US lawmakers introduce bill to delay enhanced government hacking powers

U.S. lawmakers have introduced legislation to delay the coming into force on Dec. 1 of a rule change that aims to expand the government’s ability to search computers and other digital devices across many jurisdictions with a single warrant.

The new Review the Rule Act aims to delay for discussion proposed amendments to rule 41 of the Federal Rules of Criminal Procedure until July 1 next year. The changes to the rule have already been approved by the Supreme Court in April, and if Congress doesn’t act to the contrary, they will go into effect on Dec. 1.

The modified rule would remove the current prohibition (which has some exceptions) on a federal judge issuing a search warrant outside of the judge’s district, so as to enable law enforcement to remotely search computers whose locations are concealed using technology such as anonymizing tools. The changes in rule 41 were proposed by the Advisory Committee on the Rules of Criminal Procedure at the request of the Department of Justice.

The rule changes have been opposed by lawmakers, industry and civil rights groups who are concerned about their implications on privacy and surveillance.

“Remote searches of media or information that have been ‘concealed through technological means’ may take place anywhere in the world,” said Google in a filing to the committee in February last year.

Under the modified rule, a judge may issue a warrant to remotely search, copy, and seize information from a device that does not have a known location, and may not even be in the district, because the location has been concealed through technological means, according to the lawmakers who introduced the legislation. They are also concerned about a provision that allows a single judge to issue a warrant to remotely search and copy information from suspected devices across five or more districts.

“A single prosecutor should not have the power to hack into the phone or computer of virtually anyone in the United States,” said Senator Mike Lee, a Republican from Utah and a member of the Senate Judiciary Committee.

Others backing the bill are Senators Chris Coons, a Democrat from Delaware; Steve Daines, a Republican from Montana; Ron Wyden, a Democrat from Oregon; and Al Franken, a Democrat from Minnesota. The bill is also supported by Representatives John Conyers, Jr., a Democrat from Michigan, and Ted Poe, a Republican from Texas. In May, Wyden and four others had introduced legislation to prevent the changes from coming into effect, but it was put on the back burner in the election year.

The expanded surveillance authority to allow the U.S. to hack multiple computers in unknown locations, including overseas, with a single warrant has far-reaching consequences for U.S. citizens and people around the world, warned Ed Black, president and CEO of the Computer & Communications Industry Association in a statement Thursday. “This policy impacts the relationship between citizens and our government and between the U.S. and allies,” he added.

The change is scheduled to come into force shortly before a new president, who will inherit the vast surveillance apparatus the country already runs, takes office in the U.S. in January.

A delay in the proposed changes to rule 41 is required to ensure that the newly elected Congress and administration can carefully evaluate the amendment before it goes into effect to ensure that it is constitutional and in the best interests of the American people, said Rep. Poe.

The DOJ holds that “the amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law.”

“This change would not permit indiscriminate surveillance of thousands of victim computers—that is against the law now and it would continue to be prohibited if the amendment goes into effect,” wrote Assistant Attorney General Leslie R. Caldwell of the Criminal Division in June in a blog post.

The amendments would make a difference in cases where a suspect has hidden the location of his computer using technological means, so that the investigator would know which judge to approach for a warrant to discover the computer’s location, Caldwell wrote. When a crime has affected computers in multiple judicial districts, the amendment removes the requirement to submit separate warrant applications in each district where a computer is affected, she added.

That blog post and other statements by the DOJ have not satisfied lawmakers, who wrote in October to Attorney General Loretta Lynch asking for information, among other things, on how the government intends to “prevent forum shopping” by prosecutors seeking court approval to hack into Americans’ devices, and how the government plans to prevent “collateral damage” to innocent Americans’ devices and electronic data during remote searches of devices such as smartphones or medical devices.

Acting on a piece of malware provided by a victim, researchers discovered a new type of Android spyware capable of recording audio and video, turning GPS on or off, and stealing or modifying data on the phone.

While the researchers at first believed the malware originated from the notorious Italian surveillance software vendor Hacking Team, the source of the new Android spyware software may be another Italian company that provides spyware to government agencies.

"There really isn't much going on outside of the run-of-the-mill, boring, commercial spyware junk," according to researchers at the Oakland, Calif.-based security firm Red Naga, LLC. They found the suspicious software appeared to be "an app requesting almost every permission possible, claims to be an Android update, and purports to have something to do with Vodaphone APNs [access point names]."

Red Naga's researcher Tim Strazzere wrote he suspected Hacking Team was the source for the spyware, citing two IP addresses that had previously been linked to Hacking Team as well as the use of Italian language in the malware code. However, Motherboard reported the source was more likely Raxir srl, a Naples, Italy-based intelligence software startup, in large part because "Raxir" is listed as the organization linked to the certificate.

Red Naga wrote that the Android spyware "has the normal abilities of most spyware," including code to automatically remove itself from the launcher after it runs once, persistence on the victim device, the ability to go silent when the victim uses the device, to surreptitiously record audio and video, and to execute further exploits downloaded through the command and control network. The spyware also requests virtually all permissions, giving the attacker access to call logs, contacts, network connections, messaging and more.

While the Red Naga researchers were provided the malware sample by a targeted victim employed by an unnamed government, who asked to remain anonymous, they did find evidence that the Android spyware software has been used elsewhere. "While we cannot release these files due to an agreement with our contact and an ongoing criminal investigation, we have been able to find several similar files in the wild through other public feeds which closely resemble the sample we were provided. The functionality hardly changes between versions and the obfuscation is the same. Since these other samples are already publicly available, we feel comfortable talking about this threat."

