aggregator

San Francisco – The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients.

The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut.

“People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” said EFF Director of Cybersecurity Eva Galperin. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, Vice President of Security Intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

Dark Caracal has been operating since at least 2012. However, one reason it has been hard to track is the diversity of seemingly unrelated espionage campaigns originating from the same domain names. The researchers believe that Dark Caracal is only one of a number of different global attackers using this infrastructure. Over the years, Dark Caracal’s work has been repeatedly misattributed to other cybercrime groups. In fact, EFF’s Operation Manul report from 2016 misidentified espionage from these servers as coming from the Indian security company Appin.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

For the full report:
https://www.lookout.com/info/ds-dark-caracal-ty

For more on Dark Caracal:
https://blog.lookout.com/dark-caracal-mobile-APT

For more on how to avoid downloading malware:
https://ssd.eff.org/en/module/how-avoid-phishing-attacks

Washington, D.C.—The Electronic Frontier Foundation (EFF) asked the Librarian of Congress today to limit the legal barriers people face when they want to repair and modify software-enabled products, so that they—not manufacturers— control the appliances, computers, toys, vehicles, and other products they own.

In comments filed in Washington D.C. today, EFF continued its years-long fight to enable owners and creators to repair, modify, and enhance products, or use snippets of films or songs, free of onerous threats that doing so somehow infringes companies' copyrights. Software-enabled devices and Internet-connected products and appliances are ubiquitous in modern life, and people aren't infringing anyone's copyright when, for example, they choose to permanently disable the embedded, on-all-the-time camera or microphone in their kids' toys, or send their car to their favorite mechanic, rather than high-priced dealerships, to be repaired.

“It’s absurd that a law intended to protect copyrighted works is misused instead to prevent people from taking apart or modifying the things they own, inhibit scientists and researches from investigating safety features or security enhancements, and block artists and educators from using snippets of film in noncommercial ways," said EFF Legal Director Corynne McSherry. "The exemption process is one highly flawed way of alleviating that burden."

“We rely on the devices in our lives to learn and communicate, to keep us safe and get things done,” said EFF Staff Attorney Kit Walsh. “These devices should work for us and embody our preferences, not the commercial desires of their manufacturers. We, the users of these devices, should be able to decide how they affect our  lives and how we can improve and adapt them. That’s how we ensure that technology enhances our freedoms rather than undermining them.”

This year EFF petitioned the Librarian to exempt from Section 1201 of the Digital Millennium Copyright Act (DMCA) all modifications and repairs of software-enabled devices that don’t infringe copyrights. It’s also seeking exemptions that will allow people to tinker with smart speakers and digital home assistants such as Amazon Echo and Google Home. EFF is also seeking one clear, easier-to-use exemption for video excerpts that would allow educators, libraries, documentary filmmakers, remix artists, and others to use video snippets without fear of legal repercussions by copyright owners. The Librarian implements the exemption recommendations of the Copyright Office.

“Our approach is simple: we are seeking to expand the types of activities that should be exempt from Section 1201 of the DMCA to encompass repairs, modifications, enhancements, and innovations that don’t infringe copyright,” said EFF Senior Staff Attorney Mitch Stoltz. “We shouldn’t have to seek exemptions for things copyright law already allows. Instead, there should be a general rule that allows people to circumvent digital locks to do any non-infringing activity.”

For EFF’s comments:
https://www.eff.org/document/eff-1201-exemption-comments-2017-computer-program-repairs
https://www.eff.org/document/eff-1201-exemption-comments-2017-jailbreaking-0
https://www.eff.org/document/eff-1201-exemption-comments-2017-video-0
https://www.eff.org/document/huang-1201-exemption-comments-2017
https://www.eff.org/document/green-1201-exemption-comments-2017

For more on the Section 1201 exemption process:
https://www.eff.org/cases/2018-dmca-rulemaking

For more on the unintended consequences of Section 1201 of the DMCA:
https://www.eff.org/issues/dmca
https://www.eff.org/issues/dmca-rulemaking

Washington, D.C. - The Electronic Frontier Foundation (EFF) filed suit against the Department of Justice, the Department of Commerce, and the Department of Homeland Security today, demanding records about the agencies’ work on the federal Tattoo Recognition Technology program.

This secretive program involves a coalition of government, academia, and private industry working to develop a series of algorithms that would rapidly detect tattoos, identify people via their tattoos, and match people with others who have similar body art—as well as flagging tattoos believed to be connected to religious and ethnic symbols. This type of surveillance raises profound religious, speech, and privacy concerns. Moreover, the limited information that EFF has been able to obtain about the program has already revealed a range of potentially unethical behavior, including conducting research on prisoners without approval, adequate oversight, or safeguards.

EFF filed a series of Freedom of Information Act (FOIA) requests for more information about the Tattoo Recognition Technology program, which is a National Institute of Standards and Technology (NIST) project sponsored by the FBI, beginning in January of 2016. Although the agencies released some records, they withheld others, and heavily redacted some of the documents they released. As a result, EFF is going to court today against DHS, DOJ, and NIST's parent agency, the Commerce Department, to make sure this important information is released to the public.

“These new automated tattoo recognition tools raise serious constitutional concerns,” said EFF Stanton Fellow Camille Fischer. “Tattoos have served as an expression of the self for thousands of years, and can represent our innermost thoughts, closely held beliefs, and significant moments. If law enforcement is creating a detailed database of tattoos, we have to make sure that everyone’s rights to freedom of expression are protected.”

One big danger of this surveillance is that it can create First Amendment freedom of association concerns when people are matched with others who have similar tattoos—sometimes incorrectly. For example, someone who wears a Star of David tattoo could be confused with a member of a Chicago street gang whose members also wear six-pointed-star tattoos. Recently, an immigrant was fast-tracked for deportation because immigration officials claimed he had a gang tattoo. The immigrant argued that the tattoo signified his place of birth.

“Federal researchers say they want to ‘crack the code’ of tattoos and speech, creating a powerful program that will encourage police to make assumptions about tattoo-wearers,” said EFF Staff Attorney Aaron Mackey. “But the reality is that body art is much more complex than that. The government must disclose more about this program so we can ensure that it doesn’t violate our rights.”

For the full lawsuit:
https://www.eff.org/document/tattoo-complaint

For more on tattoo recognition technology:
https://www.eff.org/deeplinks/2016/06/tattoo-recognition-research-threatens-free-speech-and-privacy
https://www.eff.org/deeplinks/2016/05/5-ways-law-enforcement-will-use-tattoo-recognition-technology