[Plura-list] Hackers' code-free exploit: pretend to be cops
Cory Doctorow
doctorow at craphound.com
Wed Mar 30 04:24:59 EDT 2022
Read today's issue online at: https://pluralistic.net/2022/03/30/lawful-interception/
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
This Thursday (Mar 31), I'm appearing on a panel at the Charles River Associates Competition & Regulation in Disrupted Times conference in Brussels. It's free to attend or stream.
https://www.cra-brusselsconference.com/
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
Today's links
* Hackers' code-free exploit: pretend to be cops: The predictable outcome of the Emergency Data Request system.
* Hey look at this: Delights to delectate.
* This day in history: 2002, 2007, 2012, 2017, 2021
* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
🚱 Hackers' code-free exploit: pretend to be cops
Back in 1994, Bill Clinton signed CALEA into law, mandating that all switches capable of carrying voice-traffic include a "lawful interception" backdoor that would let cops listen in on phone calls without having to actually physically access the switch itself.
https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
CALEA came with three promises:
I. The backdoor would only be used by cops;
II. They would get a warrant first;
III. It would only apply to voice traffic, not the internet.
All of these promises were lies. Anyone who's ever watched a detective show where a PI says, "I have a cop who can run that license plate" knows that if you give cops oversight-free, unaudited access to a database, you're also giving access to anyone any cop owes (or sells) a favor to.
When CALEA passed, its opponents warned that a "voice capable" switch would soon be indistinguishable from an "internet" switch. Less than a decade later, the FBI successfully argued that all internet switches were now capable of carrying voice traffic, so they, too, must have CALEA backdoors.
That didn't just expose Americans to surveillance by cops, their friends, and anyone who gained access by pressuring or impersonating a cop. Vendors installed CALEA backdoors in all their switches, to ensure that they could access the US market. These backdoors made their way into countries *without* CALEA mandates, where they were abused.
Most notoriously: the Greek government and prime minister were wiretapped in 2004 in order to sabotage the Greek Olympics bid. Greece doesn't have CALEA on its law-books, but it *did* have CALEA-compliant switches in its telephone network.
https://www.schneier.com/blog/archives/2007/07/story_of_the_gr_1.html
Any time you mandate "extraordinary access" to an otherwise secure system, you create an opportunity for exploitation by criminals, spies, and snoops.
Take the "Emergency Data Request" (EDR), a US system that allows cops to demand warrantless access to your online account data. This is supposed to be used in white-hot emergencies, like kidnappings or Jack Bauer-style hypotheticals where there's a ticking bomb and only warrantless access will let you defuse it.
By their nature, EDRs are meant to be obeyed without a sanity-check or other verification. When a provider gets an EDR from a cop, they're supposed to hop to, because the alternative might abet a murder or other grave crime.
If a provider thinks an EDR is legit, they'll honor it. But with 18,000 US police agencies, there's no way to validate and EDR *a priori*, and if just one of those police agencies suffers a breach, anyone who can exploit it can issue their own EDRs.
Ever hear of LAPSUS$? That's the notorious hacker gang (which appears to have been helmed and operated primarily by teenagers) that has been on a planet-wide rampage, stealing and dumping sensitive data and blackmailing its targets, from governments to corporations to individuals.
https://www.wired.com/story/lapsus-okta-hack-sitel-leak/
LAPUS$'s methods have been a mystery, but now, Brian Krebs has shed some light on how the gang pulled off its data-heists: they pretended to be cops, and issued EDRs to service providers, who *just handed over the data* they needed to break into agencies, companies, and personal accounts.
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
In 2021, a criminal connected to LAPUS$ - a 14 year old who used the handle Everlynn - advertised that they could generate EDRs from a real law-enforcement agency, and sold this capability to would-be hackers for $150.
Everlynn understood something that the creators of EDRs did not. In their sales pitch, they wrote, "This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more."
