This Week in SSL – Gmail’s Malware Accounts, FBI Phishing, Perma-Cookies, and Brazil’s New Internet

Here is our latest news roundup of informative articles about network and SSL security.

Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data

A communication technique long used by everyone from adulterers to terrorists has now been co-opted by hackers. This article by Andy Greenberg of Wired reports on the technique, wherein an individual uses Google Gmail to write a draft of a message, but never sends it. Their compatriot then logs into the account to access the draft, and then deletes it, without the message ever being transmitted. Hackers have discovered this method can be used by their malware to securely move data.

“Here’s how the attack worked… The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware…. After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.”

Greenberg further explains, “With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden.”

Seattle Times ‘Outraged’ FBI Created Fake Web Page, News Story to Catch Suspect

The FBI reportedly used a fake Seattle Times website to lure a suspected bomb threat caller to visit a site that installed spyware to locate the suspect. Benjamin Fearnow of CBS Seattle reports on this story that has led the Seattle Times to decry the use of their brand to capture the suspect.

“The documents detailing the FBI’s investigation to lure out the juvenile bomb threat suspect were obtained by the EFF in San Francisco and then publicized via Twitter on Monday by Christopher Soghoian, the principal technologist for the American Civil Liberties Union in Washington, D.C. The 172 pages of documents released by the FBI show their software tool called a “Computer and Internet Protocol Address Verifier” (CIPAV) in two cases, with one being the Timberline High School bomb threats. The documents show how the FBI is able to ‘geophysically’ locate a computer and track its Internet Protocol address. According to Soghoian, the software was activated by the suspect when they clicked on the bogus link – a tactic similar to that used by hackers.”

Brazil Is Keeping Its Promise to Avoid the U.S. Internet

Brazil was famously incensed when news first broke that the NSA was using its resources to spy on the South American country. Gizmodo’s Adam Clark Estes writes about the fact that Brazil’s threats to disconnect from the US-dominated internet seemed at the time fantastical, but the country now appears intent on doing just that with the construction of a new data pipeline reaching to Europe. “Brazil made a bunch of bold promises, ranging in severity from forcing companies like Facebook and Google to move their servers inside Brazilian borders, to building a new all-Brazilian email system—which they’ve already done. But the first actionable opportunity the country was presented with is this transatlantic cable, which had been in the works since 2012 but is only just now seeing construction begin. And with news that the cable plan will not include American vendors, it looks like Brazil is serious; it’s investing $185 million on the cable project alone. And not a penny of that sum will go to an American company.”

Estes continues, “The implications of Brazil distancing itself from the US internet are huge. It’s not necessarily a big deal politically, but the economic consequences could be tremendously destructive. Brazil has the seventh largest economy in the world, and it continues to grow. So when Brazil finally does divorce Uncle Sam—assuming things continue at this rate—a huge number of contracts between American companies and Brazil will simply disappear. On the whole, researchers estimate that the United States could lose about $35 billion due to security fears. That’s a lot of money.”

Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine

Researchers have discovered that Verizon has been surreptitiously altering the web traffic of its customers with tracking info for the past couple years according to Wired’s Robert McMillan. Called the Unique Identifier Header, or UIDH, it is a short-term serial number used by advertisers to identify individual users as part of a far-reaching ad tracking program. The program, used on over 123 million customers, has earned the attention and criticism of the Electronic Frontier Foundation.

“According to Verizon spokeswoman Debra Lewis, there’s no way to turn it off. She says that Verizon doesn’t use the UIDH to create customer profiles, and if you opt out of the company’s Relevant Mobile Advertising program (you can do this by logging into your Verizon account here), then Verizon and its advertising partners won’t be using it to create targeted ads. But that’s beside the point, says Hoffman-Andrews. Because Verizon is broadcasting this unique identifier to every website, ad networks could start using it to build a profile of your web activity, even without your consent. The fact that the UIDH was around for two years before getting any serious attention is a testament to the murky and challenging nature of privacy on today’s internet. Verizon has made no secret of its ambitions to cash in on the mobile advertising market. But the technical details of how it is doing this have been hard to uncover.”

Focus on NSA surveillance limits turns to courts

Could the NSA soon be facing court-ordered restrictions on its surveillance programs? Eric Tucker of the Associated Press takes a look at some of the legal challenges the NSA is facing from civil liberty groups. Issues being litigated include the NSA’s alleged bulk phone records programs and whether evidence obtained through warrantless surveillance is admissible in court. “‘The thing that is different about the debate right now is that the courts are much more of a factor in it,” said Jameel Jaffer, deputy legal director at the American Civil Liberties Union. Before the Snowden disclosures, he said, courts were generally relegated to the sidelines of the discussion. Now, judges are poised to make major decisions on at least some of the matters in coming months.”

People trust NSA more than Google, survey says

In an interesting twist, research company Survata released the results of a poll that “has respondents claiming they’re more concerned about Google seeing all their private data than the government.” Chris Matyszczyk of CNET expresses amazement over the results, but points out that the results are consistent with a Washington Post-Pew Research Center poll from last year. Matyszczyk says, “I asked Survata’s co-founder, Chris Kelly, what he thought were the reasons. He told me: ‘Survata was surprised to see respondents said they’d be more upset with a company like Google seeing their personal data than the NSA. We did not ask respondents for the reasons or motivations behind their answers; so we can only conjecture based on our previous research. One guess is that respondents assume the NSA is only looking for ‘guilty’ persons when scouring personal data, whereas a company like Google would use personal data to serve ads or improve their own products.’”