The Linkielist

Linking ideas with the world

Secret Trump order gives CIA more powers to launch cyberattacks with less oversight

The Central Intelligence Agency has conducted a series of covert cyber operations against Iran and other targets since winning a secret victory in 2018 when President Trump signed what amounts to a sweeping authorization for such activities, according to former U.S. officials with direct knowledge of the matter.

The secret authorization, known as a presidential finding, gives the spy agency more freedom in both the kinds of operations it conducts and who it targets, undoing many restrictions that had been in place under prior administrations. The finding allows the CIA to more easily authorize its own covert cyber operations, rather than requiring the agency to get approval from the White House.

Unlike previous presidential findings that have focused on a specific foreign policy objective or outcome — such as preventing Iran from becoming a nuclear power — this directive, driven by the National Security Council and crafted by the CIA, focuses more broadly on a capability: covert action in cyberspace.

The “very aggressive” finding “gave the agency very specific authorities to really take the fight offensively to a handful of adversarial countries,” said a former U.S. government official. These countries include Russia, China, Iran and North Korea — which are mentioned directly in the document — but the finding potentially applies to others as well, according to another former official. “The White House wanted a vehicle to strike back,” said the second former official. “And this was the way to do it.”

President Trump and the CIA. (Photo illustration: Yahoo News; photos: AP(3), Getty Images)

The CIA’s new powers are not about hacking to collect intelligence. Instead, they open the way for the agency to launch offensive cyber operations with the aim of producing disruption — like cutting off electricity or compromising an intelligence operation by dumping documents online — as well as destruction, similar to the U.S.-Israeli 2009 Stuxnet attack, which destroyed centrifuges that Iran used to enrich uranium gas for its nuclear program.

The finding has made it easier for the CIA to damage adversaries’ critical infrastructure, such as petrochemical plants, and to engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized, in which tranches of stolen documents or data are leaked to journalists or posted on the internet. It has also freed the agency to conduct disruptive operations against organizations that were largely off limits previously, such as banks and other financial institutions.

Another key change with the finding is it lessened the evidentiary requirements that limited the CIA’s ability to conduct covert cyber operations against entities like media organizations, charities, religious institutions or businesses believed to be working on behalf of adversaries’ foreign intelligence services, as well as individuals affiliated with these organizations, according to former officials.

“Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government,” a former official told Yahoo News. Now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you’re good.”

The CIA has wasted no time in exercising the new freedoms won under Trump. Since the finding was signed two years ago, the agency has carried out at least a dozen operations that were on its wish list, according to this former official. “This has been a combination of destructive things — stuff is on fire and exploding — and also public dissemination of data: leaking or things that look like leaking.”

Some CIA officials greeted the new finding as a needed reform that allows the agency to act more nimbly. “People were doing backflips in the hallways [when it was signed],” said another former U.S. official.

But critics, including some former U.S. officials, see a potentially dangerous attenuation of intelligence oversight, which could have unintended consequences and even put people’s lives at risk, according to former officials.

The involvement of U.S. intelligence agencies in hack-and-dump activities also raises uncomfortable comparisons for some former officials. “Our government is basically turning into f****ing WikiLeaks, [using] secure communications on the dark web with dissidents, hacking and dumping,” said one such former official.

The CIA declined to comment or respond to an extensive list of questions from Yahoo News. The National Security Council did not respond to multiple written requests for comment.

[…]

Source: Secret Trump order gives CIA more powers to launch cyberattacks

Zoom fixed a vanity URL issue that could have led to phishing attacks

Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack.

Hackers could have taken advantage of the exploit in two ways. One involved changing a vanity URL (i.e., http://[whatever].zoom.com) to include a direct link to a phony meeting. The other centered on targeting an organization’s own Zoom web interface and urging a victim to enter their meeting ID into a malicious vanity URL instead. A video shared by Zoom and Check Point Research, which helped identify and resolve the issue, shows how the exploit worked.

Zoom’s popularity exploded amid the COVID-19 pandemic as people were looking to chat with friends, family and co-workers via video call. In December, around 10 million people participated in Zoom meetings each day, but by April, that figure had shot up exponentially to 300 million. It just launched a lineup of video-calling devices targeted at people who are working from home.

With the increased attention on Zoom came more focus on its security and privacy issues. The company has been trying to fix some of its vulnerabilities in recent months, having announced a 90-day plan in April to beef up security. Among the measures it undertook were the formation of a security council and the rollout of a patch packed with security updates.

Zoom also announced it would incorporate end-to-end encryption (E2EE) on video calls for greater security. At first, it was only going to enable E2EE for paying customers, before it relented and said it’d offer it to all users.

Source: Zoom fixed a vanity URL issue that could have led to phishing attacks | Engadget

Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree

Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits’ accounts – and suggested it all kicked off after its staff fell for social engineering.

Judging from leaked screenshots of Twitter’s internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to gain direct or indirect access to an administration panel used by Twitter employees to configure accounts, by tricking or coercing the social network’s staff.

