Online test-proctoring: educational spyware that lets third parties secretly watch and listen to you through your computer

Rebecca from EFF writes, "How would you feel about having your computer taken over by online test-taking software - complete with proctors peering through your laptop camera? Reporters at the Spartan Daily (the student paper for San Jose State University) have an interesting story about new software in use there, and the legitimate concerns that some students have. The data-broker connection is especially chilling to those worried about their personal information." The company's response? "We're a customer service business, so it’s really not advantageous for us to violate that trust." Oh, well, so long as that's sorted out then.

UK phone companies turned a profit by shoveling customer data into GCHQ's maw

A fresh set of Snowden leaks show that the UK spy agency GCHQ turned spying into a profit centre for Britain's telcos, who received huge cash payouts in exchange for turning over their customers' private communications and developing spyware to infect customers' computers in order to extract more data.

Read the rest

Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"


Nate Anderson's long Ars Technica piece on RATters -- men who use "Remote Administration Tools" to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords -- is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this "game." Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by Ratters (they call their victims "slaves"); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"

One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote. "For me I don't have the feeling of doing something perverted, it's more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you've been spying on in real life, I've had that a couple of times, it just makes me giggle, especially if it's someone with an uber-weird-nasty habit."

By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. "lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit," one poster wrote. "Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves."

Everything we do today involves computers and everything we do tomorrow will require computers. It's imperative that computers be designed to reveal themselves to their users and owners -- every program and process accessible to users and owners by design. But we continue to erode this fundamental through bans on jailbreaking and unlocking, and through the governmental trade in "zero-day" exploits intended for use in so-called cyberwar.

Meet the men who spy on women through their webcams [Nate Anderson/Ars Technica]

Laptop rental companies reach cash-free, pointless settlement with toothless FTC for taking secret naked pictures of customers having sex, harvesting medical records and banking passwords and more

The FTC has settled with seven rent-to-own companies and a software company called DesignerWare of North East Pennsylvania for their role in secretly installing spyware on rental laptops, which was used to take "pictures of children, individuals not fully clothed, and couples engaged in sexual activities."

Under the terms of the settlement, the companies are free to go on engaging in this behavior, but now they'll have to notify customers. They won't pay a fine. The FTC won't say if it's referred any of the companies for criminal prosecution. The rental companies used the spyware to harvest renters' bank passwords, private emails to doctors, medical records, and Social Security numbers, and they used it to pop up deceptive windows on customers' computers to trick them into entering personal information.

Wired's David Kravets has more:

The software, known as Detective Mode, didn’t just secretly turn on webcams. It “can log the keystrokes of the computer user, take screen shots of the computer user’s activities on the computer, and photograph anyone within view of the computer’s webcam. Detective Mode secretly gathers this information and transmits it to DesignerWare, who then transmits it to the rent-to-own store from which the computer was rented, unbeknownst to the individual using the computer,” according to the complaint.

Under the settlement, the companies can still use tracking software on their rental computers, so long as they advise renters, the FTC said. The companies include Aspen Way Enterprises Inc.; Watershed Development Corp.; Showplace Inc., doing business as Showplace Rent-to-Own; J.A.G. Rents LLC, doing business as ColorTyme; Red Zone Inc., doing business as ColorTyme; B. Stamper Enterprises Inc., doing business as Premier Rental Purchase; and C.A.L.M. Ventures Inc., doing business as Premier Rental Purchase.

Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says

New virus targets online banking systems in Mideast

Russian security firm Kaspersky Lab claims to have uncovered a new "cyber-espionage toolkit" designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran. The researchers claim this new malware has been found infecting systems in other countries in the Middle East, and targets online financial systems. More at Wired Threat Level and Reuters. They're calling this one "Gauss."

Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

The Electronic Frontier Foundation's Marcia Hoffman writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hoffman points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose their discoveries to the software vendors themselves, even for money, because they want to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million. But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."

“Zero-day” exploit sales should be key point in cybersecurity debate

Carrier IQ latest

Daring Fireball's front page currently offers a great roundup of stories about Carrier IQ, makers of spyware installed on smartphones by carriers.

Some more news about CarrierIQ

the rootkit/spyware that's been discovered on various mobile phones: first, Al Franken asking some pointed questions about it (Go, Al! But come on, you're Mr Net Neutrality, anti-corporatism, and you can't figure out why building a Great Firewall of America to "protect copyright" is batshit insane? Seriously?); second, "Google Experience" phones, like the Nexus S, Nexus One and Nexus Galaxy do not have the spyware on them. (Thanks, Alan!)

Sprint loaded spyware on its Android phones

Alan sez, "TechCrunch and others are reporting that a program called "Carrier IQ" that comes pre-installed on Sprint phones has some pretty amazing spyware capabilities, right down to keylogging everything you do on the phone."

Note the careful use of the words “record,” “provide,” “inspect,” and “report.” It’s obvious from this video that the application has access to the information in question, and whether it records, provides, inspects, or reports it is simply a setting they can choose. The purposes for which CIQ says their software is installed — identifying trending problems in the fleet, for instance — don’t seem to me to require the level of access the software has granted itself. Add this to the fact that users are not informed at any step of the fact that their information is passing through “quality assurance” layer (sometimes before the user layer itself is aware of it), and their indignant denial begins to ring hollow.

Furthermore, as many developers have pointed out, the mere presence of the software is detrimental. Removing the software has reportedly improved performance and battery life. Furthermore, secure handshake information over wifi is passed through the software unencrypted, something that has little to do with carrier quality assurance. And if that information is cached even temporarily, that’s a security risk.

CarrierIQ, makers of the rootkit/spyware, threatened legal action against Trevor Eckhart, the researcher who reported on this, and backed down after EFF took up his case.

Carrier IQ Video Shows Alarming Capabilities Of Mobile Tracking Software (Thanks, Alan!)