any trade secrets or other confidential information that might be shared with law enforcement, so that they are not released, for example, during open court proceedings,” says Roszel Thomsen, a partner at Thomsen and Burke who represents technology companies and is a member of an FBI study group. He suggests that such language would make it “somewhat easier” for both industry and the police to respond to new technologies.
But industry groups aren’t necessarily going to roll over without a fight. TechAmerica, a trade association that includes representatives of HP, eBay, IBM, Qualcomm, and other tech companies on its board of directors, has been lobbying against a CALEA expansion. Such a law would “represent a sea change in government surveillance law, imposing significant compliance costs on both traditional (think local exchange carriers) and nontraditional (think social media) communications companies,” TechAmerica said in e-mail today.
Ross Schulman, public policy and regulatory counsel at the Computer and Communications Industry Association, adds: “New methods of communication should not be subject to a government green light before they can be used.”
A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.
The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
Kaspersky Lab is calling it “one of the most complex threats ever discovered.”
“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.
Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.
“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time-period when Stuxnet and DuQu are believed to have been created.
Gostev says that because of its size and complexity, complete analysis of the code may take years.
“It took us half-a-year to analyze Stuxnet,” he said. “This is 20-times more complicated. It will take us 10 years to fully understand everything.”
Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.
Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.
Kaspersky, however, is currently treating Flame as if it is not connected to Wiper/Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.
Flame is named after one of the main modules inside the toolkit.
Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems.
Kaspersky’s researchers examined a system that was destroyed by Wiper/Viper and found no traces of that malware on it, preventing them from comparing it to the Flame files. The disk destroyed by Wiper/Viper was filled primarily with random trash, and almost nothing could be recovered from it, Gostev said. “We did not see any sign of Flame on that disk.”
Because Flame is so big, it gets loaded to a system in pieces. The machine first gets hit with a 6-megabyte component, which contains about half-a-dozen other compressed modules inside. The main component extracts, decompresses and decrypts these modules and writes them to various locations on disk. The number of modules in an infection depends on what the attackers want to do on a particular machine.
Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them. The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if these others have been taken down or abandoned.
While the malware awaits further instruction, the various modules in it might take screenshots and sniff the network. The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used.
Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet.
Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It is widely believed to have been designed to sabotage centrifuges used in Iran’s uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques.
But Flame doesn’t resemble either of these in framework, design or functionality.
Stuxnet and DuQu were made of compact and efficient code that was pared down to its essentials. Flame is 20 megabytes in size, compared to Stuxnet’s 500 kilobytes, and contains a lot of components that are not used by the code by default, but appear to be there to provide the attackers with options to turn on post-installation.
“It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”
One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.
Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.
Unlike Stuxnet, however, Flame does not replicate automatically by itself. The spreading mechanisms are turned off by default and must be switched on by the attackers before the malware will spread. Once it infects a USB stick inserted into an infected machine, the USB exploit is disabled immediately.
This is likely intended to control the spread of the malware and lessen the likelihood that it will be detected. This may be the attackers’ response to the out-of-control spreading that occurred with Stuxnet and accelerated the discovery of that malware.
It’s possible the exploits were enabled in early versions of the malware to allow the malware to spread automatically, but were then disabled after Stuxnet went public in July 2010 and after the .lnk and print spooler vulnerabilities were patched. Flame was launched prior to Stuxnet’s discovery, and Microsoft patched the .lnk and print spooler vulnerabilities in August and September 2010.
Any malware attempting to use the vulnerabilities now would be detected if the infected machines were running updated versions of antivirus programs. Flame, in fact, checks for the presence of updated versions of these programs on a machine and, based on what it finds, determines if the environment is conducive for using the exploits to spread.
The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
The earliest sign of Flame that Kaspersky found on customer systems is a filename belonging to Flame that popped up on a customer’s machine in Lebanon on Aug. 23, 2010. An internet search on the file’s name showed that security firm Webroot had reported the same filename appearing on a computer in Iran on Mar. 1, 2010. But online searches for the names of other unique files found in Flame show that it may have been in the wild even earlier than this. At least one component of Flame appears to have popped up on machines in Europe on Dec. 5, 2007 and in Dubai on Apr. 28, 2008.
Kaspersky estimates that Flame has infected about 1,000 machines. The researchers arrived at this figure by calculating the number of its own customers who have been infected and extrapolating that to estimate the number of infected machines belonging to customers of other antivirus firms.
All of the infections of Kaspersky customers appear to have been targeted and show no indication that a specific industry, such as the energy industry, or specific systems, such as industrial control systems, were singled out. Instead, the researchers believe Flame was designed to be an all-purpose tool that so far has infected a wide variety of victims. Among those hit have been individuals, private companies, educational institutions and government-run organizations.
Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.
Researchers say the compilation date of modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to thwart researchers from determining when they were created.
“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
The malware has no kill date, though the operators have the ability to send a kill module to it if needed. The kill module, named browse32, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, picking up any breadcrumbs that might be left behind.
“When the kill module is activated, there’s nothing left whatsoever,” Gostev said.
[UPDATE: Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May. It has also developed a removal tool for the malware. Kaspersky believes the “Flamer” malware is the same as the Flame malware its researchers analyzed.]
With ever-increasing restrictions on online activity, Chinese authorities are trying to make Internet service providers act as Web police for the government.
