Every day, when a person sends a Tweet, posts a  photo to Flickr, or updates her Facebook page, she is making decisions about which companies to entrust with her thoughts, photos, contacts, identity and location data. In order to make informed decisions, users—especially those at risk of government repression—need to know if governments are asking companies for information about their online activities and what kinds of information the companies are handing over in response to these requests.

Earlier this year, Lebanese security researcher Nadim Kobeissi led a coalition of digital rights advocates, including GVA, in calling on Microsoft to report on government requests for Skype user data (Microsoft is the parent company for Skype). In an open letter to the company, the coalition pointed out that with 600 million users worldwide, Skype is effectively one of the world’s largest communication service providers.

Infographic of recent Google transparency report data, created by EFF and SHARE Defense. (CC BY 3.0)

Many users rely on Skype for secure and private communications and for some—whether they’re activists working in repressive environments or journalists communicating with sensitive sources—the stakes are high.

As a community, we're pleased that Microsoft has not only answered that letter on behalf of Skype, but has done so on behalf of the entire company. Last week Microsoft released its first transparency report, which covers all requests for user data from law enforcement and judicial authorities received in 2012. The report covers all of their online and cloud services, including Hotmail/Outlook.com, SkyDrive, Microsoft Account, and Messenger. Skype data gets it own separate report this year, because different laws apply. As the company notes, Microsoft is based in the United States, but Skype is a “ wholly-owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg [and EU] law.”

The report includes information about requests that the company fulfilled for both Skype and its other products. For non-Skype products, it also reports the number of requests that resulted in the disclosure of user data. This is a great step forward, since it gives more information about what user information is being sought and how often it is being turned over.

Australia, Brazil, France, Germany, Hong Kong, Italy, Mexico, Spain, Taiwan, Turkey, the UK and the US made the most requests for Microsoft user data in 2012 (including Skype and other products/services listed above). How does Microsoft determine the list of countries for which it will accept government requests for user data?

The company writes,

Microsoft maintains operations and a physical presence in more than 100 countries around the world, which makes it easier for law enforcement authorities and/or courts to contact local Microsoft offices with requests for customer data. However, we only disclose data in 46 countries where we have the ability to validate the lawfulness of the request.

Even when restricted to 46 countries, the quantity of requests is surprising. In 2012, Microsoft and Skype received a total of 75,378 requests from law enforcement agencies, potentially impacting 137,424 accounts. For comparison, in the same period Google received 42,327 requests. One possible explanation is that, especially when combined with Skype, Microsoft serves a significantly larger number of users than Google. More user accounts may translate into more requests for user data. Microsoft has also had an international presence for much longer than Google.

Other highlights include generalized information about the number of National Security Letters (NSLs) that Microsoft has received, going back to 2009, as well as generalized information about the total number of accounts that may have been affected by those requests. These letters — which are issued to communications service providers such as phone companies and ISPs and are authorized by US law (18 U.S.C. 2709) — allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. EFF just successfully argued that the NSL gag orders are unconstitutional, but that court order is on hold pending an appeal by the government.

Until recently, none of the companies that issue transparency reports included statistics on NSLs. But a few weeks ago, Google published these figures for the first time as part of their transparency report, shining some limited light on the ways in which the US government uses these secretive demands for data about users. We are happy to see Microsoft follow suit. Because the numbers are so generalized (Microsoft received 1,000-1,999 NSLs in 2011, affecting 3,000-3,999 accounts), it is difficult to make comparison with Google, but speaking broadly, the Microsoft appears to receive more NSLs than Google.

What’s even more interesting is the claim regarding Skype that out of 4,713 requests for user data that potentially affect 15,409 accounts, the number of requests resulting in the disclosure of user content is zero. The Skype report does not specify how often the company complied with government requests for transactional data, (this might include a user’s name, billing address, or IP history, but not the content of his or her communications) noting that Skype did not keep this information for 2012. We expect that this will be clarified in future reports. But for users who expressed concern that Microsoft might be turning over their Skype conversations and messages in response to a warrant, these figures may appear reassuring.