Hacking Team last year suffered a major data breach in which attackers released a 400 GB trove of data that included internal documents, source code and zero-day vulnerabilities that the company used to spread its surveillance software. The breach shed light on how government agencies from numerous countries, including the United States, had purchased spyware and digital surveillance tools from Hacking Team. 

State and local government agencies, as well as K-12 educational institutions are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant, Proofpoint researchers warn.

Dubbed MarsJoke, the malware was observed in late August, but the first large-scale spam campaign involving this piece of ransomware kicked off only on Sept. 22, 2016. The distribution of this spam is fueled by the Kelihos botnet, which has been recently associated with other campaigns as well, Proofpoint reveals.

The MarsJoke ransomware email campaign spotted last week featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached document campaigns that well-known ransomware families such as Locky employ.

By referencing a major national air carrier in the subject line and using a convincing email body, along with stolen branding, the attackers attempted to convince victims of the legitimacy of the emails. Some of the subject lines used included “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package.”

In addition to state and local government agencies, and K-12 educational institutions, the spam was also targeting healthcare, telecommunications, insurance, and several other verticals, though in smaller numbers, Proofpoint says.

The MarsJoke malware distributed in this campaign is said to mimic the style of CTB-Locker, and to create .bat and .txt instruction files that it saves throughout the file system to alert the victim to the infection. The ransomware doesn’t change the extension of the encrypted files, though it uses temp files with different extensions during the encryption process (it deletes them when the encryption has finished).

Infected users need to follow the instructions included in a locker window, but can also install the Tor browser and visit an onion portal to view these instructions. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that, if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files will be deleted.

MarsJoke connects to the command and control (C&C) server to report on the new infection, as well as to deliver information such as signature, malware version, and more. The data is URL-encoded and base64-encoded, Proofpoint says.

“Ransomware has become a billion dollar a year industry for cybercriminals. In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections,” Proofpoint notes.

According to the security firm, MarsJoke does not appear to be “just another ransomware.” Given the large message volume observed in this campaign, together with the intended targets, it’s clear that the threat requires more attention, researchers say. “The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims,” Proofpoint concludes.

Ionut Arghire is an international correspondent for SecurityWeek.

A tough-to-detect malware that attacks government and corporate computers has been upgraded, making it more aggressive in its mission to steal sensitive files, according to security firm InfoArmor.

Last November, InfoArmor published details on GovRAT, a sophisticated piece of malware that’s designed to bypass antivirus tools. It does this by using stolen digital certificates to avoid detection.

Through GovRAT, hackers can potentially steal files from a victim’s computer, remotely execute commands, or upload other malware to the system.

Earlier this year, however, the makers of GovRAT came out with a second version, according to a new report from InfoArmor. The malware features an additional function to secretly monitor network traffic on the victim’s computer -- something with scary consequences.

“If you’re downloading something from a particular resource, the hackers can intercept the download and replace it with malware,” said InfoArmor CIO Andrew Komarov on Friday.

Last year, InfoArmor said that earlier versions of GovRAT had attacked more than 15 governments around the world, in addition to seven financial institutions and over 100 corporations.

The number of GovRAT victims, however, is growing, according to InfoArmor. That’s partly because the maker behind the malware has been selling it to other hackers on Hell Forum, a black market website, Komarov said.

Buyers of GovRAT have also been supplied with a stolen database of 33,000 Internet accounts, some of which belong to U.S. government employees, InfoArmor said. It includes email addresses, hashed passwords, full names, and addresses.

Hackers can use the contact information to carry out GovRAT attacks on U.S. government targets, Komarov said. That can be done through phishing emails or
Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23 comes another mind-bending, entertaining talk. This time it’s bigger and badder than before.

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions, then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Find out how, over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5, or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex-SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics apply directly to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War".

Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government’s systemic weaknesses in financial, societal values and political climates that are leader- or country-specific to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies, and how to use these compromised assets to stage the coup.
• How to combine physical and digital techniques and have the best of both worlds to own a country’s infrastructure.
• How to manipulate the media using propaganda targeting journalists’ flawed multiple "source" rules for a story.
• The grand finale of a cyber regime change on a real country from beginning to end using the above techniques, with operational footage. Come to this talk and find out how you too can be your own dictator; benevolent or merciless, that part is up to you.

Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a security company that specializes in Security Operations Centres, penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or virtual machines and details can be found on

Twitter: @_kustodian_

Andrew Otto Boggs, aka INCURSIO, and Justin Gray Liverman, aka D3F4ULT, were arrested on charges related to their alleged roles in the computer hacking of several senior US government officials and US government computer systems.

According to charging documents filed with the court, Boggs and Liverman conspired with members of a hacking group that called itself “Crackas With Attitude.” From about October 2015 to February 2016, the group used social engineering techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior US government officials, their families, and several US government computer systems.

In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their family members; and defaced victims’ social media accounts.

At least three other members of the conspiracy are located in the United Kingdom and are being investigated by the Crown Prosecution Service.

Boggs and Liverman will have their initial appearances at the federal courthouse in Alexandria next week in front of US Magistrate Judge Theresa Carroll Buchanan.