From there, the crooks were, at least in some cases, seemingly able to change the registered email addresses of celebrities, corporations, crypto-coin exchanges, publications, and politicians’ accounts – think Apple, Uber, Bill Gates, Elon Musk, Joe Biden, and so on – to an inbox they controlled, requested password resets, and logged in to tweet Bitcoin scams to millions of followers. The miscreants may have been able to disable multi-factor authentication from the inside, too.

According to Vice, hackers boasted they had a paid mole inside Twitter who did all the dirty work for them. The social network’s spokespeople said it was still investigating exactly how it all went down.

Twitter’s support account spelled out its side of the story so far this evening:

The Twitter accounts of both The Register and your humble hack’s brother Anthony Sharwood are verified by the avian network. Both were unable to tweet once Twitter discovered the incident and both received no direct communication from Twitter about the status of our accounts nor any details of whether the incident posed a risk to personal data.

But not all functionality was removed. Sharwood the younger said he was able to send direct messages during the incident. “I sent a guy a DM to apologise that I couldn’t respond to a tweet,” he said.

Indeed, The Register’s own verified account couldn’t tweet, but could send direct messages as well as retweet and like other tweets.

[…]

The hijackers used their ill-gotten access to post tweets in which celebrities promised to double users’ Bitcoin balances as an act of philanthropy – and more than $100,000 in cryptocurrency was transferred by hopefuls with no sign of any payback. That’s probably a better result than putting incendiary remarks in the mouth of a world leader with millions of followers, though. Or more-than-usually incendiary in the case of a certain US President.

Source: Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree • The Register

Company that contributes majority of LibreOffice code complains ecosystem is ‘beyond utterly broken’ – no financial model for FOSS

The companies that do most to develop and evolve the LibreOffice productivity suite, both for desktop and cloud, say the project’s business model is “beyond utterly broken” and that The Document Foundation (TDF), the charity that hosts the project, has to change its approach.

The matter is a subject of intense debate within the board of the foundation, set up in 2010 to oversee LibreOffice, a fork of Oracle’s OpenOffice. It touches on a question that crops up repeatedly in various contexts: as usage of open-source software continues to grow, what is the right business model to fund its development?

The TDF’s manifesto promises “to eliminate the digital divide in society by giving everyone access to office productivity tools free of charge.” The document adds that “we encourage corporate participation” but there is nothing about providing an incentive for such companies.

Michael Meeks, managing director at Cambridge-based Collabora, the company that contributes most full-time developers to LibreOffice, has set out the situation in (opinionated) detail here and here.

Meeks is an open-source veteran, having worked on GNOME, OpenOffice, and other prominent projects. Everything was fine at LibreOffice to begin with, and he calls 2012-2014 “the flourishing years.”

Alongside Collabora, there were 15 developers from SUSE, five from Red Hat, one from Canonical, seven from the city of Munich (part of its embrace of open source), and some 40 others from various companies. Many of those have now dropped out, or reduced their commitment, leaving around 40 paid developers in total – of whom Collabora provides 25 and CIB, a Munich-based specialist in document management, seven.

Meeks believes “LibreOffice is at serious risk,” though the matter is complex. TDF has around €1.5m in the bank, Meeks said, but something that may surprise outsiders is that the foundation cannot and does not use that money to employ developers.

Thorsten Behrens, IT lead for LibreOffice at CIB, told The Register: “The TDF is a charity; it’s not in the business of developing software and actually cannot, because that would put it in competition with the commercial ecosystem,” as well as threatening its charitable status.

Most donations go to TDF so if the commercial providers of developers reduce their commitment, TDF remains but the development effort diminishes.

This also means that contributing to LibreOffice by paying for support is currently more effective than donating money to TDF.

Could LibreOffice succeed without paid-for developers?

Behrens pointed to Apache OpenOffice as an example of why this does not work. “It is limping,” he said. “Every two years they release a new version, but everyone who cares moved on to LibreOffice. OpenOffice is the best argument that we have that we need a commercial ecosystem. If we don’t have that, we will end up like them.”

[…]

Source: Company that contributes majority of LibreOffice code complains ecosystem is ‘beyond utterly broken’ • The Register

In 2017 I spoke about this – it’s a tough nut to crack, because there are open source fanatics – who just happen to be paid to develop and promote open source – who keep holding onto a definition of “open source” developed in the 70s. Open source projects are much more complex than they were then, have a much larger user base and require much more coordination from people who aren’t being paid (by a university or foundation) to develop them.

E.U. Court Invalidates Data-Sharing Agreement With U.S.

The European Union’s top court ruled Thursday that an agreement that allows big tech companies to transfer data to the United States is invalid, and that national regulators need to take tougher action to protect the privacy of users’ data.

The ruling does not mean an immediate halt to all data transfers outside the EU, as there is another legal mechanism that some companies can use. But it means that the scrutiny over data transfers will be ramped up and that the EU and U.S. may have to find a new system that guarantees that Europeans’ data is afforded the same privacy protection in the U.S. as it is in the EU.

The case began after former U.S. National Security Agency contractor Edward Snowden revealed in 2013 that the American government was snooping on people’s online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans.