The Skype report goes one step further and offers the following clarification regarding its obligations under the Communications Assistance for Law Enforcement Act (CALEA), a US law that forces broadband Internet and interconnected voice over Internet Protocol (VoIP) services to become wiretap-friendly:

The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.

Does this mean that Skype is safe and secure for users who are concerned about the possibility of government surveillance? Not necessarily. Microsoft offers this important caveat:

While we may not receive law enforcement requests from some countries, or may not honor requests that do not follow our principles and policies, we nevertheless understand some users of our services may be subject to government monitoring or the suppression of ideas and speech. We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example Skype Out/In calls route through the existing telecommunications network for part of the call and users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments.

Filtering and censorship of TOMSkype in China is one example of the kind of monitoring and suppression of Skype traffic to which Microsoft alludes in its report.

Skype's 2005 external security audit indicated that “digital certificates created by the [central Skype] certificate authority are the basis for identity in Skype” and that, if falsified, these certificates could allow interception of Skype users’ communications (see section 3.4.1). Microsoft's Skype division still controls and operates this authority. A troubling question about the report's definition of “Disclosure of Content” is whether falsified certificates or disclosure of cryptographic secrets—which are perhaps not themselves seen as user content, but can be directly used by an outside party to intercept it—counts as “Disclosure of Content” or not. Observers including security expert Chris Soghoian worried that “leakage of crypto keys would…not be considered release of content” by the report, even though they result in content getting intercepted. It's important for Microsoft to clarify this point to make the information reported about Skype meaningful.

None of this should take away from the big credit that Microsoft deserves for publishing this report in the first place or for including as much information as it did. By joining the ranks of companies that issue transparency reports, Microsoft has cleared up some of the confusion about the risks users are taking when they use Microsoft products, and added to our body of knowledge about the scope of government surveillance. We hope that 2013 is the year that transparency reports become the new normal. Now that Microsoft has done it, perhaps it will be less and less acceptable for companies like Facebook and Yahoo! to leave their users in the dark about government requests for their data.

Written by Eva Galperin · comments (0)
Share: facebook · twitter · reddit · StumbleUpon · delicious · Instapaper

In the United States, companies are not required by law to alert their users when they receive a government request for their data. In some circumstances, they are explicitly prohibited from doing so. As part of our ongoing Who Has Your Back campaign, EFF has called on companies to be transparent by publishing their law enforcement guidelines and statistics on government requests for user data.

Image by EFF (CC BY 2.0)

When we first launched Who Has Your Back in 2011, only Google published the number of demands it had received for user data, ranging from subpoenas and warrants issued by courts to written requests from law enforcement. Since then, several more companies have stepped up, including the ISP Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter (which published its latest transparency report in January 2013). These reports, now commonly known as transparency reports, have provided an invaluable source of information about the extent of law enforcement access to private data, and we commend these companies for collecting and publishing them.

Yet still, there are important gaps in our understanding of the issue that won't be filled until even more companies stand up for their users and demonstrate a commitment to transparency. As part of our push for corporations to tell users about government requests for their data, EFF has joined a group of concerned privacy advocates in calling for Microsoft to issue a transparency report on Skype, which it purchased in 2011 for $8.5 billion. Spearheaded by computer security researcher Nadim Kobeissi, this important call for corporate transparency has also garnered signatures from organizations including Reporters Without Borders and Global Voices Advocacy.

From Concerned Privacy Advocates, Internet Activists, Journalists & Other Organizations

Thursday January 24th, 2013

Skype Division President Tony Bates
Microsoft Chief Privacy Officer Brendon Lynch
Microsoft General Counsel Brad Smith

Dear Mr. Bates, Mr. Lynch and Mr. Smith:

Skype is a voice, video and chat communications platform with over 600 million users worldwide, effectively making it one of the world’s largest telecommunications companies. Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.