Everlynn's identity was revealed by a dox attack allegedly launched by "White," a founder of LAPUS$; they were colleagues in an earlier hacking group called Recursion Team. White, in turn, was allegedly outed by the staff who worked under him at a site called Doxbin, who were upset that White's mismanagement exposed the site's user database. These children aren't criminal mastermind prodigies, in other words: they're normal, fallible people, who nevertheless gained access to LDR facilities that compromised governments, corporations and individuals around the world.
Everlynn isn't the only bad actor using LPRs to compromise accounts. One of Krebs's sources, who goes by KT, reports that this is a common tactic, and the go-to pretense is "Terroristic threats with a valid reason to believe somebody’s life is in danger."
Among the targets successfully compromised with this tactic is Discord, which was induced to reveal sensitive user information in less than 30 minutes. Discord admitted to Krebs that it had been fooled: "we later learned that [the law enforcement account that sent the LPR] had been compromised by a malicious actor."
How do bad actors gain access to police emails? The same way they gain access to any service: compromising the website and installing a reverse shell; guessing passwords; or recycling passwords breached from other services.
Krebs's expert sources are pessimistic about the possibility of fixing the LPR system. Former DoJ prosecutor Mark Rasch told him that "spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States."
UC Berkeley's Nicholas Weaver told Krebs that securing EDRs is "a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale."
This is a lesson as old as CALEA - if you create a backdoor that tens of thousands of people can access, then you create a backdoor that anyone can access, because it's impossible to prevent the impersonation, subordination, or corruption of that many people.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
🚱 Hey look at this
* Portal Turret Build Guide https://joranderaaff.nl/portal-sentry/ (h/t JWZ)
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
🚱 This day in history
#20yrsago Bruce Sterling's short story using the 300 most common English words https://people.well.com/user/doctorow/300wordstory.txt
#15yrsago Canada’s copyright czar’s boomerang tantrum at Museum Assoc meeting https://web.archive.org/web/20080520023502/http://www.canada.com/topics/news/politics/story.html?id=659307fc-78b2-48b8-bf2d-cc4a8d481391&k=64575
#15yrsago TSA missed 90% of bombs at Denver airport https://webcache.googleusercontent.com/search?q=cache:6SPMRgSi68YJ:https://www.9news.com/article/news/local/investigations/undercover-agents-slip-bombs-past-dia-screeners/73-343504198&client=ubuntu&hs=0Ta&hl=en&gl=uk&strip=1&vwsrc=0
#10yrsago Canada to stop issuing pennies, businesses told to round off to nearest 5 cents, or “work it out for themselves” https://web.archive.org/web/20120331000257/https://www.theglobeandmail.com/news/politics/ottawa-to-scrap-the-penny-this-year/article2386120/
#10yrsago Spiders made from TSA-confiscated scissors http://www.heartlessmachine.com/spiders
#10yrsago Matt Stone on the corruption in the MPAA’s ratings board https://www.youtube.com/watch?v=nDzblNKjsO0
#10yrsago User uploads to YouTube hit one hour per second http://www.onehourpersecond.com/
#10yrsago Paul Vixie’s firsthand account of the takedown of DNS Changer https://circleid.com/posts/20120327_dns_changer/
#5yrsago How the EU’s imaginary “value gap” would kill user-generated content online https://www.youtube.com/watch?v=qoxsJRKh3c8
#5yrsago Stingray for criminals: spreading mobile malware with fake cellphone towers https://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/
#5yrsago 20 years ago, Ted Cruz published a law paper proving companies could always beat customers with terms of service https://www.vice.com/en/article/ezwme7/ted-cruz-law-paper-vote-with-your-wallet-doesnt-work
#5yrsago The “universal adversarial preturbation” undetectably alters images so AI can’t recognize them https://arxiv.org/abs/1610.08401
#5yrsago The 265 Republican Congressjerks who just nuked your online privacy sold out for chump change https://www.theverge.com/2017/3/29/15100620/congress-fcc-isp-web-browsing-privacy-fire-sale