Austrian activist and law student Max Schrems that year filed a complaint against Facebook, which has its EU base in Ireland, arguing that personal data should not be sent to the U.S., as many companies do, because the data protection is not as strong as in Europe. The EU has some of the toughest data privacy rules under a system known as GDPR.

Source: E.U. Court Invalidates Data-Sharing Agreement With U.S. | Time

Big tech’s reckoning starts with an antitrust committee

On July 27th, the CEOs of Apple, Facebook, Amazon and Google — the “GAFA” companies — will testify in front of the House Judiciary Antitrust Subcommittee. Getting those four people into the same room — even virtually — on the same day is something of a feat and it speaks to how seriously these companies are taking the committee’s long-standing investigation into their practices.

In June last year, the House Judiciary Committee launched a bipartisan investigation into competition in “digital markets.” It said that a “small number of dominant, unregulated platforms,” hold “extraordinary power” over e-commerce, online communication and digital information. It added that this power has a stifling effect on competition and entrepreneurship in both the US and the wider world.

Each CEO will need to explain how their monolithic platforms, like Facebook’s social network, Google’s advertising business and Apple’s App Store, do not violate antitrust law. “Antitrust” is shorthand for the rules around businesses stifling competition in a free and fair market. That includes blocking powerful companies from buying up, copying or pricing out their rivals to the detriment of competition. Regulators are now turning their beady eye toward what ‘big tech’ has been up to for all of these years.

“Both Democrats and Republicans do seem to believe that there’s something wrong with how these big tech companies are operating.” Joel Mitnick is an antitrust lawyer at Cadwalader in New York who began his career as a trial lawyer at the Federal Trade Commission. He says that lawmakers suspect that there’s “something abusive going on [in] terms of their market power.” He added that there’s a belief that these companies are blocking, or excluding, competitors.

As well as these hearings, it’s likely that Google is going to face a separate antitrust lawsuit that’ll be filed towards the end of 2020. The Wall Street Journal said a cadre of attorneys general want to scrutinize Google’s online advertising business. Apple looks like it’ll be next on the block, with a Politico report from last month saying that Apple’s “easy ride” from lawmakers is coming to an end. It contends that Apple’s control of the app store, and how it treats competing apps from rival developers within its ecosystem, is under quiet scrutiny.

News of a potential US probe into Apple came roughly a week after the European Union began its own investigation. EU officials are investigating whether Apple’s control of the app store “violate[s] EU competition rules,” because you can only buy system apps from the App Store. The fact that apps that offer in-app purchases can only do so through Apple’s system, earning the latter 30 percent commission, is also under scrutiny.

The ultimate goal of any antitrust investigation is to promote competition that will, it’s hoped, benefit the consumer. Critics believe that Apple’s control of the App Store stifles competition and, by extension, is ultimately harmful to consumers. They believe that Apple is essentially creating a market that forces people to use Apple’s own products and services.

The obvious example is the App Store, which is the only way for developers to get their software onto people’s iOS, iPad OS and Watch OS devices. But look at HomePod, the Apple speaker that can only directly access Apple Music. If you want to play from Spotify or other services, you’ll have to use your phone to cast to the speaker. In late June, however, Apple said that it would open HomePod up to third-party services in the coming months as it opens up its products.

Mitnick explained that rather than simply examining companies through the lens of being a “monopolist,” you need to look at “market power.” Apple has historically eschewed being the biggest player in town in favor of catering to a smaller, premium segment of the market. And in consumer technology, there is a wide variety of cheaper products available from its bigger, albeit potentially less profitable, rivals.

But that’s not the case with the iOS ecosystem. In the US, StatCounter says that iOS has around 58 percent of the market compared to Android’s 41 percent. iPad OS, the tablet-friendly version of iOS, is even more dominant in the US, with StatCounter reporting close to 65 percent of the market. It’s not a monopoly, but Apple appears to be the dominant player in the US.

And, says Mitnick, when a company gets that big “they lose the right to be so exclusionary,” essentially that with great power comes an obligation to be even more scrupulous. After all, if officials can demonstrate in a court that the App Store rules are boxing out developers and stifling competition, they could insist on radical changes. Or, they could decide that buying an Android phone offers enough of an alternative, and that Apple isn’t doing anything wrong.

Apple’s counter-argument to this is that it has done plenty to create a level playing field for its rivals. It charges just a $99 flat fee to any app developer and only asks for a 30-percent cut of any qualifying transaction. (That includes digital goods within the app or subscriptions, although that fee falls to 15 percent in subsequent years.) So long as apps don’t contravene Apple’s own rules or break the law, developers have carte blanche to do whatever they want. And, right now, the arrangement benefits iPhone/iPad/Watch users who can count on secure apps that have been vetted by Apple.

[…]

Source: Big tech’s reckoning starts with an antitrust committee | Engadget

Let’s be clear – a 30% cut AND a flat fee is a mafia-type ripoff only monopolies and the taxman can pull off.

I spoke about this in Zagreb in 2019 and it’s fun to see it all happening.