It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications. We understand that the transition of ownership to Microsoft, and the corresponding shifts in jurisdiction and management, may have made some questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer. However, we believe that from the time of the original announcement of a merger in October 2011, and on the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices.

We call on Skype to release a regularly updated Transparency Report that includes:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.

3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.

4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere. Other companies, such as Google, Twitter and Sonic.net already release transparency reports detailing requests for user data by third parties twice a year.[9]

We believe that this data is vital to help us help Skype’s most vulnerable users, who rely on your software for the privacy of their communications and, in some cases, their lives.

Sincerely, The Undersigned

The full text of the letter, with extensive footnotes and a list of signatories is available here.

As the company behind a telco with hundreds of millions of customers, Microsoft possesses a treasure trove of Skype caller data that is potentially of interest to governments and law enforcement. Without a transparency report, concerned and vulnerable users all over the world are left guessing about what Microsoft might be doing with their data. A transparency report would allow Skype and Microsoft to set the record straight and permit users to make an informed decision about the surveillance risks they’ve taken when they use their product.

With great user data comes great responsibility: The time has come for companies to step up — and not just Skype. All of the other Microsoft products — such as Bing and Hotmail — as well as social media companies such as Facebook and Foursquare, telephone companies, and ISPs should develop a transparency reporting system and make these reports available (and easily accessible) for the public. Surveillance is a growth industry: every existing report shows that the number of government requests for user data is rising, and this trend shows no sign of abating. Transparency reports are essential to helping users understand the scope of Internet surveillance and make informed decisions about storing their sensitive data or engaging in private communications. Companies should not wait until their users are clamoring for clarification. It is time for transparency reports to become the new normal.

Written by Eva Galperin · comments (1)
Share: facebook · twitter · reddit · StumbleUpon · delicious · Instapaper

Last week, when the Assad regime shut down the Internet across the country for three days, one of the few IP addresses to stay online was the address implicated in the ongoing campaign of surveillance malware targeting Syrian dissidents since November 2011, including a fake anti-hacking tool, a fake Skype encryption tool, and fake documents allegedly pertaining to the formation of the leadership council of the Syrian revolution. Now EFF has detected two new campaigns of surveillance malware associated with the same IP address–the first we have detected since this summer.

The first campaign began on November 21st, coinciding with a week in which the Syrian opposition made considerable headway against the Assad regime. Users are enticed to download a file called “اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري_m-fdp.scr,” (hash: ed86876db98db35d8c205f8c0b92b0a4) which translates roughly as “Names of some financiers in Syria and abroad who are wanted by the Syrian regime _m-fdp.scr.” This file appears to be a PDF, but is actually a self-extracting rar archive in the form of an executable .scr (screensaver file). Immediately after the Internet shutdown ended on December 1st, a new version of this campaign was distributed, this time enticing users to download a document called “اسماء بعض المسلحين في سورية والخارج المطلوبين لدى النظام السوري2012_m-fdp.scr,” (hash: 02c2ee77cf5aaf8ac03739640c46e822) roughly translated as “Names of some militants in Syria and abroad who are wanted by the Syrian regime 2012_m-fdp.scr.”

Users were contacted via Skype and social media platforms, possibly through accounts that had been compromised, and encouraged to download these files from two Mediafire links, shown in the screenshots below: http://www.mediafire.com/?btdkh64ebedrc0h Rather than sending short, spammy messages, these conversations are reported to be highly interactive.

http://www.mediafire.com/?zr42ka5838ev4po

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

Both of these links have been disabled by Mediafire for abuse.

On execution, this link opens a 285-page file which allegedly contains names and personal information about people who are wanted by the Assad regime for their involvement in the opposition movement. The file is shown in the screenshot below.

Opening the file displays a PDF, shown in the screenshot below. It also installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. Over a dozen of the attacks EFF has analyzed have installed versions DarkComet RAT. It's increasingly close association with pro-Syrian-government hackers, combined with the Human Rights Watch report on the Assad regime's network of torture centers, may have motivated the project's sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install. While DarkComet RAT is no longer supported by its original developer, it is still the covert surveillance tool of choice for this persistent group of pro-Syrian-government actors.