#5yrsago A rare class-action victory over Wells Fargo’s fake accounts proves binding arbitration sucks https://www.nakedcapitalism.com/2017/03/wells-fargo-gets-additional-110-million-wrist-slap-fake-accounts-scandal.html
#5yrsago The Army is using quack “battlefield acupuncture” based on junk science https://scienceblogs.com/insolence/2017/03/29/the-quackery-that-is-battlefield-acupuncture-continues-to-metastasize
#5yrsago How East Germany’s Stasi tried to drive activists insane, and how they resisted https://www.maxhertzberg.co.uk/background/politics/stasi-tactics/
#5yrsago Laurie Penny blazes: Brexit is just the latest alibi for austerity https://thebaffler.com/latest/brexit-austerity-penny
#5yrsago Australia leads the world in selling housing to money-launderers https://www.transparency.org/en/publications/doors-wide-open-corruption-and-real-estate-in-four-key-markets
#5yrsago Prison sentence for Spanish woman who tweeted jokes about the assassination of Franco’s fascist successor https://www.theguardian.com/world/2017/mar/30/spanish-woman-given-jail-term-for-tweeting-jokes-about-franco-era-assassination
#5yrsago Hungary’s ultra-right government wants to shut down its storied, amazing Central European University https://www.npr.org/sections/thetwo-way/2017/03/29/521948051/hungarian-legislation-threatens-american-university-in-budapest
#1yrago America needs a high-fiber broadband diet https://pluralistic.net/2021/03/30/fight-for-44/#slowpokes
#1yrago Minimum wage vs Wall Street bonuses: The fight for $44 https://pluralistic.net/2021/03/30/fight-for-44/#fight-for-44
#1yrago Big Salmon's aquaturf: Cheaper for fish farms to smear scientists than to clean up their act https://pluralistic.net/2021/03/29/efficient-markets-hypothesis/#aquaturf
#1yrago Monopoly so fragile: Sharpening the contradictions in the Suez Canal https://pluralistic.net/2021/03/29/efficient-markets-hypothesis/#too-big-to-sail
#1yrago Noble Lies: "Experts" aren't experts on when to lie https://pluralistic.net/2021/03/29/efficient-markets-hypothesis/#masks-and-trade
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
🚱 Colophon
Today's top sources: Eva Galperin (https://twitter.com/evacide/).
Currently writing:
* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 605 words (77618 words total).
* A Little Brother short story about DIY insulin PLANNING
* Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW
* Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION
* Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE
* A post-GND utopian novel, "The Lost Cause." FINISHED
* A cyberpunk noir thriller novel, "Red Team Blues." FINISHED
Currently reading: Analogia by George Dyson.
Latest podcast: The Byzantine Premium
Upcoming appearances:
* Competition & Regulation in Disrupted Times (Charles River Associates/Brussels), Mar 31
https://www.cra-brusselsconference.com/
* Seize the Means of Computation, Emerging Technologies For the Enterprise, Apr 19-20
https://2022.phillyemergingtech.com/talks/keynote/
Recent appearances:
* The Bitcoin Podcast:
https://thebitcoinpodcast.com/the-bitcoin-podcast-387/
* Dangerous Visions: False Dawns and Wandergrounds - Dystopia, Then and Now
https://www.youtube.com/watch?v=h7W77EbjPaM
* Safety Orange (This Week in Tech)
https://twit.tv/shows/this-week-in-tech/episodes/865
Latest book:
* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)
* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.
Upcoming books:
* Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022
This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
🚱 How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Pluralistic.net
Newsletter (no ads, tracking, or data-collection):
https://pluralistic.net/plura-list
Mastodon (no ads, tracking, or data-collection):
https://mamot.fr/web/accounts/303320
Medium (no ads, paywalled):
https://doctorow.medium.com/
(Latest Medium column: "Rubber Hoses: The Best Defense Against Tyranny Is Democratic Accountability" https://doctorow.medium.com/rubber-hoses-fd685385dcd4)
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
https://twitter.com/doctorow
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion Guy" DeVilla
More information about the Plura-list
mailing list