This may already be old news, since everybody always reads the terms and conditions of the software they install, but we sometimes don't, and we think this section of iOS 8.1.3's terms is of interest.
The Location Services part we kind of assumed.
But automatically including your zip code? New to us. We didn't notice that bit earlier.
As Carl Sagan used to say, extraordinary claims require extraordinary evidence. And recently, the public has been asked to believe one particularly extraordinary claim: that North Korea attacked Sony Pictures Entertainment and destroyed an incredible amount of its data. Thus far, no extraordinary evidence has been offered.
Much of the "evidence" that has been offered has come mainly from anonymous senior US officials, most of whom are reportedly not actively involved in the FBI's investigation.
And the FBI itself? Well, Director James Comey's position can be summed up rather simply as… trust us. But many in the information security industry don't trust Comey's position, an attitude that he has reportedly attributed to "post-Snowden mistrust". He apparently fails to realize that in many circles mistrusting US government conclusions long pre-dates Edward Snowden.
Whoever hacked Sony Pictures Entertainment may never be known. But no matter who is responsible, what's especially enlightening about this case is the US government's "trust us" stance. It demonstrates a continued lack of respect for the intelligence of US citizens and other people around the world.
Trust is an act of faith. But trust in government shouldn't require a leap of faith. Trust in extraordinary claims in the face of murky and what appears to be contradictory information… is simply a leap too far. And so, the Obama administration's rush to judge North Korea despite the lack of any real evidence brings us to our unfortunate prediction for 2015.
Prediction: Section 215 and Section 206 of the USA PATRIOT Act and Section 6001 of the Intelligence Reform and Terrorism Prevention Act will be reauthorized before their June 1, 2015 expiration date.
Post-Snowden, it appeared as though the controversial provisions might lack the political support needed to avoid sunset. But now, we are confident that Washington D.C. will act to protect itself from "nation state cyber-terrorism" and will renew them after all.
Don't expect reform in 2015. The violation of your digital freedom will continue. Within 144 days from now. Mark your calendars.
P.S. Bonus speculation!
You can track "cyber" related legislation at congress.gov. Keep an eye out for new Clipper chips and/or other backdoor mandates.
In September, we blogged about CosmicDuke leveraging timely, political topics to deceive the recipient into opening the malicious document. After a more detailed analysis of the files we made two major discoveries.
Based on emails that we found on VirusTotal, at least one European Ministry of Foreign Affairs has been targeted. Here is a redacted version of one of the emails:
It’s heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click ‘Enable Content’.
Once the victim enables macros the system gets infected with CosmicDuke, which brings us to our second discovery: in addition to the usual infostealer features, the CosmicDuke executables also install MiniDuke.
In our analysis released in July we mentioned that CosmicDuke seems to be connected to MiniDuke because both malware families use the same loader which has been exclusively used by the MiniDuke group. The CosmicDuke samples that infect the system with MiniDuke give us further evidence that the same actor is behind both malware families.
Looking at the targets of malware campaigns often helps us understand who might be behind the operations. In this sense, CosmicDuke is quite interesting. The malware has a distinctly dual nature: it targets people involved with illegal substances but also high-profile organizations like government agencies. This same kind of duality can also be seen in a related case, OnionDuke. When we first blogged about OnionDuke in November, we mentioned that OnionDuke is connected to MiniDuke through the use of shared command and control infrastructure. We also mentioned that OnionDuke appears to be used for two distinct purposes: in targeted attacks against high-profile targets such as government agencies and interestingly also in mass infection campaigns against Tor users and downloaders of torrent files. Further research has shown that not only can the victims of OnionDuke be clearly divided into two groups, but the versions of OnionDuke used and the command and control infrastructure used are also similarly divisible.
In the mass infection campaigns of OnionDuke, the attackers have used compromised web servers and free hosting providers for command and control. In these campaigns, the victim computer has been infected with a limited backdoor version of OnionDuke whose main purpose is to contact the C&C server to download and execute additional components. These downloaded components then perform tasks such as collecting system information and user credentials. By contrast, in the attacks on high-profile targets, the C&C infrastructure used by OnionDuke has been solely owned and operated by the attackers. This infrastructure is also largely shared with known MiniDuke infrastructure. In these cases, the attackers have used a much more full-featured version of OnionDuke that doesn't need to download any additional components to perform its tasks. Importantly, this division of tactics aligns exactly with the division of victims.
We have shown a connection between MiniDuke, OnionDuke, and CosmicDuke. We have also observed an interesting duality in the uses of OnionDuke and CosmicDuke. The question then is: what does all this mean? As Kaspersky pointed out in their excellent blog post, one explanation is that CosmicDuke is used as a "legal spyware" tool by law enforcement agencies, and interestingly Kaspersky observed "victims" involved with illegal substances only in Russia. Our data supports this observation. Moreover, none of the high-profile targets of CosmicDuke that we've seen have been from Russia, but what these targets have in common is that their interests aren't exactly aligned with Russia. Similar distinctions hold true for OnionDuke, suggesting it may be part of the same "collection" of spyware tools. Considering that the victims of the law enforcement use case seem to be from Russia, and that none of the high-profile victims are exactly pro-Russian, we believe that a Russian government agency is behind these operations.
Samples (SHA-1):
"EU sanctions against Russia over Ukraine crisis" .docm: 82448eb23ea9eb3939b6f24df46789bf7f2d43e3
"A Scottish 'Yes' to independence" .docm: c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3
32-bit dropper DLL: 241075fc1493172c47d881bcbfbf21cfa4daa42d
64-bit dropper DLL: 51ac683df63ff71a0003ca17e640bbeaaa14d0aa
CosmicDuke-MiniDuke combo: 7ad1bef0ba61dbed98d76d4207676d08c893fc13
OnionDuke limited backdoor: b491c14d8cfb48636f6095b7b16555e9a575d57f
OnionDuke full backdoor: d433f281cf56015941a1c2cb87066ca62ea1db37
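The lure documents above are macro-enabled Word files (.docm), and the infection only happens once the recipient clicks "Enable Content". A quick triage check a defender can run on mail attachments is therefore: does the file carry a VBA project at all, and does its SHA-1 match one of the published indicators? The script below is an added example written for this post, not F-Secure's tooling. It relies on the fact that OOXML documents are ZIP archives whose macros live in word/vbaProject.bin, uses only the SHA-1 hashes listed above, and builds two constructed sample archives (one with a fake vbaProject.bin, one without) so it runs offline; the sample archives are not real lures and their hashes will not match anything.

```python
import hashlib
import io
import zipfile

# SHA-1 indicators from the post's sample list.
DUKE_IOCS = {
    "82448eb23ea9eb3939b6f24df46789bf7f2d43e3": "CosmicDuke lure .docm (EU sanctions)",
    "c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3": "CosmicDuke lure .docm (Scottish independence)",
    "241075fc1493172c47d881bcbfbf21cfa4daa42d": "CosmicDuke 32-bit dropper DLL",
    "51ac683df63ff71a0003ca17e640bbeaaa14d0aa": "CosmicDuke 64-bit dropper DLL",
    "7ad1bef0ba61dbed98d76d4207676d08c893fc13": "CosmicDuke-MiniDuke combo",
    "b491c14d8cfb48636f6095b7b16555e9a575d57f": "OnionDuke limited backdoor",
    "d433f281cf56015941a1c2cb87066ca62ea1db37": "OnionDuke full backdoor",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def ioc_label(sha1: str):
    """Return the indicator label for a SHA-1, or None if unknown."""
    return DUKE_IOCS.get(sha1.lower())


def macro_parts(data: bytes) -> list:
    """List VBA project parts inside an OOXML archive.

    A .docm/.dotm stores macros in word/vbaProject.bin. A file named .docx
    that still contains vbaProject.bin is worth flagging too, so this looks
    at the archive contents rather than the extension. Non-ZIP input
    (an RTF, a plain binary, a truncated download) yields an empty list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist()
                    if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage(data: bytes) -> dict:
    """Combine the hash lookup and the macro check into one verdict."""
    digest = sha1_hex(data)
    parts = macro_parts(data)
    return {
        "sha1": digest,
        "known_ioc": ioc_label(digest),
        "has_macros": bool(parts),
        "macro_parts": parts,
    }


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive for the demo (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin files are OLE compound documents; the
            # magic prefix is enough for this demo since only the part name
            # is inspected.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 demo")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro doc", build_sample_docm(True)),
                        ("plain doc", build_sample_docm(False)),
                        ("not a zip", b"{\\rtf1 not an OOXML file}")):
        print(label, triage(blob))
```

The macro check is deliberately extension-agnostic: a document that Word will offer to "Enable Content" for is one that contains a VBA project, whatever it is called. A hash hit is conclusive; a macro hit is only a reason to look closer, since plenty of legitimate documents carry macros.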