DarkComet RAT drops the following files, shown in the screenshot below:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\StartMenu.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري.pdf

Additionally, once you start typing, it creates a keylogger file called C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs.sys, which is also shown.

It also creates C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\..lnk, shown in the screenshot below:

It communicates with the remote command and control server at 216.6.0.28 on port 885

TCP 0.0.0.0:0 Connect 216.6.0.28:885

This IP address is owned by the STE (Syrian Telecommunications Establishment) and is registered in Damascus.

These two Trojans are detected by some anti-virus software at this time, but the sale of AV software from the United States to Syria is currently banned under U.S. export controls–just one more example of the ways in which export controls keep Syrians accessing the tools they need to protect themselves from government surveillance.

DarkComet RAT is also detected by the DarkComet RAT Removal Tool, written by the same developer that originally wrote DarkComet RAT. The screenshot below shows the removal tool detecting DarkComet RAT on an infected computer.

If your computer is infected, removing DarkComet RAT does not guarantee that your computer will be safe or secure. This attack eventually gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine. The safest course of action is to re-install the operating system on your computer and change all passwords to accounts you may have logged into while the computer was infected.

EFF is deeply concerned by the reemergence of pro-government malware targeting online activists in Syria. We will continue to keep a close eye on developments in this area.

Written by Eva Galperin · comments (1)
Share: facebook · twitter · reddit · StumbleUpon · delicious · Instapaper

Now we've seen reports of new malware, Xtreme RAT, which sends data back to the same address in Syrian IP space and whose release appears to predate the Darkcomet RAT Trojan. Reports indicate the Trojan is being spread through email and chat programs. The malware was used to log keystrokes and take screenshots of the victim's computer, and it is likely that other functionality was also used.

You should take steps to protect yourself from being infected by not running any software received through e-mail, not installing software at all except over HTTPS, and not installing software from unfamiliar sources even if recommended by a pop-up ad or a casual recommendation from a friend. EFF also recommends keeping your computer's operating system up-to-date by immediately installing security updates from their operating system vendor. Do not use an operating system that is obsolete and no longer getting security updates.

Finding any of the following files or processes is an indicator that your computer has been compromised by Xtreme RAT. More indicators are a stronger sign of compromise.

How to identify Xtreme RAT if it is running on your computer, if you are running Microsoft Windows:

1. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab.
Look for a process called svchost.exe running under your username. In this example, the user is Administrator.

2. Open your Documents and Settings folder. Click on your username (in this example, “Administrator”). Click on “All Programs.” Click on “Startup.” Look for a link labeled “(Empty)”, which is a sign of infection.

3. Open your Documents and Settings folder. Click on your username (in this example, “Administrator”). Open the Local Settings folder. Open the Temp folder. Look for two files: _$SdKdwi.bin and System.exe. If “display file extension” is on the file will appear as System.exe. If it is off, it will display as System Project Up-date DMW.

4. Open your Documents and Settings folder. Click on your username (in this example, “Administrator). Open the Local Settings folder. Open the Application Data folder. Open the Microsoft folder. Open the Windows folder. Look for two files: fQoFaScoN.dat and fQoFaScoN.cfg.

5. Click the Start button. Type “cmd” to open a command window. Type “netstat”. In the resulting list of active connections, look for an outbound connection to the following IP address: 216.6.0.28.

What To Do If Your Computer is Infected:

If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine.

As of March 6, 2011, there is only one anti-virus vendor which recognizes this Trojan. You may try updating your anti-virus software, running it, and using it to remove the Trojan if it comes up, but the safest course of action is to re-install the OS on your computer.

Written by Eva Galperin · comments (4)
Share: facebook · twitter · reddit · StumbleUpon · delicious · Instapaper

Written by Eva Galperin · comments (8)
Share: facebook · twitter · reddit · StumbleUpon · delicious · Instapaper