Last month it was blog users, this month it’s blog owners. The Chinese government announced today that it will tighten restrictions on all Internet service providers for blogs, microblogs, and online forums — forcing them to act as Web police, according to the Associated Press.
This is just the latest in a long list of restrictions that the government is enforcing on its citizens. According to the Associated Press, China began requiring real-name registration on all microblogs in December. However, people still seem to be sneaking under the radar.
The new restrictions entail making the Internet providers act as regulators in for real-name registration, according to the Associated Press. The blogs and microblogs are now required to work with the police and warn users of criminal punishment if they don’t follow the rules and use their real identities. Additionally, all providers must be licensed and keep logs for a year that will serve to “provide technical assistance” to the authorities.
China is a blogging and microblogging powerhouse with hundreds of millions of people using those sites daily. Sina Weibo, a Twitter-like service, has more than 300 million users, which is far more than Twitter’s active users. The growth of blogging sites has resulted in a rapid expansion of places where Chinese people can express themselves — something the government has long viewed as a threat.
At the end of April, Sina Weibo came under fire by the government for fueling “toxic rumors” about a possible political coup and the social network was punished by having user comments deactivated for three days.
Just a couple of weeks later, in May, the Twitter-like service announced plans to establish a “user contract.” The contract, which has dozens of rules, bans “promoting evil teachings and superstitions,” “spreading rumors,” and “calling for disruption of social order through illegal gatherings.”
ELS stands for Easy Linux Security. ELS was created by the Server Monkeys Founder, Richard Gannon. ELS takes many of the tasks performed by our Administrators and puts it into an easy to use program for anyone to use. It is released under the GNU/GPL so it is free to use.
This program is always being improved with new features and bugfixes, so be sure to keep it up to date. If you found a bug or would like an improvement, please let us know! This program was made and is maintained in Rich’s free time (which isn’t often anymore). If you really like this program, donations are more than welcome! The only donation isn’t a monetary donation. If you have experience with coding in Linux Shell or other languages, anything you can add to improve this program is very welcome.
Supported Operating Systems
- Red Hat Linux 9
- Red Hat Enterprise Linux 3, 4
- Fedora Core 1, 2, 3, 4
- CentOS 3, 4
What ELS Does
- Install RKHunter
- Install RKHunter Cronjob which emails a user-set email address nightly
- Install/update APF
- Add SM/TP monitoring IPs (view information on these in Orbit)
- Install/update BFD
- Install CHKROOTKIT
- Install CHKROOTKIT Cronjob which emails a user-set email address nightly
- Disable Telnet
- Force SSH Protocol 2
- Secure /tmp
- Secure /var/tmp
- Secure /dev/shm
- Install/update Zend Optimizer
- Install/update eAccelerator
- MySQL 4.0 and 4.1 Configuration Optimization (cPanel only)
- Upgrade MySQL to 4.1 (cPanel only)
- Tweak WHM Settings for security and stability
- Configure RNDC if not already done (cPanel only)
- Change SSH port (also configure APF as necessary)
- Add wheel user and disable direct root login over SSH
- Optimize MySQL tables
- Install/update Libsafe
- Install/update ImageMagick (from latest source)
- Uninstall LAuS
- Harden sysctl.conf
- Install Chirpy’s Free Exim Dictionary Attack ACL
- And more!
To install ELS, simply run the following command as root:
wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh
UNIX vs. Windows Hosting
In the world of web site hosting there are two main types of operating system platforms on which you may host your web site, namely: UNIX and Windows. Each has its own set of unique features, advantages and disadvantages.
While it is difficult to say which one is the better choice, it is not as difficult to answer which is the better choice given your needs. The language which your site is programmed in is what primarily dictates the type of hosting you need.
Note: The operating system that you use on your desktop computer (the vast majority of people use some flavor of Windows) has absolutely nothing to do with the one that your host needs to serve your web site. Most personal sites are created with MS FrontPage and even although that is a Microsoft product, it can be hosted perfectly on a UNIX web server with FrontPage Extensions installed.
UNIX systems (we actually use Linux but for comparison purposes they are identical) are hands-down the winner in this category. There are many factors here but to name just a couple big ones: in our experience UNIX handles high server loads better than Windows and UNIX machines seldom require reboots while Windows is constantly needing them. Servers running on UNIX enjoy extremely high up-time and high availability/reliability.
While there is some debate about which operating system performs better, in our experience both perform comparably in low-stress conditions however UNIX servers under high load (which is what is important) are superior to Windows.
Web sites usually change over time. They start off small and grow as the needs of the person or organization running them grow. While both platforms can often adapt to your growing needs, Windows hosting is more easily made compatible with UNIX-based programming features like PHP and MySQL. UNIX-based web software is not always 100% compatible with Microsoft technologies like .NET and VB development. Therefore if you wish to use these, you should choose Windows web hosting.
Web sites designed and programmed to be served under a UNIX-based web server can easily be hosted on a Windows server, whereas the reverse is not always true. This makes programming for UNIX the better choice.
Servers hosting your web site require operating systems and licenses just like everyone else. Windows 2003 and other related applications like SQL Server each cost a significant amount of money; on the other hand, Linux is a free operating system to download, install and operate. Windows hosting results in being a more expensive platform.
To sum it up, UNIX-based hosting is more stable, performs faster and more compatible than Windows-based hosting. You only need Windows hosting if you are going to developing in .NET or Visual Basic, or some other application that limits your choices.